Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

ENISA puts water and rail in risk zone

3 min read
10:57UTC

ENISA's third NIS360 report, published 28 May, moved railway, drinking water and waste water into the EU cyber risk zone for the first time. One in three water entities has never run a risk assessment.

TechnologyDeveloping
Key takeaway

ENISA's NIS360 puts water, rail and waste water in the EU risk zone; a third of water bodies never risk-assessed.

ENISA, the European Union Agency for Cybersecurity, published its third annual NIS360 report on 28 May 2026, and three sectors crossed into its risk zone for the first time: railway, drinking water and waste water 1. NIS360 places a sector in the risk zone when its criticality outruns its assessed security maturity, so the designation marks where importance and preparedness have come apart.

One in three water-sector entities has never carried out a risk assessment, the most basic step in managing exposure 2. 63 per cent of all hacktivist attacks hit public administrations, the least-resourced tier of government drawing the most politically motivated fire, and roughly half of public bodies give management no cybersecurity training at all 3. Three sectors did reach high maturity for the first time, namely trust services, aviation and financial market infrastructures, so the picture is uneven rather than uniformly bleak.

NIS360 succeeds the NCAF 2.0 maturity benchmark ENISA released in April , moving the lens from member-state scoring to sector-level risk designation. The shift matters for enforcement: under NIS2 (the EU Network and Information Security Directive), a documented one-in-three never-assessed rate hands national regulators a concrete gap to point penalties at, rather than a general exhortation to improve. For vendors selling into water and rail, the report names the buying demand; for the operators inside the zone, it puts a regulator's timer on closing it.

Deep Analysis

In plain English

ENISA, the European Union's cybersecurity agency, published its annual report on how well different industries are protecting themselves against cyber threats on 28 May 2026. For the first time, it moved railway, drinking water and wastewater networks into its formal risk zone, meaning these sectors face a higher cyber threat than their current security measures can handle. One in three water organisations had never even carried out a basic security check of their systems. About half of public bodies had given no cybersecurity training to their managers. This matters because water treatment and rail signalling systems are connected to the internet in ways they were not a decade ago, making them reachable by attackers who previously could only affect computers, not pipes or signals.

Deep Analysis
Root Causes

The water and wastewater sector across the EU consists largely of municipal operators governed by local or regional authorities rather than national competent bodies. NIS2 Article 2 designates water operators above 50 employees or EUR 10 million turnover as essential entities, but the thresholds exclude a large fraction of European water utilities that operate critical supply infrastructure at sub-threshold scale.

Railway cybersecurity faces a different structural problem: the sector's IT and OT environments were integrated incrementally over decades as European Train Control System (ETCS) and GSM-R communications were layered on top of legacy signalling infrastructure, creating hybrid attack surfaces where a compromise of the IT ticketing or operations network can pivot toward operational rail-control systems via poorly segmented interfaces.

NIS360's risk-zone designation reflects accumulated integration debt rather than a single remediable gap.

What could happen next?
  • Consequence

    ENISA's risk-zone designation for water and rail gives member-state competent authorities a formal basis for prioritising NIS2 enforcement attention and requesting accelerated implementation plans from operators in those sectors.

    Short term · Assessed
  • Risk

    Iran-linked threat actors documented probing EU water and energy ICS targets (cross-reference: iran-conflict-2026 topic) face an expanded documented attack surface now formally acknowledged by ENISA, increasing the probability of a targeted attack before sector maturity improves.

    Medium term · Suggested
  • Opportunity

    ENISA's three high-maturity sectors (trust services, aviation, financial market infrastructure) offer sector-level governance templates, mandatory monitoring frameworks and information-sharing models that water and rail operators can adopt rather than design from scratch.

    Medium term · Assessed
First Reported In

Update #6 · The 2024 patch that is breaking now

SecurityAffairs· 7 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.