
ENISA Report: Cybersecurity Investments and NIS2 Challenges

Source: ENISA News (www.enisa.europa.eu)
Published December 8th, 2025
Detected March 13th, 2026

Summary

ENISA's 6th NIS Investments report reveals a shift in cybersecurity spending from personnel to technology and services across 1080 EU organizations. The report highlights persistent talent shortages and challenges in implementing the NIS2 Directive, despite compliance being a key investment driver.

What changed

The European Union Agency for Cybersecurity (ENISA) has released its 6th annual NIS Investments report, based on a survey of 1080 public and private organizations across all EU Member States. The report indicates a significant shift in cybersecurity investment priorities, with organizations increasingly allocating budgets towards technology and outsourced services rather than expanding internal cybersecurity teams. Key findings include persistent difficulties in attracting and retaining cybersecurity talent, with 76% reporting challenges in recruitment and 71% in retention. While compliance with regulations like the NIS2 Directive remains the primary driver for cybersecurity investments (70%), the report also notes that implementation of NIS2 presents significant challenges, particularly in areas such as patching, business continuity, and supply-chain risk management.

This report provides crucial insights for policymakers and practitioners regarding the practical implementation of EU cybersecurity policies and the associated challenges. For regulated entities, the findings underscore the ongoing need to address talent gaps, adapt investment strategies to focus on technology and services, and navigate the complexities of NIS2 compliance. The report highlights that while NIS2 is driving improvements in cyber resilience, specific areas like patching and supply-chain management require focused attention. Organizations, especially SMEs, may need to seek accessible guidance and affordable tooling to meet these evolving requirements.

What to do next

  1. Review cybersecurity investment allocation towards technology and services.
  2. Assess current strategies for attracting and retaining cybersecurity talent.
  3. Evaluate NIS2 implementation progress, focusing on patching, business continuity, and supply-chain risk management.

Source document (simplified)

What’s Driving Cybersecurity Investments and where lie the challenges?



Press Release Dec 08, 2025

The 6th edition of the NIS Investments report reveals investments shifting from people to technology, talent shortages deepening, compliance and NIS2 driving action but implementation posing a challenge.

The annual NIS Investments report presents the findings of a survey conducted by ENISA to explore how cybersecurity policy translates in practice across organisations in the EU and its effects on their investments, resources, and operations. The report’s objective is to provide national and EU-level policymakers and practitioners with insights into how EU cybersecurity policies are implemented in organisations and where challenges exist.

This year’s edition has been redesigned to focus on the story the data tells and built around key insights.

ENISA Executive Director, Juhan Lepassaar, stated: “The NIS Investments Study provides insights, central to ENISA’s role to support EU Member States in building cyber resilience in critical sectors. The findings help us to better understand the challenges, target our support and inform our recommendations for the future.”

This year, the survey was carried out across 1080 public and private organisations in all Member States and covered all sectors and subsectors of high criticality under the NIS2 Directive. The NIS2 Directive is a cornerstone of the European Union's efforts to ensure a high common level of cybersecurity across all Member States, strengthening rules to better protect critical sectors. The sample for this year’s survey included 83% large enterprises and 17% SMEs, enabling comparative insights between different types of organisations.

For in-depth exploration of the data gathered through this survey, a dedicated data companion has been published alongside the report. The companion contains two separate views of the dataset: a Member State view and a sector-by-sector view.

Key insights from this year’s report are summarised below:

1. Investment focus shifts from people to technology and services

While organisations have maintained cybersecurity investment at levels comparable to last year’s (9% of IT budgets; median 1.5 million euro), spending is increasingly targeted towards technology and outsourcing rather than expanding internal cybersecurity teams.

2. The cyber talent crunch shows no signs of easing

Difficulties in attracting (76%) and retaining (71%) cybersecurity professionals persist, intensified by a shortage of skilled professionals and fierce competition for limited talent. High turnover further reinforces this gap, raising risk and reshaping staffing strategies.

3. Compliance is the main investment driver but not the only outcome

Compliance remains the main driver of cybersecurity investment (70%) yet its benefits extend beyond regulation. These investments have strengthened risk management (41%), detection (35%) and response (26%). Looking ahead, organisations plan to focus more on upgrading tools, improving recovery capabilities and building internal skills, indicating that policy is steering progress in the right direction.

4. NIS2 is raising the bar, yet implementation remains a challenge

Although NIS2 is prompting entities to strengthen some of the most demanding yet essential areas of cyber resilience, implementing it is widely perceived as challenging. Organisations report patching (50%), business continuity (49%) and supply-chain risk management (37%) as key areas of difficulty. Differences in the size of organisations point to distinct challenges: for larger entities, for example, harmonised approaches and paths for the transition from legacy to modern technology. For SMEs, accessible guidance, affordable tooling (including managed and cloud services) and skills development remain top challenges.

5. Patching still takes months; many still don’t test their security

Timely patching and regular assessments remain challenging even amid regulatory efforts. Almost 1 in 3 organisations across sectors have not conducted a cybersecurity assessment in the past 12 months, while 28% take more than three months to patch critical vulnerabilities. This is especially difficult for SMEs, where both testing (63%) and patching (51%) present persistent challenges. As vulnerability exploitation is a leading intrusion access point, patching and implementation of the Cyber Resilience Act provisions to advance cybersecurity and resilience remain critical across the EU.

6. Supply chain risk: stronger controls, deeper dependence

While supply-chain risk management is improving, increasing reliance on outsourced ICT and security services introduces new vulnerabilities, particularly when suppliers are resource-constrained SMEs. Reflecting this, supply chain and third-party compromises are the second most frequently cited concern for the future (47%). This aligns with a key trend in the ENISA Threat Landscape report, which shows an increase in the targeting of cyber dependencies, with cybercriminals increasingly aiming at third-party providers.

7. DoS caused the noise, ransomware causes the nightmares

While DoS attacks put the most strain on daily operations, ransomware (55%), supply-chain attacks (47%) and phishing (35%) dominate organisational concerns looking ahead. Preparedness is uneven, with SMEs reporting the lowest confidence in their ability to anticipate, withstand and recover from cyber incidents across all scenarios.

How ENISA uses the data gathered

The data gathered through this study contributes to ENISA’s wider analytical work, including the NIS360 report assessing sectoral criticality and maturity, as well as the EU Cybersecurity Index. Additionally, the study insights feed into the State of Cybersecurity in the Union report and inform its recommendations.

Contact

For press questions and interviews, please contact:
press@enisa.europa.eu.


Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various EU Institutions
Published: December 8th, 2025
Instrument: Guidance
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Employers, Technology companies, Manufacturers
Geographic scope: EU-wide

Taxonomy

Primary area: Cybersecurity
Operational domain: Compliance
Topics: NIS2 Directive, Talent Shortages, IT Budgeting
