Summary
- ENISA has opened the next NIS360 survey cycle for national authorities and high-criticality entities under NIS2.
- The data will feed the 2027 NIS360 report and allow registered entities to receive benchmarking against peers.
- The work gives EU cyber maturity a more measurable basis as NIS2 supervision and accountability develop.
ENISA has opened a new NIS360 survey cycle for national authorities and high-criticality entities under the NIS2 Directive, extending the European Union’s attempt to measure cyber maturity across critical sectors rather than relying on formal implementation alone.
The agency said the latest data collection will feed the 2027 edition of its NIS360 report, following the publication of the 2026 report in May. The survey is aimed at both national authorities and organisations operating in sectors classed as highly critical under NIS2, with information gathered through two structured questionnaires.
The survey notice says responses will be analysed in aggregate and treated confidentially. ENISA has also simplified the process and added benchmarking features that allow registered entities to compare themselves with peers and better understand where they stand.
Benchmarking gives the exercise practical weight. NIS2 has broadened the number of sectors and organisations subject to EU cybersecurity obligations, but regulatory maturity still varies across member states, sectors, and supervisory systems. Annual measurement gives policymakers, regulators, and operators a way to separate implementation activity from practical resilience.
The NIS360 model assesses maturity and criticality across a sector’s wider ecosystem, rather than treating individual organisations in isolation. ENISA says maturity is determined by legislation and its effectiveness, organisational preparedness, authorities’ institutional capacity, and the strength of sectoral ecosystem structures.
That approach asks whether sectors have functioning supervisory relationships, capable authorities, prepared operators, and mechanisms that support information sharing and improvement. Those factors increasingly determine whether NIS2 becomes a working resilience framework or remains a legal overlay on uneven operational practice.
The survey arrives as European organisations are interpreting overlapping obligations under NIS2, the Cyber Resilience Act, sector-specific rules, and resilience requirements in areas such as finance, transport, energy, health, and digital infrastructure. The most exposed organisations will be judged not only by whether they have policies in place, but by whether controls, governance, suppliers, reporting, and incident response can withstand scrutiny.
High-criticality entities may also find the benchmarking difficult to ignore. Sector maturity measures can expose whether an organisation is lagging behind peers, whether a national supervisory regime is underdeveloped, or whether a sector’s operational dependency profile is not matched by its cyber preparedness.
The data collection period runs until 30 October 2026. ENISA said the survey will support the next NIS360 report, scheduled for publication in 2027, and directed questions to its NIS360 mailbox.
Annual measurement will not close capability gaps by itself, but it can make gaps more visible across sectors whose disruption would have wider public, economic, or cross-border consequences.





