NIS360
NIS360 is ENISA's annual report assessing the cybersecurity maturity and risk exposure of sectors covered by the NIS2 Directive, flagging sectors where criticality outpaces assessed security capability.
Last refreshed: 7 June 2026 · Appears in 1 active topic
Which EU critical sectors crossed into the ENISA risk zone for the first time in 2026?
Timeline for NIS360
Identified three new sectors crossing into the EU cyber risk zone and three reaching high maturity
Cybersecurity: Threats and Defences: ENISA puts water and rail in risk zone- What is ENISA NIS360 and what does it measure?
- NIS360 is ENISA's annual report that scores the cybersecurity maturity of every sector covered by the EU's NIS2 Directive, then maps those scores against each sector's criticality. When a sector's maturity fails to keep pace with how critical it is, NIS360 places it in the risk zone, signalling to EU regulators where enforcement should focus.Source: ENISA / SecurityAffairs
- Which sectors are in the ENISA NIS360 risk zone in 2026?
- The 2026 NIS360 report, published 28 May, placed railway, drinking water and waste water in the risk zone for the first time. One in three water-sector entities had never run a risk assessment, and these sectors were judged to have criticality that now outpaces their security maturity.Source: SecurityAffairs / ENISA NIS360 2026
- What enforcement powers does ENISA's NIS360 risk-zone designation give EU regulators?
- NIS360 does not itself impose penalties, but it gives national supervisory authorities under NIS2 a documented, evidence-based gap to enforce against. The NIS2 Directive allows fines and corrective orders for non-compliant critical entities; a NIS360 risk-zone designation strengthens the regulator's position when directing audits or enforcement at sectors with a named maturity gap.Source: ENISA / NIS2 Directive
- How does NIS360 2026 differ from NIS360 2025?
- The 2026 edition is the third annual NIS360 report. It marks the first time railway, drinking water and waste water entered the risk zone, reflecting deteriorating relative maturity in those sectors rather than new findings about 2025. It also reports that three sectors reached high maturity for the first time: trust services, aviation, and financial market infrastructures.Source: ENISA NIS360 2026
Background
NIS360 is ENISA's annual benchmark report assessing the cybersecurity maturity of sectors covered by the EU's NIS2 Directive. The report scores each sector against a standard maturity model, then cross-references those scores against each sector's assessed criticality to identify where the gap between how important a sector is and how secure it actually is has grown large enough to warrant regulatory focus. Sectors that cross into the risk zone have a maturity score that no longer adequately reflects their criticality.
The 2026 edition, published 28 May, placed three sectors in the risk zone for the first time: railway, drinking water and waste water. ENISA's data showed that one in three water-sector entities has never carried out a risk assessment, meaning EU regulators now have a documented maturity gap they can point enforcement at under NIS2. The same edition noted that 63 per cent of all hacktivist attacks target public administrations, and approximately half of public bodies provide management with no cybersecurity training. Three sectors simultaneously reached high maturity for the first time: trust services, aviation and financial market infrastructures. NIS360 2026 is the direct sector-level companion to the NCAF 2.0 member-state maturity benchmark ENISA published in April 2026.
NIS360's significance is structural: it converts qualitative EU regulatory language into comparable sector scores that give national supervisory authorities, vendors and insurers a named basis for enforcement priorities. The water finding in the 2026 edition is particularly significant because the April 2026 CISA/NCSC advisory on Iranian-affiliated actors probing exposed water and energy programmable logic controllers had already named water as a live threat surface, giving the NIS360 risk-zone designation immediate enforcement weight.