The 6th edition of the NIS Investments report highlights a realignment in how organizations across the European Union allocate their cybersecurity investments, with funding steadily shifting from staffing toward technologies and outsourced services. The findings come from ENISA’s annual survey, which examines how EU cybersecurity policy, particularly the NIS2 Directive, translates into practice and influences operational decisions, resources, and long-term planning.
ENISA Executive Director Juhan Lepassaar highlighted the study’s importance, stating: “The NIS Investments Study provides insights, central to ENISA’s role to support EU Member States in building cyber resilience in critical sectors. The findings help us to better understand the challenges, target our support, and inform our recommendations for the future.”
For last year’s cycle, the survey gathered responses from 1,080 public and private organizations across all EU Member States. The sample represented sectors deemed highly critical under the NIS2 Directive.
Large enterprises made up 83% of respondents, while 17% were SMEs, allowing comparisons between organizations with very different resource structures. A detailed data companion was published alongside the main report, offering both sector-based and Member State views for deeper analysis.
Cybersecurity Investment Becomes a Priority
Compared to last year, overall cybersecurity investments remained stable, averaging 9% of IT budgets with a median spend of 1.5 million euros. However, the data shows a clear pivot away from expanding internal cybersecurity teams and toward enhanced technology stacks and outsourced services. This shift marks one of the report’s central trends.
The cyber talent shortage remains a defining challenge across the EU. Organizations reported persistent difficulties in attracting (76%) and retaining (71%) cybersecurity professionals. High turnover, limited talent availability, and competitive hiring conditions continue to widen the workforce gap, prompting organizations to reassess staffing models and increase reliance on external support.
Compliance, especially related to NIS2, is still the main catalyst behind cybersecurity investments, cited by 70% of organizations. Yet the report notes that these efforts produce benefits beyond regulatory adherence. Respondents pointed to improvements in risk management (41%), detection capability (35%), and incident response (26%). Future investment priorities include upgrading cybersecurity tools, strengthening recovery processes, and improving internal skills development.
NIS2 Implementation is Essential but Difficult
While NIS2 is prompting organizations to raise their cybersecurity baseline, implementing the directive poses challenges across multiple domains. Entities reported obstacles in patching (50%), business continuity (49%), and supply-chain risk management (37%). Larger organizations struggle with harmonizing approaches and transitioning away from legacy systems, while SMEs face barriers such as limited guidance, high tooling costs, and insufficient skills.
The report reveals ongoing difficulty in timely patching and conducting security assessments. Nearly one in three organizations had not performed a cybersecurity assessment in the previous 12 months. Additionally, 28% require more than three months to patch critical vulnerabilities, a pressing issue given that vulnerability exploitation remains a leading attack vector. SMEs face the steepest hurdles, with 63% struggling with testing and 51% with patching.
Supply-Chain Exposure Rising
As supply-chain risk management slowly improves, dependence on outsourced ICT and security services continues to introduce vulnerabilities, especially when suppliers are SMEs with limited resources. Supply-chain and third-party compromises were identified as the second most concerning future threat (47%), aligning with trends in the ENISA Threat Landscape report, which notes a rise in attacks targeting cyber dependencies.
Organizations cited DoS attacks as the most disruptive to daily operations, yet ransomware (55%), supply-chain attacks (47%), and phishing (35%) dominate long-term concerns. SMEs consistently reported the lowest confidence in their ability to prepare for, withstand, and recover from cyber incidents across any threat category.
Findings from the NIS Investments report feed into several ENISA initiatives, including the NIS360 assessment of sectoral maturity, the EU Cybersecurity Index, and the State of Cybersecurity in the Union report. These insights help refine policy recommendations and guide future actions to strengthen the EU’s overall cyber resilience.
