The European Union Agency for Cybersecurity (ENISA) published on Wednesday its initial NIS360 report, which identifies areas for improvement and tracking of progress across NIS2 Directive sectors. The NIS360 assesses the maturity and criticality of NIS2 sectors, providing both a comparative and a more in-depth analysis. It provides a cross-sectoral overview and a detailed sector-by-sector analysis of the criticality and maturity of assessed sectors. 

Building on the insights gathered, the NIS360 document highlights the strengths of and challenges faced by each sector assessed, identifies discrepancies in maturity perceptions, and provides a clear view of the impact of cybersecurity policy implementation on sectoral maturity and resilience across the EU.

The NIS360 report is based on data from national authorities with a horizontal or sectorial mandate, on self-assessment by companies within the NIS2 sectors, and on EU data sources such as Eurostat. In the ENISA NIS360 report, the strengths, sectorial challenges, and gaps are identified, and recommendations are made to improve sectorial maturity and resilience across the Union.

The goal of the NIS360 document is to help national authorities and cybersecurity agencies in the Member States tasked with the implementation of the NIS2 to understand the overall picture, help them with prioritisation, highlight areas for improvement, and facilitate monitoring of sectors’ progress. The NIS360 also aims to support policy makers at the national and EU level, to give input on policy and strategy development, and to support initiatives to build up cyber resilience.

“ENISA is working closely with the EU Member States to implement the NIS2 Directive by providing expertise and guidance,” Juhan Lepassaar, ENISA’s executive director, highlighted in a Wednesday media statement. “The ENISA NIS360 gives valuable insight into the overall maturity of NIS sectors and the challenges of individual sectors. It explains where we stand and how to move forward.”

Prioritizing collaboration, guidance, cross-border alignment in NIS2 implementation

The report sets out three main priorities. Firstly, it recommends that collaboration within and between sectors is strengthened through community-building events and cooperation at the sector, national, and EU levels. Secondly, within this NIS2 transposition period, it is becoming more of a priority to develop sector-specific guidance on how to implement the key NIS2 requirements in each sector. The report notes that national sectorial authorities are stepping up to implement the NIS2. While investments are increasing across sectors, further upskilling is required. Thirdly, the NIS360 emphasises the need for the alignment of requirements across borders in each NIS sector and cross-border collaboration.

ENISA reported that three sectors stand out above the rest: electricity, telecoms, and banking. These sectors form the foundation of a resilient and interconnected economy, ensuring stability, connectivity, and financial security. Over time, these sectors have benefited from significant regulatory oversight, global investments, political focus, and robust public-private partnerships, enabling them to achieve a higher level of maturity.

The NIS360 report identified that the digital infrastructure sectors, such as core internet, trust services, data centres, and cloud services, are also among the higher-ranking sectors in terms of maturity. These sectors provide foundational support for other industries, serving as the backbone for communication, connectivity, and data services. The digital infrastructure NIS sector as a whole is very heterogeneous in terms of the maturity of entities and has a strong cross-border nature, which complicates supervision, information sharing, and collaboration.

Given that digital is their primary domain of service, it is perhaps unsurprising that these sectors score highly in some of the cybersecurity maturity areas assessed. That said, these sectors are also faced with several challenges when it comes to aligning with NIS2 requirements, stemming from their inherent heterogeneity and their cross-border nature. Additionally, the inclusion of previously unregulated entities in scope presents a dual challenge: the requirements are entirely new for these companies, and national authorities are often unfamiliar with the market they are now required to oversee.

Six sectors in risk zone, highlighting gaps in cybersecurity maturity

The NIS360 report noted that six NIS sectors fall within the NIS360 risk zone, suggesting that there is room for improvement in their maturity relative to their criticality. These include the ICT service management, space, public administrations, maritime, health, and gas sectors. 

The ICT service management sector faces key challenges due to its cross-border nature and diverse entities. Some of the challenges faced by this sector include the lack of standardized processes, consistency, and resources to keep pace with the growing complexity of supporting digital operations across other sectors. This is compounded by the lack of familiarity with the sector among the authorities responsible for its oversight, the presence of cross-border players within the market, and the weak collaboration among them, with implications both for the entities themselves and for others relying on them.

Strengthening its resilience requires close cooperation between authorities, reduced regulatory burdens for entities subject to both NIS2 and other legislation, and close cooperation in cross-border supervision. 

The NIS360 document noted that the space sector presents an even more distinct challenge. Despite its role in enabling global connectivity and facilitating data transmission, internet access, television broadcasting, navigation, and real-time communication, it falls just within the ‘moderate’ maturity range and ranks among the lowest compared to other sectors in terms of maturity. Stakeholders’ limited cybersecurity knowledge and its reliance on commercial off-the-shelf components present challenges for the sector. Enhancing its resilience requires better cybersecurity awareness, clear guidelines for the pre-integration testing of components, and stronger collaboration with other sectors.

As a newly regulated sector under NIS2, the space sector is still in the early stages of aligning with the directive’s requirements, which presents challenges for both entities and the national authorities responsible for sector oversight. The sector’s heavy reliance on supply chains and commercial off-the-shelf products, combined with its limited investment in cybersecurity, further exacerbates these challenges.

At the same time, collaboration and information sharing within the sector remain nascent despite the establishment of the EU Space ISAC in 2024. Recent advancements, such as Eutelsat’s 5G Non-Terrestrial Network (NTN) trial with low Earth orbit satellites, demonstrate the potential for satellite-based 5G services, especially in remote areas. However, these advancements highlight the need for stronger cybersecurity measures and improved cooperation both within the sector and across other sectors, like telecommunications.

The NIS360 report detailed a similarly diverse landscape that emerges when analysing the maturity levels of subsectors within specific EU sectors. In the energy sector, the electricity subsector demonstrates high maturity, ranking among the top tier of all assessed sectors, while gas shows moderate maturity and ranks closer to the middle. In contrast, district heating and cooling, hydrogen, and oil lag significantly, ranking at the low end of maturity among all sectors assessed.

The transport sector shows similar variation, with aviation ranking in the top tier for maturity, railway and maritime falling closer to the middle, and road having a notably lower score. Within the finance sector, banking exhibits higher maturity than FMIs, though both rank high when compared to other subsectors. Finally, in the water sector, drinking water demonstrates higher maturity than wastewater, with both subsectors scoring at the lower end of the maturity ranking.

Discrepancies among subsectors arise from several factors, including variations in cybersecurity policy frameworks, support and oversight levels, and political attention. For instance, the electricity subsector benefits from comprehensive policies like the Network Code on Cybersecurity, while aviation entities receive strong backing from EASA, unlike road entities. Additionally, banking institutions undergo EU-wide stress tests by the ECB, which FMIs do not. Political focus also varies, as seen in 2024 when electricity and gas received more attention than other energy subsectors, leading to targeted actions like a Union-wide risk assessment.

The health sector sits at the upper end of the ‘moderate’ maturity range and mid-level across all maturity rankings. Under NIS2, the sector’s scope has been expanded substantially, adding complexity to an already highly heterogeneous sector (consisting of larger entities that typically demonstrate stronger cybersecurity postures and smaller entities that often struggle even with basic cyber hygiene). 

The NIS360 document mentioned that the sector faces several key challenges. One of the most pressing is the disparity in how well sector entities understand the cyber risks facing them, with larger entities having a better grasp, and thus more robust measures to deal with those risks, than smaller ones. The sector’s fragmented nature and inadequate understanding of the cyber risks facing it further complicate things.

Additionally, the sector’s reliance on complex supply chains, as well as its dependence on legacy systems and inadequately secured medical devices, further exacerbates the situation. Finally, operational preparedness levels are also inconsistent across the sector, with gaps also highlighted during the Cyber Europe 2022 exercise.

The public administration sector is among the least mature sectors assessed despite its role in ensuring the effective governance and delivery of services to society. Newly regulated under the NIS2 directive, the sector is still very much in the early stages of aligning with its requirements and lacks the well-established support and experience seen in more mature sectors. 

The NIS360 report added that at the EU level there is no comprehensive, sector-wide understanding of the risks facing public administration, and still no clear understanding of what is in the scope of the sector, its common assets, and the threats it faces, further complicating effective risk management practices.

Evidently, sectors with higher maturity levels benefit from enhanced cybersecurity guidance, including sector-specific legislation and standards, as well as stronger oversight from knowledgeable authorities. They possess a deeper understanding of their risk landscape, leading to more effective risk management for their digital infrastructures. Additionally, these sectors foster stronger collaboration and information sharing among stakeholders and demonstrate better operational preparedness through well-tested plans at various levels.

Critical steps for sectors to achieve NIS2 compliance

While many sectors face several common challenges in enhancing cybersecurity resilience to meet NIS2 requirements, such as the need for better information sharing, tailored guidance, upskilling and reskilling efforts, and cross-border cybersecurity exercises, the NIS360 report provided recommendations for six sectors identified as being in the ‘risk zone.’

The ICT service management sector’s cross-border nature and its critical support role for other sectors increase its vulnerability to cyberattacks, necessitating enhanced cyber resilience. Close collaboration between competent authorities across sectors is vital, as incidents in this sector can disrupt critical services elsewhere. A coordinated approach is needed to ensure consistent responses and mitigate cascading impacts. Additionally, mapping cybersecurity requirements from the DORA and NIS2 frameworks will clarify overlaps, while aligning certification schemes under the EU Cyber Solidarity Act with DORA regulations will maintain coherence and strengthen sector resilience.

The space sector, now under NIS2, faces challenges from its reliance on off-the-shelf components and limited cybersecurity knowledge, with only 57 percent of stakeholders aware of the directive. Cyber threats to space systems can affect critical sectors like transport, energy, and finance, highlighting the need for improved cybersecurity maturity. To address this, an NIS2 knowledge campaign should be launched, including workshops and guidelines for security analysis, while promoting collaboration within the space sector and with telecommunications to enhance overall security.

Public administrations should prioritize building effective remediation capabilities to comply with NIS2 requirements. This can be achieved through shared service models with other public entities, optimizing resources and enhancing cybersecurity, especially for digital wallets facing higher cyber threats. Additionally, leveraging the EU Cyber Solidarity Act for financial support can help strengthen detection, response, and remediation efforts, allowing administrations to modernize systems and invest in training and staffing to better manage cybersecurity risks and meet NIS2 obligations.

The maritime sector, crucial for global trade, faces cybersecurity risks due to outdated operational technology (OT) systems. To enhance resilience, tailored guidance should be developed for maritime entities to implement robust cybersecurity risk management aligned with NIS2, focusing on secure-by-design principles and proactive vulnerability management. Additionally, conducting an EU-level cybersecurity exercise simulating intermodal scenarios can improve crisis response capabilities by linking sectoral and national frameworks, enhancing coordination for cross-border incidents.

The health sector faces major cybersecurity challenges due to its diverse entities and outdated practices. To address this, practical guidelines should be developed for secure procurement and targeted guidance on essential cybersecurity practices tailored to healthcare’s unique needs. Awareness campaigns can enhance the cybersecurity culture, while collaboration through platforms like the European Health ISAC can address supply chain risks. Additionally, healthcare organizations should engage with national initiatives to strengthen threat detection and overall cybersecurity resilience.

The gas sector’s dependence on digital systems and its connections to electricity and manufacturing make it vulnerable to cyberattacks, risking significant economic impacts. To improve resilience, robust, sector-specific incident response plans should be developed and regularly tested. Additionally, fostering collaboration with the electricity and manufacturing sectors can enhance coordinated cyber defense, facilitate best practice sharing, and strengthen the sector’s ability to detect, respond to, and recover from cyber incidents.

Looking ahead

Laying out its next steps, the NIS360 report assessed all high-criticality sectors under NIS2 to provide a comprehensive understanding of their cybersecurity maturity and criticality. “This year marked the first time we integrated the industry perspective into the assessment, transitioning to an indicator-based evaluation. Additionally, we introduced dual validation of outcomes by both authorities and the industry, enhancing the credibility and robustness of our findings.”

Looking ahead to 2025, “we plan to build on this work by continuing the NIS360 assessment for all highly critical sectors under NIS2, adopting a holistic approach that considers improvements at every level—from the EU to national authorities and individual entities—thereby contributing to enhanced security across the board. The value of this work lies in establishing a dynamic framework that allows us to assess the current state of in-scope sectors, prioritise maturity-building actions effectively, identify areas where targeted improvements can have the greatest impact, drive more informed decision-making to strengthen sectorial resilience, and enable the ongoing monitoring of progress over time.”

The NIS360 report added, “We will also continue refining this framework to ensure it fulfils these ambitious objectives and remains a valuable tool for strengthening cybersecurity across sectors.”

In December, ENISA published its ‘2024 Report on the State of the Cybersecurity in the Union,’ offering evidence-based analysis of cybersecurity maturity and capabilities across Europe. The document gave policymakers at the EU level an evidence-based overview of the state of play of the cybersecurity landscape and capabilities at the EU, national, and societal levels, as well as policy recommendations to address identified shortcomings and increase the level of cybersecurity across the Union.
