
Cisco’s annual index sees little progress in cybersecurity readiness as threats rise


Today the European Commission warns 19 Member States for failure to transpose security regulation into national law – referral to the Court of Justice of the European Union could follow

Cisco’s 2025 Cybersecurity Readiness Index found that only 4% of organisations worldwide have achieved the ‘Mature’ level of readiness required to withstand cybersecurity threats. This is a slight increase over last year’s Index, in which 3% were designated Mature. Even so, cybersecurity preparedness remains low as hyperconnectivity and AI introduce complexities that are harder to secure.

AI is revolutionizing security and escalating threat levels, with 86% of organisations reporting AI-related security incidents last year, although only 49% of respondents are confident their employees fully understand AI-related threats. Some 48% believe their teams fully grasp how malicious actors are using AI to execute sophisticated attacks. Cisco says this awareness gap leaves organisations critically exposed.

Compounding trouble

AI is compounding an already challenging threat landscape. In the last year, 49% of organisations suffered cyberattacks, hindered by complex security frameworks with disparate point solutions.

Looking forward, 58% of respondents view external threats like malicious actors and state-affiliated groups as more dangerous to their organisations than internal threats, chosen by 42% of respondents.

Lack of urgency

“As AI transforms the enterprise, we are dealing with an entirely new class of risks at unprecedented scale – putting even more pressure on our infrastructure and those who defend it,” said Cisco’s Chief Product Officer Jeetu Patel.

“This year’s report continues to reveal alarming gaps in security readiness and a lack of urgency to address them. Organizations must rethink their strategies now or risk becoming irrelevant in the AI era.”

Cisco’s Index evaluates companies’ readiness in five areas – Identity Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement and AI Fortification, encompassing 31 solutions and capabilities. Based on a double-blind survey of 8,000 private sector security and business leaders in 30 global markets, respondents detailed their deployment stages for each solution. Companies were then categorised into four readiness stages: Beginner, Formative, Progressive and Mature.

Findings

The lack of cybersecurity readiness globally is alarming as 71% of respondents anticipate business disruptions from cyber incidents within the next 12 to 24 months.

Key findings from the study are:

  • AI has an expanding role in cybersecurity – 89% of organisations say they use AI to understand threats better, 85% for threat detection and 70% for response and recovery.
  • GenAI tools are widely adopted, with 51% of employees using approved third-party tools. However, 22% have unrestricted access to public GenAI, and 60% of IT teams are unaware of employees’ interactions with GenAI, a major oversight challenge.
  • 60% of organisations lack confidence in detecting unregulated AI deployments, or shadow AI, which poses cybersecurity and data privacy risks.
  • Within hybrid work models, 84% of organisations have increased security risks as employees access networks from unmanaged devices, with the risk exacerbated by their use of GenAI tools that are not approved by their employers.
  • While 96% of organisations plan to upgrade their IT infrastructure, only 45% allocate more than 10% of their IT budget to cybersecurity (down 8% year-on-year). Cisco says this emphasises the critical need for more investment in comprehensive defence strategies as threats expand and accelerate.
  • More than 77% of organisations report that their complex security infrastructures, which are dominated by more than 10 point-security solutions, hinder their ability to respond swiftly and effectively to threats.
  • 86% of respondents say the shortage of cybersecurity professionals is a big challenge, with more than half reporting that they have more than 10 positions vacant.

Find out more about the Cybersecurity Readiness Assessment Tool

EC reprimands 19 EU states for lack of progress with security

With perfect timing, the European Commission underlined the widespread lack of urgency around cybersecurity. It decided to send a reasoned opinion to 19 Member States (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland and Sweden) for failing to notify full transposition of the NIS2 Directive (Directive (EU) 2022/2555).

Member States were to have transposed the NIS2 Directive into national law by 17 October 2024. The Directive aims to ensure a high level of cybersecurity across the EU. It covers entities operating in critical sectors such as public communications services, ICT service management, digital services, wastewater and waste management, space, health, energy, transport, manufacturing of critical products, postal and courier services, and public administration.

Full implementation of the legislation is key to further improving the resilience and incident response capacities of public and private entities operating in these critical sectors and the EU as a whole. Therefore, the Commission has decided to issue a reasoned opinion to 19 Member States, which now have two months to respond and take the necessary measures. Otherwise, the Commission may decide to refer the cases to the Court of Justice of the European Union.
