ENISA reports on cybersecurity investments, impact of NIS directive with deep dives into energy, health sectors
The European Union Agency for Cybersecurity (ENISA) published Wednesday a new report on network and information security investments in the European Union (EU). The report details insights on how the NIS directive has impacted the cybersecurity budget of operators over the past year with deep dives into the energy and health sectors. It also gives an overview of the situation in relation to such aspects as IT security staffing, cyber insurance, and organization of information security in OES (operators of essential services) and DSP (digital service providers).

The report called ‘NIS Investments’ provides insights into how OES and DSP invest their cybersecurity budgets and comply with the requirements of the NIS directive. It also looks into the impact that the NIS directive has had on these operators, and collects data on various operational and organizational aspects of OESs and DSPs in the EU. In addition, global cybersecurity market trends are presented through Gartner security data and insights observed globally and in the EU, in order to provide a better understanding of the relevant dynamics.

“The resilience of our EU critical infrastructures and technologies will highly depend on our ability to make strategic investments,” Juhan Lepassaar, executive director at the EU Agency for Cybersecurity, said in a media statement. “I am confident that we have the competence and skills driving us to achieve our goal, which is to ensure we will have the adequate resources at hand to further develop our cybersecurity capacities across all economic sectors of the EU.”

The objective of the NIS Directive (Directive on Security of Network and Information Systems) is to achieve a high common level of cybersecurity across member states. One of the three pillars of the NIS directive is the implementation of risk management and reporting obligations for OES and DSP. 

OES provide essential services in the sectors of energy (electricity, oil and gas), transport (air, rail, water, and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries), while DSP operate in an online environment, such as online marketplaces, online search engines, and cloud computing services.

The ENISA report presents data collected from 1080 OES/DSPs from all 27 EU member states and provides a historical dataset that allows for year-on-year comparison and identification of trends. Moreover, sectorial deep dives were conducted for the energy and health sectors. 

From a global perspective, investments in ICT (Information and Communication Technology) for the health sector seem to be greatly impacted by COVID-19 with many hospitals looking for technologies to expand healthcare services to be delivered beyond the geographical boundaries of hospitals. Still, cybersecurity controls remain a top priority for spending with 55 percent of health operators seeking increased funding for cybersecurity tools.

ENISA reported that 64 percent of health operators already use connected medical devices and 62 percent have already deployed a security solution specifically for medical devices. Only 27 percent of surveyed OES in the sector have a dedicated ransomware defense program, and 40 percent of them have no security awareness program for non-IT staff.

Moving to the energy sector, ENISA reported that oil and gas operators seem to prioritize cybersecurity, with investments increasing at a rate of 74 percent. The energy sector shows a trend of investments shifting from legacy infrastructure and data centers to cloud services.

However, 32 percent of operators in this sector do not have a single critical OT (operational technology) process monitored by a SOC (security operations center). For 52 percent of OES in the energy sector, OT and IT are covered by a single SOC.

The survey data also indicated that in 68 percent of the OESs in the energy sector, critical OT systems are monitored by a SOC, of which 16 percent possess a dedicated SOC for such OT systems. “Notably, however, 32% of the OESs within the Energy sector indicate that none of their critical OT processes are monitored by a SOC.”

Additionally, 89 percent of the organizations that do not monitor critical OT systems also do not have a formal SOC in place, ENISA reported.

The ENISA report said that the proportion of the information technology (IT) budget dedicated to information security (IS) appears to be lower than in last year’s findings, dropping from 7.7 percent to 6.7 percent. These numbers should be read as a general overview of information security spending across a varied typology of strategic sectors. Accordingly, specific macroeconomic contingencies, such as the COVID-19 pandemic, may have influenced the average results. 

“In 2022, the market for information security and risk management will reach EUR 170 billion, with an estimated global growth of 6.5% by 2025,” the ENISA report said. “This growth is driven by the reinitiating of projects that were put on hold at the beginning of 2020, an increase in remote and hybrid working, and an increase in incidences of data breaches. The uncertainties at macroeconomic level caused by geopolitical conditions, inflation, and the talent crunch will be at play as well, dampening growth in information security.” 

Another significant disclosure is that cyber insurance adoption dropped to 13 percent in 2021, a 30 percent decline compared to 2020, with a mere 5 percent of SMEs subscribing to cyber insurance, while 86 percent have implemented third-party risk management policies.

On the basis of the survey data, the ENISA report noted that OESs and DSPs in Bulgaria, Latvia, Malta, Slovakia, and Slovenia hardly possess any cybersecurity insurance. “This could imply the cybersecurity market has yet to be established or materialise fully within these Member States. Furthermore, around 50% of the OESs and DSPs in Austria, Czech Republic, Italy, the Netherlands, and Spain possess cybersecurity insurance,” it added.

The report also said that the NIS directive, other regulatory obligations and the threat landscape are the main factors impacting information security budgets. “The survey data indicates that the cybersecurity investment strategy of 69% of the OESs and DSPs in the EU was mostly influenced by the threat landscape, closely followed (66%) by obligations under the NIS Directive. Furthermore, the regulatory environment and the current geopolitical situation are taken into consideration as determinants of investments by 52% and 43% respectively of the organisations surveyed,” it added.

The report also pointed to the sectoral analysis of important external factors impacting spending on information security, showing that behind the threat landscape and the NIS directive, the geopolitical situation had a very high impact in the energy and transport sectors while the impact was much lower for digital infrastructures and online search engines. For healthcare, the overall regulatory environment was as important as the NIS directive in driving cybersecurity investments.

The ENISA report also disclosed that large operators invest significantly more in cyber threat intelligence (CTI) compared to smaller ones with the median spend on CTI across OES/DSPs being EUR 50 000. Large operators invest EUR 120 000 on CTI compared to EUR 5 500 for SMEs, while operators with fully internal or insourced SOCs (security operations centers) spend around EUR 350 000 on CTI, which is 72 percent more than the spending of operators with a hybrid SOC. 

The increasing awareness of the importance of cybersecurity and the realization of the need to support decision-making and processes with operationalized threat intelligence is driving spending in the area, the report said.

“Regardless of these increased spending priorities, the CTI market remains fairly fragmented with an increasing number of established providers acquiring and driving CTI market consolidation, and the presence of vendors offering differing sets of focused specialisations and capabilities,” the report said. “The market variation is characterised by differences in demand between more mature and better staffed security teams contrasted by less mature adopters. The more mature security teams tend to require more technical-focused CTI, while the less mature organisations are more likely to prefer less extensive, tactically oriented solutions rather than strategic intelligence that offers too much information that is difficult to leverage due to limited resources.” 

Small and midsize enterprises (SMEs) often opt for solutions that deliver prioritized and contextualized threat intelligence that is more closely integrated with other security controls, rather than enterprise-specific CTI offerings such as dedicated threat intelligence platforms, the report added.

The report also identified that the health and banking sectors bear the heaviest cost among the critical sectors in case of major cybersecurity incidents, with the median direct cost of an incident in these sectors amounting to EUR 300 000. Additionally, 37 percent of OES and DSPs do not operate a SOC, while for 69 percent of them the majority of their information security incidents are caused by vulnerabilities in software or hardware products, with the health sector declaring the highest number of such incidents.

Earlier this month, ENISA published its ENISA Threat Landscape 2022 (ETL) report, covering the state of the cybersecurity threat landscape for the reporting period from July 2021 to July 2022. The ETL report found that, with the geopolitical context giving rise to cyber warfare and hacktivism, alarming cyber operations and malignant cyberattacks have altered the trends observed in the 10th edition of the report.