Press Release

NIS Directive has Positive Effect, though Study Finds Gaps in Cybersecurity Investment Exist

New ENISA study examining cybersecurity spending states that 82% of Operators of Essential Services and Digital Services Providers find that the NIS Directive has a positive effect. However, gaps in investment still exist. When comparing organisations from the EU to those from the United States, data shows that EU organisations allocate on average 41% less to cybersecurity than their US counterparts.

Published on December 11, 2020

Today, the European Union Agency for Cybersecurity (ENISA) released a new report on information security spending for network and information services (NIS) under the NIS Directive, the first EU-wide legislation on cybersecurity. The NIS Investments report is based on a survey of 251 organisations of operators of essential services (OES) and digital service providers (DSP) from France, Germany, Italy, Spain and Poland. Eighty-two percent of those surveyed reported the NIS Directive had a positive effect on their information security.

NIS Directive Implementation

The report provides input to the European Commission’s review of the NIS Directive on the 16th of December, four years after the Directive entered into force and two years after the transposition into national law.   

Challenges remain after the implementation of the Directive -- the lack of clarity of the NIS Directive expectations after transposition into national law was a common issue. More than 35% of organisations surveyed believe the NIS Directive expectations are unclear. Twenty-two percent of respondents listed limited support from national authorities as one of their top challenges when implementing the Directive.

Cybersecurity Investments: EU vs. US

When comparing organisations from the EU to organisations from the United States, the study shows that EU organisations allocate on average 41% less to information security than their US counterparts.

The Executive Director of the EU Agency for Cybersecurity, Juhan Lepassaar, said: “This data indicates that the NIS Directive has been a great tool to drive investments, but recognises that certain gaps still exist, and a clearer strategic framework and more elaborated approach is needed. The review of the NIS Directive is timely and can therefore address these challenges -- building a stronger network and information security framework.”

New and unique data on EU information security in the NIS Investment report:
Has your organisation established (or planned) a dedicated program or project(s) to implement the NIS Directive?

 NIS Investments -1

What are the estimated damages incurred by the last major security incident(s) experienced by your organisation? NIS Investments - 2

 Key findings about the NIS Directive implementation in the NIS Investment report

  • The average budget for NIS Directive implementation projects is approximately €175k, with 42.7% of affected organisations allocating between €100k and €250k. Slightly less than 50% of surveyed organisations had to hire additional security matter experts.
  • Surveyed organisations prioritised the following security domains: Governance, Risk & Compliance and Network Security.
  • When implementing the NIS Directive, 64% of surveyed organisations procured security incident & event log collection solutions, as well as security awareness & training services.
  • “Unclear expectations” (35%)  and “Limited support from the national authority” (22%) are among the top challenges faced by surveyed organisations when implementing the NIS Directive.
  • 81% of the surveyed organisations have established a mechanism to report information security incidents to their national authority.
  • 43% of surveyed organisations experienced information security incidents with a direct financial impact to up to €500k, while 15% experienced incidents with over half a million euro.


The NIS Directive represents the first EU-wide legislation on cybersecurity, with the objective to achieve a high common level of cybersecurity across all EU Member States. One of the three pillars of the NIS Directive is the implementation of risk management and reporting obligations for Operators of Essential Services (OES) and Digital Service Providers (DSP). OES provide essential services in strategic sectors of energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries). DSP operate in an online environment, namely online marketplaces, online search engines and cloud computing services.

Further Information

ENISA Topic - NIS Directive


For contacting the authors please use [email protected]

For questions related to the press and interviews, please contact press (at)


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies