Cybersecurity: Threats and Defences
14 Jun

ENISA puts water and rail in risk zone

3 min read
11:51 UTC

ENISA's third NIS360 report, published 28 May, moved railway, drinking water and waste water into the EU cyber risk zone for the first time. One in three water entities has never run a risk assessment.

Technology · Developing
Key takeaway

ENISA's NIS360 puts water, rail and waste water in the EU risk zone; a third of water bodies never risk-assessed.

ENISA, the European Union Agency for Cybersecurity, published its third annual NIS360 report on 28 May 2026, and three sectors crossed into its risk zone for the first time: railway, drinking water and waste water [1]. NIS360 places a sector in the risk zone when its criticality outruns its assessed security maturity, so the designation marks where importance and preparedness have come apart.

One in three water-sector entities has never carried out a risk assessment, the most basic step in managing exposure [2]. Sixty-three per cent of all hacktivist attacks hit public administrations, the least-resourced tier of government and the one drawing the most politically motivated fire, and roughly half of public bodies give management no cybersecurity training at all [3]. Three sectors did reach high maturity for the first time, namely trust services, aviation and financial market infrastructures, so the picture is uneven rather than uniformly bleak.

NIS360 succeeds the NCAF 2.0 maturity benchmark ENISA released in April, moving the lens from member-state scoring to sector-level risk designation. The shift matters for enforcement: under NIS2 (the EU Network and Information Security Directive), a documented one-in-three never-assessed rate hands national regulators a concrete gap to point penalties at, rather than a general exhortation to improve. For vendors selling into water and rail, the report names the buying demand; for the operators inside the zone, it puts a regulator's timer on closing it.

Deep Analysis

In plain English

ENISA, the European Union's cybersecurity agency, published its annual report on how well different industries are protecting themselves against cyber threats on 28 May 2026. For the first time, it moved railway, drinking water and wastewater networks into its formal risk zone, meaning these sectors face a higher cyber threat than their current security measures can handle. One in three water organisations had never even carried out a basic security check of their systems. About half of public bodies had given no cybersecurity training to their managers. This matters because water treatment and rail signalling systems are connected to the internet in ways they were not a decade ago, making them reachable by attackers who previously could only affect computers, not pipes or signals.

Root Causes

The water and wastewater sector across the EU consists largely of municipal operators governed by local or regional authorities rather than national competent bodies. NIS2 brings water operators into scope at the medium-enterprise size cap (Article 2), broadly 50 employees or EUR 10 million turnover, and lists drinking water and waste water in Annex I among the sectors of high criticality; but the size cap leaves out a large fraction of European water utilities that operate critical supply infrastructure at sub-threshold scale.

Railway cybersecurity faces a different structural problem: the sector's IT and OT environments were integrated incrementally over decades as European Train Control System (ETCS) and GSM-R communications were layered on top of legacy signalling infrastructure, creating hybrid attack surfaces where a compromise of the IT ticketing or operations network can pivot toward operational rail-control systems via poorly segmented interfaces.
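The pivot path described above, from an IT ticketing or operations network into rail-control systems through a poorly segmented interface, is something an operator can look for in its own firewall or flow logs before a regulator asks. The following is an added example, not code from ENISA, from the NIS360 report or from any rail operator: it labels source and destination addresses by zone and flags every cross-zone flow the segmentation policy does not allow, marking in particular flows that reach the signalling zone without passing through the OT DMZ. The zone names, address ranges, policy table and flow records are constructed assumptions for illustration.

```python
"""Flag IT-to-OT connection attempts that bypass a zone policy.

Added example, not code from the ENISA report or from any rail operator.
Zone names, address ranges, the policy table and the flow records below
are all constructed assumptions for illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed zones for a hypothetical rail operator (constructed).
ZONES = {
    "it_ticketing":  ip_network("10.10.0.0/16"),
    "it_operations": ip_network("10.20.0.0/16"),
    "ot_dmz":        ip_network("172.16.0.0/24"),
    "ot_signalling": ip_network("192.168.100.0/24"),
}

# Assumed policy: (initiating zone, destination zone) pairs that may exist.
# The only sanctioned way into signalling is through the OT DMZ, and
# signalling may only talk back to the DMZ; anything else is a finding.
ALLOWED = {
    ("it_ticketing", "it_operations"),
    ("it_operations", "it_ticketing"),
    ("it_operations", "ot_dmz"),
    ("ot_dmz", "ot_signalling"),
    ("ot_signalling", "ot_dmz"),
}


def zone_of(ip):
    """Return the zone containing ip, or 'unknown' if no zone matches."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed flow record of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}


def check_flows(lines):
    """Return the flows that cross a zone boundary the policy does not allow.

    Each finding carries the zones involved and whether it reaches the
    signalling zone without passing through the DMZ, which is the pivot
    the root-cause discussion describes. Unknown sources are never allowed.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone == dst_zone:
            continue  # intra-zone traffic is out of scope for this check
        if (src_zone, dst_zone) in ALLOWED:
            continue
        flow["src_zone"] = src_zone
        flow["dst_zone"] = dst_zone
        flow["bypasses_dmz"] = dst_zone == "ot_signalling" and src_zone != "ot_dmz"
        findings.append(flow)
    return findings


def summarise(findings):
    """Count findings per (src_zone, dst_zone) pair for a quick report."""
    return Counter((f["src_zone"], f["dst_zone"]) for f in findings)


# Constructed sample flows, in the shape of a firewall or NetFlow export.
SAMPLE_FLOWS = [
    "10.10.5.4 10.20.1.10 443 tcp",        # ticketing -> operations: allowed
    "10.20.1.10 172.16.0.5 3389 tcp",      # operations -> DMZ jump host: allowed
    "172.16.0.5 192.168.100.7 502 tcp",    # DMZ -> signalling (Modbus): allowed
    "10.20.1.10 192.168.100.7 502 tcp",    # operations -> signalling direct: finding
    "10.10.5.4 192.168.100.7 22 tcp",      # ticketing -> signalling SSH: finding
    "192.168.100.7 10.20.1.10 123 udp",    # signalling -> operations NTP: finding
    "10.10.5.4 10.10.6.1 80 tcp",          # within ticketing: skipped
    "203.0.113.9 172.16.0.5 443 tcp",      # unknown source into DMZ: finding
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f['src']:>15} ({f['src_zone']}) -> {f['dst']:>15} "
              f"({f['dst_zone']}) {f['proto']}/{f['dport']}"
              f"{'  BYPASSES DMZ' if f['bypasses_dmz'] else ''}")
```

On the sample data the check reports four flows: two that reach the signalling zone directly from IT (the pivot path), one where a signalling host initiates traffic outward to IT, and one from an address outside every defined zone. Running the same check over a real export is only as good as the zone table, so the first step in practice is agreeing that table with the people who own the signalling network rather than inferring it from the firewall.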

NIS360's risk-zone designation reflects accumulated integration debt rather than a single remediable gap.

What could happen next?
  • Consequence

    ENISA's risk-zone designation for water and rail gives member-state competent authorities a formal basis for prioritising NIS2 enforcement attention and requesting accelerated implementation plans from operators in those sectors.

    Short term · Assessed
  • Risk

    Iran-linked threat actors documented as probing EU water and energy ICS targets (cross-reference: iran-conflict-2026 topic) now have an attack surface whose weakness ENISA has formally acknowledged, raising the probability of a targeted attack before sector maturity improves.

    Medium term · Suggested
  • Opportunity

    ENISA's three high-maturity sectors (trust services, aviation, financial market infrastructure) offer sector-level governance templates, mandatory monitoring frameworks and information-sharing models that water and rail operators can adopt rather than design from scratch.

    Medium term · Assessed
First Reported In

Update #6 · The 2024 patch that is breaking now

SecurityAffairs · 7 Jun 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures, which the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.