Cybersecurity: Threats and Defences

ENISA puts water and rail in risk zone

7 Jun · 10:08 UTC · 3 min read

ENISA's third NIS360 report, published 28 May, moved railway, drinking water and waste water into the EU cyber risk zone for the first time. One in three water entities has never run a risk assessment.

Key takeaway

ENISA's NIS360 puts railway, drinking water and waste water in the EU risk zone; a third of water-sector entities have never run a risk assessment.

ENISA, the European Union Agency for Cybersecurity, published its third annual NIS360 report on 28 May 2026, and three sectors crossed into its risk zone for the first time: railway, drinking water and waste water [1]. NIS360 places a sector in the risk zone when its criticality outruns its assessed security maturity, so the designation marks where importance and preparedness have come apart.

One in three water-sector entities has never carried out a risk assessment, the most basic step in managing exposure [2]. Sixty-three per cent of all hacktivist attacks hit public administrations, the least-resourced tier of government drawing the most politically motivated fire, and roughly half of public bodies give management no cybersecurity training at all [3]. Three sectors did reach high maturity for the first time, namely trust services, aviation and financial market infrastructures, so the picture is uneven rather than uniformly bleak.

NIS360 succeeds the NCAF 2.0 maturity benchmark ENISA released in April, moving the lens from member-state scoring to sector-level risk designation. The shift matters for enforcement: under NIS2 (the EU Network and Information Security Directive), a documented one-in-three never-assessed rate hands national regulators a concrete gap to point penalties at, rather than a general exhortation to improve. For vendors selling into water and rail, the report names the buying demand; for the operators inside the zone, it puts a regulator's timer on closing it.

Deep Analysis

In plain English

ENISA, the European Union's cybersecurity agency, published its annual report on how well different industries are protecting themselves against cyber threats on 28 May 2026. For the first time, it moved railway, drinking water and wastewater networks into its formal risk zone, meaning these sectors face a higher cyber threat than their current security measures can handle. One in three water organisations had never even carried out a basic security check of their systems. About half of public bodies had given no cybersecurity training to their managers. This matters because water treatment and rail signalling systems are connected to the internet in ways they were not a decade ago, making them reachable by attackers who previously could only affect computers, not pipes or signals.

Root Causes

The water and wastewater sector across the EU consists largely of municipal operators governed by local or regional authorities rather than national competent bodies. NIS2 Article 2 designates water operators above 50 employees or EUR 10 million turnover as essential entities, but the thresholds exclude a large fraction of European water utilities that operate critical supply infrastructure at sub-threshold scale.

Railway cybersecurity faces a different structural problem: the sector's IT and OT environments were integrated incrementally over decades as European Train Control System (ETCS) and GSM-R communications were layered on top of legacy signalling infrastructure, creating hybrid attack surfaces where a compromise of the IT ticketing or operations network can pivot toward operational rail-control systems via poorly segmented interfaces.

NIS360's risk-zone designation reflects accumulated integration debt rather than a single remediable gap.
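The poorly segmented IT/OT interfaces described above are something an operator can check for directly in its own firewall policy. The following is an added example, not ENISA's or any rail operator's code: it audits a small constructed ruleset and flags every allow rule that lets a non-OT source reach the signalling zone unless that path is on an explicit list of approved conduits. The zone CIDRs, rule format, port numbers and the approved-conduit list are all assumptions invented for this illustration.

```python
"""
Added example: flag firewall rules that open a path from IT (or an
unknown source) into an OT/signalling zone.  All networks, ports and
rules below are constructed for illustration, not taken from any
real operator's policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zone layout (constructed).  In a real deployment these come
# from the operator's network inventory.
ZONES = {
    "it":  [ipaddress.ip_network("10.10.0.0/16")],       # ticketing, office, ops IT
    "dmz": [ipaddress.ip_network("10.20.0.0/24")],       # jump hosts, historians
    "ot":  [ipaddress.ip_network("192.168.100.0/24")],   # interlocking / RBC LAN
}

# Conduits deliberately approved across the IT/OT boundary (assumed):
# only the DMZ jump host may reach the OT engineering SSH port.
APPROVED = {("10.20.0.5/32", "192.168.100.0/24", "tcp", 22)}


@dataclass(frozen=True)
class Rule:
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None means any destination port
    action: str             # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to a zone name; anything outside the inventory is 'unknown'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, nets in ZONES.items():
        if any(net.subnet_of(z) for z in nets):
            return name
    return "unknown"


def audit(rules):
    """Return (severity, rule) pairs for allow rules that cross into OT.

    High: source is IT or not in the inventory at all, or the rule is open
    on every port.  Medium: a DMZ source on a specific port that is not on
    the approved-conduit list.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if dst_zone != "ot" or src_zone == "ot":
            continue                      # intra-OT or not OT-bound: out of scope
        if (r.src, r.dst, r.proto, r.port) in APPROVED:
            continue                      # documented, reviewed conduit
        if src_zone in ("it", "unknown") or r.port is None:
            findings.append(("high", r))
        else:
            findings.append(("medium", r))
    return findings


# Constructed sample policy: one direct IT-to-OT Modbus rule, an any-source
# rule, an intra-OT rule, a deny, an approved conduit and an unreviewed
# DMZ SNMP rule.
SAMPLE_RULES = [
    Rule("10.10.5.0/24", "192.168.100.0/24", "tcp", 502, "allow"),
    Rule("10.20.0.5/32", "192.168.100.0/24", "tcp", 22, "allow"),
    Rule("0.0.0.0/0", "192.168.100.10/32", "any", None, "allow"),
    Rule("192.168.100.0/24", "192.168.100.0/24", "any", None, "allow"),
    Rule("10.10.0.0/16", "192.168.100.0/24", "any", None, "deny"),
    Rule("10.20.0.0/24", "192.168.100.0/24", "udp", 161, "allow"),
]

if __name__ == "__main__":
    for severity, rule in audit(SAMPLE_RULES):
        print(f"[{severity.upper()}] {rule.src} -> {rule.dst} "
              f"{rule.proto}/{rule.port if rule.port is not None else 'any'}")
```

The approved-conduit list is the important design choice: a segmentation audit that only looks for "IT reaches OT" will either flag the legitimate engineering path every run (and be ignored) or be tuned so loosely that it misses new rules. Keeping the reviewed exceptions as explicit data means every other crossing is a finding by default, which is the posture the integration-debt problem above calls for.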

What could happen next?

  • Consequence: ENISA's risk-zone designation for water and rail gives member-state competent authorities a formal basis for prioritising NIS2 enforcement attention and requesting accelerated implementation plans from operators in those sectors. (Short term · Assessed)

  • Risk: Iran-linked threat actors documented probing EU water and energy ICS targets (cross-reference: iran-conflict-2026 topic) face an expanded documented attack surface now formally acknowledged by ENISA, increasing the probability of a targeted attack before sector maturity improves. (Medium term · Suggested)

  • Opportunity: ENISA's three high-maturity sectors (trust services, aviation, financial market infrastructure) offer sector-level governance templates, mandatory monitoring frameworks and information-sharing models that water and rail operators can adopt rather than design from scratch. (Medium term · Assessed)
First Reported In

Update #6 · The 2024 patch that is breaking now
SecurityAffairs · 7 Jun 2026
Causes and effects

This Event: ENISA puts water and rail in risk zone
The EU regulator now holds a documented maturity gap in critical water, rail and waste-water sectors, giving it an evidence base to enforce against under NIS2.
Different Perspectives

Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.

Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.

UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.

German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.

ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.

US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.