Title: Alarmingly Low Compliance Rates Among Businesses Regarding EU’s NIS2 Directive
Recent research conducted by CyberSmart has unveiled a disconcerting reality for businesses that fall under the ambit of the EU’s Network and Information Security Directive 2 (NIS2). Despite the compliance deadline passing, only 16% of the surveyed businesses are confident that they have achieved full compliance with the regulation. Adding to the concern, a staggering 11% of respondents were unaware of what NIS2 entails, highlighting a significant lapse in knowledge among those who are supposed to adhere to its stipulations.
The insights gleaned from the CyberSmart NIS2 Survey, which involved 670 business leaders from various countries including the UK, Poland, the Netherlands, Ireland, France, Germany, Denmark, and Belgium, illustrate a growing disconnect in cybersecurity compliance. The survey, completed in late 2025, was executed by OnePoll. The NIS2 directive aims to bolster the security of network and information systems within EU member states, extending its jurisdiction even to certain non-EU organizations that provide services within the Union. Businesses encompassed by this directive are mandated to adopt specific cybersecurity measures and must report significant incidents to relevant authorities. Member states were obliged to integrate this directive into national laws by October 2024.
The timing of these findings could not be more critical as Europe grapples with a rising tide of cyber incidents. The year 2025 was marked by substantial disruptions, particularly impacting UK retailers, casting a shadow over the continent’s cybersecurity landscape.
Despite the low figures reflecting NIS2 compliance, CyberSmart’s research reveals that a lack of motivation among businesses is not the underlying cause. In fact, 75% of surveyed leaders acknowledge the competitive advantages associated with compliance, with 27% asserting that such an advantage is significant. However, the top concerns surrounding non-compliance relate more to operational and reputational risks. Notably, 18% of respondents expressed fears regarding productivity loss, reputational damage, and customer attrition, prioritizing these over potential fines (16%) or legal ramifications (14%).
The barriers to compliance pinpointed in the research primarily stem from practical challenges. Among those surveyed, 20% cited budget constraints as the leading impediment to achieving compliance. A noteworthy 16% indicated a lack of guidance on how to fulfill the directive’s requirements, while 11% noted insufficient internal expertise. Additionally, the same percentage of respondents were unaware of NIS2’s significance, which underscores the urgent need for increased awareness and education surrounding the directive.
Market pressures are also intensifying as organizations face inquiries regarding their NIS2 compliance status. A substantial fraction of respondents noted that 42% of partners, 41% of investors, and 36% of customers have demanded proof of compliance. The situation is particularly pressing for UK and Irish businesses, with 58% of respondents reporting heightened scrutiny from investors concerning their compliance status.
On a positive note, the survey also indicates heightened engagement at the board level regarding cybersecurity issues. The data shows that 60% of organizations have assigned responsibility for cybersecurity compliance to senior management, with CEOs commonly identified (34%) as the key accountable figures. Furthermore, 95% of respondents believe that their board understands at least to some degree the legal and reputational risks associated with non-compliance.
Alongside the findings specific to NIS2 compliance, the research reflects broader regulatory fatigue among businesses in the UK and EU. The respondents reported feeling overwhelmed, with 42% indicating that the multitude of compliance requirements is excessive. Additionally, 35% noted undesirable overlaps between regulations, while 27% expressed concerns over excessive emphasis on regulatory compliance.
This presents a substantial opportunity for managed service providers (MSPs) in the market. As businesses navigate an increasingly convoluted compliance landscape, demand is rapidly growing for continued, multi-regulation compliance support rather than mere one-off certifications.
Jamie Akhtar, CEO and Co-Founder of CyberSmart, articulated the crux of the issue, stating, “Our research shows that most organizations aren’t ignoring NIS2 – they’re stuck trying to implement it. Only 16% feel fully compliant, despite growing board-level ownership, real budget allocation, and a clear belief that compliance matters.” He emphasized the gap between regulatory demands and the practical support that businesses require to meet those demands.
Akhtar also highlighted the changing dynamics of trust in the market, asserting that compliance is no longer merely a promise but a requirement that organizations must fulfill. “The organizations that succeed will be the ones that turn compliance into routine – and move from uncertainty to confidence,” he remarked.
These alarming findings signal an urgent call to action for businesses within the EU and beyond, underscoring the necessity for heightened awareness, practical support, and a concerted effort to enhance cybersecurity compliance amid an escalating digital landscape.