Navigating cybersecurity investments in the time of NIS 2

Back to News

The latest report of the European Union Agency for Cybersecurity (ENISA) aims to support policy makers in assessing the impact of the current EU cybersecurity framework, and particularly the NIS 2 Directive, on cybersecurity investments and the overall maturity of organisations in scope.

The fifth iteration of the NIS Investments report provides key insights into how organisations in scope of the NIS 2 Directive allocate their cybersecurity budgets, build their capabilities, and mature in line with the Directive’s provisions, while also exploring global cybersecurity trends, workforce challenges, and the impact of AI.

The report further provides insights into the readiness of entities to comply with new requirements introduced by key horizontal (e.g. CRA) and sectorial (e.g. DORA, NCCS) legislation, while also exploring the challenges they face. 

The EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, highlighted: “The NIS 2 Directive signifies a turning point in Europe's approach to cybersecurity. Within a fast evolving and complex threat landscape, the proper implementation of the NIS 2 requires adequate investments and especially into the new sectors which fall under the scope of the updated Directive. The ENISA NIS Investments report provides evidence-based feedback to policymakers and stakeholders regarding NIS-driven investments. These insights are essential for informed decision-making and addressing potential hurdles and gaps in cybersecurity policy implementation.” 

The 2024 edition features a significant enhancement compared to previous versions, as it extends the survey sample to include sectors and entities that are in scope of NIS 2. Through this approach, this report provides a pre-implementation snapshot of relevant metrics for the new sectors and entities under NIS 2, laying a foundation for future assessments of the impact of NIS 2. Additionally, it includes a sectorial deep dive in the Digital infrastructure and Space sectors.

Data were collected from 1350 organisations from all EU Member States covering all NIS2 sectors of high criticality, as well as the manufacturing sector. 

Key findings

  • Information security now represents 9% of EU IT investments, a significant increase of 1.9 percentage points from 2022, marking the second consecutive year of growth in cybersecurity investment post-pandemic. 
  • In 2023, median IT spending for organisations rose to EUR 15 million, with information security spending doubling from EUR 0.7 million to EUR 1.4 million. 
  • For the fourth consecutive year, the percentage of IT Full Time Equivalents (FTEs) dedicated to information security has declined, from 11.9% to 11.1%. This decrease may reflect recruitment challenges, with 32% of organisations—and 59% of SMEs—struggling to fill cybersecurity roles, particularly those requiring technical expertise. This trend is especially notable given that 89% of organisations expect to need additional cybersecurity staff to comply with NIS2. 
  • New NIS2 sectors are comparable in cybersecurity spending to existing NIS Directive entities, with their investments largely focused on developing and maintaining baseline cybersecurity capabilities. Emerging areas, such as post-quantum cryptography, receive limited attention with only 4% of surveyed entities investing and 14% planning future investments. 
  • The majority of organisations anticipate a one-off or permanent increase in their cybersecurity budgets for compliance with NIS 2. Notably, a substantial number of entities will not be able to ask for the required additional budget, a percentage that is especially high for SMEs (34%).  
  • 90% of entities expect an increase in cyberattacks next year, in terms of volume, costliness or both. Despite that, 74% focus their cybersecurity preparedness efforts internally, with much lower participation in national or EU-level initiatives. This gap underscores a critical area for improvement, as effective cross-border cooperation in managing large-scale incidents can only be achieved at these higher levels. 
  • Overall awareness among in-scope entities is encouraging, with 92% being aware of the general scope or specific provisions of the NIS 2 Directive. However, a notable percentage of entities in certain new NIS 2 sectors remain unaware of the Directive, suggesting a potential need for increased awareness campaigns by the national competent authorities. 
  • Entities in sectors already covered by NIS outperform those newly included under NIS 2 across various cybersecurity governance, risk, and compliance metrics. Similarly, entities in new NIS 2 sectors show lower engagement and higher non-participation rates in cybersecurity preparedness activities. This highlights the positive impact the NIS Directive has had on the sectors already in scope; and creates anticipation for the impact NIS 2 will have on the new sectors.

Through the years, the series of the NIS Investments report provide a rich historical dataset which, building on this year’s foundation, will allow us to gain insights into the effect of NIS 2 on new entities within its scope.