European Cybersecurity Market 2030: What’s Actually Driving the Spend

Author: Dmitrii Gavrikov | Fractional CMO

Continental Europe will not double its cybersecurity market by 2030. The press releases promising explosive growth are either selling research subscriptions or measuring something other than what buyers actually spend. The real picture is steadier, more regulated, and more revealing about how money will flow than any headline CAGR suggests.

In 2025, continental Europe (EU plus EEA, without the UK) sits at roughly €50 billion in cybersecurity spending. By 2030, the base case puts the market at €77 billion, growing 9% per year. That’s solid, predictable, and largely driven by one thing most market reports underplay: regulatory compliance has replaced discretionary budgets as the main spending engine.

This report walks through the actual size of the market, why the published forecasts disagree by 67%, where the money is going by country and segment, and what the next five years will reward. If you sell into Europe, buy security in Europe, or invest in the space, the numbers below are the ones that matter.

Key Takeaways


  • Continental Europe (EU + EEA, no UK) 2025: about €50 billion. Base case 2030: €77 billion at 9% CAGR. Range across scenarios: €70 to €84 billion.
  • Published estimates disagree wildly ($49 billion Statista versus $82 billion IMARC) because each defines “cybersecurity” differently. Use the median, not the headline.
  • NIS2, DORA, and the Cyber Resilience Act together create roughly €31 billion per year of mandatory compliance spending. That’s about 60% of the entire base.
  • 81% of European organisations expect cybersecurity budgets to rise in 2026 (Forrester). The skills gap of 299,000 unfilled positions (ENISA) keeps managed services growing at double digits.
  • US vendors hold 65 to 70% of the European market. European vendors hold 18 to 22%. The “digital sovereignty” narrative hasn’t moved that share in five years and probably won’t by 2030.

Why the published numbers don’t agree

Before believing any single market size, look at the spread.

| Source | 2025 (Europe incl. UK) | 2030 | CAGR |
|---|---|---|---|
| Statista | $49 billion | $64 billion | 5.6% |
| MarketsandMarkets | $54.8 billion | $83 billion | 8.7% |
| Fortune Business Insights | $56 billion | n/a | 12.7% |
| Mordor Intelligence | $69.8 billion (2026) | $115.7 billion (2031) | 10.6% |
| Market Data Forecast | $76.2 billion | $194 billion (2033) | 12.4% |
| IMARC | $81.8 billion | $165.7 billion (2034) | 8.2% |
| IDC (full end user spend) | $78 billion | $97 billion (2028) | 11.8% |

The spread of $49 to $82 billion is 67%. That’s not analyst error. It’s three different things being measured under the same name.

What each source actually counts

Statista counts vendor revenue from primary cybersecurity products. Mordor and MarketsandMarkets include hardware, software, and services together. IDC counts full end user spending including in house personnel. IMARC casts the widest net and includes systems integrators. None of them is wrong. They’re answering different questions.

For practical use: take the all Europe consensus at $55 to $70 billion in 2025, then subtract roughly 23% to back out the UK. That gives continental Europe (EU + EEA) at €45 to €60 billion, with a median near €50 billion. This is the number to plan against.

What’s really driving the spend

Forget “rising threats.” That story has been true for two decades and doesn’t explain why budgets are rising specifically now. The real drivers are four, and they all push in the same direction.

Regulation has crossed into hard spend territory

NIS2 covers about 150,000 to 160,000 entities across the EU (Germany alone has 29,500). The estimated direct compliance cost is €31.2 billion per year (Frontier Economics), which adds roughly 60% to the existing cybersecurity base in covered sectors. DORA covers about 22,000 financial entities plus their critical ICT providers. The cost for a large bank ranges from €2 to €15 million in planning to as much as €100 million for full implementation (McKinsey, Deloitte). The Cyber Resilience Act adds €29 billion in one time compliance costs across product manufacturers (European Commission impact assessment).

The talent shortage is structural, not cyclical

ENISA puts the EU gap at 299,000 cybersecurity professionals in 2025. 75% of organisations cannot attract suitable candidates and 71% cannot retain them. This shortage cannot be closed by graduation rates alone within five years, which is why managed detection and response (MDR) is the fastest growing service category in Europe, with NIS2 alone driving a 40% adoption boost (Gartner, Vectra).

AI sits on both sides of the attack

ENISA’s 2025 Threat Landscape reports that more than 80% of phishing campaigns now use AI generated content. IBM’s 2025 Cost of a Data Breach found that 1 in 6 incidents now involves attackers using AI. On the defender side, AI driven security operations cut breach costs by an average of $1.9 million per incident. Germany saw the first drop in breach costs in five years (down 24% year over year), almost entirely thanks to AI augmented SOCs.

Geopolitics keeps the floor under public spending

APT activity, cyber espionage (up 150% in 2024 according to Microsoft), and the convergence of hacktivism with state aligned operations have made cybersecurity a national budget item across the EU. Germany alone committed €2.3 billion per year plus €2.2 billion one off to its NIS2 implementation. France’s France 2030 cyber pillar exceeds €1 billion. Italy has put €2 billion plus €623 million from its national recovery plan into the same effort.

These four forces aren’t independent. Regulation expands scope, which exposes the talent gap, which pushes buyers toward managed services and AI tooling, which becomes both a defence against AI driven attacks and a way to keep up with new compliance demands. The market grows because all four pull at once.

The regulatory wave in numbers

If you ask a European CISO where the budget pressure comes from in 2026, the answer isn’t ransomware. It’s compliance.

| Regulation | Scope | In force | Direct spending impact |
|---|---|---|---|
| NIS2 | 150,000+ critical and important entities | Transposing into national law through 2026 | €31.2 billion/year compliance (Frontier Economics) |
| DORA | 22,000 financial entities + critical ICT providers | January 17, 2025 | €2 to €100 million per major bank; 70% expect permanent opex uplift |
| Cyber Resilience Act | All products with digital elements sold in EU | Reporting Sept 2026; full Dec 2027 | €29 billion one time across manufacturers |
| AI Act | High risk AI systems and GPAI | August 2024, phased to 2027 | New AI TRiSM segment; cited in 12.5% global cyber spend rise 2026 |
| eIDAS 2.0 | Digital identity wallets across EU | Wallets by Dec 2026; mandatory acceptance Dec 2027 | 169 million wallets target by 2026; major IAM driver |
| Cyber Solidarity Act | EU wide cyber reserve and coordination | Feb 4, 2025 | €1.109 billion budget |
| GDPR | All controllers and processors | May 25, 2018 | €7.1 billion cumulative fines; €1.2 billion in 2025 alone |

Why CRA changes everything for vendors

The most disruptive of these for vendors is the Cyber Resilience Act. Starting December 2027, any product with digital elements sold in the EU has to meet baseline security requirements, secure by design principles, and vulnerability disclosure obligations. Open source software embedded in commercial products is in scope. Application security testing, software bill of materials (SBOM) tooling, and secure development services are about to become mandatory line items for thousands of vendors that previously treated security as optional.

Why mid market gets pulled in

The regulatory load also explains why mid market and SMB segments are the fastest growing customer categories. NIS2 sets the threshold at 50 employees or €10 million in revenue. Many companies that never thought of themselves as critical infrastructure now find themselves inside the scope, with the same reporting and risk management obligations as the largest banks.

The implementation gap

One important caveat. Member State implementation has been slow. As of mid 2025, only 14 of 27 EU countries had fully transposed NIS2 into national law. The European Commission has opened infringement proceedings against 13 others, including Germany, France, and Spain. Germany’s national NIS2 law was finally published in December 2025; only about a third of in scope German entities had registered by March 2026. Vendor revenue from NIS2 driven spending will land in 2026 and 2027 rather than 2025.

Country breakdown: where the money is

The continental European market is concentrated. Five countries make up about 70% of the spend.

Germany: the structural anchor

Germany is the largest market at roughly €11 billion in 2025 (Bitkom industry data). It accounts for about 25% of continental EU spending. The combination of a large industrial base, deep DORA exposure (Frankfurt finance), 29,500 NIS2 entities, and €4.5 billion in dedicated NIS2 funding for 2025 to 2027 makes it the structural anchor of the European market. Mordor’s growth forecast of 11% CAGR is more credible than Statista’s 5.5%, given the regulatory load.

France: the quantum bet

France runs at €5.7 billion to €9.1 billion in 2025 depending on scope, with about 10 to 12% of continental spending. France stands out for two reasons: ANSSI’s 656 full time staff is the largest national cybersecurity agency in Europe, and the €1.9 billion national quantum strategy puts France ahead on post quantum cryptography readiness. The Paris Olympics added an estimated $94 million in one off cybersecurity spending in 2024.

Italy: the underrated market

Italy hits about $4 billion in 2025 with the highest national CAGR among large markets (13% per Mordor). The combination of a $2.2 billion National Strategy 2022 to 2026, €623 million from the recovery plan, and 15% year over year growth in distribution channel sales makes Italy the most underrated mid tier market in the EU.

Spain: the southern accelerator

Spain runs about $2.8 billion with 20% year over year channel growth in 2025. The €1.16 billion Industrial and Tech Plan for Security and Defence approved in May 2025 will accelerate this further. Spain is the southern European success story that most non Spanish vendors have underweighted in their EMEA plans.

Netherlands: regulatory leader

The Netherlands sits around €2.6 billion with the fastest CAGR among large EU markets in Mordor’s forecast (12.2%). The country is also the EU leader in GDPR notifications (33,471), which signals high regulatory maturity and willingness to spend.

Sub regional summary

| Sub region | 2025 size | CAGR base case | Standout |
|---|---|---|---|
| DACH (DE, AT, CH) | $10 to $15 billion | 9% | Germany anchor |
| France | $5.7 to $9.1 billion | 9% | ANSSI scale, quantum |
| Benelux | $3.9 to $4.3 billion | 9% | Netherlands fastest |
| Nordics | $3.9 to $13.8 billion | 8% | Norway 10.1% |
| Southern Europe (IT, ES, PT, GR) | $7.5 to $10 billion | 12% | Spain +20% YoY channel |
| CEE (PL, CZ, HU, RO, BG, SK, EE, LV, LT) | $2.0 to $2.5 billion | 13% | Czech +15.4%, Poland +59% channel |

CEE: the most overlooked growth pocket

Central and Eastern Europe is the most overlooked growth pocket in the entire market. Czech Republic posted 15.4% year over year growth in 2025 (IDC), Hungary 14.1%, Ireland 13.3%. Poland’s distribution channel grew 59% year over year in 2025. These markets are small in absolute terms but compound the fastest. For vendors looking for share gains rather than margin defence, CEE is where the next five years will be most rewarding.

The segment story: where growth concentrates

Average market growth of 9% is misleading. Some segments will grow at 25 to 30% per year. Others will essentially stagnate. The composition is shifting faster than the totals suggest.


The fastest growing segments

API Security leads at roughly 30% CAGR. Less than 12% of EU companies currently scan APIs at commit, which is a structural gap that the Cyber Resilience Act will force to close. CNAPP (cloud native application protection platforms) follows at 19 to 32%, consolidating four older categories into one. SASE and SSE (security service edge) sit at 22 to 27%; Gartner expects 70% of SD-WAN purchases to come bundled inside SASE by 2028. Privileged access management runs at 19 to 24% in Europe, partly because cyber insurance underwriters now require it. Managed detection and response is 18 to 22%, with NIS2 alone driving a 40% boost in adoption (Gartner, Vectra). Security awareness training grows at 17%, since NIS2 Article 21 makes training mandatory.

The mature, slower growth segments

Network security (the largest at 33 to 36% of EU cyber spend) grows at 10 to 13% as the firewall installed base refreshes and SASE cannibalises some of it. Endpoint protection platforms grow at 8 to 10%, but EDR and XDR within that category run at 18 to 24%. Vulnerability management sits at 7 to 9%, a mature segment with limited disruption.

Segment summary

| Segment | 2025 EU share | CAGR to 2030 |
|---|---|---|
| Network security | 33 to 36% | 11% |
| MDR / MSSP / SOCaaS | 25 to 28% | 11 to 22% |
| IAM (incl. PAM) | 9 to 12% | 11 to 22% |
| OT / ICS security | 8 to 10% | 13% |
| Cloud security (incl. SASE, CNAPP) | 6 to 8% | 15 to 25% |
| Endpoint and EDR/XDR | 7 to 10% | 9 to 21% |
| Application security | 5 to 7% | 15% |
| GRC / compliance | 7 to 10% | 16% |

For vendors, the strategic question isn’t which segment is biggest. It’s which one is growing faster than your current product mix. A company that built its business on traditional firewalls is in a different reality than one that built on EDR or cloud workload protection. The first will struggle to keep pace with the market. The second has a tailwind.

For buyers, the segment growth rates also reveal where the market is consolidating. CNAPP isn’t a new category; it’s four older ones (CSPM, CWPP, CIEM, DSPM) being absorbed into a single platform purchase. SASE follows the same pattern. Buyers who keep buying point tools for each function are paying more and getting less integration than buyers who consolidate onto fewer platforms.

The threat picture and what it changes

ENISA’s 2025 Threat Landscape analysed 4,875 incidents between July 2024 and June 2025. The patterns shape what European buyers spend on, even before regulation forces them to.

Phishing remains the dominant entry point

Phishing accounts for 60% of intrusions. What’s changed is who can run it. Phishing as a service platforms have made sophisticated, multi language campaigns accessible to low skill attackers. The Darcula platform alone has impersonated hundreds of European organisations. AI generated content now appears in over 80% of campaigns, making detection by traditional content inspection harder than ever.

Ransomware is the most damaging category

Sophos’s State of Ransomware 2025 found that 49% of EU victims paid the ransom, with average recovery cost at $1.53 million (down 44% year over year, but still material). The attack on Collins Aerospace’s check in software in September 2025 disrupted operations at Heathrow, Brussels, and Berlin airports, a textbook example of how a single supply chain compromise can cascade across multiple critical services in different countries.

Supply chain attacks doubled

Verizon’s 2024 DBIR put third party related incidents at 15% of the total. The 2025 edition put it at roughly 30%. The XZ Utils backdoor discovered in March 2024 was the canonical example of how one open source package can put thousands of organisations at risk simultaneously. IBM’s average supply chain breach cost was $4.91 million with 267 days to recover.

Hacktivism: high volume, mostly symbolic

Hacktivist groups accounted for nearly 80% of recorded incidents, mostly low level DDoS attacks. Only 2% caused real service disruption. Germany became the world’s number one DDoS target in Q1 2025, with 20.5 million attacks per quarter (up 358% year over year, per Cloudflare).

State aligned activity is professionalised

APTs target NATO and European critical infrastructure. Chinese cyber espionage rose 150% in 2024 (Microsoft Digital Defense Report 2024). North Korea’s Lazarus Group stole over $3 billion in cryptocurrency, including $1.5 billion from a single ByBit theft in February 2025.

The takeaway for buyers: the threat landscape isn’t dominated by one type of attacker any more. It’s a continuous, diversified pressure environment. That’s why “best of breed” point solutions are losing ground to platforms that correlate signals across email, endpoint, identity, cloud, and network.

The vendor landscape

Despite a decade of “European champions” rhetoric, the European cybersecurity market is dominated by US vendors.


The European share has held flat at 18 to 22% for at least five years. The narrative around digital sovereignty hasn’t moved the actual numbers. The €1.1 billion Cyber Solidarity Act budget is less than Microsoft Security’s annual EU revenue. Government funding alone cannot create a structural shift in vendor share.

Consolidation is accelerating

Recent landmark deals tell the story. Cisco acquired Splunk for $28 billion (March 2024), the largest cybersecurity and observability deal ever. Google acquired Wiz for $32 billion (March 2025), the largest pure cybersecurity deal in history. Palo Alto Networks announced the acquisition of CyberArk for $25 billion (closing H2 2026), creating an identity security platform. Proofpoint acquired Hornetsecurity (Germany) for $1.8 billion in December 2025, a major US to EU deal. Thoma Bravo took Darktrace private for $5.32 billion (October 2024), removing one of Europe’s largest listed cybersecurity firms from public markets. Sophos acquired Secureworks for $859 million (February 2025), consolidating XDR and MDR capabilities.

European specialists worth watching

European pure plays are increasingly going to private equity or US strategic buyers. Hornetsecurity, Darktrace, and WithSecure have all moved away from European public ownership. Bitdefender and ESET remain the largest independent European cybersecurity vendors with significant scale.

For buyers, this means the field is narrowing. Five to ten platform vendors will dominate enterprise spend by 2030. For investors, the action is in the European specialists: PQC vendors (PQShield, Utimaco, IDQ), AI security startups, OT specialists (Rhebo, Stormshield), and the country specific managed service champions (Orange Cyberdefense at €1.22 billion, Atos/Eviden, Telefónica Tech).

What the next five years will reward

Three patterns will determine who wins from this market through 2030.

Compliance baked into platforms

Vendors that bake regulatory compliance into their platforms rather than as add ons will win. Buyers don’t want a separate tool for NIS2 reporting and another for DORA evidence. The vendors that make compliance a feature rather than a workflow will capture mid market and SMB share, where regulatory complexity overwhelms internal teams.

Services that close the talent gap

With 299,000 unfilled positions and no credible path to closing the gap by 2030, the buyers who can’t hire will buy. Managed detection and response, managed SIEM, managed cloud security, and virtual CISO services will keep growing at 15 to 22% per year. The European MSSP market is more fragmented than the US equivalent, which leaves room for both consolidation and new entrants with strong vertical specialisation.

Post quantum cryptography readiness

The EU has set a hard deadline for critical infrastructure to migrate to post quantum cryptography by end of 2030. Most organisations haven’t started cryptographic inventories, let alone migration plans. France has committed €1.9 billion to a national quantum program. Germany, the Netherlands, and the Nordics are setting up similar initiatives. The vendors that can deliver hybrid PQC and classical solutions over the next five years will see exceptional growth from a small base.

What buyers should do now

For buyers, the practical roadmap is clearer than the headlines suggest. Get a defensible answer to NIS2, DORA, or CRA depending on your sector. Start a cryptographic inventory and PQC plan in 2026, not 2029. Invest in either internal capacity or a managed partner that can deal with AI driven attacks at scale. Doing nothing isn’t a budget neutral position any more; it’s a regulatory and operational risk.

What investors should target

For investors, the segments that matter are managed security services (double digit growth, structural demand from the talent gap), product security tooling (CRA tailwind), PQC infrastructure (2030 deadline), and AI driven detection platforms (arms race economics).

The bottom line

Continental Europe’s cybersecurity market in 2030 will be larger, more regulated, and more concentrated than today. Steady growth of 9% per year, not the explosive 12 to 15% some analysts publish. €77 billion at the base case, with a realistic range of €70 to €84 billion depending on whether NIS2 implementation accelerates or stalls.

The headline number matters less than the composition. About 60% of the base will be compliance driven, mandatory spending. The fastest growing segments will be 3 to 4 times the average growth rate. Central and Eastern Europe will grow faster than Western Europe in percentage terms, even though Germany and France remain the dominant absolute markets. US vendors will keep their 65 to 70% share. European specialists will grow inside their niches but not break through to platform dominance.

The biggest risk to this forecast isn’t a worse threat environment or a sharper geopolitical crisis. It’s regulatory fatigue. Mid market and SMB buyers are absorbing NIS2, DORA, CRA, AI Act, eIDAS 2.0, and Product Liability Directive (PLD) revisions all at once. The 2025 channel slowdown to +5.2% (CONTEXT data) is an early signal. Vendors who treat these regulations as a single, integrated story for the buyer will win. Vendors who pile up separate compliance modules will lose mid market share faster than they expect.

The biggest upside is AI driven cost reduction. Germany’s 24% drop in average breach cost in 2025 is the first such decline in five years and almost entirely thanks to AI augmented SOCs. If that pattern repeats across France, Benelux, and Italy in 2026 and 2027, AI security tools shift from a compliance line item into a measurable ROI category. That’s the trigger that could push the market into the 11% CAGR upper scenario rather than the 9% base.

For anyone planning a five year European cybersecurity strategy, the right anchor is this: build around 9% base growth, plan for compliance to drive 60% of the spend, watch CEE for share gains, and treat AI and PQC as the two technologies that will reshape both buyer and vendor economics by the end of the decade.

Dmitrii Gavrikov

Fractional CMO with 20+ years experience at Fortune 500 companies including Siemens, Cisco, and Kaspersky Lab. I help companies scale revenue, increase profits, and enter new markets.