ENISA NIS360 2026: Progress Across the Board, But the Sectors That Matter Most Are Still Falling Short

Pierluigi Paganini
June 02, 2026

ENISA NIS360 2026 shows cybersecurity improving across EU critical sectors, but health, water, rail, and space remain in the risk zone.

ENISA has published its third annual NIS360 report, assessing the cybersecurity maturity and criticality of all sectors covered by the NIS2 directive. The headline finding is that things are improving across the board. The more important finding is that the improvement is uneven, slow where it matters most, and being outpaced by a threat landscape that’s getting harder faster than defenses are getting better.

Banking, electricity, and telecommunications remain the most mature and most critical sectors, as they have been since the assessment began. Three sectors moved up into the high maturity band for the first time: trust services, aviation, and financial market infrastructures. Four more strengthened their position within the moderate band: gas, road, maritime, and health.

The drivers behind this progress are consistent across the board: cybersecurity legislation that organizations are actually using to unlock investment rather than just checkbox compliance, increased political attention translating into guidance and resources, and gradual improvements in information sharing and incident preparedness.

“Since the previous edition of this report, cybersecurity maturity across sectors of high criticality in the EU, has been steadily improving as organisations respond to evolving policy requirements and cyber threats they face.” reads the report published by ENISA. “Banking, electricity and telecommunications remain the most mature and critical sectors, while three sectors, trust services, aviation, and financial market infrastructures (FMIs) moved into the high maturity band. Four sectors strengthened…

Source

ENISA NIS360 2026: Progress Across the Board, But the Sectors That Matter Most Are Still Falling Short