CRISP: Cybersecurity Regulation Impact Study on Practices

Belsnes, Joar ; Lozano Rebollo, Alejandro ; Krab-Johansen, Jacob Sylvest

4. semester

Cyber Security and Privacy, Master

2025

2025-06-03

82 pages

This Master's thesis investigates the real-world consequences of the European Union's cybersecurity regulation, with a focus on the NIS2 Directive. The study examines whether such legislation drives meaningful improvements in organizational security practices or unintentionally promotes superficial, compliance-oriented behavior. Findings indicate that while the directive aims to establish a high common level of cybersecurity, its legal ambiguity, uneven national implementation, and reliance on consultancy-driven interpretation risk undermining those objectives. The study identifies recurring issues such as compliance fatigue, disproportionate burdens on small and medium-sized businesses (SMBs), and fragmented enforcement landscapes. This thesis provides a grounded perspective on how cybersecurity regulation is interpreted and applied in practice. It reveals a significant gap between the directive’s intended goals and the outcomes observed. The study concludes that clearer expectations, harmonized enforcement, and stronger support mechanisms are essential to achieving meaningful improvements in cyber resilience. The research is exploratory and employs a mixed-methods approach. Semi-structured interviews with leading cybersecurity consultants form the core of the qualitative analysis, complemented by a targeted survey and review of related literature. This design enables the study to capture insights and behavioral dynamics that are often overlooked in existing academic discourse.

Cybersecurity ; NIS2 Directive ; EU Cybersecurity Policy ; Security Governance ; Risk Management ; Risk-Based Governance ; Compliance Minimalism ; Regulatory Fragmentation ; Cross-Border Transposition ; Incident Reporting ; Board Accountability ; SME Capacity Constraints

Download
View record in AAU Student Projects