ENISA

EU Water Utilities and Rail Slide into the Cyber Risk Zone


The EU cybersecurity agency’s third NIS360 report does credit progress across all critical sectors. But drinking water, waste water, and rail transport are now deemed too poorly equipped for their importance.

The EU Agency for Cybersecurity, ENISA, has published its NIS360 report 2026, the third edition of an assessment that evaluates all 22 sectors and subsectors of high criticality under the NIS2 directive. The result is double-edged: cybersecurity maturity is rising slowly but steadily across the EU. At the same time, three sectors have newly slipped into what ENISA calls the risk zone.


Unlike conventional maturity models that scrutinise individual companies, ENISA assesses the entire ecosystem of a sector. Maturity rests on four building blocks: legislation and its effectiveness, the preparedness of companies, the institutional capacity of authorities, and the structures of the sector ecosystem. Criticality, in turn, measures how heavily society and the economy depend on a sector and how quickly a disruption would be felt.

Banking, Electricity, and Telecoms Remain the Front-Runners

Little has shifted at the top. Banking, electricity, and telecommunications remain the most mature and at the same time most critical sectors. Three more have newly joined the high-maturity group: trust services, aviation, and financial market infrastructures (FMIs).

For the finance sector, ENISA sees the EU regulation DORA as a key driver. It has bundled resources and made the FMIs’ risk management more structured. At the same time, the sector remains a preferred target. Alongside DDoS attacks, ransomware, and data theft, the report notes a growing number of fraud schemes, many relying on social engineering and increasingly on AI-powered deepfakes.


Four sectors improved within the moderate maturity band: gas, road transport, maritime, and health. In road transport, the automotive industry in particular is pulling the level up, operating under its own international frameworks such as UN Regulation No 155 and the ISO/SAE 21434 standard.

Three Newcomers in the Risk Zone

ENISA defines the risk zone as the area where sectors show below-average maturity while their criticality exceeds that maturity. In the report’s own words, these are sectors that are “more critical for society and the economy than they are currently prepared to manage cyber risks”. Put differently: these sectors matter more than they are currently equipped to defend against cyber risks.

Newly slipping in are rail transport as well as drinking water and waste water. For the rail sector, the report points to its growing role in military logistics across Europe, which raises its criticality and makes it a more attractive target for cyber and hybrid threats. As a cautionary example, ENISA cites an attack in Poland in which an attacker exploited a weakness in radio-based OT communication and brought a number of trains to a standstill for a couple of hours.

Drinking water and waste water rank among the least mature sectors of all. Drinking water fares somewhat better than waste water, which ENISA attributes to its earlier inclusion in cybersecurity legislation. Both sectors struggle with legacy systems, tight budgets, a shortage of skilled staff, and a predominantly reactive approach. In both, one in three surveyed entities reports never having conducted a risk assessment.

Health, maritime, ICT service management, space, and public administration also remain in the risk zone.

Gas a Bright Spot, Public Administration a Problem Child

There is one positive development: the gas sector is leaving the risk zone. ENISA credits better information sharing, stronger collaboration, and improved implementation of risk management measures.

Things look worse for public administration, which the report describes as “the most targeted sector”. Around one third of administrations have no structured approach to ensuring cybersecurity expertise at management level. About half provide no corresponding training for leadership. Patching often takes longer than three months. Hacktivism accounts for the bulk of incidents, with data breaches and cyber espionage adding to the picture.

ICT service management, meaning managed service providers (MSPs) and managed security service providers (MSSPs), also remains a concern. Because these providers reach deep into other sectors as third parties, their merely moderate maturity is not just their own problem. A compromised provider can serve as a stepping stone to numerous clients, as ENISA illustrates with the example of a ransomware attack spread via the RMM tool SimpleHelp.

AI, Supply Chains, and Geopolitics as Cross-Cutting Risks

Across all sectors, ENISA identifies three defining dynamics. First, the rapid advance of AI, whose benefits have so far materialised faster for attackers than for defenders, for instance through more convincing social engineering attacks and faster vulnerability exploitation.

Second, the growing dependence on supply chains and third-party providers. Anyone who trusts a provider implicitly trusts everyone that provider in turn trusted. The compromise of a single link can cascade through entire sector ecosystems. As examples from the reporting period, ENISA cites, among others, outages at major cloud providers such as Google Cloud and AWS, as well as damage to undersea cables.

Third, geopolitical volatility, which manifests in geopolitically motivated attacks where organisations often get caught in the crossfire of state conflicts.

Conclusion

The message of the NIS360 report is not that the EU is failing at the cybersecurity of its critical infrastructure. On the contrary, the trend points upward, and legislation such as NIS2 and DORA evidently acts not just as a compliance chore but as a genuine investment driver. What is more striking is the unevenness. While sectors with long regulatory experience, such as banking and telecommunications, pull ahead, water utilities and parts of the transport sector lag behind. It should give supervisory authorities pause that the water supply, of all things, existential for every household, ranks among the least mature areas, and that one in three entities has never carried out a risk assessment. The report at least offers a clear prioritisation of where EU funding and targeted support should flow next.

Lars Becker, Deputy Editor-in-Chief, IT Verlag GmbH
