Cyberdise AG

NIS2 Is in the Budget - Not Yet in the Systems

A new study conducted by CIO / CSO / Computerwoche (based on 324 interviews with senior IT decision-makers across DACH, conducted November–December 2025) paints a clear picture: NIS2 is reshaping how organisations think about cybersecurity. But compliance and actual resilience are still far apart.

Below are the findings we think matter most – and what they mean for how you approach security awareness and human risk.

The State of NIS2 Implementation

NIS2 is in force. The deadline has passed. Yet the gap between being affected and being ready remains significant.

66%

of NIS2-affected organisations have not yet fully implemented the directive.

Only 34% report full compliance. A further 10% cannot even determine whether they are affected at all.

47%

find NIS2 implementation difficult or very difficult. Only 15% report minimal obstacles. The top challenges: high implementation effort (39%), complex requirements (39%), and unclear regulatory scope (34%).

This means a large portion of affected organisations are running behind – not because they don’t care, but because the directive is genuinely hard to operationalise. Unclear boundaries, overlapping requirements with DORA for financial sector players, and limited internal capacity all contribute.

The Human Risk Blind Spot

Every Attack Vector Starts with Social Engineering

One of the sharpest findings in the study: all major attack vectors can (and typically do) begin with social engineering. Phishing is not one threat among many. It is the entry point to almost everything else. More than half of respondents fear industrial espionage as a top threat. Yet when it comes to training the human layer, the numbers tell a different story:

Only 43.5%

of organisations offer mandatory NIS2 management training. 37% still classify it as voluntary. At 11% of companies, no such training exists at all.

56%

cite ‘current threats’ as the most common training category – the most frequently mandatory security training in the study. Yet awareness specialists question whether generic threat briefings drive actual behaviour change.

Training that informs but doesn’t change behaviour leaves the human layer exposed. Understanding what a phishing email looks like in the abstract is not the same as being conditioned to spot and report one under time pressure.

Supply chain risk – acknowledged but underweighted

NIS2 explicitly requires organisations to manage supply chain security. The study reveals a significant gap here:

  • 85%+ say NIS2 implementation is leading to a larger supplier portfolio – more suppliers, more exposure.
  • Only one-third of respondents view supply chain risks as a critical area, despite it being an explicit NIS2 requirement.
  • The number of suppliers is growing, not shrinking – increasing the attack surface even as organisations work to secure it.

Many organisations are getting absorbed in meeting NIS2’s formal requirements and losing sight of what the directive is actually trying to protect against — gaps in the supply chain being one of the most consequential.

AI in Cybersecurity – and the Skynet Problem

AI adoption is accelerating. The study shows two-thirds of organisations are already using AI heavily, and three-quarters are expanding their AI footprint – half of those significantly. The stated end goal of AI use in cybersecurity? Fully automated security operations. That’s not a distant aspiration – it’s already the declared direction of travel for a meaningful share of respondents.

10% overall – 17% at large companies

want completely autonomous security with no human override. Among organisations with 1,000+ employees, almost one in five is willing to remove humans from the security decision loop entirely.

This is worth pausing on. The same study shows that over half of organisations don’t even have mandatory security training in place – yet a significant minority is already comfortable removing humans from the security loop entirely. The risk of that combination is not theoretical.

The irony: attackers are using AI to craft more convincing, personalised social engineering attacks. The answer to that is better-trained humans – not fewer of them in the decision loop 😉

Where IT Budgets Are Going in 2026

Despite economic headwinds, IT investment intentions are strong:

  • 49% plan to increase IT spending significantly (10% or more).
  • 43% plan to maintain or moderately increase their budgets.

And the top investment area? Information security — at 45.8%, it leads all other categories. Looking out to 2026–2029, the top four investment areas are IT infrastructure, cloud, AI hardware, and cybersecurity.

Security is not being deprioritised. The challenge is ensuring that investment is directed at the right problems – and that includes the human layer, not just the technical stack.

Compliance is being treated as a documentation exercise, not a behaviour change programme. That gap is exactly where attacks happen. CYBERDISE is built to close it – our solution has been shown to reduce human risk behaviour by up to 60%, as demonstrated in a joint study with the University of Applied Sciences Lucerne (link).  
