The European Union’s leading cybersecurity agency, ENISA, has raised concerns about the compliance challenges facing six critical national infrastructure (CNI) sectors under the NIS2 directive. The directive, designed to enhance cybersecurity across essential sectors, sets a strict baseline of requirements to counter growing threats to CNI.

A new ENISA report, released alongside the launch of the NIS360 security posture assessment scheme, places these six sectors “within the NIS360 risk zone.” The report further identifies the digital infrastructure sector, which includes critical services such as internet exchanges, top-level domains, data centers, and cloud services, as lagging behind in terms of maturity.

The NIS2 Directive and Compliance Challenges

The NIS2 directive was introduced in response to escalating cyber threats targeting CNI, aiming to establish a standardized cybersecurity framework across the EU. However, the recent ENISA findings suggest that several sectors are struggling to meet these new requirements, potentially exposing vital infrastructure to cyber risks.

ENISA’s executive director, Juhan Lepassaar, emphasized the agency’s commitment to supporting EU member states in the directive’s implementation. “ENISA is working closely with the EU Member States to implement the NIS2 directive by providing expertise and guidance,” Lepassaar stated. “The ENISA NIS360 report provides valuable insights into the overall maturity of NIS sectors and the challenges they face. It explains where we stand and how to move forward.”

Sectors Leading in Cybersecurity Maturity

While several sectors are facing compliance difficulties, the report also highlights electricity, telecoms, and banking as the three most mature in cybersecurity readiness. According to ENISA, these industries have benefited from significant regulatory oversight, substantial investment, political focus, and robust public-private partnerships, enabling them to achieve greater resilience against cyber threats.

The Role of OT Security in Compliance

One of the key challenges in achieving NIS2 compliance lies in operational technology (OT) security. According to James Neilson, SVP International at OPSWAT, a critical factor impeding compliance is the shortage of professionals skilled in both IT and OT security.

“IT systems, internet connectivity, and transient devices remain major attack surfaces for ICS/OT infrastructure. Many organizations neglect to secure data that moves in and out of their OT networks,” Neilson stated.

He further emphasized that organizations can enhance their compliance efforts by controlling data flows and scanning files in transit between devices, employees, and digital supply chain members. “By detecting and neutralizing hidden malicious payloads, organizations not only contribute to their NIS2 compliance but also strengthen their overall cybersecurity posture,” Neilson added.

Implications for UK Organizations

Although most UK organizations are exempt from the NIS2 directive post-Brexit, those operating within the EU must adhere to its regulations. The directive serves as a benchmark for cybersecurity governance, and UK firms engaged in EU operations may still need to align with its standards to maintain regulatory and business continuity.

Moving Forward

The ENISA NIS360 report provides crucial insights into the compliance landscape, offering guidance for sectors struggling with implementation. As cyber threats continue to evolve, strengthening regulatory adherence and enhancing cybersecurity capabilities will remain a top priority for European critical infrastructure providers.