IndustrialCyber

ENISA NIS360 report finds cybersecurity maturity rising across critical sectors, but progress remains uneven


The EU Agency for Cybersecurity (ENISA) has published its latest NIS360 report, finding that cybersecurity maturity across high-criticality sectors in the EU has been steadily improving as organisations respond to evolving policy requirements and the cyber threats they face. Banking, electricity and telecommunications remain the most mature and critical sectors, while three sectors (trust services, aviation, and financial market infrastructures (FMIs)) moved into the high maturity band. It also noted that four sectors, gas, road, maritime, and health, strengthened their maturity within the moderate band.

The ENISA NIS360 report identified several compounding factors contributing to these improvements, including developments in cybersecurity legislation, increased political attention, and progress across specific maturity dimensions assessed. Overall, maturity is steadily improving across critical sectors, but progress remains uneven both across and within sectors. Several factors contribute to these variations, including skill shortages, sector-specific characteristics, and even organisational size.

The latest edition marks the third ENISA NIS360 assessment examining the entire sector ecosystem, rather than focusing solely on individual organisations. It covers key stakeholders, such as national authorities, regulated entities, EU bodies, and the regulatory frameworks that govern them. Under the ENISA NIS360, a sector's criticality is assessed on factors such as its level of digitalisation, the socioeconomic impact of incidents affecting it, and its time criticality, taking into account interconnections with other sectors.

“The findings of this NIS360 report provide grounds to be optimistic. The implementation of the comprehensive EU cybersecurity regulatory framework, and particularly NIS2, has brought significant improvements,” Juhan Lepassaar, ENISA executive director, said in a media statement. “ENISA stands for prioritising cybersecurity and advancing the implementation of EU policies, which are vital now more than ever, to enhance the cyber resilience of our critical infrastructure and societies.”

As these factors typically change gradually, criticality scores tend to remain relatively stable from year to year. For instance, sectors such as banking, electricity, aviation, space, and digital infrastructure, including telecommunications, cloud, and data centres, remain the most critical. 

Nevertheless, in this NIS360 edition, limited adjustments were introduced to the criticality dimension of certain sectors to reflect the evolving socio-economic conditions and threat landscape. In particular, the criticality scores for the space and railway sectors have been revised to reflect changes in how society or other sectors depend on them, and the extent to which they are being targeted. Combining and jointly interpreting the criticality and maturity dimensions helps identify mismatches between the two and defines the risk zone.

The risk zone includes sectors with lower-than-average maturity and criticality that exceeds their maturity. Its composition changes over time as overall maturity improves across sectors. This is one of the reasons why three sectors previously at the risk zone boundary (rail, drinking water, and wastewater) are now within the risk zone. The positive development is that the gas sector has started moving out of the risk zone. This shift is driven by improved information sharing, stronger collaboration, and better implementation of risk management measures that are at a higher maturity.

ENISA NIS360 expects that, as factors such as cybersecurity legislation, perceived cyber risk and threat exposure, experience, interdependencies, and ecosystem expectations continue to act as key drivers for both cybersecurity investment and preparedness efforts, more sectors will be moving out of the risk zone.

The latest NIS360 assessment shows that sector criticality has remained largely stable compared with the previous year. Core Internet, telecommunications, electricity, banking, cloud service providers, datacentre service providers, trust service providers, aviation, and financial market infrastructures continue to rank among the most critical sectors. Rail recorded the most notable increase in criticality, moving into the high-criticality category, while the space sector also experienced an increase. Most other sectors, including health, gas, maritime, public administration, drinking water, wastewater, road transport, oil, hydrogen, and district heating, saw little or no change in their criticality levels.

The report also highlights continued progress in cybersecurity maturity across most sectors. Banking, electricity, telecommunications, and core Internet services remain the most mature sectors, maintaining high scores in both maturity and criticality. Significant improvements in maturity were recorded across several sectors, including banking, aviation, financial market infrastructures, maritime, rail, health, gas, road transport, trust service providers, and cloud service providers. While some sectors remain in the moderate-maturity range, the overall trend indicates steady advancement in cybersecurity capabilities across the NIS2 ecosystem.

The 2025 NIS360 risk map identifies sectors that combine high criticality with comparatively lower cybersecurity maturity and therefore require greater attention. ICT service management remains the only sector positioned within the designated risk zone, reflecting a combination of high criticality and moderate maturity. The space sector also remains relatively close to the risk area due to its lower maturity level. 

By contrast, highly critical sectors such as telecommunications, core Internet services, electricity, banking, cloud service providers, datacentre service providers, and trust service providers have achieved stronger maturity levels, reducing their overall risk exposure despite their critical role in supporting European infrastructure and services.

ENISA found that cybersecurity maturity continues to vary significantly across sectors within the risk zone, reflecting differences in organisational size, resources, regulatory oversight, and exposure to cyber threats. 

The health sector remains in the moderate maturity band and has shown measurable progress, supported by stronger-performing organisations such as pharmaceutical manufacturers and increased policy attention on hospitals and healthcare providers. However, the sector continues to grapple with challenges linked to digitalisation, growing use of IoT and IoMT (Internet of Medical Things) technologies, reliance on third parties, legacy systems, limited resources, and uneven levels of cyber hygiene and incident preparedness.

The maritime and rail sectors also remain exposed due to the complexity of their operating environments, which involve close coordination among infrastructure operators, transport providers, and technology suppliers. Their dependence on long-lived operational technology and information technology systems, together with extensive supply chain relationships, increases vulnerability to cyber threats. 

At the same time, ICT service management remains a particular concern. Although the sector has made some progress as it adjusts to NIS2 requirements, cybersecurity measures and operational preparedness remain inconsistent. 

ENISA notes that both regulators and service providers continue to face challenges in developing the expertise, governance, and cross-border coordination needed to strengthen resilience, with potential consequences for the many sectors that rely on managed service providers and managed security service providers.

Other sectors continue to lag in cybersecurity maturity. Public administration remains at a low-to-moderate level as a newly regulated sector, with uneven risk management practices and varying levels of resources and expertise across national, regional, and local authorities. 

The space sector also sits at the lower end of moderate maturity, reflecting differing levels of oversight, regulatory obligations, and adoption of cybersecurity standards despite its growing strategic importance. Drinking water and wastewater remain among the least mature sectors assessed, with cybersecurity efforts often reactive and constrained by limited resources, fragmented environments, legacy systems, and lower levels of information sharing. ENISA warns that these sectors still face considerable work to improve their ability to manage cyber risks consistently and effectively.

Each of the sectors covered by the ENISA NIS360 assessment is developing its cybersecurity maturity in an environment increasingly shaped by broader forces that influence how organisations and authorities operate and the threats they face. ENISA identifies three trends as particularly influential: the rapid advancement of artificial intelligence (AI), growing exposure to supply chain and third-party risks, and rising geopolitical volatility.

Together, these factors are reshaping the cybersecurity landscape by expanding attack surfaces, increasing interdependencies across critical sectors, and creating new challenges for risk management, resilience, and incident response. As critical sectors become more connected and digitally dependent, addressing these evolving risks is becoming an essential component of strengthening cybersecurity maturity across the European Union.

ENISA anticipates that cybersecurity legislation and organisations’ efforts to strengthen their cybersecurity maturity will continue to prompt cybersecurity investment and drive preparedness, leading to more sectors moving out of the risk zone.
