Only a third (34%) of organisations across the UK, France and Germany have completed preparations for the European Union’s updated Network and Information Security Directive (NIS2), despite just one year to go until its legislative deadline, according to new research from SailPoint, a leader in enterprise identity security. With fines for non-compliance costing up to €10 million, or 2% of an organisation’s global annual revenue, taking the necessary steps to become compliant must be top of the agenda for businesses.

The research, which surveyed 1,500 IT decision makers, found there is still a lot of preparation for organisations to complete, despite the clock ticking. For UK organisations, which must still comply with the directive if they operate in the EU, four in five (80%) still need to properly secure their supply chains, while three-quarters (76%) must assess the efficiency of existing cyber measures. Three-quarters of organisations also need to add new risk management measures (74%), implement HR security (76%) as well as provide cyber security training to staff (72%). Businesses can’t afford to be complacent – of these five milestones, respondents anticipate each will take five months on average to complete.

The NIS2 directive comes at a time when organisations of all sizes face a growing number of cyber threats, and aims to deliver a broad, comprehensive, and holistic improvement of cyber security across the EU.

Stephen Bradford, Senior Vice President EMEA at SailPoint, said: “With just one year to go, businesses must put their foot to the floor when it comes to NIS2 compliance and get ahead on their cyber preparation. The threat landscape has been growing in volume and sophistication over recent years meaning the stakes have never been higher. Operational downtime, reputational damage, customer loss, and system restoration that follow any breach can cause a real headache for businesses.  

“Organisations must learn from GDPR and use the next twelve months wisely to make sure cyber resilience is at the core of their business models. The extended supply chain is often overlooked, but often this is where threats arise and it’s important for companies to make sure they are securely protected throughout the whole ecosystem. Implementing the right technology is key to this, with AI-driven identity security initiatives helping to identify risks and trigger faster, more impactful responses. Defences like this must be a key consideration in every organisation’s cybersecurity risk management strategy and can give businesses the boost needed to become fully compliant with NIS2.”

To learn more, visit