The European Union Agency for Cybersecurity (ENISA) has released its 2026 NIS360 assessment showing that while cybersecurity maturity is improving across critical sectors covered by the NIS2 directive, progress remains dangerously uneven. Banking, electricity, and telecommunications continue to lead in both maturity and criticality, while trust services, aviation, and financial market infrastructures moved into the high maturity category for the first time. However, seven sectors now occupy what ENISA calls the "risk zone," where their importance to society and the economy exceeds their ability to defend against cyber threats.
The risk zone includes health, railway, maritime, ICT service management, space, public administrations, and drinking and waste water sectors. Rail and water infrastructure entered this zone not because they deteriorated, but because other sectors improved and raised the baseline. The healthcare sector presents a particularly troubling picture, with pharmaceutical manufacturers driving up overall scores while hospitals and healthcare providers struggle with fundamental security practices. Legacy systems, budget constraints, and inadequate cybersecurity awareness plague the parts of the sector most likely to face attacks and where disruptions have direct human consequences.
Basic security gaps persist across critical sectors. One in three water sector entities surveyed has never conducted a risk assessment. In public administrations, which receive nearly 63% of all hacktivist attacks in Europe, about one-third of entities lack structured processes for ensuring cybersecurity expertise at management level, and roughly half provide no cybersecurity training to management. The space sector is increasingly positioned as a cornerstone of European strategic autonomy, underpinning financial systems, telecommunications, agriculture, and military communications, yet it sits at the lower end of moderate maturity and has no dedicated EU-level forum for cybersecurity collaboration.
ENISA identifies three dynamics reshaping the threat environment. AI is making offensive capabilities more accessible and effective faster than it is helping defenders, so organizations need to detect and respond on timescales most cannot currently achieve. Supply chain risk is growing because the compromise of a single widely used dependency can cascade across entire sectors. Geopolitical volatility is increasing the frequency and sophistication of state-aligned attacks while creating pressure to reduce dependency on non-EU technology.
The finance sector demonstrates what sustained regulatory pressure produces. Banking has long treated compliance as a floor rather than a ceiling, and financial market infrastructures jumped a full maturity band this year, driven substantially by DORA implementation providing structured frameworks and supervisory tools. The contrast with ICT service management, where national authorities often lack sector-specific expertise and resources, illustrates that regulation with clear requirements and supervisory capacity changes behavior at scale. Organizations in high-risk sectors should prioritize risk assessments, implement structured cybersecurity governance, establish information-sharing mechanisms, and ensure management receives appropriate training and oversight.
Source: https://securityaffairs.com/193002/reports/enisa-nis360-2026-progress-across-the-board-but-the-sectors-that-matter-most-are-still-falling-short.html