Cybersecurity ETF EU 2026: ISPY vs R2SC vs BUG UCITS

TL;DR

EU investors can access cybersecurity through three main UCITS ETFs: iShares Digital Security (ISPY/LOCK) at 0.40% TER, Rize Cybersecurity & Data Privacy (R2SC/CYBR) at 0.45% TER, and L&G Cyber Security (ISPY equivalent in some lines, ticker USPY/CYBR variants). AUM ranges from ~EUR 280M (R2SC) to ~EUR 2.6B (L&G ISPY). 5-year annualised return runs around 9-11%, broadly tracking but slightly trailing the Nasdaq-100 while outperforming MSCI World over the same window. Key risk: deal-cycle elongation in enterprise software during macro slowdowns and valuation compression when 10-year yields rise. Informational content, not investment advice. Thematic ETFs concentrate risk; consider role in overall portfolio.

---

Why Cybersecurity in 2026

Cybersecurity spend in 2026 is approaching USD 250 billion globally, growing at ~12% CAGR versus broader IT spend at 6-7%. Underlying drivers:

• Regulatory pressure. EU NIS2 directive (in force from October 2024) extended scope to 160,000+ entities across 18 sectors, with personal liability for boards and fines up to EUR 10M or 2% of global turnover.
• AI-driven attack surface. Generative AI lowered the cost of phishing and social engineering; deepfake-driven CEO fraud rose roughly 3x year-over-year in 2024-2025 per industry reports.
• Ransomware monetisation. Average ransom paid per incident is around USD 1.5M in 2025, with downtime costs typically 5-10x that figure.
• Cloud-native shift. Identity (Okta, CrowdStrike Falcon Identity), SASE (Zscaler, Cloudflare), and SaaS security posture (Wiz, Palo Alto Prisma) — each segment growing 25-40% annually.
• State actor activity. Geopolitical tensions (Russia/Ukraine, China/Taiwan, Israel/Iran) increased nation-state cyber budgets globally.

Historical data shows cybersecurity as a sub-segment has outperformed broad software (IGV) by ~3% annualised since 2018, with higher Sharpe ratio thanks to recurring-revenue resilience. Many thematic investors include cyber as a growth-tilted satellite alongside a broad core.

---

Top UCITS Cybersecurity ETFs Comparison

The L&G USPY is the oldest and largest by AUM but carries the highest TER. iShares LOCK offers the cheapest cost in the category at 0.40%. The newer funds (BUGG, WCBR) provide alternative index methodologies.

---

Holdings Breakdown and Overlap

Top recurring names across all five UCITS cybersecurity ETFs at end-2025:

CrowdStrike, Palo Alto Networks, Fortinet, Zscaler, Cisco, Check Point, Cloudflare, Okta, Akamai, SentinelOne, Tenable, Rapid7, Qualys, F5, Gen Digital (Norton + Avast).

Overlap analysis: roughly 70-80% holdings overlap by name between LOCK and USPY; weight differences are meaningful — USPY caps at 6% per position and rebalances semi-annually, LOCK uses a modified market-cap method capped at 5%.

Geographic exposure (LOCK approx end-2025):

• United States: 79%
• Israel: 7% (Check Point, CyberArk)
• Japan: 4% (Trend Micro, NTT)
• United Kingdom: 3%
• Other: 7%

Sub-segment mix (typical cybersecurity ETF):

• Endpoint / EDR: 22%
• Network security & SASE: 24%
• Identity & access: 14%
• Cloud security: 13%
• Application & data security: 12%
• Services / consulting: 15%

R2SC and WCBR add data privacy / DLP names (OneTrust, Varonis) that the bigger LOCK/USPY don't carry, pushing thematic purity higher but liquidity lower.

---

Performance Snapshot

Historical data (approximate annualised total return in EUR, to end-2025):

Tracking error for LOCK and USPY versus their respective indices (STOXX Global Digital Security; ISE Cyber Security) is ~0.10-0.20% annualised.

---

Does Cybersecurity Outperform Broad Index After Fees

Mixed result. Over 5 years, cybersecurity ETFs delivered ~10-11% annualised versus ~11.6% MSCI World and ~14.9% Nasdaq-100. Cyber slightly trailed broad indices despite the secular narrative — because 2022 was brutal for high-multiple software (-30 to -36% drawdown), and the recovery in 2024-2025, while strong, didn't fully close the gap.

Over 3 years (post-2022 trough), cybersecurity outperformed MSCI World by 2-3% annualised and roughly matched the Nasdaq-100. The thesis works when you can stomach the volatility. Pricing power and recurring revenue models have held through two macro cycles — cyber budgets are stickier than discretionary IT spend.

---

Total Cost for EU Investor

For a EUR 10,000 position in LOCK held 5 years:

• TER: 0.40%/year = ~EUR 200 cumulative
• Spread (Xetra typical): ~0.10%
• One-way commission: typically EUR 0-1 at Trade Republic, free at Scalable plans
• FX impact: ~79% USD underlying; PLN/EUR investors carry significant indirect USD exposure

Total expected drag vs index: ~0.45-0.55%/year.

USPY at 0.69% TER adds roughly EUR 350 over 5 years on a EUR 10k position vs LOCK — meaningful difference. For a Polish investor on an accumulating UCITS, the Belka 19% applies on sale only, declared on PIT-38.

---

Tax Treatment by Country

• Germany. Accumulating UCITS: Vorabpauschale applies; equity ETF Teilfreistellung 30% applies (equity quota >50%).
• France. Cybersecurity thematic ETFs are not PEA-eligible (US-heavy holdings >25%). Held in CTO; PFU 30%.
• Italy. 26% on realised gains; no offset against ordinary income.
• Spain. 19-28% sliding scale on capital gains.
• Netherlands. Box 3 fictitious yield until 2027 reform.
• Poland. 19% Belka on sale; PIT-38 declaration.

---

Broker Availability

Polish IKE/IKZE users: LOCK (IE00BG0J4C88) and USPY (IE00BYPLS672) are routinely accepted at BOSSA and mBank IKE since both have multi-year listing history on Xetra and LSE. Newer funds (BUGG, WCBR) may need a manual request.

---

When Cybersecurity ETF Makes Sense

1. Growth satellite to a broad core. A 5-10% sleeve in LOCK/USPY adds secular-growth exposure with strong recurring revenue characteristics.
2. Tech overweight with diversification. Investors heavy in Nasdaq-100 already get ~5% cyber via NVDA/MSFT halo; a dedicated cyber ETF deepens the bet on pure-plays (CrowdStrike, Palo Alto).
3. Regulatory tailwind play. NIS2, SEC cyber-disclosure rules (2023), and growing board-level mandates drive multi-year budget commitments.
4. Long-horizon DCA. Cyber budgets grow even in recessions (2008, 2020, 2022) — high-conviction 10-year hold suits.

---

When Cybersecurity ETF Does NOT Make Sense

1. Risk-averse income investor. ACC distribution, high volatility, and no dividend yield make it unsuitable for retirement income.
2. Already heavy in Nasdaq-100. QQQ/Nasdaq-100 ETFs already include CRWD, PANW, FTNT — meaningful double-counting risk.
3. Short-term traders. Single quarterly miss from a top-5 holding can move the ETF 5-8% intraday.
4. PEA-only French investors. No PEA wrapper crushes the after-tax case.

---

Sector-Specific Risks

• Deal-cycle elongation. In macro slowdowns, enterprise customers stretch evaluation cycles from 60 to 120+ days; CrowdStrike Q4 2022 commentary highlighted this; revenue growth decelerates from 50%+ to 25-30% even with solid pipelines.
• Valuation compression. Cyber stocks trade at 8-15x forward revenue; every 100 bps of 10-year yield move historically correlated with 10-15% derating.
• Concentration in top 10. Top 10 typically = 55-62% of ETF weight. CRWD/PANW/FTNT/ZS together can drive single-day ETF moves of 3-5%.
• M&A risk. Frequent M&A (Splunk-Cisco 2024, plenty more pending) reshuffles top constituents and can trigger index reconstitution events.
• AI commoditisation. Generative AI is enabling new entrants; established names face the question of whether they have defensible moats vs hyperscaler-native security (Microsoft Defender, Google Mandiant + Chronicle).

---

Worked Example: EUR 10,000 DCA Over 5 Years

EUR 167/month into LOCK for 60 months (EUR 10,020 total). Using trailing 5-yr annualised return of 11.2% net of TER:

• Final value (approximate): EUR 13,260
• Net gain: EUR 3,240 (+32.3%)

Same DCA into VWCE:

• Final value: EUR 13,180
• Net gain: EUR 3,160 (+31.5%)

Roughly a tie over this window — but cyber delivered the result with 2x the volatility and a 2022 drawdown of -31% vs VWCE's -19%. Risk-adjusted, broad index won. But cyber's last 3 years (post-2022) annualised 13.4% vs MSCI World 11.0% — sequencing matters.

---

Polish Reader Angle

For Polish investors:

• IKE/IKZE viability. LOCK and USPY are routinely held in BOSSA IKE and mBank IKE. Polish IKE annual limit for 2026 sits around PLN 26,000+ (3x average wage formula). For a long-horizon investor (15-20 years), a 5-10% cyber sleeve inside IKE compounds tax-free until withdrawal.
• DTT relief. Ireland-domiciled ETFs benefit from the Ireland-US tax treaty; US-sourced dividends suffer 15% WHT instead of 30%. The accumulating share class reinvests gross at fund level.
• FX risk. ~79% USD underlying. PLN strengthening 5% versus USD takes ~4% off the position even if the fund itself was flat.
• Polish broker considerations. mBank Brokers and BOSSA support LOCK and USPY on Xetra/LSE; commission typically 0.29% min PLN 19 for foreign markets — material for small DCAs, so monthly minimum DCA of EUR 500+ recommended.

Tracking thematic allocation drift

Cyber tends to drift up fast in good years and crash hard in bad ones — a 5% target sleeve can easily become 9% after a 2024-style rally. Freenance monitors per-theme weight drift, correlation between cyber and your core MSCI World holding, and the Financial Freedom Runway impact of letting concentrations grow — useful for disciplined rebalancing.

---

FAQ

Q: Is LOCK the same as the US-listed HACK or CIBR? No. HACK (ETFMG) and CIBR (First Trust) are US-listed and not available to EU retail under MiFID II. LOCK is the UCITS equivalent tracking STOXX Global Digital Security — different index, similar exposure.

Q: USPY costs 0.69% — why is it the largest cyber ETF in Europe? First-mover advantage (launched 2015), strong L&G distribution into UK pension/ISA wrappers, and good index design (capped exposure, broad cybersecurity definition). Many investors stayed despite cheaper alternatives.

Q: Should I prefer LOCK (0.40%) or USPY (0.69%)? On cost, LOCK wins. On track record and AUM, USPY is the safer institutional choice. Performance over 5 years is within ~0.6% annualised of each other — the cost difference compounds materially over 20+ years (~12% of terminal value).

Q: Are there hedged share classes? Hedged UCITS cybersecurity ETF share classes are rare; investors accept USD currency exposure or pair the position with a EUR-hedged broad equity hedge.

Q: Does cybersecurity hold up in recessions? Mixed evidence. 2022 drawdown was deep (-31 to -36%) but customer churn at top cyber vendors stayed below 5% — operational resilience was real, valuation pain was severe. Both can be true.

Q: Can I use a cyber ETF instead of buying CrowdStrike directly? The ETF gives diversification across 30-40 names; concentrated single-stock bets (CRWD or PANW alone) carry 2-3x the idiosyncratic risk. The ETF wrapper smooths individual blow-ups (Okta breach 2022, SolarWinds 2020, MOVEit 2023).

Q: How concentrated is the cybersecurity ETF universe at the top? Very. Across LOCK, USPY, R2SC and BUGG, CrowdStrike + Palo Alto Networks + Fortinet + Zscaler + Cisco typically account for 35-45% of total weight. A meaningful guidance miss from any one of these moves the ETF noticeably — CrowdStrike's July 2024 outage caused a single-day -11% drop in the stock and a roughly -3.5% drop in LOCK that day.

Q: What's the typical revenue growth rate for top holdings? At end-2025 consensus: CrowdStrike ~30% YoY revenue growth, Palo Alto Networks ~16%, Fortinet ~13%, Zscaler ~25%, Cloudflare ~28%, SentinelOne ~30%. This is 2-3x the broad software sector average, which is the structural argument for the premium valuation multiples cyber names carry.

Q: Do any cybersecurity ETFs include private companies via late-stage funds? No — UCITS rules restrict to listed equity. Private names like Wiz (acquired by Google in 2024 for USD 32B) and Snyk are not directly accessible. This is one disadvantage versus US 40-Act funds, which can occasionally hold pre-IPO shares.

---

Additional Considerations for Long-Horizon Investors

Microsoft and Google as cybersecurity competitors. A real strategic risk for pure-play cyber vendors is hyperscaler-native security. Microsoft Defender for Cloud, Microsoft Sentinel SIEM, Google Mandiant + Chronicle bundle directly into M365/GCP licensing — undercutting standalone vendors on price. Estimated cybersecurity revenue at Microsoft passed USD 20B in fiscal 2025, making it larger than any pure-play vendor. This dynamic is not captured in cybersecurity ETFs (Microsoft and Google sit in broad tech indices, not cyber). Investors who want defensive exposure to the security spend explosion sometimes also overweight QQQ or VGT alongside a cyber sleeve.

M&A consolidation cycle. The cyber sector is structurally fragmented — 3,500+ vendors globally, top 10 hold under 35% combined share. Consolidation is accelerating: Cisco-Splunk (2024), Palo Alto-IBM QRadar (2024), Thoma Bravo's repeated take-privates (Proofpoint, SailPoint, Sophos, Imperva). When listed targets are acquired, the ETF receives cash and the index drops the holding — sometimes at attractive premiums (Splunk premium was ~30% to undisturbed price), sometimes mid-cycle (SailPoint at modest premium). This is a low-key positive contributor to ETF returns over 5-year periods.

Regulatory-driven demand floor. EU NIS2 (October 2024), DORA financial-services regulation (January 2025), SEC cyber-incident disclosure rules (December 2023) all create non-discretionary cyber spend commitments. Boards and CFOs now face personal liability and 8-K disclosure obligations on cyber incidents — this structurally floors demand, even in macro downturns. Estimated regulation-driven incremental spend in EU alone: EUR 8-12B annually by 2027.

AI-driven security tooling. CrowdStrike Charlotte AI, Palo Alto Strata Copilot, Microsoft Security Copilot — generative AI is being baked into SOC workflows, lifting per-seat pricing and improving detection efficacy. Industry analysts estimate 20-30% pricing uplift for AI-augmented security tiers by 2027. This is the forward-looking earnings catalyst that the current valuations partly bake in.

---

Sources

• Issuer factsheets and KIIDs: BlackRock (iShares), L&G ETF, ARK Europe (Rize), Global X, WisdomTree
• Index methodology: STOXX, ISE Cyber Security, Indxx
• Tax: country tax authority general guidance; consult local tax adviser
• EU NIS2 directive publicly available text
• Industry growth: aggregated public disclosures from listed cybersecurity vendors

Informational content, not investment advice. Thematic ETFs concentrate risk; consider role in overall portfolio.