CSRD Audit: Where the IT Data Chain Breaks
Eva Mickler
Gartner has upped its global IT forecast for 2026 to 13.5 percent growth. In DACH reality, little remains of this: budget increases typically lie between four and nine percent, with the rest expected to come from reallocation. Concretely, this means 30 to 40 percent of the existing IT budget must be redirected so that the AI infrastructure is not financed solely from the additional budget. Most CIOs know the number, but few have a reliable answer as to where the money comes from. This answer is the actual task for the Q3 budget discussion with the CFO.
The Essentials at a Glance
The typical budget discussion for 2026 unfolds in two steps. In the first step, the CIO presents the AI roadmap to the CFO: inferencing platform, data pipeline modernization, new GPU footprints, and platform engineering augmentation. The CFO asks about the costs. The CIO names a figure in the range of 30 to 40 percent of the IT budget. In the second step, the CFO asks where the money comes from. At this point, most preparation stops.
The gap between step one and step two is the real issue. Those who enter the discussion with a roadmap but without a reallocation plan receive two responses: either a reduction of the AI roadmap to the additional budget or an implicit expectation that reallocation happens “in the course of operations.” Both outcomes damage the AI strategy without being visible in the meeting.
The clean variant is to put the 40-percent question on the table yourself: which three items come down, in which stages, and with what residual risk. This preparation completely changes the discussion. Instead of a defense of the AI investment, it becomes a joint discussion about the largest free reserves in the IT budget.
The first reservoir is legacy licenses: mainframe maintenance contracts, unused Oracle Database editions, old Microsoft server bundles, and Citrix footprints that no one seriously audits anymore. In most DAX companies, between 8 and 14 percent of the IT budget is tied up here. The reservoir is large, but tapping it is slow because of contract terms, dependent applications, and the lack of a migration roadmap. Those who start in 2026 won’t see real savings until 2027.
The second reservoir is vendor consolidation. Duplicate tools for monitoring, logging, endpoint management, identity providers, backup. Six to nine percent is typical here, with more in companies that have grown rapidly. Tapping this reservoir is faster because contracts are often annually terminable. Still, it’s politically tough because each duplicate tool has an owner in the organization who can prepare arguments for its existence.
The third reservoir is Capex deferral. Hardware refresh cycles delayed by a year, on-prem storage moved to hyperscaler reservations, employee endpoint refreshes stretched from 36 to 50 months. This is the fastest tap, but it’s temporary. Those who tap the third reservoir in 2026 will have to answer in 2027 whether to catch up on the refresh or continue to stretch it out.
The temptation to also trim security modernization and data foundation in the reallocation sprint is great. Both consume budget, both have no immediately visible output, and both could be cut without hurting in the current quarter. That’s exactly why these two items are the wrong lever.
Security modernization is a prerequisite for AI models to safely access data. Those who delay SIEM consolidation in 2026, don’t modernize their identity platform, or stretch out the network segmentation project will have two problems in 2027: less security and an auditor who won’t clear the AI pilot pipelines. The costs of delaying will appear in the next NIS2 reporting round, not in the current quarter.
Data foundation is the second taboo. Data catalogs, data quality tooling, master data management, a functioning BI backbone. AI models are only as good as their data foundation – trivial in theory, difficult in practice. Those who cut the data project because the AI platform gets more visibility will undermine the effectiveness of AI before the first model goes live.
The plan is tight but realistic. Most of these steps are already part of daily business; what really takes time is synthesizing them into a one-page template. This synthesis is the tool that prevents the AI roadmap from becoming a bargaining chip in the budget meeting.
In the meeting with the CFO, one detail makes all the difference: the distinction between “can we reallocate” and “will we reallocate.” Those who present a list of reallocation options will spark a discussion about each individual option and be put on the defensive. Those who present a recommendation with three clear numbers will get a decision.
The three numbers are: the volume from legacy licenses, the volume from vendor consolidation, and the volume from Capex postponement. Plus a fourth number, the protected list: what won’t be touched and why. This format respects the CFO’s time and provides a basis for decision-making rather than an open-ended discussion.
What’s left is the follow-through. A reallocation on paper is not the same as a reallocation in reality. Contract negotiations drag on, political owners resist, and hardware postponement slots may still be needed in an emergency. Having answered the 40-percent question is the most important preparatory work, but implementation typically takes longer than a quarter in most organizations.
A shortened AI roadmap is a political decision, not a technical one. Most companies that take this path cut back on data foundations and platform engineering because these items are the easiest to eliminate. The result is usually the pilot graveyard that Gartner describes as the main pattern of failed AI projects. Those who want to cut the AI roadmap should do so cleanly, not by canceling the prerequisites.
Then the issue isn’t the CFO, but the executive board. Reallocation on the order of 30 to 40 percent isn’t a decision for the CFO alone; it’s a strategic decision for the executive board. The CIO brings the proposal to the executive board meeting, not to a one-on-one meeting. Those who don’t enforce this have a mandate problem, not a budget problem.
Managed services contracts are a separate reservoir that often isn’t included in the license inventory. Typically, 2 to 4 percent of the IT budget lies here, which is rarely renegotiated. Those who review the contracts usually find agreements from 2018 or earlier that are no longer market-compliant today. Renegotiation is slower than vendor consolidation, but it’s cleaner than switching.
In most companies, 12 to 18 percent is realistic in the first year. The full 30 to 40 percent takes two to three years because contract terms and migration efforts dominate. Those who achieve 18 percent in the first year are at the upper end of realism. The AI roadmap pace must match this path, not the other way around.
Yes, in medium-sized businesses without classic mainframe loads and in young tech companies with small vendor footprints, it goes faster, often 25 percent in 18 months. In banks, insurance companies, and large industrials with mainframe connections, the lower end of the path is realistic because legacy applications with five-year migration paths dominate. The industry determines the pace, not the ambition.
Source title image: Wikimedia Commons / Dietmar Rabich (CC BY-SA 4.0)