ENISA NIS360 Report Identifies Seven Critical Sectors in the Cybersecurity Risk Zone

ENISA has published the third edition of its NIS360 assessment, mapping the cybersecurity maturity and criticality of all sectors classified as highly critical under Annex I of the NIS2 Directive. The headline finding is a widening gap: while overall maturity is rising, several of the sectors most essential to public safety and critical infrastructure are not keeping pace with the threats they face.

The report introduces a risk zone - a classification for sectors where criticality significantly outpaces cybersecurity maturity. Seven sectors now fall within it: health, railway, maritime, ICT service management, space, public administration, and drinking water and wastewater. Three of those - railway, drinking water, and wastewater - have moved into the risk zone since the previous assessment, having previously sat at its boundary. The gas sector, by contrast, has begun moving out of the risk zone, representing one of the few positive shifts at the lower end of the maturity spectrum.

At the other end of the scale, banking, electricity, and telecommunications continue to lead in both maturity and criticality. The financial market infrastructure (FMI) sector made the most significant jump of the year, advancing a full maturity band - a shift ENISA attributes in substantial part to the implementation of the Digital Operational Resilience Act (DORA), which the agency cites as evidence that regulation with clear requirements and supervisory capacity can drive measurable improvement at scale. Trust services, aviation, and financial market infrastructures have all advanced to the high maturity band.

ENISA identifies AI, supply-chain vulnerabilities, and geopolitical volatility as the three dynamics most actively reshaping the threat environment, making it progressively harder for organisations - particularly those in under-resourced sectors - to close the maturity gap. The report is designed to inform NIS2 implementation, national supervision priorities, investment planning, and resilience strategies across the EU.

Acompli perspective: The NIS360 risk zone is a map of where enforcement pressure and regulatory scrutiny are heading. If your organisation operates in health, public administration, water, or transport, the message is clear: the gap between what regulators expect and what most entities in these sectors have in place is growing, not shrinking. A structured risk management framework that aligns cybersecurity measures with NIS2 obligations, supported by accurate records of processing and documented third-party risk assessments, is the minimum starting position - not the end goal.