CRISP: Cybersecurity Regulation Impact Study on Practices
Term
4. semester
Education
Publication year
2025
Submitted on
2025-06-03
Pages
82
Abstract
This Master's thesis investigates the real-world consequences of the European Union's cybersecurity regulation, with a focus on the NIS2 Directive. The study examines whether such legislation drives meaningful improvements in organizational security practices or unintentionally promotes superficial, compliance-oriented behavior. Findings indicate that while the directive aims to establish a high common level of cybersecurity, its legal ambiguity, uneven national implementation, and reliance on consultancy-driven interpretation risk undermining those objectives. The study identifies recurring issues such as compliance fatigue, disproportionate burdens on small and medium-sized businesses (SMBs), and fragmented enforcement landscapes. This thesis provides a grounded perspective on how cybersecurity regulation is interpreted and applied in practice. It reveals a significant gap between the directive’s intended goals and the outcomes observed. The study concludes that clearer expectations, harmonized enforcement, and stronger support mechanisms are essential to achieving meaningful improvements in cyber resilience. The research is exploratory and employs a mixed-methods approach. Semi-structured interviews with leading cybersecurity consultants form the core of the qualitative analysis, complemented by a targeted survey and review of related literature. This design enables the study to capture insights and behavioral dynamics that are often overlooked in existing academic discourse.
Keywords
Documents