New research from CyberSmart has revealed that, despite a compliance deadline that has now passed, only 16% of businesses required to comply with the EU’s Network and Information Security Directive 2 (NIS2) are confident that they are fully compliant. Worryingly, 11% of respondents were unsure what NIS2 is, despite falling within its scope.
The CyberSmart NIS2 Survey, reveals insights from 670 business leaders across the UK, Poland, the Netherlands, Ireland, France, Germany, Denmark and Belgium. The survey, completed in late 2025, was conducted by OnePoll.
NIS2 is a European Union directive aimed at enhancing the security of network and information systems across EU member states. It applies to organisations operating in designated critical and important sectors, including some non-EU entities that provide services within the EU. The directive establishes cybersecurity requirements, mandating organisations to implement appropriate security measures and report significant incidents to relevant authorities. The deadline for member states to transpose the directive into national law was October 2024.
The findings also arrived at a critical moment for European cybersecurity at large. 2025 saw significant cyber incidents across the continent, including major disruptions to UK retailers.
While full NIS2 compliance remains low, CyberSmart’s research makes it clear that a lack of motivation is not to blame. 75% of respondents see at least some competitive advantage to compliance, and over a quarter (27%) believe that the advantage is significant. The top concerns around non-compliance were operational and reputational: loss of productivity (18%), reputational damage (18%), and loss of customers (18%) all ranked higher than fines (16%) or legal percussions (14%)
Instead, the primary barriers to full compliance are practical. Budgetary constraints were cited as the leading cause of non-compliance (20%), followed by a lack of guidance on how to implement the measures (16%), insufficient internal expertise (11%), and a further 11% who were unsure what NIS2 is, despite falling within its scope.
The pressure to comply is also coming from the market itself. As part of standard due diligence, 42% of respondents have been asked to prove NIS2 compliance by partners, 41% by investors, and 36% by customers or prospects. For UK and Irish businesses in particular, investor scrutiny was notably higher, with 58% reporting that they had been asked to demonstrate compliance.
Encouragingly, the survey also discovered signs of board-level engagement with cybersecurity. 60% of organisations have placed responsibility for cybersecurity compliance at the board or C-suite level, with CEOs most commonly cited (34%). Meanwhile, 95% of respondents believe their board at least somewhat understands the legal and reputational risks of non-compliance.
Alongside the NIS2-specific findings, the research paints a picture of broader regulatory strain. Most businesses across the UK and EU are required to comply with multiple frameworks simultaneously, from DORA (Digital Operational Resiliency Act) and the EU Cybersecurity Act to the UK’s GDPR (General Data Protection Regulation), and others.
The result clearly points to signs of fatigue: 42% of respondents indicated that there are too many regulations to comply with, 35% felt there was too much overlap, and 27% said that there is too much emphasis placed on regulation.
This points to a significant opportunity for managed service providers (MSPs). As businesses struggle to navigate an increasingly complex compliance landscape, there is strong demand for partners who can offer ongoing, multi-regulation compliance support, not just one-off certifications.
Jamie Akhtar, CEO and Co-Founder of CyberSmart said: “Our research shows that most organisations aren’t ignoring NIS2 – they’re stuck trying to implement it. Only 16% feel fully compliant, despite growing board-level ownership, real budget allocation, and a clear belief that compliance matters”,
“The problem is not motivation. It’s the gap between what the regulation asks for, and the practical support businesses have to deliver it – especially while juggling overlapping standards and limited internal expertise”.
“NIS2 is also changing how trust works in the market. Partners, investors and customers are already asking organisations to prove compliance, not just promise it. The organisations that succeed will be the ones that turn compliance into routine – and move from uncertainty to confidence.”
