Lessons from ENISA’s NIS Investments Research

Marcel

January 19, 2026

In December 2025, the European Union Agency for Cybersecurity (ENISA) published the NIS Investments 2025 Survey Data Companion Document, a comprehensive dataset presenting the results of a large-scale survey among 1,080 European organizations regarding their cybersecurity investments, capabilities, and challenges.

This document offers an in-depth look at how organizations manage their cyber risks in light of the NIS2 Directive, making it a valuable reference for policymakers and security professionals who wish to align their cybersecurity strategy with contemporary demands. Below, we analyze the key insights and link them to how RiskStudio can support organizations in addressing the challenges identified by ENISA.

1. Cybersecurity investments continue to grow, but focus shifts

The ENISA study shows that organizations spend an average of 9% of their IT budget on cybersecurity, continuing an upward trend compared to previous years. Interestingly, this budget goes less toward expanding internal teams and more toward technology, outsourcing, and tooling.

Why this is relevant: Many organizations are looking for scalable solutions that can mitigate risks without linearly increasing staff. RiskStudio addresses this by providing a data-driven overview of cyber risks (such as weaknesses and vulnerabilities) without relying on internal tooling or manual processes. This helps direct investments more effectively and measurably to where the risks truly lie.

2. NIS2 compliance remains the biggest investment driver

A frequently cited reason for investing (more) in cybersecurity is the need to comply with the NIS2 Directive, with approximately 70% of organizations naming this as a significant factor. Although compliance is a strong motivator, the data shows that implementing the requirements is still challenging. Areas such as patching, business continuity, and supply chain management remain bottlenecks.

How RiskStudio helps: RiskStudio simplifies the identification and management of compliance-related risks by automatically analyzing digital business profiles, mapping external dependencies, and continuously monitoring risk indicators. This supports organizations in the practical application of NIS2 requirements rather than just the theory.

3. Cyber talent is scarce: the human factor remains a challenge

ENISA’s dataset shows a persistent shortage of cybersecurity professionals: a significant portion of respondents indicate difficulty in attracting and retaining talent. This talent crisis leads organizations to increasingly rely on automation, outsourcing, and technologies to compensate for capacity shortages.

Role of RiskStudio: By automating repetitive manual tasks, such as identifying digital assets, assessing vulnerabilities, and prioritizing risks, RiskStudio reduces the burden on scarce security professionals. This allows teams to focus on strategic cybersecurity activities instead of operational overhead.

4. Supply chain risks deserve more attention

Another aspect emerging from the ENISA dataset is the increasing importance of supply chain risk management. Third parties and suppliers are increasingly cited as sources of potential risks, and future investments are focused on strengthening this chain.

RiskStudio’s approach: RiskStudio makes it possible to analyze not only an organization’s own risks but also those of third parties and suppliers. By mapping relationships and dependencies, including digital business profiles, open vulnerabilities, and incident history, RiskStudio helps monitor and assess supply chain risks in real time.

5. Data-driven insights accelerate risk-driven decisions

While organizations often struggle with fragmented data and manual reporting, ENISA’s own companion document provides a data-driven basis for insight into cybersecurity practices.

Why this is important: Decisions regarding cybersecurity investments, governance, and compliance must increasingly be supported by measurable data. RiskStudio is built with this same principle in mind: current and structured data forms the core of analyses, reports, and advice.

Conclusion

ENISA’s NIS Investments 2025 study shows that European organizations are making progress in cyber investments, but operational execution, talent shortages, and compliance implementation remain real bottlenecks.

RiskStudio closely aligns with these challenges by providing organizations with continuously updated, data-driven risk insights, efficient automation of risk management tasks, and support for compliance reporting and vendor due diligence. Whether it’s demonstrating NIS2 compliance, prioritizing risks, or monitoring suppliers, RiskStudio helps organizations strengthen their cybersecurity strategy with both depth and scale.

Read the report yourself

You can download the publication via the following link: ENISA NIS Investments 2025