The European Union Agency for Cybersecurity publishes the latest report on Network and Information Security Investments in the EU providing an insight on how the NIS Directive has impacted the cybersecurity budget of operators over the past year with deep-dives into the Energy and Health sectors.
Published on November 23, 2022
The report analyses data collected from Operators of Essential Services (OES) and from Digital Service Providers (DSP) identified in the European Union’s Directive on Network and Information Security Systems (NIS Directive). The analysis seeks to understand whether those operators have invested their budgets differently over the past year in order to meet the new requirements set by the legislative text.
EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, declared: “The resilience of our EU critical infrastructures and technologies will highly depend on our ability to make strategic investments. I am confident that we have the competence and skills driving us to achieve our goal, which is to ensure we will have the adequate resources at hand to further develop our cybersecurity capacities across all economic sectors of the EU.”
Contextual parameters framing the analysis
The report includes an analysis reaching more than 1000 operators across the 27 EU Member States. Related results show that the proportion of Information Technology (IT) budget dedicated to Information Security (IS) appears to be lower, compared to last year’s findings, dropping from 7.7% to 6.7%.
These numbers should be conceived as a general overview of information security spending across a varied typology of strategic sectors. Accordingly, specific macroeconomic contingencies such as COVID19 may have influenced the average results.
What are the key findings?
Key findings of Health and Energy sectors
From a global perspective, investments in ICT for the health sector seem to be greatly impacted by COVID-19 with many hospitals looking for technologies to expand healthcare services to be delivered beyond the geographical boundaries of hospitals. Still, cybersecurity controls remain a top priority for spending with 55% of health operators seeking increased funding for cybersecurity tools.
64% of health operators already resort to connected medical devices and 62% already deployed a security solution specifically for medical devices. Only 27% of surveyed OES in the sector have a dedicated ransomware defence programme and 40% of them have no security awareness programme for non-IT staff.
Oil and gas operators seem to prioritise cybersecurity with investments increasing at a rate of 74%. Energy sector shows a trend in investments shifting from legacy infrastructure and data centres to cloud services.
However, 32% of operators in this sector do not have a single critical Operation Technology (OT) process monitored by a SOC. OT and IT are covered by a single SOC for 52% of OES in the energy sector.
Background
The objective of the Directive on Security of Network and Information Systems (NIS Directive) is to achieve a high common level of cybersecurity across all Member States.
One of the three pillars of the NIS Directive is the implementation of risk management and reporting obligations for OES and DSP.
OES provide essential services in strategic sectors of energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries).
DSP operate in an online environment, namely online marketplaces, online search engines and cloud computing services.
The report investigates how operators invest in cybersecurity and comply with the objectives of the NIS Directive. It also gives an overview of the situation in relation to such aspects as IT security staffing, cyber insurance and organisation of information security in OES and DSP.
Further information
NIS Investments – ENISA report 2022
NIS Investments – ENISA Report 2021
NIS Investments – ENISA Report 2020
ENISA Topic – NIS Directive
Contact
For press questions and interviews, please contact press (at) enisa.europa.eu
Stay updated – subscribe to RSS feeds of both ENISA news items & press releases!
News items:
http://www.enisa.europa.eu/media/news-items/news-wires/RSS
PRs:
http://www.enisa.europa.eu/media/press-releases/press-releases/RSS
Your feedback can help us maintain or improve our content.
The European Union Agency for Cybersecurity (ENISA) is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe.
ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.
We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.
