Data from December 2024
Planned article update: December 2026
Highlights
In 2023, 21.54% of enterprises in the EU suffered various consequences due to ICT related security incidents.

Source: Eurostat (isoc_cisce_ra) and (isoc_cisce_ic)
This article analyses recent statistical data on information and communication technologies (ICT) security in the European Union (EU). Results were obtained through a specific set of questions in the 2024 questionnaire of the EU survey on ICT usage and e-commerce in enterprises. In this context, ICT security refers to relevant incidents as well as measures, controls and procedures applied by enterprises in order to ensure integrity, confidentiality and availability of their data and ICT systems.
ICT security in EU enterprises

Source: Eurostat (isoc_cisce_ra) and (isoc_cisce_ic)
In 2024, 92.76% of EU enterprises with 10 or more employees or self-employed persons used at least one measure in order to ensure integrity, availability and confidentiality of data and ICT systems. More than 1 in 3 enterprises (35.50%) reported having documents putting in place measures, practices or procedures on ICT security. In a fifth of enterprises (21.82%) these documents were defined or reviewed in the last 12 months. 59.97% of EU enterprises made their staff aware of their obligations in ICT security related issues. Finally, 1 in 5 enterprises (21.54%) experienced consequences due to ICT related security incidents in 2023 (Figure 1).

Source: Eurostat (isoc_cisce_ra) and (isoc_cisce_ic)
ICT security measures
In 2024, 92.76% of EU enterprises used at least one of the ICT security measures presented in Figure 2. The most common measure used was the strong password authentication (83.69%), followed by data backup to a separate location or cloud (79.23%) and network access control (65.43%). Less than half of enterprises reported using Virtual Private Networks (VPN) (49.64%) or maintaining log files for analysis after security incidents (45.16%). Enterprises less frequently used a combination of 2 or more authentication mechanisms (39.84%), encryption techniques for data, documents or e-mails (39.72%), ICT security tests (34.64%), ICT risk assessments (34.10%), or authentication via biometric methods (18.27%) (Figure 2).

(% of enterprises)
Source: Eurostat (isoc_cisce_ra)
Figure 3 provides a closer look at the most and least used ICT security measures according to the enterprise size. The ICT security measure strong password authentication was used by almost all large enterprises (96.78%), by 90.66% of medium-sized ones and more than 8 in 10 small enterprises (82.03%). Similar figures were reported for the second most popular ICT security measure – the data backup to a separate location, which was used by 94.95% of the large enterprises, 88.48% of the medium size enterprises and 77.09% of small enterprises. Larger differences related to the enterprise size were observed in the share of enterprises using the less common ICT security measures. The ICT risk assessment was used by 75.62% of large enterprises, while the share of small enterprises using this particular measure was more than 2 times less (29.35%). Regardless of the enterprise size, the authentication via biometric methods was the least used ICT security measure, although the share of large enterprises using this measure (38.55%) was significantly higher than the figure recorded for small enterprises (16.44%).

(% of enterprises)
Source: Eurostat (isoc_cisce_ra)
Documents on measures, practices or procedures on ICT security
In 2024, 35.50% of EU enterprises had documents which put in place measures, practices or procedures on ICT security. Shares higher than 50% were registered in Finland (59.41%), Denmark (59.11%) and Portugal (54.29%). On the other hand, less than 20% of the enterprises had documents on measures, practices or procedures on ICT security in Greece (18.28%), Hungary (13.75%) and Bulgaria (13.67%) (Figure 4).

(% of enterprises)
Source: Eurostat (isoc_cisce_ra)
More than one-fifth of the enterprises in the EU (21.82%) have defined or reviewed their documents on measures, practices or procedures on ICT security during the last 12 months. For 7.58% this was the case between 12 and 24 months ago and for another 4.58% more than 24 months ago. More than half of large enterprises (57.87%) reported having defined or reviewed their documents on ICT security within the last 12 months, while for medium-sized and small enterprises this share was significantly lower with 35.72% and 17.98% respectively (Figure 5).

(% of enterprises)
Source: Eurostat (isoc_cisce_ra)
In 2024, almost 3 out of 5 EU enterprises (59.97%) made their employees aware of their obligations in ICT security related issues. Voluntary training or internally available information for instance on the intranet was the most common form used (42.59% of enterprises), followed by contracts such as employment contracts (34.25%) and by compulsory training courses or viewing compulsory material (24.51%).
The share of enterprises making persons employed aware of their obligations in ICT security by any of the measures presented in Figure 6, was particularly high for large (92.34%) and medium-sized enterprises (76.45%). Nevertheless, also more than half of small enterprises (55.99%) reported making persons employed aware of their obligations in ICT security (Figure 6).

(% of enterprises)
Source: Eurostat (isoc_cisce_ra)
Among all EU countries, the percentage of enterprises making persons employed aware of their obligation in ICT security ranged from 77.47% in Czechia, followed by Finland (74.81%), Denmark (70.07%) and Ireland (69.16%) to 38.96% in Croatia and 31.68% in Greece. In 21 EU countries, the share of enterprises, which reported making persons employed aware of their obligations in ICT security related issues was higher than 50% (Figure 7).

(% of enterprises)
Source: Eurostat (isoc_cisce_ra)
In 2023, more than 1 in 5 EU enterprises (21.54%) experienced ICT related security incidents leading to consequences such as the unavailability of ICT services, destruction or corruption of data or disclosure of confidential data (Figure 1). The ICT security incidents can be caused by malicious attacks from outside or inside the enterprise, or by non-malicious causes, such as hardware or software failures or unintentional action by own employees. In 2023, enterprises more often reported damages to enterprises' ICT services or data being caused by non-malicious incidents. The most commonly reported consequence caused by ICT security incidents was the unavailability of ICT services due to hardware or software failures (17.97% of enterprises). In comparison, unavailability of ICT services due to attack from outside (e.g. ransomware attacks, Denial of Service attacks) was reported by 3.43% of enterprises. Destruction or corruption of data resulting from hardware or software failure was reported by 3.87% of enterprises, while infection with malicious software or unauthorised intrusion led to destruction or corruption of data in 1.89% of enterprises. Least frequently, enterprises reported disclosure of confidential data due to intrusion, pharming or phishing attack or intentional actions of own employees (1.57%) or due to unintentional actions of own employees (1.15%) (Figure 8).

Source: Eurostat (isoc_cisce_ic)
Considering the economic activity breakdown, during 2023, more than one-fourth of the enterprises in information and communication, professional, scientific and technical activities, electricity, gas, steam, air conditioning and water supply and real estate activities experienced ICT security incidents leading to unavailability of ICT services, destruction or corruption of data or disclosure of confidential data. In construction and transport and storage this was the case for less than 1 in 5 enterprises (Figure 9).

(% of enterprises)
Source: Eurostat (isoc_cisce_icn2)
Source data for tables and graphs
Data sources
Source: Data presented in this article are based on the results of the 2024 EU survey on 'ICT usage and e-commerce in enterprises'. Statistics were obtained from surveys in enterprises conducted by National Statistical Authorities in the first months of 2024.
Sample: In 2024, some 157 000 enterprises, with 10 or more employees or self-employed persons, out of 1.54 million in EU were surveyed. Out of these 1.54 million enterprises, approximately 83% were small enterprises (with 10-49 employees or self-employed persons), 14% medium (50-249 employees) and 3% large enterprises (250 or more employees).
Main concepts: The observation statistical unit is the enterprise, as defined in the Regulation 696/1993 of 15 March 1993. The survey covered enterprises with at least 10 persons employed. Economic activities correspond to the classification NACE Revision 2. The sectors covered are manufacturing, electricity, gas and steam, water supply, construction, wholesale and retail trades, repair of motor vehicles and motorcycles, transportation and storage, accommodation and food service activities, information and communication, real estate, professional, scientific and technical activities, administrative and support activities and repair of computers and communication equipment.
Context
In the context of the survey on enterprises, ICT security refers prominently to measures, controls and procedures applied by enterprises in order to ensure integrity, confidentiality and availability of data and ICT systems. The relevant statistics would be used in the context of the European Strategy for Cyber Security that provides the overall strategic framework for the EU initiatives on cybersecurity and cybercrime. Trust and security are an important element of Europe fit for digital age.
From the legislative point of view, on 7th December 2015, the European Parliament and the Council reached an agreement on the Commission's proposed measures to increase online security in the EU. The Network and Information Security (NIS) Directive is the first piece of European legislation on cybersecurity that was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. NIS includes common provisions across the Union, addressing national capabilities and preparedness, EU-level cooperation, take up of risk management practices and an information sharing culture in NIS and notification of IT incidents. Moreover, on 13th September 2017 the Commission adopted a cybersecurity package. The Cybersecurity Act, which has now entered into force, lies at the core of the package.
Explore further
Other articles
- Digital economy and society statistics - enterprises
- E-commerce statistics
- Use of artificial intelligence in enterprises
- Cloud computing - statistics on the use by enterprises
- Use of Internet of Things in enterprises
- E-business integration
- Social media - statistics on the use by enterprises
- ICT specialists - statistics on hard-to-fill vacancies in enterprises
- Impact of COVID-19 on e-sales of enterprises
- Impact of COVID-19 on the use of ICT in enterprises
Database
- ICT usage in enterprises (isoc_e)
- ICT security (isoc_cisc)
- Security policy, measures, risks and staff awareness by size class of enterprise (isoc_cisce_ra)
- Security policy, measures, risks and staff awareness by NACE Rev. 2 activity (isoc_cisce_ran2)
- Security incidents and consequences by size class of enterprise (isoc_cisce_ic)
- Security incidents and consequences by NACE Rev. 2 activity (isoc_cisce_icn2)
- ICT security (isoc_cisc)
Thematic section
Publications
- ICT security in enterprises, 2010 - Statistics in focus 7/2011
- Recent Eurostat publications on Digital economy and society
Selected datasets
Methodology
- ICT usage and e-commerce in enterprises (ESMS metadata file — isoc_e_esms)
- European businesses statistics compilers' manual for ICT usage and e-commerce in enterprises – 2023 edition
External links
Legislation
- Regulation (EU) 2019/2152 of the European Parliament and of the Council of 27 November 2019 on European business statistics
- Regulation (EC) No 808/2004 of the European Parliament and of the Council of 21 April 2004 concerning Community statistics on the information society
- Regulation (EC) No 960/2008 of 30 September 2008 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EC) No 1023/2009 of 29 October 2009 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) No 821/2010 of 17 September 2010 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) No 937/2011 of 21 September 2011 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) No 1083/2012 of 19 November 2012 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) No 859/2013 of 5 September 2013 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) No 1196/2014 of 30 October 2014 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) 2015/2003 of 10 November 2015 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) 2016/2015 of 17 November 2016 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) 2017/1515 of 31 August 2017 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
- Regulation (EU) 2018/1798 of 21 November 2018 implementing Regulation (EC) No 808/2004 of the European Parliament and of the Council concerning Community statistics on the information society for the reference year 2019
- Regulation (EU) 2019/1910 of 7 November 2019 implementing Regulation (EC) No 808/2004 of the European Parliament and of the Council concerning Community statistics on the information society for reference year 2020
- Regulation (EU) 2020/1030 of 15 July 2020 laying down the technical specifications of data requirements for the topic 'ICT usage and e-commerce' for the reference year 2021, pursuant to Regulation (EU) 2019/2152 of the European Parliament and of the Council
- Regulation (EU) 2021/1190 of 15 July 2021 laying down the technical specifications of data requirements for the topic 'ICT usage and e-commerce' for the reference year 2022 pursuant to Regulation (EU) 2019/2152 of the European Parliament and of the Council
- Regulation (EU) 2022/1344 of 1 August 2022 laying down the technical specifications of data requirements for the topic 'ICT usage and e-commerce' for the reference year 2023, pursuant to Regulation (EU) 2019/2152 of the European Parliament and of the Council
- Regulation (EU) 2023/1507 of 20 July 2023 laying down the technical specifications of data requirements and the deadlines for submission of metadata and quality reports for the topic of ICT usage and e-commerce for the reference year 2024, pursuant to Regulation (EU) 2019/2152 of the European Parliament and of the Council
- Regulation (EU) 2024/1883 of 9 July 2024 laying down the technical specifications of data requirements and the deadlines for submission of metadata and quality reports for the topic Information and Communication Technologies usage and e-commerce for the reference year 2025, pursuant to Regulation (EU) 2019/2152 of the European Parliament and of the Council
- Regulation (EC) No 696/1993 of 15 March 1993 on the statistical units for the observation and analysis of the production system in the Community