Electricity, telecoms and banking are the three most critical and most mature sectors in terms of cyber security, according to ENISA, the European Union’s agency for cybersecurity. Its NIS360 report assesses the maturity and criticality of sectors of high criticality under the NIS2 Directive, covering cyber across the EU.
The report names ICT service management, space, public administrations, maritime, health and gas as sectors that ‘need extra attention’. For example, health relies on complex supply chains and has legacy IT systems and poorly secured medical devices. All sectors that the report covers ‘face challenges in building their maturity and meeting NIS2’, according to the report. And space, as a newly regulated sector under NIS2, is ‘still in the early stages of aligning with the directive’s requirements which present challenges for both entities and national authorities responsible for sector oversight’, the report says.
ENISA Executive Director Juhan Lepassaar says: “ENISA is working closely with the EU member states to implement the NIS2 Directive by providing expertise and guidance. The ENISA NIS360 gives valuable insight into the overall maturity of NIS sectors and the challenges of individual sectors. It explains where we stand, and how to move forward.”
ENISA based the report on data from national authorities with a horizontal or sectorial mandate, on self-assessment by companies within the NIS2 sectors, and on EU data sources such as Eurostat.
Comment
James Neilson, SVP International at OPSWAT, says: “ENISA’s NIS360 report findings are welcomed, and the push for further guidance and collaboration within and between sectors is essential. Security teams in sectors under NIS2 are often expected to manage unfamiliar systems, and few individuals possess deep expertise in both IT and operational technology (OT), creating knowledge gaps in threat assessment and defence development. This is further evidenced by SANS Institute research published this week, which identified that 38 per cent of European organisations that rely on Industrial Control Systems (ICS) / OT only allocate 26–50% of their cybersecurity budgets to ICS/OT. However, many organisations lack dedicated ICS/OT security professionals, and only 27% of ICS/OT budget decisions are directed by a CISO or CSO team.
“IT systems, internet connectivity, and transient devices remain major attack surfaces for ICS/OT infrastructure. Data flow between IT and OT reveals a lack of understanding among security teams regarding the impact of IT threats on OT environments. Many organisations neglect to secure data that moves in and out of their OT networks. By controlling data flows and scanning files in transit between devices, employees, and digital supply chain members, organisations can detect and neutralise hidden malicious payloads that may infiltrate their critical systems. This not only contributes to their NIS2 compliance but also strengthens their overall cybersecurity posture.”
You can freely download the 60-page report at https://www.enisa.europa.eu/publications/enisa-nis360-2024.





