We surveyed 670 business leaders across the UK, Poland, the Netherlands, Ireland, France, Germany, Italy, Denmark, and Belgium in late 2025. Despite a compliance deadline that has now passed, just 16% of businesses required to comply with NIS2 are confident they are fully compliant. Worryingly, 11% were unsure what NIS2 is, despite falling within its scope.

The findings arrive at a critical moment for European cybersecurity. 2025 saw significant cyber incidents across the continent, including major disruptions to UK retailers, a breach at Jaguar Land Rover estimated to cost the UK government £2.6 billion, and ransomware attacks that brought airports across Europe to a halt. Many of these incidents had a significant impact on the wider supply chain.

While the scale of the problem is clear, the reasons behind it are less obvious. The assumption might be that businesses aren't taking NIS2 seriously. Our research suggests otherwise.

Compliance Gap

While full NIS2 compliance remains low, our research makes clear that a lack of motivation is not to blame. Three-quarters (75%) of respondents see at least some competitive advantage to compliance, and over a quarter (27%) believe that advantage is significant.

The top concerns around non-compliance were operational and reputational rather than legal.

When we asked businesses why they hadn't fully complied, the answers were consistent across every region we surveyed. The barriers are practical, not strategic. Budgetary constraints were cited as the leading cause of non-compliance, followed by a lack of guidance on implementation and insufficient internal expertise.

This isn't a story of businesses ignoring regulation. It's a story of businesses that want to comply but haven't had the guidance or resource to do it. Notably, 11% of respondents were unsure what NIS2 is, despite falling within its scope.

For MSPs, this points to a growing reliance on external providers to operationalise compliance requirements. Businesses need practical support to bridge the gap between what the regulation requires and what they have the internal capacity to deliver.

Market Pressure

Partners, investors, and customers are already asking for proof.

The pressure to comply is coming from the market itself. As part of standard due diligence, businesses across the region are being asked to demonstrate their NIS2 status.

This pressure is only likely to grow. NIS2 is still a relatively new standard, and as more organisations build it into their supplier and partner requirements, the expectation to demonstrate compliance will become routine rather than exceptional.

NIS2 is changing how trust works in the market. Partners, investors, and customers are already asking organisations to prove compliance, not just promise it.

Board Buy-in

Board ownership is growing, and it unlocks larger deals.

Encouragingly, the survey found strong signs of board-level engagement with cybersecurity compliance.

This matters because board-level ownership changes the nature of the conversation. When a CEO is accountable for cybersecurity compliance, it stops being an IT procurement decision and becomes a business priority. CEOs are most commonly cited as ultimately responsible (34%). Budgets follow.

For MSPs, that shift translates directly into more strategic engagements. MSPs that can speak to business risk and commercial reputation, rather than purely technical implementation, are better placed to win the kind of long-term relationships that follow.

Regulation Fatigue

The shift from one-off projects to recurring compliance services.

Businesses are navigating NIS2 alongside GDPR, the EU Cybersecurity Act, DORA, ISO 27001, and more. The strain is showing.

This fatigue is understandable. An organisation operating within the EU could simultaneously be required to comply with NIS2, DORA, GDPR, the EU Cybersecurity Act, and ISO 27001. These frameworks overlap significantly, but navigating them still requires time, expertise, and resource that most organisations don't have in-house.

There is strong demand for partners who can offer ongoing, multi-regulation compliance support, not just one-off certifications. MSPs that can package compliance into a repeatable, managed service will be best placed to capitalise on this shift.

Beyond regulatory requirements, NIS2 is also reshaping how organisations assess risk across their supply chains. For MSPs, this creates a further opportunity: supporting customers not just in achieving compliance, but in demonstrating it on an ongoing basis.

From Our CEO

On where the market is heading.

On where this leaves businesses and the partners that support them:

"NIS2 is part of a wider trend where compliance is becoming continuous, not a one-time exercise. MSPs that can package compliance into a repeatable, managed service will be best placed to capitalise on this shift. NIS2 is also changing how trust works in the market. Partners, investors and customers are already asking organisations to prove compliance, not just promise it. The organisations that succeed will be the ones that turn compliance into routine."

For businesses navigating this landscape, the path forward involves finding partners who can make that routine a reality. For MSPs ready to play that role, the demand is already there.

670 business leaders surveyed across the UK, Poland, Netherlands, Ireland, France, Germany, Italy, Denmark, and Belgium in late 2025. All respondents represented organisations within the scope of NIS2: companies with 50–249 employees or turnover exceeding €10 million, MSPs operating within the EU, and UK businesses trading with EU entities. Research conducted by OnePoll.