New ENISA NIS360 Report: Key Takeaways for Digital Compliance Professionals
by Streamlex 8 March 2025
The ENISA NIS360 report assesses the maturity and criticality of key sectors under the NIS2 Directive. Check how your sector is doing and learn what it means for you as a digital compliance professional in digital infrastructure, healthcare, finance, and other regulated industries.
Introduction
Published on 5 March 2025, the ENISA NIS360 is an assessment of sectoral maturity and criticality under the NIS2 Directive, offering a view of cybersecurity resilience across industries. While national authorities will use this report to guide regulatory priorities, digital compliance professionals in regulated companies need to understand its implications for cybersecurity requirements, sector-specific risks, and evolving compliance expectations. This article provides a focused analysis for businesses, outlining the key takeaways from the NIS360 report and their impact on digital compliance strategies.
Key Findings and Industry Impact

Sectors with the Highest Maturity and Criticality
Electricity, Telecoms, and Banking emerge as the most mature and critical sectors in the EU cybersecurity landscape. These industries have long-standing regulatory oversight, global investments, and strong public-private partnerships, contributing to high resilience and regulatory compliance. For compliance professionals in these industries, the challenge is to stay ahead of evolving requirements by continuously adapting cybersecurity governance models to maintain leadership in regulatory alignment.
Digital Infrastructures: Strong but Facing New Challenges
Sectors like core internet services, trust services, data centers, and cloud providers rank high in maturity and criticality. However, they face increasing challenges due to:
- Cross-border complexities requiring harmonized regulatory approaches.
- The inclusion of previously unregulated entities in the NIS2 framework.
- Heightened risks due to digital supply chain dependencies.
Organizations in these sectors must ensure compliance across multiple jurisdictions, build cybersecurity resilience in cloud and internet infrastructure, and manage third-party risks effectively.
Sectors in the Risk Zone: Key Compliance Challenges
The NIS360 report identifies several sectors as being in the risk zone, meaning they require urgent attention to close cybersecurity maturity gaps.
- ICT Service Management: The ICT service management sector faces significant challenges due to its cross-border nature and the diverse range of entities it covers. Many organizations in this sector fall under both NIS2 and DORA (Digital Operational Resilience Act), creating overlapping compliance obligations. What to do? To enhance cybersecurity resilience, companies must adopt harmonized cybersecurity risk management frameworks, streamline regulatory reporting processes, and work closely with authorities to ensure efficient oversight.
- Public Administration: Government institutions are still in the early stages of cybersecurity maturity, making them prime targets for hacktivist groups and state-sponsored cyber threats. The fragmented implementation of NIS2 across Member States further complicates compliance. What to do? To strengthen security, public administrations should leverage the Cyber Solidarity Act, invest in sector-wide cybersecurity awareness programs, and explore shared service models to optimize security operations across agencies.
- Maritime Sector: The maritime industry is highly dependent on Operational Technology (OT), which remains vulnerable to cyber threats due to legacy systems and outdated security measures. Supply chain risks, unpatched vulnerabilities, and geopolitical threats also heighten exposure. What to do? Organizations should focus on tailored cybersecurity risk management frameworks that address sector-specific risks and participate in EU-level cybersecurity exercises to improve incident response coordination across port operations, logistics, and critical supply chains.
- Healthcare Sector: The health sector faces a highly complex regulatory landscape, with overlapping compliance requirements from NIS2, the Medical Device Regulation, the Cyber Resilience Act, the AI Act, and the EU Health Data Space Regulation. The sector’s reliance on legacy systems, third-party vendors, and medical devices with weak security exacerbates cyber risks. What to do? Digital compliance professionals must focus on secure procurement guidelines, risk-based cybersecurity frameworks, and awareness programs for healthcare staff to mitigate vulnerabilities. Additionally, greater clarity on how NIS2 aligns with medical device regulations is needed to ensure a cohesive security strategy across the sector.
- Gas Sector: The gas sector is increasingly interconnected with the electricity and manufacturing industries, making cyber resilience a top priority. However, it still lags in incident readiness and response capabilities. What to do? Organizations must work towards developing and testing incident response plans at both national and EU levels, fostering cross-sector collaboration to mitigate potential cascading cyber risks. Proactive engagement with electricity and energy regulators is critical to ensuring harmonized cybersecurity measures across the energy sector.
Conclusion
The ENISA NIS360 is a valuable resource for compliance professionals looking to understand cybersecurity maturity across industries and prepare for upcoming regulatory expectations. While some sectors lead in maturity, others face significant challenges that require targeted interventions and strategic cybersecurity investments. Digital compliance teams must proactively address regulatory challenges and align security strategies with sector-specific risks to ensure resilience under the evolving NIS2 Directive. Monitoring regulatory overlaps (e.g., NIS2, Cyber Resilience Act, DORA, AI Act) to ensure a coordinated compliance strategy remains one of the key tasks.
📌 EU digital acts mentioned in this article—including NIS2, Cyber Resilience Act, DORA, and AI Act—can be conveniently accessed on Streamlex.eu, your go-to resource for EU digital laws, all in one place.