Europe’s Cyber Resilience Is Improving - But the Weakest Sectors Still Set the Pace
ENISA’s latest NIS360 assessment points to gradual gains in cybersecurity maturity across high-criticality sectors, while leaving enough unevenness to keep systemic risk on the table.
When regulators measure cyber resilience, the most important question is not whether a sector has policies on paper. It is whether the organizations that keep essential services running can withstand disruption when attackers, outages, or supplier failures hit. ENISA’s latest NIS360 report tries to answer exactly that, and its message is blunt: maturity is moving in the right direction, but not evenly enough to relax.
Fast Facts
- ENISA has published a new NIS360 assessment focused on NIS2 Annex I sectors of high criticality.
- The report finds cybersecurity maturity is rising, but progress remains uneven across sectors and subsectors.
- NIS360 separates maturity from criticality, which means a sector can be highly important yet still underprepared.
- ENISA’s current risk zone includes health, railway, maritime, ICT management services, space, public administrations, drinking water, and waste water.
- The broader lesson is operational: resilience depends on the weakest relevant organization, site, or supplier, not just the best-run ones.
Why this scorecard matters
NIS360 is more than a compliance exercise. It is a sector-level framework for comparing two different realities: how critical a sector is to society, and how mature its cybersecurity practices are. That distinction matters because criticality does not automatically produce readiness. A service can be indispensable and still have gaps in incident handling, continuity planning, supplier oversight, or recovery testing.
The report’s latest signal is encouraging, but only in a limited sense. Some sectors are moving into stronger maturity bands, while others are improving more slowly. From a defensive perspective, that means the security baseline across Europe’s essential services is rising, yet the distribution of that progress remains uneven enough to leave residual exposure in the places that matter most.
That unevenness is the real story. In tightly connected environments, one underprepared provider can become the friction point for a much larger ecosystem. The operational risk is not just a direct cyberattack on a flagship entity, but the cascade effects that appear when a fragile supplier, local authority, or supporting platform cannot absorb stress.
The available information supports a risk analysis, not a claim that any specific organization has failed or that every in-scope entity is equally exposed. The root cause of the sectoral gaps is likewise a matter of implementation, governance, and local capacity rather than a single security flaw.
ENISA’s broader guidance pushes this idea further by translating legal expectations into practical controls and evidence. That matters because maturity improves fastest when teams can test what they are supposed to do, not just describe it in policy language. In other words, resilience is measured in exercises, recovery performance, and evidence review - not only in declarations of compliance.
Conclusion
The lesson from NIS360 is not that Europe’s critical sectors are safe now. It is that progress is real, but still fragile, and the gap between criticality and maturity remains a live operational problem. For defenders, the priority is clear: find the weakest link before an attacker, outage, or supplier failure does.
WIKICROOK
- ENISA: The European Union Agency for Cybersecurity, which supports EU cyber policy and resilience work.
- NIS360: ENISA’s sector assessment framework for comparing cybersecurity maturity and criticality in high-criticality sectors.
- NIS2 Directive: The EU cybersecurity directive that defines Annex I sectors of high criticality.
- Cybersecurity maturity: How consistently an organization or sector manages risks, capabilities, and operational readiness over time.
- Criticality: The degree to which a sector or service is vital to society, based on systemic relevance and disruption impact.




