The European Union Agency for Cybersecurity (ENISA) has published its comprehensive 2026 NIS360 assessment, shedding light on the current state of cybersecurity across various critical sectors governed by the NIS2 directive. The report indicates that while there are improvements in cybersecurity maturity, the advancements are alarmingly inconsistent among sectors. Notably, the banking, electricity, and telecommunications sectors are leading in both maturity and critical importance. Additionally, for the first time, trust services, aviation, and financial market infrastructures have reached what is classified as a high maturity level in cybersecurity.
However, a worrying aspect of the assessment is the identification of seven sectors that now inhabit what ENISA describes as the “risk zone.” This designation highlights sectors whose significance to both society and the economy outstrips their current capabilities to defend against cyber threats. The sectors identified as being in the risk zone include health, railway, maritime, ICT service management, space, public administrations, and drinking and waste water.
Interestingly, the rail and water infrastructure sectors entered this risk zone not due to any deterioration in their own cybersecurity capabilities, but rather because advancements in other sectors raised the benchmark for cybersecurity maturity. The healthcare sector, in particular, presents a grave concern within this context. While pharmaceutical manufacturers are boosting overall metrics, hospitals and healthcare providers are lagging when it comes to adopting fundamental security practices. They are burdened by legacy systems, constrained budgets, and a general lack of cybersecurity awareness, putting them at increased risk for cyber attacks, which can have dire human consequences.
Furthermore, the report underscores the persistence of basic security vulnerabilities across critical sectors. For instance, one-third of entities within the water sector have never undertaken a risk assessment. Public administrations, which are currently facing nearly 63% of all hacktivist attacks in Europe, demonstrate a significant lack of structured processes aimed at ensuring cybersecurity expertise at the management level. Alarmingly, about half of these organizations do not provide any cybersecurity training for management personnel.
The space sector, increasingly recognized as a vital component of European strategic autonomy—reinforcing financial systems, telecommunications, agriculture, and military communications—holds a position at the lower end of moderate cybersecurity maturity. This is compounded by the absence of a dedicated EU-level forum for cybersecurity collaboration within this critical realm.
ENISA has also identified three overarching dynamics that are redefining the threat landscape. Artificial intelligence (AI) is making offensive cyber capabilities more accessible and effective, outpacing defenses and necessitating that organizations enhance their detection and response times to match evolving threats. Moreover, the risk associated with supply chains is growing; a breach of a single widely-used dependency has the potential to cause cascading effects across entire sectors. Lastly, geopolitical volatility is contributing to both the frequency and complexity of state-sponsored attacks, coupled with increasing pressures to reduce dependency on non-EU technological solutions.
The finance sector serves as a case study in how sustained regulatory pressure can enhance cybersecurity practices. Historically, the banking sector has treated compliance as the bare minimum. However, thanks to the rigorous implementation of the Digital Operational Resilience Act (DORA), financial market infrastructures have made remarkable strides this year, jumping an entire maturity band. This progress underscores the importance of having structured frameworks and adequate supervisory tools.
In contrast, challenges remain in the ICT service management sector, where national authorities often lack the necessary sector-specific expertise and resources. This discrepancy illustrates how effective regulation with clearly defined requirements and supervisory capabilities can significantly change cybersecurity behavior across sectors at scale.
To address these challenges, organizations operating in high-risk sectors are advised to prioritize comprehensive risk assessments, implement structured governance frameworks for cybersecurity, establish mechanisms for information sharing, and ensure that management personnel receive thorough training and oversight.
Overall, the findings outlined in ENISA’s report compel a re-evaluation of existing strategies in cybersecurity, emphasizing that while progress is being made, a coordinated effort is required to fortify the sectors that are integral to the functioning of society and the economy.
For further details, the full assessment can be referenced at ENISA’s official website and various other cybersecurity platforms.