We have at times been late in adapting national law to the requirements of the NIS2 Directive, that is, the EU-wide regulations on cybersecurity, according to the report of ENISA, the European Agency for Cybersecurity. Although the deadline for adapting local law passed on 17 October, work on the amendment of the law on the National System of Security continues.
Meanwhile, the European Agency for Cybersecurity (ENISA) has collected information on how organizations covered by the NIS2 Directive plan their budgets for protection against digital threats, taking into account new regulatory requirements, staffing challenges and the development of artificial intelligence. Data was collected from 1350 organizations from all EU member states. The survey included all NIS2 sectors of high criticality as well as manufacturing enterprises.
Investments in information security
In response to the increasing number of cyber threats, companies in the European Union are intensifying spending on IT security. In 2023, 9 percent of IT budgets was already allocated to cybersecurity, 1.9 percentage points more than the year before.
Organizations are reacting to the problem not only by increasing spending but also by changing priorities. The median budget allocated to cybersecurity doubled over a year, from 0.7 million euro in 2022 to 1.4 million euro in 2023. Growth in median total expenditure on IT was significantly smaller: from 10 million euro in 2022 to 15 million euro in 2023. This disparity confirms that security is becoming a key element of technology strategies.
Experts emphasize that this trend results from the need to protect customer data and maintain continuity of operations in an increasingly digital business environment.
– Increasing spending on cybersecurity is a natural response of organizations to the growing risk of cyberattacks and new legal requirements, such as the NIS2 directive – notes Robert Lugowski, Cybersecurity Architect from Safesqr, a company specializing in cybersecurity, and adds: – The increase in expenditure on data security in 2023 shows that companies are starting to treat data security as a necessary investment, not only as a cost. The key, however, will be ensuring the efficiency of this expenditure, especially in the context of increasing dependence on new technologies, such as artificial intelligence, and the need to meet new legal regulations. Investments in ICT security must go hand in hand with a long-term strategy and risk assessment, which should take into consideration the corporate maturity and aspirations of the organization, as well as industry and international collaboration, in order to cope with increasingly complex threats.
Cybersecurity specialists wanted urgently
The data also shows the other side of the coin: the situation related to the lack of cybersecurity specialists in the market. It is the fourth year of decline in the percentage of full-time equivalents (FTEs) in IT departments dedicated to ICT security: from 11.9 percent to 11.1 percent. As many as 32 percent of organizations and 59 percent of firms from the SME sector have difficulty filling positions related to IT security, especially those requiring specialized technical knowledge. Everything indicates that it will not get easier in the near future, because with changing legal requirements resulting from the need to adjust to NIS2, 89 percent of organizations expect that they will need additional staff for cybersecurity.
Experts confirm the growing problem related to the lack of professionals in the market: – The shortage of specialists is becoming one of the most serious challenges for organizations in the European Union. The observed decline in the share of security specialists among all IT employees is an alarming signal, especially in the context of the expansion of NIS2. The lack of qualified personnel not only limits the ability of organizations to respond to threats, but also makes it harder for enterprises to comply with legal requirements. To prevent this, systemic measures are necessary, such as increasing the attractiveness of the job, developing educational programs and stimulating collaboration between the private, public and academic sectors. Without appropriate human resources support, even the highest budgets may prove insufficient. It is also necessary to support the retraining of employees, both within IT and outside IT, for positions related to cybersecurity. Today there is a shortage not only of technical specialists, but also of people concerned with risks, processes or managing security strategy.
Processes of adapting to new guidelines
The NIS2 Directive, in comparison to the previous version, has expanded the scope of application to new sectors of the market. It appears that most firms and institutions from these industries have already taken action to comply with the new guidelines. The new NIS2 sectors are comparable in terms of expenditure on information security to the entities covered by the first directive on network and information security. Their investments go primarily toward developing and maintaining basic IT security capabilities.
The ENISA survey shows that most organizations predict one-time or permanent increases in their cybersecurity budgets in order to ensure compliance with NIS2. It is worth noting that a significant number of entities declare that they will not be able to obtain the required additional budget, with this percentage being especially high in the case of SMEs (34 percent). In Poland, almost half of those surveyed (47 percent) declare that they will not need additional security budget in order to maintain compliance with NIS2, 26 percent of entities predict a permanent budget increase, and 17 percent will not be able to request additional budget.
Growing awareness of cyberattack threats and necessary changes
As many as 9 out of 10 entities expect an increase in cyberattacks in the coming year, both in terms of their number and the cost of handling them. As many as 74 percent of the organizations surveyed declare exchanging information primarily with legally designated national entities, but not participating in industry or non-national initiatives. This aspect needs reinforcement, because effective industry and international cooperation in the management of large-scale incidents can be achieved at those higher levels.
General awareness of the changes among entities required to adapt to NIS2 is positive, because 92 percent of them are aware of the general scope or specific provisions of the NIS2 directive. When it comes to Poland, this result is even slightly better, because as many as 94 percent of respondents declare at least general familiarity with the NIS2 directive. However, there is also a percentage of entities in some new NIS2 sectors that do not know of the directive's existence, which may raise concerns about the success of implementing those significant changes.
How do respondents of the study rate their maturity in cyber risk management on a scale from 1 to 10? The average score across all sectors and countries is 6.7, which indicates that the surveyed organizations perceive themselves as understanding cyber risks. Poland comes in even above the EU average here, with a rating of 7.1. Of course, such a result does not necessarily testify to real maturity, but only to a confident perception of reality.
EU-wide regulations on cybersecurity are in effect
Sectors that have already been covered by network and information security requirements are performing significantly better than those that are only now included in NIS2. Firms from the new sectors are often less involved in activities related to cybersecurity, and fewer participate in preparedness initiatives.
This shows clearly that the NIS directive is working, helping sectors to better protect themselves against digital threats. Extending these regulations to new branches is an opportunity to also significantly improve their security. It is worth, for new covered companies to use as quickest as the European Agency for Security.