Wavestone's Cybersecurity Report Reveals Sector-Wise Trends and Regulatory Impacts

The 2026 Cyber Benchmark report from Wavestone reveals important trends in cybersecurity maturity among large organizations across Europe. The financial sector has notably taken the lead in this area, attributed largely to the influence of stringent regulatory frameworks such as the Digital Operational Resilience Act (DORA). This legislation compels organizations to enhance their cybersecurity measures, prompting significant investments in cybersecurity tools and consulting services. Despite these improvements, many organizations still face significant challenges associated with new technologies and the evolving cyber threat landscape.

According to the report, the average maturity level of large organizations, particularly those with revenues exceeding €1 billion, has improved modestly by 1.3 points, now reaching a maturity score of 3%. The financial sector, in particular, outperforms others, achieving an impressive average score of 6%, a substantial jump of 5.1 points from the previous year. This is indicative of how regulatory pressures and heightened investments in cybersecurity measures can propel advancements. As noted in the report, larger organizations typically allocate an average of 7% of their total budgets to cybersecurity; however, this remains at the lower end of the suggested investment range of 5 to 10%.

Still, significant hurdles linger. Organizations struggle to secure their infrastructures against artificial intelligence (AI)-related vulnerabilities and manage the risks associated with third-party vendors. The report highlights that while 76% of large organizations have defined security rules pertaining to AI, their overall market maturity regarding these risks is still alarmingly low at only 38%. This suggests that companies are beginning to recognize and address the security challenges posed by AI, but implementation of structured security measures is just beginning in many cases. Moreover, the detection of threats targeting AI systems remains critically low at 10%, indicating an urgent need for development in this area.

In terms of human resources, the report provides insight into staffing levels. On average, organizations now have one cybersecurity expert for every 979 employees, improving from last year's ratio of 1 for every 1,016 employees. The financial sector's leaders boast a much better ratio of approximately 1 to 83, highlighting the importance of specialized expertise in effectively managing complex cybersecurity challenges.

Wavestone's findings also suggest a shift in market dynamics as organizations aim for improved governance, risk management, and incident response capabilities. These factors seem to drive the renewed focus towards cybersecurity maturity, particularly in light of external pressures from regulatory bodies. However, despite this focus, the existence of 29 identified attack vectors used by ransomware groups indicates that businesses are aware of potential threats yet are not fully prepared to mitigate them. As noted, a significant 25% of mid-sized organizations find themselves in a critical cybersecurity situation, improved from 36% in 2025, but highlighting a continuing need for vigilance in augmentation of their cybersecurity frameworks.

The implications of these findings for procurement professionals are clear. There is an increasing demand for cybersecurity solutions that address specific regulatory requirements and gaps identified in ongoing assessments from organizations. As regulations evolve, particularly regarding compliance with NIS 2, there are lucrative opportunities for vendors specializing in AI security, governance frameworks, and third-party risk management services to position themselves for success in the growing landscape of cybersecurity.

In summary, while there have been advancements in the cyber maturity of large organizations across Europe, the complexity of threats and compliance requirements necessitate continued focus and investment in cybersecurity measures to protect against emerging risks. The report serves as a crucial resource for identifying areas where procurement strategies can align with market needs and regulatory demands.