Cyber Benchmark 2026: Progress slows as complexity rises
Published June 2, 2026
- Cybersecurity
In a context of rapidly rising threats, including those of geopolitical origin, and increasing regulatory pressure (DORA, NIS 2, CRA, etc.), French and international companies must strengthen their cybersecurity posture. Numerous challenges remain: the rapid growth in artificial intelligence use, still-incomplete resilience, dependence on international third-party providers, and significant disparities across sectors.
In this fast-evolving landscape, where do large organizations really stand? What level of security have they achieved? What progress has been made, and where do vulnerabilities persist? To answer these questions, Wavestone is publishing its cyber benchmark for the seventh consecutive year, a reference study based on field analysis of more than 200 organizations assessed against international standards, including the NIST Cybersecurity Framework v2.0 and ISO 27001, through in situ interviews.
This benchmark provides a comprehensive overview of the level of preparedness of large organizations against cyber threats.
Key figures
- The average maturity level of large organizations (revenue > €1bn) has slightly increased to 55.3%, a +1.3 point improvement compared to 2025.
- The financial sector remains the leader with an average score of 67.6% (+5.1 points compared to 2025), driven by regulatory pressure (DORA) and sustained investments. Some players reach maturity levels above 89%.
- Cybersecurity budgets represent, on average, 6.7% of total budgets, up compared to 2025 (6.4%), but still at the lower end of the recommended range (5 to 10%).
- On average, organizations have one cybersecurity expert for every 979 employees, compared to 1 for 1,016 last year. The best-performing organizations in the financial sector reach a ratio of approximately 1 to 83.
- Across the 29 attack vectors used by identified ransomware groups, most large organizations show strong control of the fundamentals, with an average protection level of 58% (+2 points compared to 2025), contributing to a reduction in major compromises. Additionally, 25% of mid-sized companies are in a critical situation, compared to 36% in 2025.
- Five key areas are showing significant progress: governance, risk management, detection capabilities (SOC – Security Operations Center), incident response capabilities, and resilience, all driven by challenges related to AI.
- Artificial intelligence is a major concern for large organizations, which are only beginning to implement structured actions to secure its use. While security rules are defined in most cases (76%), overall market maturity remains low at 38%, with significant gaps in platform protection and in the detection of attacks targeting AI systems (10%).
- NIS 2 regulation is pushing organizations to invest in compliance, although no company is yet able to fully and sustainably meet all requirements. Large organizations reach approximately 60% maturity with respect to NIS 2. This analysis is based on a sample of more than 15 organizations from various sectors, assessed against different local NIS 2 frameworks, with analyses carried out either at the scale of the whole organization or on specific perimeters. Further efforts are needed, particularly in third-party risk management, asset mapping, administration, and resilience. In addition, French players are still lagging behind in NIS 2 compliance, while large international groups and already regulated organizations are more advanced, despite heterogeneous requirements across Europe that force them to harmonize practices across their subsidiaries.
Limited improvements amid enduring sector gaps
In 2026, the average cybersecurity maturity level of large companies reaches 55.3%, reflecting a slight increase of +1.3 points compared to 2025. However, this positive trend is gradually slowing down year after year, suggesting that several large organizations have reached a plateau that is difficult to overcome without deep structural reforms or a new wave of major investments.
The financial sector confirms its leadership with an average score of 67.6%, representing an increase of +5.1 points. This performance is mainly driven by the combined effects of regulation, particularly the European DORA regulation, as well as increased human and financial investments. Conversely, less regulated sectors lag significantly behind, with an average gap of 8.8 points between regulated and non-regulated sectors. This gap is further emphasized compared to last year, as maturity in regulated sectors increased by 2.1 points, while non-regulated companies did not experience any significant improvement.
Growing budgets and headcount
Surveyed companies allocate on average 6.7% of their budgets to cybersecurity, compared to 6.4% in 2025. At the same time, cybersecurity headcount continues to grow: there is now 1 cybersecurity expert for every 979 employees, compared to 1 for 1,016 last year.
Leaders in the financial sector show significantly higher ratios, reaching approximately 1 expert for every 83 employees. However, this increase in staffing also highlights a major challenge: the war for talent. Demand for cybersecurity experts remains high, and some sectors may find themselves competing directly to attract qualified profiles, making it more difficult for organizations with limited resources. The most mature organizations are also increasingly relying on nearshoring, particularly in Southern Europe, or offshoring in more distant countries.
Ransomware risk: large enterprises strengthen fundamentals, smaller ones lag behind
Among the 29 attack vectors used by ransomware groups identified by Wavestone’s incident response teams, large companies reach an average maturity level of 58% (+2 points compared to 2025), contributing to a reduction in major compromises.
Among small and mid-sized companies, 25% of the sample are considered to be in a critical situation, representing an improvement of 11 points compared to 2025. While progress has been made, further efforts are still required to strengthen fundamentals across a large portion of the ecosystem. The solutions are well known; the main challenge now lies in mobilizing organizations that remain less aware or less mature in cybersecurity. Despite this, these figures remain encouraging, as a significant increase of 18 points had already been observed the previous year. The rollout of the NIS 2 directive appears to be triggering renewed momentum, the sustainability of which will need to be monitored in the coming years.
Consolidated progress across security pillars, but persistent gaps in resilience
Most NIST CSF 2.0 pillars show a consistent maturity level of 56–57% across Govern, Protect, Detect, and Respond, reflecting a uniform evolution of cybersecurity practices. The Identify pillar lags slightly behind at 54%, but is progressing at a similarly steady pace. At only 44%, the Recover pillar highlights a clear gap, showing that crisis resilience remains a major area for improvement for many organizations. Only the financial sector stands out, with a higher maturity level of 58%.
Notable progress in governance, risk, detection, response, and cyber resilience
Among the 17 cybersecurity domains tracked by Wavestone, five show notable progress:
- Governance (+2%) has been strengthened under regulatory pressure and increased involvement from executive leadership. Organizations have formalized their structures with clearer roles (CISO functions and their extended teams, including industrial systems and digital products), better integration of cybersecurity into overall strategy, and growing awareness at executive committee level, fueled by strong media exposure. This contributes to faster and more structured decision-making.
- Risk management (+2%) is improving thanks to the wider adoption of formalized approaches and more refined risk mappings, enabling better prioritization of actions. Risk treatment is becoming more concrete through structured and monitored action plans, greater adoption of proactive approaches such as bug bounty programs, and better integration of cyber risk into agile development cycles.
- Detection (+5%) is driven by stronger SOC capabilities and advanced technologies. Monitoring is improving through SIEM, EDR/XDR, and AI, enabling better identification of weak signals. This evolution is reinforced by enriched detection scenarios leveraging internal logs (e.g., CMDB) and external threat intelligence, improving alert contextualization. Organizations are also structuring risk-based use cases and enhancing the analysis of application logs related to security events.
- Incident response (+2%) is progressing significantly thanks to improved 24/7 availability of internal teams, the use of specialized third parties, and the definition, communication, and implementation of structured incident management processes, enabling faster, better coordinated, and more effective responses to major incidents.
- Cyber resilience (+3%) has improved significantly in recent years through stronger preparedness measures. Organizations are developing their cyber insurance policies, increasing crisis management exercises, and intensifying restoration testing, thereby improving their ability to ensure business continuity in the face of major incidents. However, this remains a key area of risk within the overall cybersecurity landscape.
Evolving cyber landscape: accelerating integration of AI into governance, risk management, and cyber operations
Alongside these developments, artificial intelligence is emerging as a structuring driver, deeply transforming cybersecurity practices and associated organizational models. This transformation is reflected first in the emergence of new specialized roles, such as AI Risk Management, responsible for designing and maintaining AI-specific risk frameworks and overseeing associated assessments, and AI Compliance Officer, responsible for ensuring alignment with regulations and frameworks (AI Act, NIST AI RMF) and defining system classification based on criticality. These roles are complemented by AI Governance, which structures policies, standards, and decision-making processes related to AI usage, as well as the AI Third-Party Risk Manager, responsible for assessing vendors and managing risks linked to SaaS solutions, APIs, and large language models (LLMs).
At the same time, the rise of AI is reshaping the threat landscape. Attacks are becoming more sophisticated, with the increasing use of automated phishing, highly credible deepfakes, and the emergence of early malware leveraging AI (e.g., PromptFlux, PromptLeak) in propagation or evasion mechanisms. In response to these increased risks, organizations are beginning to transform their defense capabilities. Early successful deployments of AI within SOCs already enable automation of spam and phishing handling, improved alert triage, and enhanced operational efficiency.
The gradual integration of AI into detection tools also enables more advanced behavioral analysis and better modeling of complex, tailored attack scenarios.
While dedicated AI response teams remain limited at this stage, their development is an emerging trend likely to expand, reflecting the need for organizations to build specific capabilities to address these new risks. Overall, AI is acting both as an accelerator of defense capabilities and as a driver of increased threat complexity, requiring continuous adaptation of governance, risk management, and cybersecurity operations.
Artificial intelligence: groundwork established, yet maturity remains limited
Artificial intelligence is now at the core of investments for large organizations. Security teams often have to mobilize urgently to support the securing of these new systems.
Within historically mature areas, such as governance or security validation of projects, companies are generally able to adapt and keep pace with the trend. However, areas that were already lagging behind, such as third-party risk management, as well as more recent and complex topics, such as security testing of AI systems and anticipating new AI-related threats, still show very low levels of maturity.
Our teams have been heavily involved in these topics, allowing us to assess the current level of market maturity across more than 20 large organizations:
- 76% now have a dedicated AI security policy in place.
- 62% apply a cybersecurity validation process (go/no-go) for AI use cases.
- 57% have established a team responsible for assessing the compliance of AI projects.
- 48% have updated their third-party risk assessment methodology to include AI providers.
However, when it comes to concrete protection measures, the results remain significantly lower. Only 10% of companies have implemented defense mechanisms against prompt injection attacks or other AI-specific threats.
NIS 2 Directive: a key priority with incomplete implementation
The European NIS 2 Directive, currently being transposed or already implemented in several European countries, is pushing organizations to strengthen their cybersecurity. Large organizations reach around 60% maturity with regard to NIS 2 requirements, while the directive will ultimately require full compliance. This relatively low level highlights the scale of efforts still required to achieve full compliance and resilience. This analysis is based on a sample of more than 15 organizations across various sectors, assessed against different local NIS 2 frameworks, either at the global organizational level or across specific perimeters. The main challenge lies in the requirement for a consistent level of security across the entire information system, deviating from current approaches that are often focused on critical perimeters.
The French market has not yet experienced a major acceleration, unlike some other countries where regulatory controls have already begun and where large international groups are further advanced in their compliance journeys. These organizations have gained an advantage due to their presence in countries where NIS 2 has already been implemented.
The level of granularity of requirements varies significantly across countries, making implementation at a European scale more complex. Faced with this heterogeneity, large organizations must strike a balance between meeting local expectations and maintaining overall consistency. They therefore aim to harmonize their cybersecurity frameworks and information systems by defining common standards that are robust enough to cover all subsidiaries while remaining adaptable to national specificities.
A detailed analysis of national implementations of the NIS 2 Directive highlights this heterogeneity. Some countries introduce very specific requirements: France emphasizes the security of administrative systems and the traceability of investigations; Belgium requires detailed inventories of critical suppliers and assets; Hungary imposes advanced requirements around continuity, supervision, and incident management automation; and Italy strengthens expectations around visibility of OT, IoT, and cloud environments, often with tight compliance timelines. Other countries adopt contrasting approaches, ranging from highly detailed and technical frameworks (Estonia, Croatia) to more concise and recommendation-based approaches (Netherlands, Finland). Additional national requirements also emerge, such as mandatory sharing of zero-day vulnerabilities with CSIRTs (Greece, Denmark), strict backup rules (Slovakia), or high availability thresholds for critical systems (Lithuania). This diversity, combined with varying constraints in terms of timelines, documentation, and interactions with regulators, further increases the complexity of compliance and reinforces the need for approaches that are both harmonized and adaptable across Europe.
Key challenges for achieving compliance include:
- Asset mapping: the directive requires a clear, up-to-date view of digital assets (infrastructure, applications, workstations) to ensure their ongoing security. However, this mapping remains incomplete, especially in hybrid and cloud environments.
- Third-party risk management: NIS 2 mandates rigorous and continuous cybersecurity assessments of providers and partners. Companies need to professionalize these controls, which are still often partial or manual.
- Administration: administration requires enhanced protection (dedicated admin accounts, dedicated workstations, dedicated admin networks), especially for directory services, where a breach could have severe consequences. Despite deployments of PAM (Privileged Access Management) solutions, practices remain fragmented.
An evolving market approaching advanced compliance levels
The top 10 organizations in the benchmark have achieved an average maturity level of 78%. These leading organizations are now investing in technologies and approaches that are not yet explicitly covered in international standards, which will therefore need to be updated accordingly. To keep pace with these innovations, Wavestone has introduced a dedicated maturity level for pioneers, aimed at tracking the evolution of cybersecurity practices. Launched in 2025, this new indicator is designed to identify the most advanced organizations and to share feedback and insights on the technologies and approaches they are currently testing.
These include, in particular, challenges related to post-quantum cryptography, the use of AI in cybersecurity, platform-based approaches and the rationalization of security tools, the development of security data hubs to accelerate and streamline control processes, and the adoption of just-in-time approaches for access management.
In addition, two new indices complement this updated maturity framework: the culture change index, which assesses the maturity of processes embedded and disseminated within the company’s culture, and the innovation index, which measures the maturity of new solutions and innovative approaches implemented.
Methodology
Maturity levels were assessed against international standards (NIST CSF v2.0 and ISO 27001/2) during evaluation missions conducted by Wavestone consultants, primarily through interviews with security leaders from the organizations involved.
The sample, as of May 2026, includes more than 200 organizations (including 100 with revenues exceeding €1 billion), representing nearly 7 million employees. Data from these individual assessments were then consolidated and analyzed by Wavestone’s team of specialists.