
ENISA
EU Agency for Cybersecurity; NIS360 2026 placed railway, water and waste water newly in the risk zone.
Last refreshed: 7 June 2026 · Appears in 3 active topics
Which EU sectors joined ENISA's cyber risk zone in May 2026?
Timeline for ENISA
Mentioned in: NCSC names FSB Centre 16 over routers
Cybersecurity: Threats and DefencesLost access to Anthropic models weeks after joining Project Glasswing in April 2026
European Tech Sovereignty: US order pulls Anthropic's top modelsIdentified water, rail and waste water as highest-risk sectors in NIS360 2026 maturity assessment
Cybersecurity: Threats and Defences: NIS2 fines now reach directors personallyPublished NIS360 2026 placing railway, drinking water and waste water in the EU cyber risk zone
Cybersecurity: Threats and Defences: ENISA puts water and rail in risk zoneMentioned in: Rhysida names Stuttgart on leak site
Cybersecurity: Threats and DefencesWhich EU countries are behind on NIS2 implementation?
What is ENISA's National Capabilities Assessment Framework and why does it matter?
What is ENISA and what does it regulate?
Background
The European Union Agency for Cybersecurity (ENISA) is the EU's central cybersecurity agency, responsible for developing cybersecurity certification schemes, threat-landscape assessments and supporting member-state CERTs. It publishes the annual ENISA Threat Landscape report, manages the EU cybersecurity certification framework under the Cybersecurity Act, and provides technical guidance to the European Commission on NIS2 and CRA implementation. It was established in 2004 and given a permanent, strengthened mandate under the Cybersecurity Act in 2019.
ENISA opened a public consultation on a draft EU Digital Identity Wallet certification scheme on 3 April 2026, a significant milestone in establishing security-assurance requirements for wallet implementations under eIDAS2. The certification scheme defines how the EU Digital Wallet intersects with the Cyber Resilience Act (CRA) product-security requirements that apply from 11 December 2027. On 22 April 2026, ENISA published the National Capabilities Assessment Framework v2 (NCAF 2.0), a structured member-state benchmarking tool for NIS2 maturity, alongside the European Commission's 19 reasoned opinions identifying transposition gaps.
On 28 May 2026, ENISA published the third annual NIS360 report. Three sectors crossed into the risk zone for the first time: railway, drinking water and waste water — placed there because their criticality now exceeds their assessed security maturity. One in three water-sector entities has never carried out a risk assessment, giving regulators a documented maturity gap to enforce against under NIS2. Around half of public administrations give management no cybersecurity training at all, and 63 per cent of all hacktivist attacks target that tier. Three sectors reached high maturity for the first time: trust services, aviation and financial market infrastructures. NIS360 extends NCAF 2.0's member-state scoring to sector-level exposure, completing ENISA's two-track accountability architecture for the current NIS2 enforcement cycle.
For technology vendors building EU Digital Identity Wallet infrastructure, ENISA's certification consultation is the primary technical-standard input. The NCAF 2.0 and NIS360 releases together give national regulators both a member-state maturity score and a sector-level risk map to anchor enforcement decisions.
ENISA's threat-landscape and sector-risk work covers Energy infrastructure, including oil and gas. Its annual threat landscape reports document adversary tactics against European energy operators, and the NIS2 framework it supports applies to energy as an essential sector.