Content Assessment: Balancing Spend and Standards? Cybersecurity Investments in the European Union
Information - 92%
Insight - 91%
Relevance - 90%
Objectivity - 93%
Authority - 94%
A short percentage-based assessment of the qualitative benefit of the recent post highlighting the recently published annual report on NIS spend on cybersecurity investments.
Editor’s Note: The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. In November of 2022, ENISA published its third annual report on Network and Information Security (NIS) Investments in the EU. The report shares insight into how the NIS Directive has impacted the cybersecurity budget of operators over the past year. This new report may benefit cybersecurity, information governance, and legal discovery professionals operating in the eDiscovery ecosystem as they consider cyber discovery through the lens of budgeted investments.
Press Announcement And Report*
Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
The European Union Agency for Cybersecurity publishes the latest report on Network and Information Security Investments in the EU providing an insight on how the NIS Directive has impacted the cybersecurity budget of operators over the past year with deep dives into the Energy and Health sectors.
The report analyses data collected from Operators of Essential Services (OES) and from Digital Service Providers (DSP) identified in the European Union’s Directive on Network and Information Security Systems (NIS Directive). The analysis seeks to understand whether those operators have invested their budgets differently over the past year in order to meet the new requirements set by the legislative text.
EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, declared: “The resilience of our EU critical infrastructures and technologies will highly depend on our ability to make strategic investments. I am confident that we have the competence and skills driving us to achieve our goal, which is to ensure we will have the adequate resources at hand to further develop our cybersecurity capacities across all economic sectors of the EU.”
Contextual parameters framing the analysis
The report includes an analysis reaching more than 1000 operators across the 27 EU Member States. Related results show that the proportion of Information Technology (IT) budget dedicated to Information Security (IS) appears to be lower, compared to last year’s findings, dropping from 7.7% to 6.7%.
These numbers should be conceived as a general overview of information security spending across a varied typology of strategic sectors. Accordingly, specific macroeconomic contingencies such as COVID-19 may have influenced the average results.
What are the key findings?
- The NIS Directive, other regulatory obligations and the threat landscape are the main factors impacting information security budgets;
- Large operators invest EUR 120 000 on Cyber Threat Intelligence (CTI) compared to EUR 5 500 for SMEs, while operators with fully internal or insourced SOCs spend around EUR 350 000 on CTI, which is 72% more than the spending of operators with a hybrid SOC;
- The health and banking sectors bear the heaviest cost among the critical sectors in case of major cybersecurity incidents with the median direct cost of an incident in these sectors amounting to EUR 300 000;
- 37% of Operators of Essential Services and Digital Service Providers do not operate a SOC;
- For 69% the majority of their information security incidents are caused by vulnerabilities in software or hardware products with the health sector declaring the higher number of such incidents;
- Cyber insurance has dropped to 13% in 2021 reaching a low 30% compared to 2020;
- Only 5% of SMEs subscribe to cyber insurance;
- 86% have implemented third-party risks management policies.
Key findings of Health and Energy sectors
From a global perspective, investments in ICT for the health sector seem to be greatly impacted by COVID-19 with many hospitals looking for technologies to expand healthcare services to be delivered beyond the geographical boundaries of hospitals. Still, cybersecurity controls remain a top priority for spending with 55% of health operators seeking increased funding for cybersecurity tools.
64% of health operators already resort to connected medical devices and 62% already deployed a security solution specifically for medical devices. Only 27% of surveyed OES in the sector have a dedicated ransomware defence programme and 40% of them have no security awareness programme for non-IT staff.
Oil and gas operators seem to prioritise cybersecurity with investments increasing at a rate of 74%. Energy sector shows a trend in investments shifting from legacy infrastructure and data centres to cloud services.
However, 32% of operators in this sector do not have a single critical Operation Technology (OT) process monitored by a SOC. OT and IT are covered by a single SOC for 52% of OES in the energy sector.
The objective of the Directive on Security of Network and Information Systems (NIS Directive) is to achieve a high common level of cybersecurity across all Member States.
One of the three pillars of the NIS Directive is the implementation of risk management and reporting obligations for OES and DSP.
OES provide essential services in strategic sectors of energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries).
DSP operate in an online environment, namely online marketplaces, online search engines and cloud computing services.
The report investigates how operators invest in cybersecurity and comply with the objectives of the NIS Directive. It also gives an overview of the situation in relation to such aspects as IT security staffing, cyber insurance and organisation of information security in OES and DSP.
- NIS Investments – ENISA report 2022
- NIS Investments – ENISA Report 2021
- NIS Investments – ENISA Report 2020
- ENISA Topic – NIS Directive
Read the original announcement.
Complete Report: ENISA Network and Information Security (NIS) Investments (PDF) – Mouseover to ScrollEU NIS Investments 2022
*Shared with permission under Creative Commons – Attribution 4.0 International (CC BY 4.0) – license.
- International Cyber Law in Practice: Interactive Toolkit
- Defining Cyber Discovery? A Definition and Framework
Generative Artificial Intelligence and Large Language Model Use
ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT and DALL-E2, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).
ComplexDiscovery also provides a ChatGPT-powered AI article assistant for its users. This feature leverages LLM capabilities to generate relevant and valuable insights related to specific page and post content published on ComplexDiscovery.com. By offering this AI-driven service, ComplexDiscovery OÜ aims to create a more interactive and engaging experience for its users, while highlighting the importance of responsible and ethical use of GAI and LLM technologies.
Have a Request?
If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.
ComplexDiscovery is a premier online publication renowned for providing essential insights and intelligence in the realms of cybersecurity, information governance, and legal discovery to professionals navigating these fields. As a leading source of information, the publication expertly combines original research with aggregated news to cater to a highly specialized audience. Committed to enhancing readers’ understanding of relevant topics, ComplexDiscovery stands as an impartial and comprehensive resource for exploring trends, technologies, and services associated with electronically stored information.
The driving force behind this influential publication is ComplexDiscovery OÜ, a technology marketing firm that excels in strategic planning and tactical execution for organizations operating within these sectors. Registered as a private limited company in Estonia, a global leader in digital advancements, ComplexDiscovery OÜ dedicates its primary focus to supporting the publication. The company capitalizes on its virtual presence to provide marketing consulting and services to a diverse array of clients around the world, further solidifying its reputation as a leading voice in the eDiscovery ecosystem.