This year’s edition of the ENISA NIS360 report shows improvement in cybersecurity maturity of EU critical sectors while the level of criticality in sectors remains comparatively more stable.
The ENISA NIS360 aims to work as an annual assessment tool supporting national authorities, policymakers and other stakeholders in assessing the cybersecurity maturity and criticality of high criticality sectors under the NIS2 Directive.
ENISA Executive Director, Juhan Lepassaar, said: “The findings of this NIS360 report provide grounds to be optimistic. The implementation of the comprehensive EU cybersecurity regulatory framework, and particularly NIS2, has brought significant improvements. ENISA stands for prioritising cybersecurity and advancing the implementation of EU policies, which are vital now more than ever, to enhance the cyber resilience of our critical infrastructure and societies.”
The report has a comprehensive approach, where each sector is understood to comprise relevant actors (i.e., national authorities, entities, EU bodies) and applicable rules (EU legislation). In this regard, a sector’s maturity under the NIS360 is determined by: legislation and its effectiveness, companies and their preparedness, authorities and their institutional capacity, and sectoral ecosystem structures and their effectiveness.
The assessment relies on a structured methodology developed and continuously refined by ENISA that takes into account the structural and gradually evolving nature of sectoral cybersecurity maturity and criticality. It also builds on evidence gathered over time from organisations operating within the in-scope sectors, from national authorities supervising those organisations, and from EU-level data, to reflect our latest evidence-informed understanding of where each sector stands.
As a result, the NIS360 provides both a comparative overview of sectors and a more detailed analysis per sector to help identify gaps and prioritise resources.
Defining the Risk Zone

A combination and joint interpretation of the criticality and maturity dimensions helps identify areas where mismatches exist between the two and define a risk zone.
The risk zone includes sectors with lower-than-average maturity and criticality that exceeds their maturity. This year’s risk zone includes health, railway, maritime, ICT management service, space, public administrations, drinking and waste water.
Its composition changes over time as overall maturity improves across sectors. This explains why three sectors — railway, drinking water, and waste water — previously at the risk zone boundary, are now within the risk zone. A positive development is that the gas sector has started moving out of the risk zone.
This shift is driven by improved information sharing, stronger collaboration, and better implementation of risk management measures, leading to higher maturity.
Deep-dive on criticality
While criticality of the sectors is defined by NIS2, the NIS360 assessment ranks the sectors taking into account several elements, such as systemic relevance, exposure, and impact of disruption. As these factors typically change gradually, criticality scores tend to remain relatively stable from year to year.
In this year’s edition, sectors such as banking, electricity, aviation, space, and digital-by-default services (including telecommunications, cloud, and data centres) remain the most critical.
Space has joined this group this year, reflecting its growing role in society and across other sectors, which increases dependency, impact, and time criticality. The railway sector increased in criticality due to its growing role in military logistics and its heightened cyber threat exposure.
Spotlight on maturity
Maturity is measured by how effectively and consistently the sector manages cybersecurity risks and capabilities over time, meaning the overall preparedness of the sector. Since the previous edition of this report, cybersecurity maturity across EU critical sectors seems to be steadily improving as organisations respond to the evolving policy requirements and to the cyber threats they face.
Three sectors, including trust services, aviation, and financial market infrastructures (FMIs), moved into the high maturity band. In addition, four sectors strengthened their maturity within the moderate band: gas, road, maritime, and health.
This improvement is often driven by several compounding factors, including developments in cybersecurity legislation, increased political attention, and progress across the specific maturity dimensions assessed. On cybersecurity legislation in particular, findings of the 2025 ENISA NIS Investments study also suggest that it has acted as a key driver for cybersecurity investment and has encouraged organisations to strengthen their cybersecurity posture.
Although maturity is steadily improving across critical sectors, progress remains uneven both across and within sectors. A number of factors contribute to these variations, including skill shortages, sector-specific characteristics and even organisational size.
Moving forward
In the future, it is anticipated that cybersecurity legislation and organisations’ efforts to strengthen their cybersecurity maturity will continue to prompt cybersecurity investment and drive preparedness, leading to more sectors moving out of the risk zone.
- NIS360 Report
- ENISA NIS360 2024 report: A comprehensive look at cybersecurity maturity and criticality of NIS2 sectors
- ENISA NIS360 2024
- NIS Investments 2025