EU: ENISA releases report on cybersecurity investments in the time of NIS 2 Directive
On November 21, 2024, the European Union Agency for Cybersecurity (ENISA) released a report titled 'Navigating cybersecurity investments in the time of NIS 2', covering Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive).
ENISA clarified that it aims to help policymakers assess the effectiveness of the existing EU cybersecurity framework. In particular, it intends to help further assess the impact of the NIS 2 Directive by providing relevant metrics for new sectors and entities in the scope of the NIS 2 Directive and other EU cybersecurity policy frameworks, such as the Cyber Resilience Act (CRA) and the Regulation on digital operational resilience for the financial sector (DORA).
Key findings
ENISA highlighted that the key findings from the report include:
- the percentage of IT Full-Time Equivalents (FTEs) dedicated to information security has declined - ENISA considered this trend especially notable given that 89% of organizations expect to need additional cybersecurity staff to comply with the NIS 2 Directive;
- new NIS 2 Directive sectors are comparable in cybersecurity spending to existing NIS Directive entities, with their investments largely focused on developing and maintaining baseline cybersecurity capabilities;
- the majority of organizations anticipate a one-off or permanent increase in their cybersecurity budgets for compliance with the NIS 2 Directive;
- 90% of entities expect an increase in cyberattacks next year, in terms of volume, costliness, or both, and 74% focus their cybersecurity preparedness efforts internally, with much lower participation in national or EU-level initiatives - ENISA outlines that effective cross-border cooperation in managing large-scale incidents can only be achieved at higher levels;
- 92% of in-scope entities are aware of the general scope or specific provisions of the NIS 2 Directive - however, ENISA highlighted that a notable percentage of entities in certain new NIS 2 Directive sectors remain unaware, which suggests a potential need for increased awareness campaigns by the national competent authorities; and
- entities in sectors already covered by the NIS Directive outperform those newly included under the NIS 2 Directive across various cybersecurity governance, risk, and compliance metrics.
Artificial intelligence in cybersecurity
Regarding the impact of artificial intelligence (AI) on cybersecurity, the report outlined that, among other things:
- many organizations recognize the risks associated with AI, but only two-thirds have implemented a documented strategy for addressing them;
- 80% of organizations have not yet conducted audits of their third-party vendors for AI-related vulnerabilities, underscoring a critical gap in proactive risk management;
- 74% of organizations report acquiring new tools for AI privacy, security, and risk management, which may contribute to this positive trend; and
- a 2024 survey on AI in enterprise use revealed that nearly 30% of organizations deploying AI have experienced AI-related security breaches.