What’s Driving Cybersecurity Investments and where lie the challenges?


The 6th edition of the NIS Investments report reveals investments shifting from people to technology, talent shortages deepening, compliance and NIS2 driving action but implementation posing a challenge.

The annual NIS Investments report presents the findings of a survey conducted by ENISA to explore how cybersecurity policy translates in practice across organisations in the EU and its effects on their investments, resources, and operations. The report’s objective is to provide national and EU-level policymakers and practitioners with insights into how EU cybersecurity policies are implemented in organisations and where challenges exist.

This year’s edition has been redesigned to focus on the story the data tells and is built around key insights.

ENISA Executive Director, Juhan Lepassaar stated: “The NIS Investments Study provides insights, central to ENISA’s role to support EU Member States in building cyber resilience in critical sectors. The findings help us to better understand the challenges, target our support and inform our recommendations for the future.”

This year, the survey was carried out across 1080 public and private organisations in all Member States and covered all sectors and subsectors of high criticality under the NIS2 Directive. The NIS2 Directive is a cornerstone of the European Union's efforts to ensure a high common level of cybersecurity across all Member States, strengthening rules to better protect critical sectors. The sample for this year’s survey included 83% large enterprises and 17% SMEs, enabling comparative insights between different types of organisations. 

For in-depth exploration of the data gathered through this survey, a dedicated data companion has been published alongside the report. The companion contains two separate views of the dataset: a Member State view and a sector-by-sector view.

Key insights from this year’s report are summarised below:

1. Investment focus shifts from people to technology and services 

While organisations have maintained cybersecurity investment at levels comparable to last year’s (9% of IT budgets; median 1.5 million euro), spending is increasingly targeted towards technology and outsourcing rather than expanding internal cybersecurity teams.

2. The cyber talent crunch shows no signs of easing

Difficulties in attracting (76%) and retaining (71%) cybersecurity professionals persist, intensified by a shortage of skilled professionals and fierce competition for limited talent. High turnover further reinforces this gap, raising risk and reshaping staffing strategies.

3. Compliance is the main investment driver but not the only outcome

Compliance remains the main driver of cybersecurity investment (70%), yet its benefits extend beyond regulation. These investments have strengthened risk management (41%), detection (35%) and response (26%). Looking ahead, organisations plan to focus more on upgrading tools, improving recovery capabilities and building internal skills, indicating that policy is steering progress in the right direction.

4. NIS2 is raising the bar, yet implementation remains a challenge

Although NIS2 is prompting entities to strengthen some of the most demanding yet essential areas of cyber resilience, implementing it is widely perceived as challenging. Organisations report patching (50%), business continuity (49%) and supply-chain risk management (37%) as key areas of difficulty. Organisations of different sizes face distinct challenges: larger entities cite the need for harmonised approaches and clear paths for the transition from legacy to modern technology, while for SMEs accessible guidance, affordable tooling (including managed and cloud services) and skills development remain the top challenges.

5. Patching still takes months; many still don’t test their security

Timely patching and regular assessments remain challenging even amid regulatory efforts. Almost 1 in 3 organisations across sectors have not conducted a cybersecurity assessment in the past 12 months, while 28% take more than three months to patch critical vulnerabilities. This is especially difficult for SMEs, where both testing (63%) and patching (51%) present persistent challenges. As vulnerability exploitation is a leading point of initial access for intrusions, patching and the implementation of the Cyber Resilience Act provisions to advance cybersecurity and resilience remain critical across the EU.

6. Supply chain risk: stronger controls, deeper dependence

While supply-chain risk management is improving, increasing reliance on outsourced ICT and security services introduces new vulnerabilities, particularly when suppliers are resource-constrained SMEs. Reflecting this, supply chain and third-party compromises are the second most frequently cited concern for the future (47%). This aligns with a key trend in the ENISA Threat Landscape report, which shows an increase in the targeting of cyber dependencies, with cybercriminals increasingly aiming at third-party providers.

7. DoS caused the noise, ransomware causes the nightmares

While DoS attacks put the most strain on daily operations, ransomware (55%), supply-chain attacks (47%) and phishing (35%) dominate organisational concerns looking ahead. Preparedness is uneven, with SMEs reporting the lowest confidence in their ability to anticipate, withstand and recover from cyber incidents across all scenarios.

How ENISA uses the data gathered

The data gathered through this study contributes to ENISA’s wider analytical work, including the NIS360 report assessing sectoral criticality and maturity, as well as the EU Cybersecurity Index. Additionally, the study’s insights feed into the State of Cybersecurity in the Union report and inform its recommendations.