
ENISA NIS360 2026: EU Critical Sectors Gain Cybersecurity Maturity, but Healthcare and Public Administration Still Lag

Source: ENISA

ENISA, the EU Agency for Cybersecurity, published its 2026 NIS360 report on 28 May, providing the most comprehensive assessment yet of where European critical sectors stand on cybersecurity maturity under the NIS2 Directive. The report is ENISA’s primary mechanism for tracking progress across the sectors that NIS2 covers and identifying where the gap between a sector’s criticality to society and its actual security maturity remains dangerously wide.

The sectors doing well

Banking, electricity, and telecommunications retain their positions at the top of the maturity rankings, reflecting years of regulatory pressure, dedicated sector CSIRT coordination, and significant internal investment. Three sectors moved into the high maturity band for the first time: trust services, aviation, and financial market infrastructures (FMIs). These improvements follow the implementation of targeted sector-level guidance from ENISA and the establishment of more effective information-sharing structures within each sector.

The risk zone sectors

The risk zone in the NIS360 framework identifies sectors where cybersecurity maturity is lower than the level demanded by their criticality to EU society and economy. In 2026, these sectors are:

Healthcare remains the most concerning. It is one of the sectors most targeted by ransomware operators and, at the same time, one of the least mature in its cybersecurity posture. The combination of legacy clinical systems, fragmented IT environments across hundreds of hospitals and healthcare providers, limited security budgets, and the high sensitivity of patient data creates persistent exposure.

Maritime transport operates critical logistics infrastructure with significant legacy operational technology (OT) and IT convergence challenges. Port authorities and shipping operators have struggled to apply NIS2 frameworks consistently.

Railways face similar OT/IT convergence issues, with signalling and control systems that were never designed to be networked now connected to centralised operations platforms.

Public administration covers an extremely broad set of organisations with highly variable maturity levels. Central government bodies in larger member states show reasonable maturity; smaller agencies and municipal administrations often have little dedicated security capability.

Space infrastructure is new to the risk zone this year, added to the NIS360 framework to reflect the growing role of satellite systems in critical services including navigation, financial clearing, weather forecasting, and emergency communications. The sector has high criticality but immature cross-operator coordination.

Water utilities and ICT management service providers also remain below the maturity threshold relative to their criticality.

What the NIS360 means for organisations under NIS2

NIS2 significantly expanded the scope of entities subject to EU cybersecurity requirements compared to the original NIS Directive. Essential entities in the risk zone sectors face the most urgent gap to close, as ENISA’s findings will inform Commission-level actions and national supervisory priorities.

National competent authorities are now expected to use NIS360 findings as an input to their supervisory planning. Sectors identified as lagging are more likely to see active inspections, information requests, and enforcement action in the coming regulatory cycle. For healthcare organisations, this is particularly relevant: ENISA’s 2026 report gives national authorities in every member state a clear justification for focusing enforcement resources on hospital networks and health data processors.

For ICT management service providers, the risk zone designation means that managed service providers and cloud service operators serving critical sectors face increased scrutiny not only of their own compliance but of the security posture they provide to their customers.

The compliance deadline picture

Member states are still in the process of fully transposing NIS2 into national law, and several are expected to complete transposition in 2026. As transposition progresses, the supervisory and enforcement mechanisms that give the ENISA findings operational weight will come into full effect. Organisations that have not yet conducted a NIS2 gap assessment, established a cybersecurity governance structure, or implemented incident reporting procedures face increasing exposure.

If your organisation operates in a sector covered by NIS2 and you want to understand your compliance obligations, assess your current security posture against NIS2 requirements, or prepare for national supervisory review, contact Excello Digital. We help organisations in critical sectors translate regulatory frameworks into operational security programmes with practical timelines and measurable outcomes.
