Introduction
The European Union Agency for Cybersecurity (ENISA) has released its inaugural “NIS360” report, offering a comprehensive assessment of cybersecurity maturity across key sectors under the NIS2 Directive.
The report provides a structured analysis of sectoral vulnerabilities, helping policymakers, regulators, and industry stakeholders identify gaps, prioritize investments, and enhance cyber resilience. With cyber threats escalating in complexity, the NIS2 framework is a pivotal tool for tracking progress and ensuring alignment with EU cybersecurity regulations.
Key Findings
The Three Most Mature Sectors
ENISA identifies electricity, telecommunications, and banking as the most mature cybersecurity sectors. These industries benefit from strong regulatory oversight, consistent investments, and deep-rooted public-private partnerships. Their advanced cybersecurity frameworks are benchmarks for other sectors striving to meet NIS2 compliance.
Digital Infrastructure: A Tier Below
Entities within digital infrastructure (internet exchange points, top-level domains, data centers, and cloud services) rank just below the top tier in cybersecurity maturity. While foundational to the digital economy, these sectors struggle with cross-border coordination, regulatory inconsistencies, and diverse maturity levels among stakeholders.
The Risk Zone: Sectors That Require Immediate Action
Six sectors fall within the NIS360 risk zone, meaning their cybersecurity maturity lags behind their criticality. This misalignment exposes them to significant threats, requiring urgent interventions.
1. ICT Service Management
- Faces unique challenges due to cross-border complexities and regulatory overlap with DORA.
- Needs harmonized supervision and reduced compliance burdens to ensure resilience.
2. Space
- Struggles with low cybersecurity awareness and reliance on commercial off-the-shelf components.
- Requires sector-wide collaboration, security testing guidelines, and policy support.
3. Public Administration
- A prime target for hacktivists and nation-state cyber operations.
- Needs EU Cyber Solidarity Act funding, enhanced security protocols, and shared service models to close capability gaps.
4. Maritime
- Operational Technology (OT) remains a key vulnerability.
- Would benefit from sector-specific cybersecurity frameworks and EU-level crisis management exercises.
5. Health
- Faces threats due to legacy systems, supply chain vulnerabilities, and underdeveloped cybersecurity protocols.
- Needs stronger procurement guidelines, cybersecurity awareness programs, and sector-wide cooperation.
6. Gas
- Increasingly targeted due to its interdependencies with electricity and manufacturing.
- Requires better incident response planning and cross-sector coordination.
Recommendations to Strengthen Cyber Resilience
ENISA’s report emphasizes three strategic priorities to enhance cybersecurity across all sectors:
- Stronger Collaboration: Encouraging cross-sector partnerships and coordinated threat intelligence sharing.
- Sector-Specific Guidance: Developing tailored cybersecurity frameworks to meet the unique needs of each industry.
- Harmonization of Regulations: Aligning cybersecurity requirements across national borders to enhance enforcement and compliance.
Conclusion
The NIS360 report provides a roadmap for improving cybersecurity maturity across Europe’s most critical sectors. The EU Agency for Cybersecurity Executive Director, Juhan Lepassaar said: “ENISA is working closely with the EU Member States to implement the NIS2 Directive by providing expertise and guidance. The ENISA NIS360 gives valuable insight into the overall maturity of NIS sectors and the challenges of individual sectors. It explains where we stand, and how to move forward.”
While some industries lead in resilience, others require urgent action to bridge capability gaps. Policymakers, regulators, and industry leaders must act on these insights to fortify Europe’s cyber defenses. As cyber threats evolve, proactive investment, regulatory alignment, and cross-sector collaboration will be key to safeguarding the digital future.
