In December 2025, ENISA published the sixth edition of its NIS Investments Report, surveying 1,080 public and private organizations across all EU Member States and all sectors of high criticality under NIS 2. The sample included 83% large enterprises and 17% SMEs, enabling direct comparison of how different organizations are handling cybersecurity investment.
The Headline Numbers
Organizations are spending 9% of their IT budgets on cybersecurity, with a median of €1.5 million — roughly in line with last year. But the composition of that spending is shifting:
- Technology over people. Spending is increasingly directed toward technology and outsourced services rather than expanding internal cybersecurity teams.
- Compliance is the #1 driver. 70% of organizations cite regulatory compliance as their primary investment driver. But the benefits extend beyond box-ticking: 41% report improved risk management, 35% better detection, and 26% stronger incident response.
- NIS 2 is pushing action in the right areas. Organizations are strengthening patching, business continuity, and supply chain risk management — precisely the areas that NIS 2 mandates — even though they report these as the most difficult to implement.
The Talent Crisis Isn't Improving
The numbers are stark:
- 76% of organizations report difficulty attracting cybersecurity professionals
- 71% report difficulty retaining them
- High turnover reinforces the gap: trained staff leave for better-paying roles, and replacements are scarce
For SMBs, this is especially acute. Most cannot compete on salary with large enterprises or consultancies. The result: many SMBs have zero dedicated cybersecurity staff and rely entirely on outsourced services or — more commonly — general IT staff who handle security as a side responsibility.
Where SMBs Struggle Most
The report identifies specific areas where SMBs face disproportionate challenges:
- Security assessments: 63% of SMEs report that conducting regular cybersecurity assessments is a persistent challenge — compared to significantly lower rates at large enterprises. Almost 1 in 3 organizations across all sectors hadn't conducted any cybersecurity assessment in the past 12 months.
- Patching: 51% of SMEs struggle with timely patching. 28% take more than three months to patch critical vulnerabilities — a window of exposure that attackers actively exploit.
What This Means for Compliance Strategy
The data tells a clear story: compliance is driving cybersecurity improvement, but implementation — particularly for resource-constrained organizations — remains the bottleneck. The organizations that succeed are those that:
- Automate what they can. Use tools to handle risk assessments, gap analysis, and evidence collection instead of manual spreadsheets.
- Accept proportionate measures. A 3-page procedure that people follow beats a 50-page framework that sits in a drawer.
- Focus on the basics first. Patching, access control, incident detection, backups. These aren't exciting, but they're what regulators — and attackers — care about most.
- Leverage AI-assisted tooling. For organizations without a dedicated CISO, AI-powered compliance platforms can fill the gap between "we know we need to comply" and "here's our documented, assessed, evidence-backed compliance posture."
The Opportunity
ENISA's data confirms something ShieldBase has been built around: the biggest barrier to NIS 2 compliance isn't willingness — it's capacity. Organizations want to comply. They're allocating budget. But they lack the people, the processes, and the practical guidance to get from intention to implementation. That's the gap that structured, AI-assisted compliance platforms are designed to close.