2025 Cyber Benchmark: measured progress, persistent challenges
Published June 4, 2025

Amid rising threats, including geopolitical ones, and tighter regulatory pressure (DORA, NIS 2, CRA, etc.), companies must strengthen their cybersecurity posture. Numerous challenges remain: the surge in artificial intelligence usage, still-incomplete resilience, reliance on international third-party providers, and significant disparities across sectors.
In this rapidly changing landscape, where do major companies really stand? What level of security have they achieved? What progress has been made, and where do vulnerabilities persist?
To answer these questions, Wavestone is publishing its Cyber Benchmark for the sixth consecutive year. This key study is derived from on-the-ground analysis of more than 170 organizations assessed against the international NIST Cybersecurity Framework v2.0.
This benchmark provides a comprehensive overview of the preparedness of large organizations against cyber threats.
Key figures
- The average maturity level of large corporations (with over €1 billion in revenue) has increased slightly to 54%, up 1 point from 2024, according to international standards (NIST CSF v2.0 and ISO 27001).
- The financial sector remains the leader with an average score of 62.5% (+2.5% compared to 2024), driven by regulatory pressure (DORA) and sustained investments. Some players have reached over 80% maturity.
- Cybersecurity budgets account for an average of 6.4% of IT budgets, slightly down from 6.6% in 2024, and still at the lower end of the recommended range (5 to 10%).
- On average, there is one cybersecurity expert for every 1,016 employees, compared to one for every 1,086 last year. The top performers in the financial sector reach a ratio of one expert for every 80 employees.
- Across the 29 attack vectors used by identified ransomware groups, most large organizations have a strong command of the basics, with an average protection level of 56%, which helps to reduce major breaches.
- Four areas show significant improvement: incident response capabilities, detection measures (SOC, Security Operations Center), cloud security, and data protection driven by challenges related to AI.
- The NIS 2 directive is driving organizations to invest in compliance, but none are fully ready yet. Despite an average maturity of 80%, no company is fully compliant. Efforts still need to be made, particularly regarding third-party risks, asset mapping, and governance.
Modest progress, with persistent sectoral disparities
In 2025, the average cybersecurity maturity of large companies reached 54%, marking a slight increase of 1 point compared to 2024. However, this growth represents a noticeable slowdown compared to previous years, suggesting that many large companies have hit a plateau that will be difficult to overcome without significant structural reforms or a new wave of investments.
The financial sector maintains its leadership with an average score of 62.5%, up 2.5 points.
This performance is mainly driven by the combined effects of regulation, particularly the European DORA regulation, and increased human and financial investments. In contrast, less regulated sectors, such as certain industries and public services, lag significantly behind, with an average gap of 6 points between regulated and non-regulated sectors.
Declining budgets, rising headcounts
On average, the companies surveyed allocate 6.4% of their IT budget to cybersecurity, down slightly from 6.6% in 2024. Despite this modest decrease in spending, cybersecurity headcounts are on the rise: there is now one cybersecurity expert for every 1,016 employees, compared to one for every 1,086 last year.
Top performers in the financial sector report much higher ratios, reaching up to one expert for every 80 employees. However, this growth in staffing also highlights a major challenge: the talent war. Demand for cybersecurity experts remains high, and some sectors may find themselves in direct competition to attract qualified professionals, which poses a serious hurdle for organizations with limited resources.
The most mature large organizations are increasingly turning to nearshoring—particularly in Southern Europe—or offshoring to more distant countries to meet their needs.
Ransomware threat: large corporations secure the basics, while smaller organizations work to catch up
Across the 29 attack vectors used by ransomware groups, identified by Wavestone’s incident response teams, large companies show an average protection level of 56%, helping to reduce major breaches.
Among small and mid-sized businesses, 36% of the panel are still considered to be in a critical state: an 18% improvement compared to 2024. While progress has been made, further efforts are needed to reinforce cybersecurity fundamentals across a broader part of the ecosystem.
The solutions are well known and clearly identified; the main challenge now lies in engaging organizations that have traditionally had low awareness of cybersecurity issues.
NIST CSF 2: steady progress across all pillars reflects sustained long-term efforts
Most pillars of the NIST CSF 2 show a consistent maturity level of around 50% (ranging from 48% for the “Identify” pillar to 52% for the “Govern” and “Protect” pillars), reflecting a broad strengthening of cybersecurity practices.
However, with a maturity level of just 41%, the “Recover” pillar lags behind, highlighting that crisis resilience remains a major area for improvement across many organizations.
These findings point to clear opportunities for progress, particularly in resilience and crisis management. In this context, the implementation of the NIS 2 directive is raising the bar for regulatory expectations and could serve as a real accelerator of maturity by imposing higher standards on a growing number of organizations.
Clear areas of progress: detection, response, cloud, and data
Among the 16 cybersecurity domains tracked by Wavestone, four show notable progress:
- Incident response has improved by 3%, driven by the professionalization of cyber crisis management. Organizations are establishing dedicated cyber units within crisis response frameworks, conducting regular simulation exercises, and improving coordination with business functions.
- Detection rates have increased by 4%, thanks to SOCs that are progressively integrating AI into their operations. Security Operations Centers are gaining in maturity and improving their ability to detect weak signals. Maintaining operational effectiveness, however, remains a key challenge.
- Cloud security has advanced by 3%, supported by more integrated and centralized governance, standardized security policies, and the earlier integration of cybersecurity requirements into cloud environment design.
- Data protection has risen by 4%, strengthened by new AI-driven use cases. The rollout of updated classification and encryption policies, along with the emergence of AI use cases focused on preventing data leaks (DLP, behavioral monitoring), has reinforced this area.
Artificial Intelligence: foundations laid, but maturity still low
Artificial intelligence is currently a major focus of investment for large organizations. Security teams have often had to react urgently to ensure these new systems are properly secured. At Wavestone, our teams have been heavily involved in these efforts, allowing us to assess the current state of market maturity across 20 major organizations:
- 64% now have a dedicated AI security policy in place.
- 67% apply a cybersecurity validation process (go/no-go) for AI use cases.
- 60% have established a team responsible for assessing the compliance of AI projects.
- 40% have updated their third-party risk assessment methodology to include AI providers.
However, when it comes to actual protection, the numbers are significantly lower:
- Only 7% of companies have implemented defense mechanisms against prompt injection attacks or other AI-specific threats.
NIS 2 Directive: a strategic priority but only partial compliance
The European NIS 2 directive, currently being transposed or already implemented in several European countries, is pushing companies to strengthen their cybersecurity. While the average maturity level for large enterprises reaches 80%, no company is fully compliant yet. The main obstacle is the requirement for a consistent security level across the entire information system, which breaks from current approaches often focused on critical segments only.
Key challenges for achieving compliance include:
- Asset mapping: the directive requires a clear, up-to-date view of digital assets (infrastructure, applications, workstations) to ensure their ongoing security. However, this mapping remains incomplete, especially in hybrid and cloud environments. To date, only 45% of companies maintain a centralized CMDB.
- Third-party risk: NIS 2 mandates rigorous and continuous cybersecurity assessments of providers and partners. Companies need to professionalize these controls, which are still often partial or manual. Currently, only 37% of organizations regularly audit their critical suppliers.
- Administration security: administration requires enhanced protection (dedicated admin accounts, dedicated workstations, dedicated admin networks), especially for directory services, where a breach could have severe consequences. Despite deployments of PAM (Privileged Access Management) solutions, practices remain fragmented. Only 37% of organizations have implemented dedicated workstations for administrators.
A maturing market reaching high levels of compliance
The top 10 organizations in the benchmark have achieved an average maturity level of 71%. These leaders are now investing in technologies and approaches that are not yet explicitly covered in international standards, which will need to be updated accordingly. To keep pace with these innovations, Wavestone has decided to create a dedicated maturity level for pioneers, aimed at tracking the evolution of cybersecurity practices.
Launched in 2025, this new indicator will help identify the most advanced organizations and facilitate sharing of insights on the technologies and approaches they are currently testing.
These include challenges related to post-quantum cryptography, the use of AI in cybersecurity, platform consolidation and streamlining of security tools, the creation of security data hubs to accelerate and simplify control processes, and the adoption of just-in-time approaches for access management.
Methodology
Maturity levels were assessed against international standards (NIST CSF & ISO 27001/2) during evaluation assessments conducted by Wavestone consultants, primarily through interviews with the security leaders of the organizations involved. The sample, as of May 1, 2025, includes over 170 organizations—more than 100 of which have revenues exceeding 1 billion euros—representing nearly 7 million employees. Data from these individual assessments were then consolidated and analyzed by Wavestone’s team of specialists.