The urgency around addressing the European Union’s cyber shortcomings is well founded. A mere 9% of organizations in Europe have the ‘Mature’ level of readiness needed to be resilient against modern cyber risks, according to Cisco’s first-ever Cybersecurity Readiness Index and its Europe Edition. The report highlights where businesses are doing well and where cybersecurity gap will widen if businesses, security and policy leaders don’t take action.

Over the past months, Europe has intensified its actions to level up its cybersecurity across the board, with a revision of the 2016 Network and Information System Security Directive (NIS 1) and, in September last year, a new proposal for product cybersecurity obligations through the Cyber Resilience Act.

Alongside the stark finding that only 9% of companies in Europe are at the Mature stage, Cisco’s Cybersecurity Readiness Index shows that more than half (64%) of companies fall into the Beginner (9%) or Formative (55%) stages – meaning they are performing below average on cybersecurity readiness. Globally, 15% of companies are at a Mature stage.


Healthcare, financial services rank amongst the most prepared industries, with an average of 20% in a Mature state, both regulated as Operators of Essential Services under the original EU NIS Directive.

This gap is telling, not least because 77% of respondents said they expect a cybersecurity incident to disrupt their business in the next 12 to 24 months, compared to 82% globally. The cost of being unprepared can be substantial. Over half (52%) of respondents said they had experienced a cybersecurity incident in the last 12 months and 32% of those affected in Europe said it cost them at least US $500,000, compared to 41% globally who had similar costs.

With 81% of European respondents planning to increase their security budgets by at least 10 percent over the next 12 months, business leaders understand they need to do more to be cyber resilient and avoid the costs of potentially highly damaging threats.

This must be a reality check for businesses in Europe. While the EU has made tremendous progress with the NIS Directive and its recent revision, and is working on more policy tools to build its cyber resilience, regulation is not sufficient on its own to drive mature security practices. Businesses have to make an investment commitment and prioritize areas where they need more maturity to close the cybersecurity readiness gap.

Organizations have moved from an operating model that was largely static – where people operated from single devices from one location, connecting to a static network – to a hybrid world in which they increasingly operate from multiple devices in multiple locations, connect to multiple networks, access applications in the cloud and on the go, and generate enormous amount of data. This presents new and unique cybersecurity challenges for companies.

About the Cisco Cybersecurity Readiness Index: Resilience in a Hybrid World

The global report measures the readiness of companies to maintain cybersecurity resilience against modern threats. These measures cover five core pillars that form the baseline of required defenses: identity, devices, network, application workloads, and data, and encompasses 19 different solutions. 

An independent third-party conducted the double-blind survey. They asked 6,700 private sector cybersecurity leaders across 27 global markets, including seven in Europe (UK, Germany, France, Spain, Poland, Netherlands and Switzerland), to indicate which of cyber solutions they had deployed and the stage of deployment. Companies were then classified into four stages of increasing readiness: Beginner, Formative, Progressive and Mature.


Chris Gow

Senior Director, EU Public Policy

Government Affairs