Summary
- ENISA’s 2026 NIS360 report assesses cybersecurity maturity and criticality across high-criticality sectors under NIS2.
- The report gives EU authorities and regulated operators a benchmark for sector resilience, supervisory focus, and investment pressure.
- The publication strengthens the evidence base for judging whether NIS2 is translating into operational cyber capability.

ENISA has published the 2026 edition of its NIS360 report, giving European authorities and operators a fresh view of cybersecurity maturity across sectors classed as highly critical under the NIS2 Directive.
The European Union Agency for Cybersecurity said the third edition of NIS360 assesses both the maturity and criticality of all sectors listed under Annex I of NIS2. Rather than treating resilience as a narrow technical issue, the assessment considers the wider sector ecosystem, including national authorities, regulated entities, EU bodies, and applicable legislation.
The report gives a more concrete basis for judging the operational effects of NIS2. The directive has created a broad legal framework for cybersecurity obligations across essential and important entities, but the harder test sits in implementation: whether the rules are producing stronger governance, better incident handling, more reliable supplier oversight, and measurable improvements in sectors of economic and social consequence.
ENISA says the latest edition shows improvement in the cybersecurity maturity of EU critical sectors, while sector criticality remains comparatively stable. The agency’s NIS360 publication page presents the work as a sector-level assessment, not as an audit of individual organisations.
That sector-level view is useful because resilience rarely turns on one organisation alone. Energy, transport, health, water, digital infrastructure, banking, financial market infrastructure, and public administration all depend on chains of suppliers, regulators, operators, software providers, cloud platforms, and communications infrastructure. A sector can improve tooling and still remain exposed if reporting routes are weak, dependencies are poorly mapped, or national authorities lack the capacity to use the data they receive.
NIS2 is now moving from legislative design into supervisory practice. Member states and regulated entities are working through obligations covering incident reporting, business continuity, vulnerability handling, supplier controls, and senior management accountability. The pressure is not simply to show that policies exist, but to demonstrate that they can hold during disruption.
Sector maturity assessments also influence procurement and assurance. Where NIS2 pushes responsibility deeper into supply chains, suppliers supporting essential functions may face more structured evidence requests, tighter contractual controls, and more scrutiny over their own resilience. A weak supplier may become a regulatory problem for the operator that depends on it.
The report may also sharpen comparisons between member states. NIS2 is an EU-wide framework, but supervision, enforcement capacity, and sector structure remain national in practice. Similar sectors can therefore carry different levels of operational maturity depending on local regulatory expectations, market concentration, and the quality of information-sharing between authorities and operators.
NIS360 should not be read as a simple league table. Its value lies in showing where European critical sectors are building capability, where structural exposure remains, and where policy still needs operational follow-through. The next phase will be shaped by how regulators use the findings in supervision, how operators turn them into investment decisions, and whether suppliers are pulled into the same resilience discipline.



