Cyber risk is no longer just a technical issue; it is a core business concern discussed at the highest levels of the organization. Across EMEA, boards are demanding clearer visibility into risk exposure, regulatory impact, and resilience. This blog explores the latest IDC insights on how CISOs can translate cyber risk into business language, align with board expectations, and strengthen decision-making in an increasingly complex threat and regulatory landscape.
How cyber risk became a board-level business risk
IDC research confirms that cyber risk has become a top board-level concern across EMEA and globally. Boards increasingly recognize that cyber risk is synonymous with business risk, prompting them to ask CISOs to translate the risk of cyber compromise into tangible business and compliance impacts.
As highlighted in IDC’s perspectives, board members are no longer satisfied with technical metrics alone; they want to understand how cyber threats could affect organizational resilience, regulatory standing, and overall business continuity.
Cyber risk appetite vs. security investment: Key EMEA trends
Cybersecurity remains the primary barrier to CIO success in Europe, with 16–18% of organizations identifying it as their top challenge. Despite ongoing economic volatility, security budgets are generally protected, though not immune to cuts. IDC’s EMEA Security Tech and Strategies Survey reveals that 33% of financial services organizations kept their security budgets flat, 29% increased them by less than 10%, and 14% decreased them by more than 10%.
Boards are demanding greater clarity on risk acceptance, transfer, and mitigation strategies. A common pitfall is treating security metrics as mere program performance indicators rather than as expressions of risk and compliance management. Boards are now asking, “What is the risk cyber presents to the organization, and how well are we positioned to address it?”
CISO best practices for communicating cyber risk to the board
IDC recommends that CISOs translate cyber risk into financial terms, expressing exposure as realistic cost-of-breach scenarios rather than relying solely on severity labels. Structured exercises should identify which risks threaten financial stability and which are critical for certification or compliance. At the board level, metrics should focus on governance, risk, and compliance trends, answering questions such as: “What are our minimal viable operations? Are we cyber crisis ready? How resilient are we? How long will our business, systems, and production be offline in the event of a severe cyber compromise?”
A robust risk management framework can address 70% of board questions by identifying mission-essential assets, evaluating threats, monitoring controls, and clarifying risk ownership. While boards seek benchmarks and industry comparisons, they are cautioned against adopting a “do $1 more than our competitor” mentality.
IDC advocates for quarterly red teaming and realistic tabletop exercises to educate boards and executives, clarify escalation policies, and better identify and assess third-party risk. Boards are also increasingly interested in the impact of AI and emerging technologies such as quantum key encryption and Model Context Protocol (MCP) deployment on organizational risk posture. CISOs should review use cases, implement human-in-the-loop controls, assess data security, and continuously audit AI assets.
Cyber risk and regulation in EMEA: Key insights for CISOs
Regulatory pressure is intensifying in Europe, with frameworks like NIS2, DORA, and the EU AI Act making governance, risk, and compliance (GRC) the top security technology priority for large organizations. Over 40% of these organizations now place GRC at the forefront, with liability for infringements increasingly assigned to senior management.
In European financial services, cyber security for clients (59%) and internal cyber security (57%) are the primary drivers of risk management investment. But only 43% of CISOs in large UK enterprises report having monthly board engagement, while 48% engage on an ad-hoc basis. IDC recommends establishing regular, structured communication to align risk appetite and investment decisions.
Practical steps to improve cyber risk management and board engagement
To enhance board engagement and risk management, IDC advises quantifying risk in business terms using financial impact, loss scenarios, and regulatory exposure. Cyber risk management should be continuous, using process automation where possible.
Boards must align security investment with risk appetite, and balance resilience, compliance, and operational priorities. Regular, meaningful engagement beyond ad-hoc updates is essential, as is benchmarking against peers while avoiding herd mentality. Integrating GRC platforms to automate reporting, audit, and compliance can support board-level visibility and informed decision-making.
Key takeaways for CISOs and boards in 2026
IDC’s EMEA and worldwide research underscores that effective cyber risk assessment and CISO-board communication require translating technical risk into business impact, quantifying risk appetite, and aligning security investment with strategic objectives.
Boards seek clarity, context, and actionable insights, not operational minutiae. CISOs must become influential partners, guiding risk acceptance, transfer, and mitigation in a language the board understands. As regulatory and threat landscapes evolve, disciplined, data-driven communication is essential for resilient, compliant, and secure organizations.
Join the conversation: Deep dive in our upcoming webinar
Want to go beyond the headlines and understand what these shifts mean for your organization? Join our upcoming IDC webinar on May 12 to hear directly from our analysts as they break down the latest EMEA cybersecurity trends, evolving board expectations, and what it takes to translate cyber risk into business impact. Gain practical insights, benchmark your approach, and learn how leading organizations are aligning security strategy with business priorities.
Joel Stradling - Senior Research Director, European Security - IDC
David Clemente - Research Director, European Security - IDC
What is really shaping IT investment across EMEA in 2026?
Across EMEA, IT spending continues to grow, but the forces shaping that growth are becoming more complex. Geopolitical tensions, regulatory developments and economic uncertainty are increasing the pressure on organisations to prioritise resilience and operational stability, even as executive expectations around artificial intelligence continue to rise. Many enterprises are now moving beyond experimentation and beginning to explore how AI can be operationalised at scale. The question for 2026 is not simply whether AI investment will continue, but how organisations balance innovation ambitions with resilience priorities in a rapidly evolving market environment.
Growth remains stable but increasingly concentrated
IT spending across EMEA is expected to grow by 7% in 2026, driven primarily by the continued double‑digit expansion of the software market. While 2025 was marked by a surge in the Service Provider segment, 2026 shows a more balanced outlook, with both Enterprise and Service Provider spending following similar growth trajectories. The only exception is the Consumer market, which remains flat (Source: IDC Worldwide Black Book, March 2026).
Geopolitical tensions, supply chain disruptions and an increasingly complex regulatory landscape continue to reshape investment priorities across EMEA. As explored in our recent analysis of how ongoing conflicts are stress-testing the digital economy, organisations are placing greater emphasis on resilience, operational continuity and regional autonomy in their technology strategies. IT spending is therefore not slowing, but becoming more deliberate and selective, with investment increasingly directed toward capabilities that strengthen stability and long-term adaptability in an uncertain global environment.
Executive expectations are raising the bar
At the same time, executive ambition around AI continues to intensify. IDC research indicates that 50 percent of CEOs believe AI will offer their organisation the opportunity to reinvent its business model within the next three to five years.
This signals a shift in how AI is positioned within enterprise strategy. AI is no longer viewed primarily as a tool for experimentation or incremental efficiency gains. Instead, it is increasingly expected to deliver tangible transformation, automation and competitive differentiation.
However, survey data also shows that some organisations are reassessing elements of their AI programmes. Concerns around return on investment, governance, data readiness and skills availability are influencing decision-making across the region. The result is a more demanding environment in which expectations are rising but scrutiny is increasing as well.
From experimentation to operational AI
Across EMEA, AI maturity is evolving. The early phase of generative AI experimentation is giving way to a stronger focus on operational deployment.
Organisations are now moving beyond isolated pilots towards integrating AI capabilities into core workflows, enterprise applications and decision-making processes. This transition reflects a broader shift towards operational AI and the emergence of more agentic enterprise models.
At the same time, scaling AI requires far more than access to models. Infrastructure readiness, data management capabilities, governance frameworks and organisational skills are becoming decisive factors in determining whether organisations can move from experimentation to sustained operational impact.
Resilience, governance and execution will define the next phase
The evolving EMEA technology landscape is therefore shaped by a combination of innovation pressure and structural constraints. Geopolitical uncertainty, regulatory requirements and resilience priorities are increasingly influencing technology investment decisions.
For technology providers operating in the region, understanding these dynamics is critical. Growth opportunities remain significant, but they are tied more closely to execution readiness, operational maturity and the ability to support organisations as they scale AI responsibly.
Join the conversation
In our upcoming webcast on April 28, IDC analysts Andrea Siviero, Stephen Minton, and team will explore what these shifts mean for the EMEA IT market in 2026, including:
- How geopolitical developments and resilience priorities are influencing IT investment across the region
- Where growth is concentrated across EMEA markets and industries
- How organisations are moving from AI experimentation to operational deployment
- What the rise of more agentic enterprise models means for enterprise technology environments
Andrea Siviero - Senior Research Director, MacroTech, Digital Business, and Future of Work - IDC