Cybersecurity budgets among regulated, industrial, or OT-intensive environments in the Nordics is approximately 15% of the IT budget.

68% of Nordic CISOs reported an increase in cybersecurity budgets, bringing it to the 2024 level, while 14% reported no changes, and 9% reported a decrease in budget.

Cybersecurity budgets among larger or IT-intensive organizations in the Nordics is approximately 2% of the IT budget.

In 2026, 9% of Nordic CISOs reported an increase in severe cybersecurity incidents (vs 53% in 2025), while 91% reported a stable level (vs 28% in 2025), and none reported a decrease (vs 19% in 2025).

In 2026, about 65% of Nordic CISOs report through technology leadership (CIO or CTO) with one or two intermediaries to the CEO (half each).

23% of Nordic CISOs cited ransomware or availability disruption as their primary concern.

17% of Nordic CISOs cited insiders & human error as their primary concern.

14% of Nordic CISOs cited AI-related threats as their primary concern.

14% of Nordic CISOs cited supply chain as their primary concern.

9% of Nordic CISOs cited vulnerabilities as their primary concern.

5% of Nordic CISOs cited DDoS and opportunistic probing as their primary concern.

In 2026, 55% of Nordic CISOs reported an increase in less severe incidents.

32% of Nordic CISOs cited identity-related attacks (e.g., leaked credentials) as their primary concern.

73% of Nordic CISOs either explicitly state that no vulnerabilities have been exploited or are unable to point out concrete cases.

40% of Nordic CISOs report to finance, either directly reporting to the CFO or through a CIO.

32% of Nordic CISOs explicitly state that access, influence, or sponsorship matters more than formal reporting hierarchy.

The dominant range for cybersecurity budgets among Nordic organizations remains approximately 5 to 10% of the IT budget (45% compared to 47% in 2024), with an average of approximately 7%.