Cybersecurity Survey 2025: EU cybersecurity regulations now shape IT strategies, while CIOs call for European providers

Sovereignty moves to the boardroom – 48% of security executives demand EU-based providers, while regulatory pressure reshapes strategy and budgets across the region

Zurich, Switzerland – 25. June 2025 — Cybersecurity decision-making in Europe is undergoing a quiet transformation — driven by rising regulatory pressure and growing demands for digital sovereignty at the executive level. A new report from Open Systems reveals that 48% of CIOs and CISOs now explicitly demand European-based security providers, while 43% of all organizations — and nearly three quarters of C-level executives — say that frameworks like NIS2, DORA and the Cyber Resilience Act directly shape both their security investments and vendor choices.

The study is based on a survey of 371 IT and security decision-makers across Germany, the UK, Austria, and Switzerland.

“The sovereignty debate has left the back office and entered the boardroom,” said Daniel Gerber, Chairman of the Board at Open Systems. “We’re seeing a decisive shift: compliance is no longer a final checkpoint, but a driver of strategy, architecture and supplier shortlists.”

What today’s security leaders say:

  • Criteria like sovereignty, regulatory alignment and certifications far outweigh lock-in concerns, including vendor dependency.
  • 48% of CIOs/CISOs demand European-based providers
  • 43% of all organizations — and 72% of the C-suite — say EU regulations dictate both strategy and supplier selection
  • Hybrid-cloud protection and the cyber-skills drought remain the top execution gaps

Key sector & regional findings:

  • 46% of European security leaders now rate EU data-sovereignty as their single most important buying criterion — ahead of cost. In Germany, that figure soars to 58%, and among finance CIOs it reaches 54%.
  • Finance and healthcare sectors continue to lead the EU trust trend: over half prefer EU-based providers, and nearly half report strong pressure from NIS2 and DORA.
  • The least important selection factors when choosing between EU and global cybersecurity providers are: vendor lock-in concerns (23%), flexible pricing/contract models (25%), and best ROI (25%).
  • In contrast, provider integrity and trustworthiness (64%) and data protection and privacy (62%) rank as the most important.
  • Challenges like connecting remote locations (4%) and lack of flexibility in vendor solutions (8%) are barely mentioned — underscoring that it’s the combination of hybrid work, cloud environments, and skills gaps that creates pressure, rather than isolated technical issues.

“Security leaders are not just responding to regulation; they’re building architectures and teams around it,” said Markus Ehrenmann, CTO of Open Systems. “And they’re demanding platforms that combine EU-hosting, zero-trust control, and out-of-the-box audit readiness.”

New Role of Managed Services

The limited concern around vendor dependency likely reflects a shift of organizations towards regulatory fit and service quality. While only 25% still consider vendor lock-in a relevant factor, 55% now prefer European-based providers, and 70% feel tangible pressure from frameworks like NIS2 and DORA. This underlines a growing demand for partners who not only meet compliance requirements but also support operational execution.

The top IT challenges cited in the study clearly relate to complex technical environments — including hybrid infrastructure, multi-cloud adoption, and skills gaps in network and security operations. This makes it increasingly important that managed services combine consulting expertise with the underlying technology.

Providers must offer:

  • Effective architecture design that works in practice with the technology deployed and is tailored to each organization’s structure and risk profile.
  • Close support during configuration and operations, filling internal gaps and acting as an extension of the team.

Survey respondents also listed the following top three IT projects driven by new regulations:

  1. Security operations and incident/audit handling (45%)
  2. Data transparency and processing (e.g. SIEM visibility) (37%)
  3. IT/OT convergence and OT security (36%)

These trends place new demands on security providers:

  • There must be a plan for ongoing operations, particularly for organizations without the capacity to manage incidents, changes, or reviews internally.
  • Transparency is critical: how and where security data is processed, whether it remains in the EU, and how it is accessed (e.g. via real-time dashboards, drill-downs, APIs).
  • OT security must be addressed beyond manufacturing: 48% of industrial companies, and 44% of finance and healthcare respondents cite this as a pressing need. Providers must go beyond technology (e.g. ZTNA, OT firewalls) to help design secure architectures, realistic transformation plans and successful migration strategies.

About the Survey
The research was conducted in Q2 2025 and includes responses from 371 qualified IT/infrastructure/security leaders, spanning C-level executives, mid-management, and technical roles. Respondents represent a wide spread of industries and company sizes, with balanced representation across the DACH region and the UK.

About Open Systems
Open Systems is a leading provider of native Managed SASE solutions, converging network and security functions on a cloud-native platform. Founded in 1990, the Swiss cybersecurity company, headquartered in Zurich, supports businesses and organizations in more than 180 countries with a holistic, customer-centric service model that guarantees 24×7 expert support. The combination of an innovative platform, integrated solutions, and excellent service ensures secure, reliable, and worry-free network operations – even within the complex IT infrastructures of global manufacturing companies and NGOs.

This solution delivers reliable connectivity across cloud, on-premises, and hybrid environments, while offering an exceptional user experience through an intuitive customer portal. Powered by a centralized data platform and 24×7 managed services, Open Systems not only enhances security but also boosts operational efficiency and accelerates innovation – enabling secure networks that grow with your business.
