The rail, drinking water and wastewater sectors joined the risk zone in this year’s edition of NIS360, ENISA’s annual assessment of the cybersecurity maturity and criticality level of the critical sectors covered by the NIS2 Directive, while the gas sector left it.
The other sectors in this risk zone are health, maritime transport, ICT service management, the space sector and public administrations, which were already in this category last year.
The risk zone brings together sectors whose maturity level is below average and whose criticality exceeds their maturity level, a situation that requires “more support” from authorities and companies. Companies should invest more in cybersecurity, while authorities should provide guidance and funding, the report’s author, Jurgita Skritaite, explained, specifying that “legislation is not considered a form of support”.
The report is based on targeted surveys carried out among national authorities and companies, as well as on the analysis of other external reports. The assessment covers both the maturity and criticality of sectors, as well as the links between these two dimensions. The maturity analysis examines the existence of legislation and its effectiveness, cyber risk management by companies and authorities, information-sharing and cooperation between them, as well as their level of operational preparedness. Criticality, for its part, is assessed in the light of the sector’s social and economic impact, its dependence on ICT, and the potential consequences of a cyberattack, including the speed of recovery, Ms Skritaite explained when presenting the report on Thursday 28 May.
The banking, electricity and telecommunications sectors remain the most mature and most critical sectors, while trust services, aviation and financial market infrastructures (FMIs) have also raised their maturity level, moving into the top category. For their part, the gas, road transport, maritime and health sectors strengthened their maturity within the intermediate category.
As for criticality scores, these tend to remain relatively stable from one year to the next. However, the scores of the space and rail sectors were revised because of their growing importance for society and the increased level of threats they face. The banking, electricity, aviation, space and digital infrastructure sectors (including telecommunications, cloud and data centres) are identified as the most critical, while road transport and wastewater show a low level of criticality. The health, public administration, drinking water, hydrogen, district heating, oil and gas sectors are in the intermediate category, alongside rail, which moved from a low to a moderate level.
See the document: https://aeur.eu/f/m2y (Original version in French by Ana Pisonero Hernández)