
CISO Burnout Becomes a Security Risk for Enterprises

The gist: Cognitive exhaustion in overloaded security teams produces errors that attackers can exploit; the regulatory burden has itself become a security risk.

Massive psychological strain from the NIS2 Directive and additional compliance requirements leads to faulty decisions in security teams and thus jeopardizes the IT security of enterprises. 78 percent of security executives fear personal legal consequences in the event of an incident.

The permanent pressure from regulatory requirements such as the NIS2 Directive, the Digital Operational Resilience Act, and the EU AI Act is causing massive cognitive overload for CISOs and their teams. The Splunk CISO Report shows that 78 percent of the security executives surveyed fear personal legal consequences in the event of an incident, a marked increase over previous years. The CISO Pressure Index finds that 80 percent of surveyed CISOs face high or extreme daily pressure and 67 percent report weekly or daily burnout symptoms. Almost 40 percent of respondents are considering leaving the profession entirely.

This ongoing strain leads to direct security deficits. Tired analysts become desensitized to the stream of notifications and miss genuine alerts, a phenomenon known in the security industry as alert fatigue; under the same pressure they also approve risky releases simply to keep processes moving. Modern monitoring tools generate thousands of notifications daily, a large portion of which are false alarms. Security teams spend almost half their daily working time solely on maintaining their own security tools rather than on proactive defensive measures.

Under chronic stress, human decision quality demonstrably degrades. Analysts review complex alerts incompletely or prematurely close critical ones in the ticketing system. Operational pressure from business departments, which want to accelerate deployments and digital processes, causes exhausted security staff to approve risky exceptions to avoid conflict.

The high turnover rate amplifies this effect: the average tenure of a CISO in European enterprises has fallen to 18 to 26 months. These constant changes undermine the continuity of security strategy and leave structural gaps in the defensive architecture. The lack of experience and context continuity among new security executives further compounds faulty decisions.


Source: www.it-daily.net · Published June 30, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.