December 4, 2023

Two-thirds of European companies must act

Only a third of companies (34 percent) in the UK, France and Germany have completed preparations for the updated EU Network and Information Security Directive (NIS2). This is despite the fact that the legal deadline expires in less than a year.

This is what a new study conducted by SailPoint, a company that provides identity security services to businesses, shows. Since fines for non-compliance with the Directive can reach €10 million or 2 percent of a company’s annual global turnover, implementing the necessary measures to comply with the Directive should be a top priority for companies.

The study, which surveyed 1,500 IT decision-makers, found that companies still have a lot of work to do. 82% of affected German companies are still obligated to properly secure their supply chain, while 79% have to evaluate the efficiency of current cyber measures. Three-quarters of those affected need to take new risk management measures (76 percent) and introduce HR security measures (75 percent). 79% believe there is a need to catch up on employee training on the topic of cybersecurity. Affected companies cannot afford to put off this issue for long – those surveyed assume that implementing these five milestones will take an average of five months.

Through the NIS2 Directive, the EU responds to the growing number of cyber threats. It aims to achieve a broad, comprehensive and holistic improvement in cybersecurity in the European Union. Over the next 12 months, adopting an appropriate cybersecurity strategy within the Directive should be a top priority for affected businesses. And not just because of NIS2: operational failures, reputational damage, customer losses and system recoveries are just some of the consequences that come with a security breach.

Stephen Bradford, Senior Vice President EMEA at SailPoint: “Businesses need to learn from the experience of the introduction of GDPR and use the next 12 months wisely to ensure they have an effective security strategy at the core of their business model. The extended supply chain is often overlooked , but this is where the threats come in. Businesses need to ensure they are securely protected across the entire ecosystem.

The key: applying the right technology. AI-driven identity security initiatives help identify and respond to risks more quickly. Such safeguards should be a key component of any organization’s cybersecurity risk management strategy. They can provide the support needed to fully comply with NIS2 regulations.


This research was conducted by Censuswide in October 2023 on behalf of SailPoint. 1,500 IT decision makers in the UK, France and Germany were surveyed in critical and other critical sectors for companies with 250 or more employees and a turnover of at least €10 million, which corresponds to companies affected by 2 shekels.

The survey was conducted to understand companies’ readiness and awareness of NIS2, one year before the NIS2 deadline (17 October 2024), by which EU Member States must incorporate this new law into their national legislation.

Sectors examined include: energy, transport, banking and finance, healthcare, utilities, digital infrastructure, ICT service management, government, aerospace, postal and courier services, waste management, manufacturing, digital service providers, production Food and research institutions.