On 28 May 2026, the European Union Agency for Cybersecurity (ENISA) published a new report titled NIS360: The bigger picture on maturity and criticality of NIS critical sectors. The document assesses the cybersecurity maturity and criticality of sectors covered by the NIS Directive, including energy, transport, banking, health, and digital infrastructure. It aims to provide a comprehensive overview of how these sectors are performing in terms of cybersecurity preparedness and where gaps remain.
The report is based on data collected from EU member states and ENISA's own analysis. It categorises sectors by their level of criticality and maturity, identifying which sectors are most vulnerable and which have made the most progress. The findings are intended to inform policy decisions and help prioritise resources for cybersecurity improvements.
Key findings and trade-offs
The NIS360 report reveals significant disparities across sectors. The energy and digital infrastructure sectors are rated as highly critical but show varying levels of maturity, with some member states lagging behind. The health sector, while critical, has lower maturity due to legacy systems and underinvestment. The report recommends targeted investments and cross-border cooperation to address these gaps.
A central trade-off identified is between increasing regulatory requirements and the administrative burden on operators. Stricter cybersecurity obligations could improve resilience but may impose disproportionate costs on smaller entities within critical sectors. The report suggests a risk-based approach that balances security needs with economic feasibility.
Impact on stakeholders
- EU regulatory bodies: The report provides evidence to support potential updates to the NIS Directive or sector-specific cybersecurity rules. It may influence the European Commission's legislative agenda.
- National authorities: Member states gain a benchmarking tool to compare their sectors' maturity and criticality, helping them allocate resources more effectively.
- Operators of essential services: Companies in energy, transport, banking, health, and digital infrastructure face pressure to improve cybersecurity measures, potentially increasing compliance costs. However, the report's recommendations could lead to more coordinated support and guidance.
- EU consumers and citizens: Improved cybersecurity across critical sectors would enhance protection of personal data and essential services, reducing the risk of disruptions.
Expected institutional follow-up
ENISA's report is non-binding but is expected to feed into the European Commission's review of the NIS Directive and the implementation of the NIS2 Directive. The agency plans to update the NIS360 analysis periodically to track progress. Member states may use the findings to adjust their national cybersecurity strategies.