ENISA’s 2024 NIS360 Report Reveals Cybersecurity Gaps in Critical Sectors Across the EU


Key Takeaways

  • Top Sectors: Electricity, telecoms, and banking show strong resilience, backed by long-term investments and regulatory oversight.
  • Risk Zone Sectors: ICT service management, space, maritime, health, and gas sectors need immediate attention to address gaps in maturity and improve cybersecurity resilience.
  • Collaboration is Crucial: Enhanced cooperation within sectors and across borders will be essential to closing the cybersecurity maturity gaps.
  • Targeted Guidance Needed: Sector-specific guidance and tailored cybersecurity strategies will help address unique challenges in sectors like maritime and health.
  • Upskilling for Resilience: National authorities need better training and reskilling to ensure more effective NIS2 implementation and improved sector resilience.

Deep Dive

Every year, Europe’s cybersecurity landscape grows more complex. With digital infrastructures evolving, cyber threats becoming more sophisticated, and the stakes higher than ever, it’s clear that certain sectors are facing serious challenges when it comes to cyber resilience. ENISA’s 2024 NIS360 report offers a deep dive into the cybersecurity maturity and criticality of sectors that are essential to Europe’s economic and social fabric—and the results are both encouraging and concerning.

The NIS360 report was created to help Member States and national authorities understand where the most significant gaps in cybersecurity exist and to guide resources to areas that need them the most. After assessing 22 highly critical sectors, ENISA has uncovered both areas of strength and some glaring vulnerabilities that need immediate attention.

Telecoms, banking, and electricity stand out as the most resilient sectors in the study. These sectors have benefitted from years of regulatory oversight, political attention, and global investments that have strengthened their ability to weather cyber threats. They’re also supported by strong public-private partnerships that help them adapt and respond to evolving risks. Their resilience isn’t just important for their own operations—it’s vital for the overall stability of society and the economy. Without a strong telecom sector, the internet would falter. Without banking resilience, our economy would come to a halt. And without a robust electricity grid, nothing would function.

But even these sectors face challenges. With cyber threats becoming more pervasive and sophisticated, it’s clear that even the most mature sectors aren’t invincible.

High Maturity, But Not Without Challenges
Then there’s digital infrastructure, including internet services, cloud services, and data centers. These areas also rank highly in terms of both maturity and criticality, meaning they play a huge role in our daily lives and the functioning of the economy. However, they’re not immune to the complexities of cross-border operations and the inclusion of entities that weren’t regulated until recently. These infrastructures are more vulnerable than most to a variety of threats, and their very global nature presents unique hurdles in ensuring consistent cybersecurity standards.

While some sectors are doing well, others are struggling to keep pace, and these are the areas that should be top of mind for national authorities in 2025. ENISA’s analysis flagged four sectors and two subsectors as being in the ‘risk zone’—sectors that have high criticality but low cybersecurity maturity, putting them at significant risk of exploitation. These sectors are ICT service management, space, public administrations, maritime, health, and gas.

  • ICT Service Management: This sector faces a significant challenge due to its cross-border nature and the sheer diversity of entities involved. To strengthen resilience, authorities will need to reduce regulatory burdens for entities caught in both the NIS2 and DORA frameworks and harmonize cross-border supervision.
  • Space: The space sector is another area of concern, particularly because it’s still catching up with cybersecurity requirements. A heavy reliance on commercial off-the-shelf components and limited cybersecurity awareness among stakeholders are major obstacles. The solution here involves improving cybersecurity knowledge and ensuring proper pre-integration testing of components.
  • Public Administrations: Although the public administration sector is growing in maturity, it remains a prime target for cyberattacks, including state-sponsored operations and hacktivism. The report suggests that leveraging EU initiatives like the Cyber Solidarity Act and exploring shared service models could significantly enhance sector resilience.
  • Maritime: The maritime sector’s reliance on operational technology (OT) continues to be a weak spot. The report recommends tailored risk management guidance and sector-specific cybersecurity exercises to better prepare for and respond to cyber incidents.
  • Health: With its increasingly complex supply chains and legacy systems, the health sector continues to face significant vulnerabilities. Addressing these requires practical guidelines for procurement, improving cyber hygiene, and boosting staff awareness to close common gaps in security.
  • Gas: Finally, the gas sector still lags when it comes to incident readiness and response. The report stresses the importance of developing national and EU-level incident response plans and enhancing collaboration with other critical sectors like electricity and manufacturing.

What Needs to Be Done
The NIS360 report serves as both a reflection on where we stand and a wake-up call for the future. While progress is being made, many sectors still face significant challenges that need to be addressed. Stronger cooperation within sectors, across borders, and with national authorities is essential to closing cybersecurity gaps.

The report also underscores the need for tailored guidance for sectors struggling with specific cybersecurity issues, whether it’s maritime OT challenges or the complexities of health sector supply chains. In addition, investing in upskilling and reskilling national authorities is critical to ensure a more harmonized implementation of the NIS2 Directive across the EU. Cybersecurity isn’t just a technological issue—it’s a policy and cooperation issue, and it requires coordinated action at every level.

Finally, the need for cross-border cybersecurity exercises is emphasized to enhance coordination and improve response to incidents that could affect multiple sectors. This approach will help mitigate the cascading effects of cyber incidents and ensure the EU is better prepared for the future.

As the cybersecurity landscape continues to evolve, it’s clear that EU sectors must be proactive in addressing their weaknesses. The NIS360 report is a powerful tool in that effort, highlighting areas of strength, pinpointing vulnerabilities, and offering a roadmap for stronger collaboration and preparedness moving forward.
