The NIS 2 directive – where are we now?
The deadline for the transposition of the EU’s second Network and Information Systems Security directive (NIS 2) came and went in October 2024 with only a handful of member states having completed the task. As it became clear that this was not just a minor case of not submitting the paperwork on time, the European Commission (EC) swung into action, initiating infringement proceedings against 23 member states in November 2024, with those countries given until January 2025 to provide updates on their progress or demonstrate that they had achieved compliance. Only Belgium, Croatia, Italy, and Lithuania escaped the wrath of the Commission.
Changes
Through the first half of 2025 the picture gradually changed, although decisive numbers depend on the interpretation of what it means to be compliant. In May 2025, 19 member states were on the receiving end of another ultimatum from the EC. However, by July 2025, the list of countries that had enacted laws on the implementation of NIS 2 had swelled to 14 states, with Cyprus, Denmark, Finland, Greece, Hungary, Latvia, Malta, Romania, Slovakia, and Slovenia joining the first four countries noted above. Denmark, Finland, Hungary, Latvia, and Slovenia were the countries with the dubious honour of having transposed the directive but still making the EC’s naughty list. The nuance is that countries not only have to transpose the law, they also have to provide full notification of all applicable legislation to the Commission.
Note that EC saber-rattling is not confined to NIS 2: the Commission provides a monthly list of its infringement decisions and recent iterations have included calls around energy legislation, emissions trading, corporate sustainability reporting, and more.
It’s also worth looking at why some of the non-compliant states have not made the required progress. In several cases, the countries in question have gone through changes in government, often multiple times. In Portugal, the government has toppled three times in three years, most recently in March 2025. Germany’s elections in February 2025 meant that all pending legislation either had to be reintroduced or was put on hold. The collapse of the Dutch government at the beginning of June 2025 further set back a process that was already behind schedule.
Legislative processes are complex and any disruption can lead to delays both initially and then further down their carefully calibrated calendars.
Under pressure
What does this mean for all the organizations covered – or likely to be covered – by the Directive? How should a company with operations in 10 EU member states, for example, build its compliance strategy and roadmap if 5 of those member states have transposed the Directive and 5 have not? The legislation is already extensive and complex enough without such additional uncertainty layered on top.
Uncertainty impacts organizational planning. According to IDC’s 2025 EMEA Security Technologies and Strategies Survey, almost two-thirds of organizations covered directly by the legislation had not yet started compliance work, as of spring 2025. Allocation of dedicated funding is difficult under these circumstances, with 82% of organizations saying they had not seen any change in their security budget to address NIS 2 requirements. That does not mean no funding is available – but when the directive comes into force in their relevant markets, it may require reallocation of existing funds from other initiatives.
Of course, there are measures that can be taken that do not require technology investments, with 19% of organizations saying they have updated their security policies and processes in relation to NIS 2 requirements. Still, that is less than 1 in 5.
Up the hill backwards
Delays in transposition of the legislation may lead some organizations to consider that time is on their side and there is little need to press ahead with preparations for compliance. Until a European law has come into force, there is no legal basis to enforce compliance. Nevertheless, there are legal principles that caution against taking this approach.
The so-called principle of effectiveness, developed by the European Court of Justice in relation to EU law, puts obligations on EU member states to act in certain circumstances. It may seem like there is little incentive to pursue such cases, but bear in mind that NIS 2 aims to build cyber resilience in critical and important entities in the face of ever-increasing cyberattacks. So, when a major cyber incident disrupts operational capability in a critical vertical, investigations and audits will follow once the initial impact has been contained and services restored. In that situation, there is no guarantee that the principle of effectiveness will not be invoked, if it is deemed that an in-scope organization failed to take appropriate measures to manage the risk.
Most member states have set up registration mechanisms through which in-scope organizations have to provide certain information such as designated personnel, contact details, IP ranges, and more. The designated authorities in each member state are required to compile those lists of critical and important entities and share the number of entities, along with the sector and subsector breakdown, with the EC and the NIS 2 Cooperation Group. These coordinated actions serve a broader function of enabling the EU’s supranational cybersecurity operational bodies to track and address major incidents that may transcend national borders and lead to impacts spreading across sectors and countries. Consequently, even in member states that have not completed transposition it is crucial that in-scope entities fulfill the registration requirements for their organization.
The area of incident response also bears scrutiny. Article 23 of the NIS 2 directive details incident reporting obligations, which include an initial alert that must be made within 24 hours of becoming aware of the incident, full notification within 72 hours, and a final, detailed report within one month. Even before full transposition, member states themselves are required to run Computer Security Incident Response Teams (CSIRTs) that are obliged to support in-scope entities in case of an incident. Subject to the findings of those cases, compliance demands could be applied retroactively or specific requirements imposed with compressed deadlines to address key issues.
It’s no game
Despite delays in transposing the legislation, the NIS 2 directive is moving inexorably towards being enforced across the EU and even beyond, when we take into account international companies with operations in EU member states or companies that are suppliers to in-scope organizations. According to IDC’s survey, 41.1% of organizations said that despite not being in scope for NIS 2, they are still facing compliance requests from some of their partners that are covered by the directive. Individual countries continue to make progress: in Finland the legislation came into force on 8 April 2025; in Slovenia on 19 June; and in Denmark and Estonia on 1 July. Cyber incidents and the risk of extended legal actions make a very strong case for all in-scope entities to prioritize achieving NIS 2 compliance. And even if the auditors aren’t watching you – maybe the cybercriminals are.
To learn more about how European organizations are preparing for NIS 2 compliance, visit IDC’s European Security Technologies and Strategies page. If you have a specific query about NIS 2, drop it in this form.
Mark will be speaking at IDC’s CISO Xchange, which takes place 9-11 November in Marbella, Spain.
Unlocking measurable business value: the essential guide for technology sellers
Discover strategies to quantify ROI, build buyer confidence, and drive growth in a competitive tech market.
In today’s technology landscape, having an innovative product is just the starting point. What truly sets successful tech vendors apart is their ability to demonstrate clear, measurable business value and return on investment (ROI) to their customers. This shift is driven by evolving buyer expectations, economic pressures, and the need for technology investments to deliver tangible outcomes aligned with broader business goals.
Why ROI and business value matter more than ever
The market environment has transformed significantly in recent years. Economic uncertainties and tighter IT budgets mean that decision-makers—from CFOs to CIOs—are monitoring investments with higher levels of scrutiny. Digital transformation must prove its worth through quantifiable results.
Three key forces are shaping this new reality:
- Economic pressure: Organizations must justify every expenditure, making financial accountability paramount.
- Rapid technological change: Businesses need to adopt solutions that not only innovate but provide competitive advantages.
- Increased accountability: IT leaders are under growing pressure to demonstrate measurable impact to stakeholders.
In this context, ROI has become the deciding factor for investment decisions. It translates technology benefits into financial terms, aligns technology initiatives with strategic business objectives, and reduces risks by offering assurance through proven value.
Moving beyond features: how to prove business value
Tech buyers today demand more than product specs—they want evidence of how a solution will improve their operations, reduce costs, or increase revenue. To meet this demand, vendors must embrace a comprehensive, data-driven approach to showcase business value:
- Use data-backed documentation: Whitepapers, case studies, and analyst reports grounded in credible research help tell a compelling story.
- Offer tailored financial models: Interactive ROI calculators and TCO analyses customized to specific client scenarios provide clarity and confidence.
- Highlight operational KPIs: Metrics like productivity gains, time savings, and efficiency improvements resonate alongside financial data.
- Leverage customer insights: Real-world success stories and testimonials add authenticity and build trust.
A holistic approach to business value
Demonstrating business value requires more than just numbers—it demands a strategic, customer-centric mindset:
- Validate with industry research: Third-party validation from trusted sources enhances credibility and trust.
- Tailor to customer needs: Align your messaging with the unique challenges and goals of each prospect.
- Present a multifaceted value proposition: Beyond cost savings, emphasize strategic benefits such as improved agility, innovation enablement, and enhanced customer experience.
Why IDC is your ideal partner for business value success
At IDC, we specialize in helping tech vendors quantify and communicate the real-world impact of their solutions. Our Business Value services combine rigorous research, tailored financial analysis, and compelling storytelling to empower your sales and marketing teams. We provide:
- Detailed ROI and TCO models that resonate with CFOs and finance teams.
- Strategic presentations and case studies that speak to CIOs and IT decision-makers.
- Training and tools to equip your sales force to confidently address objections and demonstrate value.
By partnering with IDC, you gain access to trusted expertise and proven methodologies that accelerate buyer journeys, reduce sales cycles, and ultimately drive revenue growth.
Final thoughts
In a market where every investment must have a return, demonstrating ROI and business value is essential. Tech vendors who can clearly articulate the economic and operational benefits of their solutions will not only win more deals but build lasting partnerships grounded in trust and measurable success.
Are you ready to unlock the full potential of your technology offerings by proving their true business value? Connect with us to learn how IDC can help you transform your sales approach and drive impactful results.
European ICT spending implications of NATO’s 5% GDP spending target
At the 2025 NATO Summit in The Hague a few weeks ago, member states pledged to allocate 5% of their annual GDP to core defense requirements and defense- and security-related expenditures by 2035. This represents a significant departure from the alliance’s longstanding 2% benchmark, particularly given that the current average defense spending among NATO members only marginally meets the 2% target.
European nations constitute the majority of NATO’s members. And since the onset of Russia’s invasion of Ukraine, several Eastern European countries, such as Poland, have substantially increased their defense budgets. Nevertheless, many European allies remain below the alliance average, rendering the new 5% objective highly ambitious. The United States continues to lead in defense investment, with expenditures approaching $1 trillion in 2024, double the combined defense spending of Europe and Canada, and has been an advocate for heightened commitments among NATO allies.
The new target of 5% of GDP is structured to address both immediate military needs and broader security challenges, with an ideal split of spending between two categories:
3.5% of GDP: core defense requirements
- Purpose: This portion is dedicated to traditional military expenditures.
- Coverage: Includes funding for active personnel, acquisition and maintenance of weapons systems, military equipment, R&D, and operational readiness.
1.5% of GDP: defense and security-related investments
- Purpose: This segment is allocated to areas that support and enhance national and alliance security beyond conventional military assets.
- Coverage: Encompasses investments in critical infrastructure (such as energy grids, transportation networks, and communication systems), network defense, and resilience against hybrid threats.
Direct ICT spending impact
Core defense spending: A larger budget is expected to drive more funding for defense organizations and spark a ripple effect in ICT spending. According to the IDC Worldwide ICT Spending Guide: Enterprise and SMB by Industry, aerospace and defense ICT investments in Europe will top $11 billion in 2025—about 1% of the region’s total ICT expenditure.
Military modernization efforts are focused on upgrading command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) systems, strengthening cyber defenses, integrating artificial intelligence for battlefield operations, and enhancing encryption to secure communications and protect against cyber threats. However, this category will likely represent only a small portion of the overall 3.5% GDP allocation to core defense requirements.
Assuming the 3.5% target equates to approximately $665 billion, it is expected that initially less than $20 billion will be directed towards digital modernization and related technologies. This restrained allocation stems from several pressing priorities:
- Many NATO members must rearm and modernize legacy military equipment, much of which is outdated or has exceeded its operational life.
- There is an urgent need to rebuild naval fleets and replenish armament supplies, particularly after significant stocks were transferred in support of Ukraine.
- Substantial investment in unmanned aerial systems (drones), which are increasingly central to modern warfare, will also consume a major share of the available resources.
Therefore, while digital modernization is strategically important, the immediate proportion of defense spending dedicated to these initiatives will be modest in comparison to the broader requirements of re-equipping and reinforcing conventional military forces. Over time, this share may increase as foundational rearmament needs are addressed and digital technologies become further integrated into military operations.
Indirect ICT spending impact
Defense and security-related investments: Efforts are focused on securing critical infrastructure from both cyber and physical threats, enhancing national and international cybersecurity through advanced tools, investing in IoT and digital twin technologies for real-time monitoring, and promoting post-quantum cryptography and secure digital identities. However, the most significant portion of spending in this area will be dedicated to fundamental cybersecurity measures and the development of sovereign data and cloud capabilities. Much of this investment will address foundational requirements, such as fortifying existing networks, implementing robust data protection protocols, and ensuring compliance with national security standards.
While initiatives involving emerging technologies—such as post-quantum cryptography—are important for long-term resilience, these areas are likely to attract only limited funding initially. The focus will remain predominantly on basic cybersecurity infrastructure and sovereign data management until Europe further develops a robust innovation base in the defense technology sector. Heavy investment in more advanced and experimental digital solutions will depend on the establishment of this foundation and the maturation of European defense-driven technological ecosystems.
Induced ICT spending impact
This growth will create new opportunities for core defense solutions and benefit related industries, fueling wider momentum across the defense ecosystem. That momentum has in turn set off significant induced ICT spending, especially among major European defense contractors. As these companies prepare to deliver more advanced and diverse products and services, the demand for innovative IT solutions and digital transformation initiatives has surged. This effect spans not only traditional leaders such as Leonardo, Dassault, and Rheinmetall, but also extends to BAE Systems, SAAB, Indra, Thales, and Airbus, among others.
The current environment provides a strong opportunity for the European defense industry to enhance its position in the global market. By accelerating investments in areas such as digital platforms, cybersecurity, cloud infrastructure, and advanced analytics, the sector can differentiate itself while building greater resilience and competitive strength. Examples of current IT and digital transformation-related initiatives include:
- Development of secure, sovereign cloud platforms for defense applications and data management.
- Deployment of AI-driven command and control systems to improve operational decision-making and mission effectiveness.
- Launch of pan-European projects to promote interoperability, digital sovereignty, and cybersecurity across defense networks, often supported by the European Defence Fund and broader EU digital policy frameworks.
These initiatives foster a more interconnected and technologically advanced defense ecosystem, ensuring that European contractors can respond to evolving demands and capture new growth opportunities in a global context.
NATO’s new 5% GDP spending target signals a major shift for Europe’s defense sector, promising record investment in military capabilities and key enabling technologies by 2035. However, long-term commitment is uncertain, as future governments may redefine priorities.
This shift opens the door for technology providers—whether established contractors or innovative startups—to play an essential role in shaping the continent’s security future.
For technology providers, the key imperatives are clear:
- Make the defense market a top priority: With traditional defense budgets swelling and new funding streams available, tech vendors – especially those historically focused on enterprise or civil solutions – should prioritize defense within their broader industry strategies. Consider how your technology – especially AI-driven solutions for logistics, scheduling, or intelligent automation – could be adapted for military use. With rising defense investment and a growing need for innovation, now is the time to explore how your products can address emerging defense challenges and open new markets.
- Embrace broader collaboration: Leverage increased funding and European Union support for joint ventures and R&D initiatives to accelerate adoption and scale innovation across national boundaries.
- Drive dual-use innovation: Develop technologies that bridge defense and civilian markets, maximizing addressable opportunity while supporting national security objectives. In doing so, it is essential also to consider the spillover effects beyond pure core defense spending in adjacent sectors.
The path forward demands agility, innovation, and collaboration, but the rewards – in terms of both market opportunity and societal impact – are substantial.
To learn more about how ongoing geopolitical dynamics are shaping IT spending strategies, visit IDC’s Digital Economy Strategies page.
Shadow AI: How stealth productivity is strangling enterprise AI adoption. And creating a security nightmare…
Remember the good old days when “Shadow IT” was just about rogue Excel spreadsheets and unauthorized Dropbox accounts? But the times they are a-changing! Now we’re dealing with something far more insidious: Shadow AI. And no, it isn’t just lurking in the corners of your organization, or anyone else’s, anymore. Now it’s driving productivity gains while simultaneously creating security nightmares that, hopefully, keep CISOs wide awake at night.
From private drives to GPT instances
Shadow IT has been the bane of enterprise administrators’ existence for decades. We’ve all seen it: marketing teams building their own CRM systems, sales departments hoarding customer data in personal cloud drives, and finance teams creating elaborate Excel macros that have somehow, unnoticed, become mission-critical applications. But nowadays we have Shadow IT on AI steroids.
Because instead of innocent unauthorized OneDrive instances, we have unauthorized ChatGPT accounts, private Perplexity subscriptions, custom Copilots, and Excel automation scripts integrated with GPT APIs. And they ALL operate completely outside of IT oversight.
As many experts repeat: shadow IT hasn’t disappeared – it has evolved. And artificial intelligence has given it a turbocharged engine.
The staggering scale of unauthorized AI adoption
IDC’s Global Employee Survey from April 2025 reveals that 39% of EMEA employees are using free AI tools at work, and another 17% use AI tools they pay for privately. Only 23% of employees declare that they use AI tools provided by their organization, and even that does not mean they are not using private tools at the same time. Another survey I’ve come across shows that 52% of workers won’t admit to using AI in their jobs. And the percentage of sensitive corporate data being fed into AI tools has skyrocketed from a not insignificant 10% to over 25% in just one year.
Why are these numbers so high? The answer is frustratingly simple: on a basic level, AI can be ridiculously easy to use. You need a browser, a prompt, and you’re done. No coding, no server configuration, no IT tickets that sit in queues. Just pure, immediate productivity enhancement. Maybe with a bit of compliance catastrophe on the side, but who’s looking?
March or die
However, let’s be brutally honest about why else these numbers are so high. Employees aren’t just using AI tools to work smarter – they’re often using them to survive increasingly unreasonable workplace expectations. In an era where headlines scream about companies replacing entire departments with AI, workers are fighting hard to prove their relevance.
The pressure is palpable and justified. When employees read about firms cutting 30% of their workforce while boasting about AI-driven efficiency gains, the message is clear: march or die. Shadow AI adoption isn’t just about productivity enhancement, more than anything it can be about professional self-preservation.
This creates a weird dynamic where the very people organizations depend on feel compelled to hide the tools that make them valuable. Are they being rebellious or just rational? When your job security depends on meeting targets that seem designed for superhuman capabilities, you’ll probably use whatever tools necessary to achieve them, authorized or not.
Most AI tools don’t require dedicated client applications. They operate seamlessly through web browsers or as mobile apps, making them almost invisible to traditional IT monitoring systems. The vast majority of ChatGPT, Google Gemini, or other tool usage at work happens through non-corporate accounts, meaning corporate data or IP is being processed by AI models that organizations have zero visibility into, zero control over, and zero ability to audit.
How pursuit of productivity kills strategic AI adoption
Many organizations, in their relentless pursuit of productivity metrics and efficiency gains, are creating an environment where employees feel compelled to hide their AI usage to meet impossible expectations. This creates a vicious circle: leadership demands productivity improvements while threatening job cuts; employees discover AI tools that help them meet unrealistic expectations; IT blocks access; so employees turn to unauthorized tools to avoid becoming the next layoff statistic.
The result? Organizations end up with lower overall AI adoption rates than they could achieve, precisely because they created a fear-based environment where survival instinct eats strategy for breakfast. Define irony: companies that publicly celebrate AI’s potential to replace human workers are simultaneously frustrated by their inability to achieve coordinated, strategic AI implementation.
The education paradox, or why one-time training is bound to fail you
And here’s where most organizations spectacularly miss the mark. They roll out a single “AI Awareness” training session, check the compliance box, and wonder why employees still go rogue.
Basic communication theory tells us that people need to hear a message seven times before it truly registers. Yet organizations treat AI education like a software update: deploy once, assume adoption. The learning curve for responsible AI usage isn’t a gentle slope. Or maybe it is gentle, but the road is long and winding. Employees need ongoing, contextual education that evolves with the changing AI landscape. They need to understand not just the “what” and “how,” but the “why” behind AI governance policies. (And you need AI governance, do we even need to say that?) When people understand the reasoning behind restrictions, compliance rates soar. When they don’t, Shadow Everything thrives.
Smart organizations recognize that AI literacy requires sustained and strategically planned education programs. They build comprehensive learning pathways that revisit core concepts with increasing depth over time, ensuring employees develop genuine understanding rather than superficial compliance. This investment isn’t just about risk mitigation – it’s about creating a workforce capable of strategic, responsible AI adoption.
Hope for the transparency solution? BYOAI!
The IEEE Computer Society proposes a solution that might make traditional IT nervous: BYOAI (Bring Your Own AI). This approach emphasizes transparency, risk assessment, and responsibility while allowing employees to work with their preferred AI tools.
The concept acknowledges a fundamental truth that many organizations refuse to face, although they should have learnt it already: you can’t stop the adoption of Shadow AI, or of anything else for that matter, through prohibition. Prohibition will only drive it deeper underground, where it becomes even more dangerous. Think about Chicago, Valentine’s Day, circa 1929. So if a ban is not the answer, then what? The easiest, yet most reliable, way to mitigate risk is good old, albeit boring, education…
Embrace reality, manage risk
Shadow AI isn’t going away. The productivity gains are too compelling, the tools are too accessible, and the competitive pressure too intense. Organizations have two choices: build frameworks for managing Shadow AI or watch it manage them.
What will smart companies do?
- Invest heavily in ongoing employee AI education (not one-shot training)
- Create transparent AI governance frameworks
- Design security policies that enable rather than restrict innovation
- Build trust through collaboration rather than control
- Measure success by strategic AI adoption, not just productivity metrics
The question isn’t whether Shadow AI is a threat or an opportunity – it’s whether your organization will respond with wisdom or wishful thinking. Choose wisely!
Listen back to Ewa on the following webcast: AI in 2025: Deliver or Wither
To learn more about how International Data Corporation (IDC) can support your technology market data needs, please contact us.