| NOTAS: | "This report aims at providing policy makers with evidence to assess the effectiveness of the existing EU cybersecurity framework specifically through data on how Operators of Essential Services (OES) and Digital Service Providers (DSP) identified in the European Union’s directive on security of network and information systems (NIS Directive) invest their cybersecurity budgets and how the NIS Directive has influenced this investment. This fourth iteration of the report presents data from 1,080 OES/DSPs from all 27 EU Member States.
Despite a 25% increase of the cost of major cyber incidents in 2022 compared to 2021, the new report on cybersecurity investment reveals a slight increase of 0,4% of IT budget dedicated to cybersecurity by EU operators in scope of the NIS Directive. However, if organisations are inclined to allocate more budget to cybersecurity, 47% of the total of organisations surveyed do not plan to hire information security Full Time Equivalents (FTEs) in the next two years. Besides, 83% of these organisations claim recruitment difficulties in at least one information security domain. Such hiring issues surfacing in the report could be one of the factors when it comes to managing vulnerabilities. Indeed, an analysis on patching of critical IT and OT assets in the transport sector shows that 51% of the organisations in the transport sector need one month to patch critical vulnerabilities and 21% need a time between 1 month and six months. Only 28% of the surveyed organisations fix critical vulnerabilities on critical assets in one week." |
