Cybersecurity Spending vs Effectiveness in the EU (ENISA 2025): Why Resilience Stalls Under NIS2
Cybersecurity budgets across the European Union continue to rise, yet many organisations report limited improvement in their actual security posture. According to ENISA’s NIS Investments report published in December 2025, the gap between expenditure and effectiveness is not driven by a lack of tools or regulation. It is driven by structural constraints that prevent investments from delivering measurable outcomes. In practice, organisations may increase spending year over year while still seeing recurring incidents, slow recovery cycles, and uneven maturity across business units.
This disconnect matters. For organisations subject to NIS and NIS2 requirements, cybersecurity is no longer a discretionary IT expense. It is a regulated operational capability with direct implications for business continuity, liability, and governance. Under NIS2, cybersecurity increasingly becomes a board-level responsibility, not just a technical function. That shift raises expectations around oversight, reporting, and the ability to demonstrate readiness under real incident pressure.

Cybersecurity spending is increasing, but unevenly
ENISA data shows a steady increase in cybersecurity investment across sectors covered by the NIS Directive. Large enterprises and operators of essential services allocate significantly more resources to security than small and medium-sized organisations. Financial services, energy, and telecommunications lead in absolute spend, while public sector entities and smaller operators lag behind. The result is an investment landscape where regulated organisations operate under similar obligations but with very different execution capacity.
Why higher budgets don’t translate into resilience
However, higher budgets do not translate directly into higher resilience. ENISA highlights wide disparities in maturity between organisations operating under the same regulatory framework. In many cases, spending concentrates on technology acquisition rather than on long-term operational capability. Security programmes accumulate tools, but teams struggle to keep configurations consistent, integrate telemetry across environments, and maintain operational discipline over time.
The result is a security stack that looks complete on paper but performs inconsistently under pressure. Controls exist, but they do not always behave predictably during incidents, especially when multiple teams and external providers are involved. In those moments, gaps in ownership and decision authority quickly become visible.
Compliance pressure shapes investment decisions
Regulatory obligations remain one of the strongest drivers of cybersecurity spending in the EU. The introduction of NIS2 has expanded the scope of regulated entities and increased accountability at management level. Boards and executive teams are now directly responsible for security oversight, reporting, and incident response readiness. For many organisations, this changes the internal conversation: cybersecurity is no longer framed only as risk reduction, but also as governance exposure.
This pressure influences how budgets are allocated. ENISA observes that many organisations prioritise controls that are easiest to demonstrate during audits. Documentation, policy frameworks, and certification efforts often receive funding ahead of detection capability, response readiness, or recovery planning. Audit readiness becomes a visible success criterion, while incident execution capability remains harder to measure and therefore easier to postpone.
From a compliance perspective, this approach is understandable. From an operational perspective, it creates blind spots. Investments serve reporting requirements but do not always strengthen the organisation’s ability to handle real incidents. Over time, organisations can become “audit-ready” without being reliably “incident-ready,” particularly in environments with complex sourcing and high system heterogeneity.
Skills shortages limit the return on investment
One of the most persistent barriers identified by ENISA is the shortage of qualified cybersecurity professionals. The issue affects both technical roles and governance functions. Organisations struggle to recruit and retain staff who can operate, tune, and improve security systems over time. The shortage becomes especially visible in security operations, where workload scales with the environment and requires continuous tuning rather than one-time setup.
As a result, tools are underused or misconfigured. Security platforms generate alerts that teams cannot triage effectively. Response procedures exist but are not exercised. External providers fill some gaps, but fragmented sourcing often increases coordination overhead rather than reducing risk. Vendors may deliver services, but responsibility for prioritisation, decision-making, and escalation still has to sit inside the organisation.
In this context, additional spending increases complexity instead of capability. Each new platform introduces new telemetry, new workflows and new operational dependencies. If execution capacity remains constrained, complexity grows faster than resilience.
Operational complexity undermines effectiveness
ENISA points to operational fragmentation as a key challenge. Many organisations operate heterogeneous environments built over years of incremental change. Legacy systems coexist with cloud platforms, outsourced services, and sector-specific technologies. Over time, these environments become difficult to secure consistently because security controls must span different architectures, ownership structures and operational cadences.
Security controls are deployed per system rather than across processes. Incident handling responsibilities are split between IT, security teams, compliance, and external partners. Decision paths during incidents remain unclear. When response depends on multiple handoffs, speed declines and accountability becomes diluted, even in organisations with significant budgets.
This fragmentation limits visibility and slows response. Even well-funded security programmes struggle when ownership and execution are dispersed. In practice, resilience declines not because controls do not exist, but because coordination fails under time pressure.

Why effectiveness lags behind investment
The ENISA report makes a consistent observation across sectors: cybersecurity effectiveness depends less on how much is spent and more on how investments are structured. The limiting factor is not the presence of controls, but the organisation’s ability to operate them continuously, improve them over time, and execute under incident pressure.
In many organisations, investment still prioritises tooling over operational ownership. Compliance requirements often shape priorities in a way that favours what can be demonstrated during audits, even when it does not translate into stronger detection, response, or recovery capability. At the same time, internal capacity remains a constraint. Security is treated as a function that can be “implemented”, rather than an ongoing operational discipline that requires skilled teams, routines, and continuous tuning. These gaps become even more visible when security is weakly integrated with IT operations and business risk management, leaving decision-making fragmented when incidents require speed and coordination.
Without addressing these structural constraints, higher budgets produce diminishing returns. Over time, investments can increase the control surface faster than the organisation can manage it, creating a posture that looks mature but behaves unpredictably in real operating conditions.
What improves outcomes under regulatory pressure
ENISA does not position regulation as the problem. Instead, it shows that organisations achieving better results treat compliance as a baseline rather than a goal.
More effective approaches share several characteristics:
- security investments linked to concrete risk scenarios
- clear ownership for detection, response, and recovery
- realistic assessment of internal skills and sourcing strategy
- integration of security into operational decision-making
These organisations spend with intent. Their controls support daily operations, not only audits.
What organisations should do next under NIS2 (practical actions, without just expanding the tool stack)
ENISA’s findings point to a practical conclusion: cybersecurity improves when organisations strengthen execution capacity, not only procurement. The following actions help translate investment into measurable operational outcomes:
- Define clear ownership for critical controls
  Assign accountable owners for detection, incident response, vulnerability management, and recovery. Ownership must include escalation authority during incidents.
- Shift from “audit-ready” to “incident-ready” capability
  Evidence and documentation are required under NIS2, but they do not guarantee operational performance. Build incident-ready security by rehearsing response paths end to end, including cross-team and vendor handoffs.
- Set operational cadence for patching and assessments
  If assessments and patching happen “when there is time,” resilience will drift. Establish review routines and SLAs for critical vulnerabilities, and track compliance as an operational metric.
- Reduce fragmentation in sourcing and escalation paths
  If external providers are involved, clarify who owns triage, containment, and communication. Complex sourcing can increase response time unless escalation paths are rehearsed and measurable.
- Link investment decisions to risk scenarios
  Prioritise controls that reduce exposure in high-likelihood, high-impact scenarios relevant to the organisation (e.g., ransomware recovery, identity compromise, supply chain incident). This improves both risk management and board-level oversight.
- Measure what matters: outcomes, not inventory
  Track measurable indicators such as mean time to detect (MTTD), mean time to respond (MTTR), patch SLA compliance, recovery time objectives (RTO/RPO feasibility), and incident drill performance over time.
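The outcome metrics listed above only become an operational control once they are defined precisely enough to compute from incident and vulnerability records. The following is an added example, not part of the article or of ENISA's report, showing one way to operationalise MTTD, MTTR and patch SLA compliance. The incident and vulnerability records, the SLA thresholds (14 days for critical, 30 for high) and the identifiers are all constructed for illustration; an organisation would feed the same functions from its ticketing or SIEM export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    name: str
    occurred: datetime   # first attacker activity, established by forensics
    detected: datetime   # first alert confirmed as a true positive
    resolved: datetime   # containment and recovery completed


@dataclass
class Vulnerability:
    vuln_id: str         # placeholder identifier, not a real CVE
    severity: str        # "critical" or "high"
    published: datetime  # when the finding entered the backlog
    patched: Optional[datetime]  # None if still open


# Constructed sample records; values chosen to show both compliant and breached cases.
INCIDENTS = [
    Incident("phishing-account-takeover",
             datetime(2025, 3, 1, 8), datetime(2025, 3, 1, 20), datetime(2025, 3, 2, 8)),
    Incident("ransomware-fileserver",
             datetime(2025, 5, 10, 2), datetime(2025, 5, 10, 6), datetime(2025, 5, 12, 6)),
    Incident("exposed-admin-panel",
             datetime(2025, 6, 15, 10), datetime(2025, 6, 16, 10), datetime(2025, 6, 16, 14)),
]

VULNERABILITIES = [
    Vulnerability("VULN-0001", "critical", datetime(2025, 4, 1), datetime(2025, 4, 10)),
    Vulnerability("VULN-0002", "critical", datetime(2025, 5, 1), datetime(2025, 5, 20)),
    Vulnerability("VULN-0003", "critical", datetime(2025, 6, 1), None),   # overdue and open
    Vulnerability("VULN-0004", "critical", datetime(2025, 6, 25), None),  # open but not yet due
    Vulnerability("VULN-0005", "high", datetime(2025, 5, 1), datetime(2025, 5, 25)),
]

# Assumed SLA thresholds in days; the article asks for SLAs but sets no values.
PATCH_SLA_DAYS = {"critical": 14, "high": 30}


def mttd_hours(incidents):
    """Mean time to detect: average gap between first attacker activity and confirmed detection."""
    return mean((i.detected - i.occurred).total_seconds() for i in incidents) / 3600


def mttr_hours(incidents):
    """Mean time to respond: average gap between confirmed detection and completed recovery."""
    return mean((i.resolved - i.detected).total_seconds() for i in incidents) / 3600


def patch_sla_compliance(vulns, severity, as_of):
    """Share of findings of one severity that were patched within SLA.

    A finding counts once its SLA deadline has passed (or it was patched earlier);
    an open finding whose deadline is still in the future is not yet due and is excluded,
    so the ratio is not inflated by very recent backlog.
    """
    sla = timedelta(days=PATCH_SLA_DAYS[severity])
    due = compliant = 0
    for v in vulns:
        if v.severity != severity:
            continue
        deadline = v.published + sla
        if v.patched is not None:
            due += 1
            if v.patched <= deadline:
                compliant += 1
        elif as_of > deadline:
            due += 1          # still open after the deadline: a breach
    return {"due": due, "compliant": compliant,
            "ratio": compliant / due if due else None}


def operational_metrics(incidents, vulns, as_of):
    """Board-level summary of outcome metrics, rounded for reporting."""
    return {
        "mttd_hours": round(mttd_hours(incidents), 1),
        "mttr_hours": round(mttr_hours(incidents), 1),
        "critical_patch_sla": patch_sla_compliance(vulns, "critical", as_of),
        "high_patch_sla": patch_sla_compliance(vulns, "high", as_of),
    }


if __name__ == "__main__":
    print(operational_metrics(INCIDENTS, VULNERABILITIES, datetime(2025, 7, 1)))
```

Tracking these values per quarter, rather than the count of deployed tools, is what turns the "outcomes, not inventory" principle into something a board can review. The exclusion of not-yet-due findings is deliberate: counting them as compliant would hide backlog growth, and counting them as breaches would penalise normal intake.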
Cybersecurity as an operational responsibility
The cost of cybersecurity in the EU cannot be assessed purely through budget size. The real cost emerges when investments fail to reduce exposure, shorten response times, or stabilise operations during incidents.
ENISA’s findings point to a structural conclusion: cybersecurity spending delivers value only when treated as an operational responsibility, not a procurement exercise. Regulation sets the minimum. Effectiveness depends on execution.
For organisations navigating NIS2 obligations, the challenge is no longer whether to invest, but how to ensure that each investment improves the organisation’s ability to operate under adverse conditions.
FAQ: ENISA NIS Investments 2025, NIS2 and cybersecurity spending in the EU
1) What does ENISA report about cybersecurity spending in the EU?
ENISA’s NIS Investments report shows that cybersecurity spending continues to grow across NIS sectors, but maturity and capability remain uneven between organisations and sectors.
2) Why does cybersecurity effectiveness stall despite growing budgets?
Because cybersecurity outcomes depend on execution capacity: skills, ownership, response coordination, and operational integration. If investment expands the control surface faster than the organisation can operate it, effectiveness stalls.
3) How does NIS2 influence investment decisions?
NIS2 increases accountability at management level and strengthens reporting requirements. This can bias investment toward controls that are easiest to demonstrate during audits rather than those that improve incident response and recovery in practice.
4) Why do skills shortages reduce the ROI of cybersecurity investments?
Security tooling requires tuning, triage, and continuous improvement. When organisations cannot recruit or retain enough skilled professionals, platforms become underused or misconfigured, increasing noise and complexity without improving outcomes.
5) What is the difference between compliance and resilience under NIS2?
Compliance focuses on meeting regulatory obligations and being able to demonstrate controls. Resilience depends on operational readiness: clear ownership, exercised response, and the ability to maintain continuity under real incident pressure.
Sources
- ENISA: NIS Investments 2025. Main Report
  https://www.enisa.europa.eu/sites/default/files/2025-12/NIS%20Investments%202025%20-%20Main%20report.pdf
- ENISA: What’s driving cybersecurity investments and where lie the challenges
  https://www.enisa.europa.eu/news/whats-driving-cybersecurity-investments-and-where-lie-the-challenges