ENISA flags uneven cyber maturity across critical sectors

ENISA has warned that critical-sector cyber maturity remains uneven across Europe. Its NIS360 report shows improvement under NIS2, while health, rail, space, public administration, and water still sit in higher-risk territory.


In Brief:

  • ENISA’s 2026 NIS360 report shows cybersecurity maturity improving across EU critical sectors.
  • Health, railway, maritime, ICT service management, space, public administration, and water remain in the risk zone.
  • Connected embedded systems, industrial networks, and long-life infrastructure products face rising security expectations under NIS2.

ENISA has published its 2026 NIS360 report, showing improved cybersecurity maturity across EU critical sectors while identifying several areas where preparedness still trails criticality.

The report is the third edition of ENISA’s annual assessment of cybersecurity maturity and criticality across high-criticality sectors under the NIS2 Directive. Rather than assessing individual organisations, it examines sector ecosystems, including national authorities, entities, EU bodies, applicable legislation, cooperation structures, and sector-wide preparedness.

Banking, electricity, and telecommunications remain among the most mature and critical sectors. Trust services, aviation, and financial market infrastructures have also moved into the high-maturity band, reflecting stronger governance, investment, regulatory attention, and operational security capability.

Health, railway, maritime, ICT service management, space, public administration, drinking water, and waste water are now identified in the report’s risk zone. Railway, drinking water, and waste water have moved into that zone after previously sitting at its boundary, while gas has begun to move out.

The findings land in a market where industrial and infrastructure electronics are becoming more connected, more software-defined, and more exposed to long service-life cybersecurity demands. Controllers, networked sensors, gateways, drives, medical systems, transport electronics, and communications equipment are increasingly judged by their ability to support secure deployment, authenticated updates, traceability, and monitored operation.

Products such as NXP’s RT1180 crossover MCUs for TSN-enabled industrial control show how device-level design is already moving in that direction, with deterministic networking, security functions, and long-life deployment requirements converging in industrial control hardware.

NIS2 is adding weight to that convergence. Secure boot, authenticated firmware updates, device identity, vulnerability handling, logging, network segmentation, and update governance are shifting from optional features to expected design considerations in connected systems serving critical environments.

The uneven maturity described by ENISA also creates a practical challenge for equipment suppliers. Critical sectors differ widely in their institutional maturity, available skills, legacy infrastructure, procurement discipline, and operational security processes. A field device can enter an environment with sophisticated monitoring and incident response, or one still working through fragmented assets and constrained maintenance windows.

Designing for those conditions requires more than adding isolated security features. Products deployed into critical infrastructure need manageable security over long operating lives, including clear update mechanisms, robust access control, secure defaults, and behaviour that remains predictable in mixed legacy networks.

ENISA expects legislation, perceived cyber risk, threat exposure, interdependencies, and sector expectations to keep pushing investment and preparedness. For embedded and industrial electronics, the direction is already set: connected products entering critical sectors must carry security through design, deployment, operation, and maintenance, not simply through certification paperwork at launch.

