The median cybersecurity budget for European organizations has settled at 1.5 million euros, a figure that suggests stability but masks a profound transformation in how the continent defends its digital borders. Beneath the flatlining budgets lies a strategic reallocation: organizations are moving resources from personnel to technology and managed services. This pivot is necessitated by a talent crisis that has evolved into a structural shortage.
This transition from human-centric defense to automated systems is the primary finding of the NIS Investments 2025 report by the European Union Agency for Cybersecurity (ENISA). Drawing on data from 1,080 professionals across the 27 Member States, the study outlines an industry facing dual pressures. On one side, the regulatory requirements of the NIS2 Directive—the European Union’s updated Network and Information Security framework, which expands cybersecurity obligations across critical sectors—are increasing demands for resilience. On the other, a deficit of 299,000 skilled professionals in the EU makes meeting those demands with human capital alone increasingly difficult.
The Human Capital Challenge
For years, the industry has monitored the skills gap, but the 2025 data indicates the issue has become a persistent barrier to resilience. Three-quarters of organizations now report difficulties in attracting qualified personnel, while 71% struggle to retain the staff they already have. The challenge is no longer simply finding a candidate with specific credentials; in many instances, the available labor pool has been effectively exhausted.
This scarcity has created a difficult cycle of turnover. The report details a reinforcing loop in which understaffed teams face escalating workloads, leading to burnout and departures, which in turn intensify the shortage among remaining staff. It is a persistent operational challenge that few organizations are resolving through recruitment alone.
In response, Information Security (IS) leaders are adjusting their strategies. The data shows a distinct decline in the ratio of cybersecurity staff to IT staff, reaching 10.6%. Rather than competing for limited headcount, Chief Information Security Officers (CISOs) are directing budgets toward outsourcing and technological solutions to bridge the capacity gap.
For professionals navigating this shortage, the most effective strategy is shifting from aggressive recruitment to focused retention. Organizations that succeed in this environment are those that prioritize upskilling existing staff rather than relying on external hires. Investing in micro-credentials and defining clear internal career paths can disrupt the turnover cycle, stabilize teams, and build internal capability.
Compliance: The Regulatory Framework Driving Investment
If the talent shortage is a constraint on cybersecurity progress, regulation is the primary accelerator. Seventy percent of organizations identified regulatory compliance—specifically with frameworks such as NIS2, DORA (Digital Operational Resilience Act), and the Cyber Resilience Act—as the primary driver of their investment decisions. While compliance is sometimes viewed as an administrative burden, the ENISA findings suggest it generates operational value.
The push for audit readiness is delivering tangible benefits. Forty-one percent of respondents credited compliance-driven investments with strengthening their risk management processes, while over a third reported faster incident detection. European regulation is effectively raising the collective baseline of cyber hygiene.
However, this regulatory push creates operational friction. Half of all organizations cited vulnerability and patch management as their top challenge under NIS2, followed closely by business continuity planning. These fundamental domains remain difficult to master at scale, particularly for organizations operating across borders where jurisdictional interpretations vary.
The Transatlantic Ripple Effect
While NIS2 is a European directive, its impact creates a ripple effect across the Atlantic, influencing compliance strategies for U.S. enterprises. U.S.-based multinationals with subsidiaries or critical operations in the EU are finding their global governance models tested by Brussels’ stringent requirements.
The “Brussels Effect”—where EU regulations effectively set global standards—is visible here. As EU entities mandate stricter incident reporting and risk management, U.S. parent companies often adopt these higher standards globally to maintain a unified security posture rather than managing fragmented compliance stacks.
Furthermore, the report’s emphasis on supply chain security places non-EU vendors under the microscope. Major U.S. technology providers serving European clients are increasingly subject to rigorous third-party audits driven by NIS2 mandates. This dynamic is creating a de facto global baseline, with EU policy driving compliance upgrades across the U.S. supply chain. For global governance professionals, this signals a necessity to align transatlantic strategies, viewing NIS2 not as a regional hurdle but as a preview of the global regulatory direction.
The Persistence of Hygiene Gaps
A critical finding in the 2025 dataset is the continued challenge of basic cyber hygiene. Despite significant capital investment in the sector, fundamental processes are frequently delayed. The report indicates that 30% of organizations have not conducted a cybersecurity assessment—such as a penetration test or audit—in the past 12 months.
The situation with patching presents similar risks. In an environment where vulnerabilities are rapidly exploited, 28% of organizations report taking more than three months to patch critical vulnerabilities on critical systems. This “patching gap” leaves a substantial window of opportunity for threat actors, potentially undermining investments in more advanced defenses.
For Small and Medium-sized Enterprises (SMEs), this gap is wider. Over half of the SMEs surveyed take over three months to patch critical flaws, and 63% have not tested their security posture in a year. The disparity between large enterprises and SMEs creates a two-tier security landscape where smaller entities face higher exposure.
To bridge this gap, security leaders must prioritize resources. Automating the patching process for non-critical systems and establishing a protocol to address internet-facing assets within 48 hours can reduce the attack surface, even for resource-constrained teams.
Supply Chain Vulnerabilities
As organizations strengthen internal defenses, risk is increasingly migrating to the supply chain. This domain has emerged as the second greatest concern for the future, with 47% of entities fearing third-party compromises. While 90% of organizations claim to have supply chain risk management practices in place, the data suggests a lack of confidence in these measures.
The reliance on external providers is deepening. The shift toward outsourcing IT and security functions means that an organization’s risk posture is frequently inherited from its vendors. When those vendors are resource-constrained SMEs, the risk is amplified. The report highlights a lack of visibility, with many organizations unable to verify the security maturity of their suppliers.
This challenge creates a governance gap where organizations mandate security certifications in contracts but often lack the mechanisms to enforce them. The banking sector stands alone in reporting higher preparedness, likely due to the rigorous demands of DORA. For other sectors, the supply chain remains a challenge. A practical step for governance professionals is to move beyond passive contract clauses and institute verification audits for critical suppliers, focusing specifically on incident response integration.
Divergence in Threat Perception
The report also highlights a divergence between the attacks that occur frequently and those that dominate strategic planning. In the past year, Denial of Service (DoS) attacks were the most common operational disruption, causing the most “noise” in daily operations.
However, when asked about future concerns, ransomware remains the primary fear. Fifty-five percent of organizations cite ransomware as their top concern, driven by the risks of data encryption and extortion. This concern persists even though many entities report feeling relatively prepared to handle it. Conversely, preparedness for supply chain attacks is lower, creating a gap where the industry is focused on the high-visibility threat of ransomware while potentially underestimating the complexity of third-party compromise.
Sectoral Variances
The NIS Investments 2025 data reveals distinct maturity levels across sectors. The banking industry shows high maturity in dealing with third-party risk and maintains high spending efficiency. In contrast, sectors like Health and Transport face greater challenges. The Energy sector balances high investment with high stakes, particularly in protecting Operational Technology (OT) environments where patching is often operationally constrained.
These sectoral differences dictate the flow of capital and talent. As banking stabilizes, talent competition may shift to less mature sectors like healthcare or public administration, where the needs are acute but budgets may be more constrained. Understanding these macro-flows is essential for policy-makers attempting to harmonize resilience across the Union.
The Road Ahead
As 2025 draws to a close, the European cybersecurity landscape reflects a pragmatic recalibration. Regulation has imposed discipline; resource scarcity has forced efficiency. The shift toward technology-centric defense is less a strategic preference than an adaptation to market reality.
Yet the data exposes an uncomfortable gap between investment and execution. Organizations are acquiring modern toolsets while fundamental processes—patching, assessments, supplier verification—remain inconsistent. The challenge ahead is not procurement but operational follow-through: ensuring that automation serves as a force multiplier for sustainable teams rather than a substitute for the procedural rigor that no tool can automate away.
Postscript: Implications Across the Organization
The preceding analysis draws primarily on findings relevant to large enterprises with dedicated cybersecurity functions. However, the ENISA data carries distinct implications for two additional constituencies—SMEs and executive leadership—while also raising questions about technology’s role in addressing the structural talent deficit.
For Small and Medium-Sized Enterprises
The two-tier security landscape documented in the ENISA report places SMEs at disproportionate risk. With 63% reporting no security assessment in the past year and over half taking more than three months to patch critical vulnerabilities, smaller organizations face exposure levels that enterprise-scale recommendations cannot address.
For SMEs operating under resource constraints, the data suggests a triage approach. First, prioritize internet-facing assets: if full patching cycles are impractical, focus remediation on systems directly exposed to external threats. Second, leverage managed security service providers where internal capacity is absent—though the report’s finding that 43% of ICT service management entities have not undergone security testing themselves warrants careful vendor diligence. Third, engage with sector-specific Information Sharing and Analysis Centres (ISACs) where available; the ENISA data indicates that organizations in sectors new to NIS2 remain notably disengaged from collaborative information-sharing initiatives, leaving threat intelligence on the table.
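The triage just described, and the 48-hour internet-facing protocol recommended earlier for resource-constrained teams, can be turned into a repeatable check over a vulnerability inventory. The following is an added illustration, not code from ENISA or the report; the 48-hour and three-month thresholds come from the text, while the 30-day target for critical flaws on non-exposed critical systems, the Finding schema and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# From the text: 48 h for internet-facing assets; the report's "patching gap" is > 3 months (90 days here).
INTERNET_FACING_SLA = timedelta(hours=48)
PATCHING_GAP = timedelta(days=90)
CRITICAL_SLA = timedelta(days=30)  # assumed internal target for critical flaws on non-exposed critical systems

@dataclass
class Finding:
    asset: str
    internet_facing: bool
    critical_system: bool
    severity: str                 # "critical", "high", "medium", "low"
    disclosed: datetime           # when the vendor fix became available
    patched: Optional[datetime] = None

def sla_for(f: Finding) -> Optional[timedelta]:
    """Return the remediation deadline that applies to a finding, or None if no SLA applies."""
    if f.internet_facing:
        return INTERNET_FACING_SLA
    if f.critical_system and f.severity == "critical":
        return CRITICAL_SLA
    return None

def overdue(findings, now):
    """Unpatched findings past their SLA, internet-facing first, then oldest first."""
    late = [f for f in findings
            if f.patched is None and sla_for(f) is not None and now - f.disclosed > sla_for(f)]
    return sorted(late, key=lambda f: (not f.internet_facing, f.disclosed))

def patching_gap_share(findings, now):
    """Share of critical findings on critical systems still open, or fixed, after more than 90 days."""
    pool = [f for f in findings if f.critical_system and f.severity == "critical"]
    if not pool:
        return 0.0
    gap = [f for f in pool if (f.patched or now) - f.disclosed > PATCHING_GAP]
    return len(gap) / len(pool)

# Constructed sample inventory (not data from the report).
NOW = datetime(2025, 12, 1)
SAMPLE = [
    Finding("vpn-gw", True, True, "high", NOW - timedelta(days=3)),
    Finding("web-01", True, False, "medium", NOW - timedelta(hours=20)),
    Finding("erp-db", False, True, "critical", NOW - timedelta(days=120)),
    Finding("hr-app", False, True, "critical", NOW - timedelta(days=40), NOW - timedelta(days=10)),
]
```

Running `overdue(SAMPLE, NOW)` surfaces the exposed VPN gateway ahead of the internal database, and `patching_gap_share` reports the same over-three-months metric the report uses, so a small team can track its own gap against the 28% and over-half figures cited above.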
Budget limitations are real, but the cost of a breach—operational disruption, regulatory penalty, reputational damage—scales differently for organizations with thinner margins. The baseline investment may not be optional; it may be existential.
For Boards and Executive Leadership
NIS2 introduces management accountability provisions that elevate cybersecurity from an operational concern to a governance obligation. Executive leadership should read the ENISA findings through three lenses.
First, liability exposure. The directive’s requirements around risk management, incident reporting, and supply chain oversight carry enforcement mechanisms that can reach individual decision-makers. The 30% assessment gap and 28% patching delay documented in the report represent quantifiable compliance risk.
Second, budget justification. The finding that 70% of organizations cite regulatory compliance as their primary investment driver provides a clear frame for resource allocation. Cybersecurity spend is no longer discretionary; it is a cost of market access in the European Union. For organizations with transatlantic operations, the ripple effect into U.S. governance frameworks may follow.
Third, strategic risk. The talent shortage is not a temporary hiring challenge—it is a structural market condition. Organizations competing for a finite pool of 299,000 missing professionals will not recruit their way to resilience. Boards should expect cybersecurity strategies that incorporate outsourcing, automation, and retention-focused workforce development rather than headcount expansion alone.
The Automation Question
The ENISA report documents a shift from personnel-heavy strategies to technology-centric defense, but does not examine what that technology entails. This is a gap worth watching.
Automation and AI-assisted security operations—including Security Orchestration, Automation, and Response (SOAR) platforms, AI-driven threat detection, and automated vulnerability management—are increasingly positioned as force multipliers for understaffed teams. Whether these tools can meaningfully close the capacity gap remains an open question. Early indicators suggest they can accelerate routine tasks (log analysis, alert triage, patch deployment for standardized environments) but struggle with the judgment-intensive work that defines senior cybersecurity roles.
For organizations evaluating this path, the calculus is straightforward: automation should extend the reach of existing personnel, not substitute for foundational expertise that remains absent. The risk lies in treating technology acquisition as a proxy for capability. The ENISA data on patching delays and assessment gaps suggests that toolsets alone do not guarantee operational follow-through—a caution that applies equally to automated systems.
The 2026 edition of this report may offer clearer evidence on whether automation is absorbing functions that cannot be staffed or merely adding complexity to already overstretched teams. Until then, measured investment with realistic expectations is the prudent stance.
News Sources
- European Union Agency for Cybersecurity (ENISA). (2025). NIS Investments 2025. Athens, Greece: European Union Agency for Cybersecurity.
- What’s Driving Cybersecurity Investments and where lie the challenges? (ENISA)
- NIS Investments 2025 (ENISA)
- NIS Investments 2025 – Survey data companion document – PDF (ENISA)
Assisted by GAI and LLM Technologies
Source: HaystackId published with permission from ComplexDiscovery OÜ