The European Union Agency for Cybersecurity ('ENISA') issued, on 23 November 2022, its latest report on Network and Information Security Investments in the EU. In particular, the report investigates how Operators of Essential Services ('OES') and Digital Service Providers ('DSPs') invest in cybersecurity and comply with the objectives of the Directive on Security Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'), whilst also giving an overview of the situation in relation to such aspects as IT security staffing, cyber insurance, and organisation of information security in OES and DSPs.

More in detail, the report outlines that, overall, a number of absolute values, such as IT and information security budgets or percentages of IT budgets spent on information security was significantly lower compared to the previous year.

In addition, other key findings of the report include:

• the NIS Directive, other regulatory obligations, and the threat landscape are the main factors impacting information security budgets;
• the estimated direct cost of a major security incident is €200,000 on median, twice as large as the previous year, indicating an increase in the cost of incidents;
• healthcare and banking remain the top two sectors in terms of incident cost;
• 86% of OES and DSPs have implemented third-party risk management policies; and
• 40% of surveyed OES have no security awareness programme for non-IT staff.

You can read the press release here and the report here.