ENISA report highlights uneven cybersecurity maturity across critical sectors under NIS2
A new ENISA assessment finds that cybersecurity maturity is improving across critical sectors in the EU, although significant differences remain between industries. Banking, electricity and telecommunications continue to lead, while sectors such as health, public administration and water services face greater challenges.
The European Union Agency for Cybersecurity (ENISA) has published the 2026 edition of its NIS360 report, providing an overview of cybersecurity maturity and criticality across sectors covered by the EU’s NIS2 Directive. The report evaluates how effectively sectors manage cybersecurity risks and compares this with their importance to society and the economy.
According to the report, cybersecurity maturity continues to improve across sectors of high criticality as organisations respond to regulatory requirements and evolving cyber threats. Banking, electricity and telecommunications remain the most mature sectors, while trust services, aviation and financial market infrastructures have now joined the highest maturity category. Gas, maritime, road transport and health also recorded improvements compared to previous assessments.
ENISA identifies banking, electricity, aviation, space and digital infrastructure services, including telecommunications, cloud services and data centres, as the most critical sectors because of their role in supporting economic activity and essential services. The agency notes that the growing importance of space infrastructure and rail transport has led to adjustments in their criticality assessments this year.
The report highlights a group of sectors that remain in what ENISA describes as a ‘risk zone’, where criticality exceeds current levels of cybersecurity maturity. These sectors include health, rail, maritime transport, ICT service management, public administration, space, and drinking and wastewater services. ENISA argues that these sectors require further improvements in governance, operational preparedness, information sharing and risk management.
Among the sectors showing progress, ENISA points to stronger information-sharing arrangements, greater operational preparedness and the impact of EU cybersecurity legislation. The report suggests that regulatory frameworks such as the NIS2 Directive and the Digital Operational Resilience Act (DORA) are encouraging organisations to invest in cybersecurity capabilities and adopt more structured approaches to risk management.
The report also identifies several trends shaping cybersecurity across critical sectors. These include the growing use of AI, increasing exposure to supply-chain risks, and geopolitical instability. ENISA warns that organisations are facing greater pressure to detect and respond to cyber threats more quickly while managing increasingly complex dependencies on third-party providers and digital infrastructure.
The NIS360 report is intended to support EU institutions, national authorities and sector stakeholders in identifying cybersecurity gaps and prioritising resilience efforts across critical infrastructure sectors.
