The European Union Agency for Cybersecurity (ENISA) released its NIS360 report, designed to be an assessment tool to evaluate the cybersecurity maturity and criticality of sectors governed by the NIS2 Directive. The report identifies gaps in the current state of NIS2 compliance readiness and provides recommendations to lawmakers and affected industry verticals on what they need to do to become NIS2 compliant. NIS360 provides additional recommendations to help strengthen intra-nation cyber-resilience across the EU.
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity framework that replaces the 2016 NIS Directive (NIS1). The NIS regulations aim to strengthen resilience by mandating risk management measures, incident reporting, and cross-border cooperation across critical sectors, such as energy, transport, healthcare, digital infrastructure, and public administration. Unlike NIS1, NIS2 automatically applies to medium and large organizations in critical sectors and introduces stricter supervision, supply chain security requirements, and penalties for noncompliance (up to €10 million or 2% of global revenue).
The report draws on input from national authorities, entity self-assessments, and EU datasets (e.g., Eurostat). ENISA plans to expand the NIS360 assessment in 2025 to track progress and refine sector-specific strategies.
Member states were required to transpose the NIS2 Directive into national law by Oct. 17, 2024, to harmonize cybersecurity standards and enhance EU-wide coordination; however, many nations have yet to legislate NIS2, with only nine EU member states having incorporated the directive into national law. This threatens to slow NIS2 progress dramatically.
With the NIS360 report findings, ENISA hopes to help national authorities, policymakers, and lawmakers move forward by providing a cross-sectoral overview of cybersecurity readiness, enabling resource prioritization for sectors with urgent needs, highlighting sector-specific improvement areas, and offering ideas on how to facilitate long-term progress monitoring.
"The NIS360 gives valuable insight into the overall maturity of NIS sectors and the challenges of individual sectors. It explains where we stand and how to move forward," says ENISA Executive Director Juhan Lepassaar.
"NIS2 promises to raise the bar for cyber security within the EU by mandating critical aspects of effective cybersecurity, such as risk management, incident reporting, and a focus on supply chain security. These are the trio of 'must haves' for many organizations now, especially larger enterprises," says John Price, founder and CEO at cybersecurity services provider SubRosa. "And encouraging organizations to enhance these areas is a better step toward reducing the vulnerability landscape and improving resiliency," Price says.
In its evaluation, ENISA found the most mature industries to be electricity, telecoms, and banking, which experts attribute to long-standing adequate levels of regulation, high levels of security funding, and high levels of public-private partnerships in these sectors. However, core internet services, cloud providers, and data centers were ranked lower in maturity due to the diverse nature of technology firms and the challenges of effectively regulating these industries across national borders.
The NIS360 report cites three strategic priorities essential to remedying those dynamics and building long-term success. The first is cross-sector and cross-border cooperation through community building, including sector-specific efforts such as fostering information sharing and analysis centers and international EU sector cybersecurity drills, such as in the maritime industry, to identify risks in operational technologies.
The second strategy is to develop Sector-Specific Guidance and tailor risk management frameworks to address unique challenges in each sector. For instance, the health sector needs procurement guidelines for medical devices, while public administrations require shared service models to optimize resources.
Finally, the third strategy is to harmonize cybersecurity requirements across member states, with a special emphasis on digital infrastructure, which includes Internet exchanges, cloud services, and other services that operate across borders.
By addressing these priorities, the EU aims to close cybersecurity gaps and build a unified defense against evolving threats, ensuring the resilience of critical infrastructure across the bloc. However, not everyone is convinced NIS2 will be as effective as many hope in increasing security.
"It's an informative read," says Wim Remes, operations manager at security services firm Spotit, "but it also reinforces what we already know: industries critical to security have historically underspent on cybersecurity. This has left us with a large amount of technical debt that will not be resolved by becoming NIS2 compliant. Europe needs to incentivize cybersecurity investments more than it needs to incentivize compliance. Especially in today's geopolitical climate," he says.
Interestingly, ENISA identified six sectors that it placed in what it terms the "risk zone," meaning the security maturity of these industries lags behind their criticality, that is, the impact adverse cyber incidents would have on them. These sectors are ICT service management, space, public administrations, health, maritime, and gas.
ENISA also outlines common success factors for mature sectors—including banking, energy, and telecom—such as robust regulatory oversight, public-private partnerships, and tested incident response plans. It also provides risk management strategies, including supply chain security policies, vulnerability management, and legacy system modernization.
"These findings are not surprising, as energy, banking, and telecom have faced regulatory pressure for a longer time, and the stakes of a security failure are generally higher in those sectors," says Michael Farnum, advisory CISO at technology services provider Trace3.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.