Skip to content
You can now search across every topic, entity and event.What's new
ENISA
OrganisationEU

ENISA

EU Agency for Cybersecurity; NIS360 2026 placed railway, water and waste water newly in the risk zone.

Last refreshed: 7 June 2026 · Appears in 3 active topics

Key Question

Which EU sectors joined ENISA's cyber risk zone in May 2026?

Timeline for ENISA

#109 Jul

Mentioned in: NCSC names FSB Centre 16 over routers

Cybersecurity: Threats and Defences
#1012 Jun

Lost access to Anthropic models weeks after joining Project Glasswing in April 2026

European Tech Sovereignty: US order pulls Anthropic's top models
#71 Jun

Identified water, rail and waste water as highest-risk sectors in NIS360 2026 maturity assessment

Cybersecurity: Threats and Defences: NIS2 fines now reach directors personally
#628 May

Published NIS360 2026 placing railway, drinking water and waste water in the EU cyber risk zone

Cybersecurity: Threats and Defences: ENISA puts water and rail in risk zone
#419 May

Mentioned in: Rhysida names Stuttgart on leak site

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
Which EU countries are behind on NIS2 implementation?
The European Commission issued 19 reasoned opinions in April 2026 identifying member states with NIS2 transposition gaps. ENISA's NCAF 2.0 provides the benchmarking framework against which those gaps are now formally assessed.Source: European Commission / ENISA April 2026
What is ENISA's National Capabilities Assessment Framework and why does it matter?
NCAF 2.0, published by ENISA on 22 April 2026, is a structured framework for EU member states to benchmark their national cybersecurity maturity against NIS2 obligations. It was released alongside the European Commission's 19 reasoned opinions on member states that have not fully transposed NIS2 into national law.Source: ENISA / European Commission, April 2026
What is ENISA and what does it regulate?
ENISA is the EU Agency for Cybersecurity, responsible for cybersecurity certification schemes, threat landscape reports and technical guidance to the European Commission on NIS2 and CRA implementation. It opened a consultation on EU Digital Identity Wallet certification in April 2026 and published the NCAF 2.0 NIS2 maturity framework on 22 April 2026.Source: ENISA

Background

The European Union Agency for Cybersecurity (ENISA) is the EU's central cybersecurity agency, responsible for developing cybersecurity certification schemes, threat-landscape assessments and supporting member-state CERTs. It publishes the annual ENISA Threat Landscape report, manages the EU cybersecurity certification framework under the Cybersecurity Act, and provides technical guidance to the European Commission on NIS2 and CRA implementation. It was established in 2004 and given a permanent, strengthened mandate under the Cybersecurity Act in 2019.

ENISA opened a public consultation on a draft EU Digital Identity Wallet certification scheme on 3 April 2026, a significant milestone in establishing security-assurance requirements for wallet implementations under eIDAS2. The certification scheme defines how the EU Digital Wallet intersects with the Cyber Resilience Act (CRA) product-security requirements that apply from 11 December 2027. On 22 April 2026, ENISA published the National Capabilities Assessment Framework v2 (NCAF 2.0), a structured member-state benchmarking tool for NIS2 maturity, alongside the European Commission's 19 reasoned opinions identifying transposition gaps.

On 28 May 2026, ENISA published the third annual NIS360 report. Three sectors crossed into the risk zone for the first time: railway, drinking water and waste water — placed there because their criticality now exceeds their assessed security maturity. One in three water-sector entities has never carried out a risk assessment, giving regulators a documented maturity gap to enforce against under NIS2. Around half of public administrations give management no cybersecurity training at all, and 63 per cent of all hacktivist attacks target that tier. Three sectors reached high maturity for the first time: trust services, aviation and financial market infrastructures. NIS360 extends NCAF 2.0's member-state scoring to sector-level exposure, completing ENISA's two-track accountability architecture for the current NIS2 enforcement cycle.

For technology vendors building EU Digital Identity Wallet infrastructure, ENISA's certification consultation is the primary technical-standard input. The NCAF 2.0 and NIS360 releases together give national regulators both a member-state maturity score and a sector-level risk map to anchor enforcement decisions.

ENISA's threat-landscape and sector-risk work covers Energy infrastructure, including oil and gas. Its annual threat landscape reports document adversary tactics against European energy operators, and the NIS2 framework it supports applies to energy as an essential sector.

More questions
Which EU sectors are most at risk from cyber attacks according to ENISA?
ENISA's NIS360 2026 identifies railway, drinking water and waste water as newly in the risk zone because their criticality outstrips their security maturity. Public administrations draw 63 per cent of hacktivist attacks while being among the least well-trained tiers of government.Source: ENISA NIS360 2026
What did ENISA's NIS360 2026 report find?
ENISA's NIS360 2026 report, published 28 May 2026, placed railway, drinking water and waste water in the risk zone for the first time, because their criticality now exceeds their assessed security maturity. One in three water-sector entities has never run a risk assessment. Trust services, aviation and financial market infrastructures reached high maturity for the first time.Source: ENISA NIS360 2026