ENISA identifies risk zone sectors in EU cybersecurity assessment

Banking, electricity and telecommunications remain among the most mature and critical sectors in ENISA’s latest NIS360 report.
ENISA NIS360 report showing cybersecurity maturity and criticality across EU high-criticality sectors

The European Union Agency for Cybersecurity has released its 2026 NIS360 report, assessing the cybersecurity maturity and criticality of high-criticality sectors under the NIS2 Directive.

The report says cybersecurity maturity across the EU critical sectors has steadily improved as organisations respond to evolving policy requirements and cyber threats. Banking, electricity, and telecommunications remain among the most mature and critical sectors, while trust services, aviation, and financial market infrastructures have moved into the high maturity band.

Gas, road, maritime, and health strengthened their maturity within the moderate band, although ENISA says progress remains uneven across and within sectors. Factors behind the differences include skills shortages, sector-specific characteristics, and organisational size.

The report identifies a ‘risk zone’ covering sectors with lower-than-average maturity and criticality that exceeds their maturity. ENISA lists health, railway, maritime, ICT management services, space, public administrations, and drinking and wastewater as risk-zone sectors, while gas has started moving out of the category.

ENISA says improvements have been driven by cybersecurity legislation, increased political attention, information sharing, collaboration, and operational preparedness. Regulation, including the NIS2 Directive and the Digital Operational Resilience Act, has helped increase investment and encouraged organisations to address vulnerability management, business continuity, disaster recovery, and supply-chain risk.

The report also points to AI, supply-chain and third-party exposure, and geopolitical volatility as major dynamics shaping the cybersecurity environment. ENISA says AI can improve threat detection and response, but can also support more convincing social engineering, shorter exploitation timelines, and broader access to offensive capabilities.

Why does it matter?

The NIS360 report gives the EU policymakers a comparative view of where cybersecurity maturity is improving and where critical sectors remain underprepared. The risk-zone concept is especially useful because it identifies sectors whose importance to society and the economy exceeds their current level of cyber readiness. That makes the report relevant for NIS2 implementation, national supervision, investment priorities, and resilience planning across sectors such as health, public administration, transport, space, and water.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.