The European Union Agency for Cybersecurity’s first NIS360 report identifies areas for improvement and tracking of progress across NIS2 Directive sectors.
The NIS360 is a new product by the EU Agency for Cybersecurity, ENISA, that assesses the maturity and criticality of NIS2 sectors, providing both a comparative and a more in-depth analysis.
The goal of the NIS360 is to help national authorities and cybersecurity agencies in the Member States tasked with the implementation of the NIS2, (1) to understand the overall picture, (2) to help them with prioritisation, (3) to highlight areas for improvement, and (4) to facilitate monitoring of sectors’ progress. The NIS360 also aims to support policy makers at national and EU level, to give input on policy and strategy development, and initiatives to build up cyber resilience.
The report sets out three main priorities.
Firstly, it recommends that collaboration, within and between sectors is strengthened, through community-building events and cooperation at sector, national and EU level.
Secondly, within this NIS2 transposition period, it is becoming more of a priority to develop sector-specific guidance on how to implement the key NIS2 requirements in each sector. The report notes that national sectorial authorities are stepping up to implement the NIS2. While investments are increasing across sectors, further upskilling is required.
Thirdly, the NIS360 emphasises the need for both alignment of requirements across borders in each NIS sector, and for cross-border collaboration.
The EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, highlighted: “ENISA is working closely with the EU Member States to implement the NIS2 Directive by providing expertise and guidance. The ENISA NIS360 gives valuable insight into the overall maturity of NIS sectors and the challenges of individual sectors. It explains where we stand, and how to move forward."
Key Findings at a Glance
Main findings include the following:
Electricity, telecoms and banking are the three most critical and most mature sectors that stand out above the rest. These sectors have benefited from significant regulatory oversight, funding and investments, political focus, and overall a robust public-private partnership.
Digital infrastructures, which includes critical services like internet exchanges, top-level domains, data centres, and cloud services, are a step below in terms of maturity. This NIS sector is very heterogeneous in terms of maturity of entities, and has a strong cross-border nature which complicates supervision, information sharing and collaboration.
Six NIS sectors fall within the NIS360 risk zone, suggesting that there is room for improvement in their maturity relative to their criticality.
ICT service management: The sector faces key challenges due to its cross-border nature and diverse entities. Strengthening its resilience requires close cooperation between authorities, reduced regulatory burdens for entities subject to both NIS2 and other legislation, and close cooperation in cross-border supervision.
Space: Stakeholders’ limited cybersecurity knowledge and its heavy reliance on commercial off-the-shelf components present challenges for the sector. Enhancing its resilience requires better cybersecurity awareness, clear guidelines for pre-integration testing of components, and stronger collaboration with other sectors.
Public administrations: Being very diverse, it is challenging for the sector to achieve a higher common level of maturity. The sector lacks the support and experience seen in more mature sectors. Being a prime target for hacktivism and state-nexus operations, the sector should aim to strengthen its cybersecurity capabilities leveraging the EU Cyber Solidarity Act and exploring shared service models among sector entities on common areas e.g., digital wallets.
Maritime: The sector continues to face challenges with Operational Technology (OT) and could benefit from tailored cybersecurity risk management guidance that focuses on minimising sector-specific risks, as well as an EU-level cybersecurity exercise to enhance coordination and preparedness in both sectorial and multi-modal crisis management.
Health: The health sector with an expanded coverage under NIS2, continues to face challenges such as the reliance on complex supply chains, legacy systems, and poorly secured medical devices. Strengthening its resilience requires the development of practical procurement guidelines to help organisations acquire secure services and products, tailored guidance to help overcome common issues, and staff awareness campaigns.
Gas: The sector needs to continue working towards developing its incident readiness and response capabilities, through the development and testing of incident response plans at national and EU levels but also through enhanced collaboration with the electricity and manufacturing sectors.
The report is based on data from national authorities with a horizontal or sectorial mandate, on self-assessment by companies within the NIS2 sectors, and on EU data sources such as Eurostat. In the ENISA NIS360, the strengths, sectorial challenges, gaps are identified, and recommendations are made to improve sectorial maturity and resilience across the Union.
Contact
For press questions and interviews, please contact: [email protected].
Content written for: National / EU authorities
