The European Union Agency for Cybersecurity publishes the latest report on Network and Information Security Investments in the EU providing an insight on how the NIS Directive has impacted the cybersecurity budget of operators over the past year with deep-dives into the Energy and Health sectors.
The report analyses data collected from Operators of Essential Services (OES) and from Digital Service Providers (DSP) identified in the European Union's Directive on Network and Information Security Systems (NIS Directive). The analysis seeks to understand whether those operators have invested their budgets differently over the past year in order to meet the new requirements set by the legislative text.
EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, declared: “The resilience of our EU critical infrastructures and technologies will highly depend on our ability to make strategic investments. I am confident that we have the competence and skills driving us to achieve our goal, which is to ensure we will have the adequate resources at hand to further develop our cybersecurity capacities across all economic sectors of the EU."
Contextual parameters framing the analysis
The report includes an analysis reaching more than 1000 operators across the 27 EU Member States. Related results show that the proportion of Information Technology (IT) budget dedicated to Information Security (IS) appears to be lower, compared to last year's findings, dropping from 7.7% to 6.7%.
These numbers should be conceived as a general overview of information security spending across a varied typology of strategic sectors. Accordingly, specific macroeconomic contingencies such as COVID19 may have influenced the average results.
What are the key findings?
- The NIS Directive, other regulatory obligations and the threat landscape are the main factors impacting information security budgets;
- Large operators invest EUR 120 000 on Cyber Threat Intelligence (CTI) compared to EUR 5 500 for SMEs, while operators with fully internal or insourced SOCs spend around EUR 350 000 on CTI, which is 72% more than the spending of operators with a hybrid SOC;
- The health and banking sectors bear the heaviest cost among the critical sectors in case of major cybersecurity incidents with the median direct cost of an incident in these sectors amounting to EUR 300 000;
- 37% of Operators of Essential Services and Digital Service Providers do not operate a SOC;
- For 69% the majority of their information security incidents are caused by vulnerabilities in software or hardware products with the health sector declaring the higher number of such incidents;
- Cyber insurance has dropped to 13% in 2021 reaching a low 30% compared to 2020;
- Only 5% of SMEs subscribe to cyber insurance;
- 86% have implemented third-party risks management policies.
Key findings of Health and Energy sectors
- Health
From a global perspective, investments in ICT for the health sector seem to be greatly impacted by COVID-19 with many hospitals looking for technologies to expand healthcare services to be delivered beyond the geographical boundaries of hospitals. Still, cybersecurity controls remain a top priority for spending with 55% of health operators seeking increased funding for cybersecurity tools.
64% of health operators already resort to connected medical devices and 62% already deployed a security solution specifically for medical devices. Only 27% of surveyed OES in the sector have a dedicated ransomware defence programme and 40% of them have no security awareness programme for non-IT staff.
- Energy
Oil and gas operators seem to prioritise cybersecurity with investments increasing at a rate of 74%. Energy sector shows a trend in investments shifting from legacy infrastructure and data centres to cloud services.
However, 32% of operators in this sector do not have a single critical Operation Technology (OT) process monitored by a SOC. OT and IT are covered by a single SOC for 52% of OES in the energy sector.
Background
The objective of the Directive on Security of Network and Information Systems (NIS Directive) is to achieve a high common level of cybersecurity across all Member States.
One of the three pillars of the NIS Directive is the implementation of risk management and reporting obligations for OES and DSP.
OES provide essential services in strategic sectors of energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries).
DSP operate in an online environment, namely online marketplaces, online search engines and cloud computing services.
The report investigates how operators invest in cybersecurity and comply with the objectives of the NIS Directive. It also gives an overview of the situation in relation to such aspects as IT security staffing, cyber insurance and organisation of information security in OES and DSP.
Further information
NIS Investments – ENISA report 2022
NIS Investments – ENISA Report 2021
NIS Investments – ENISA Report 2020
Contact
For press questions and interviews, please contact press (at) enisa.europa.eu