ENISA NIS360 2026

Why EU Compliance is Leaving Water and Rail Behind


Key quote:

The risk zone includes sectors with lower-than-average maturity and criticality that exceeds their maturity. Its composition changes over time as overall maturity improves across sectors. This is one of the reasons why three sectors previously at the risk zone boundary (rail, drinking water, and waste water) are now within the risk zone.

Why it matters:

The ENISA NIS360 report from May 2026 confirms what many of us have suspected: the EU's regulatory machine does work, but it's leaving the most vulnerable sectors behind. While banking (largely a side effect of DORA), electricity, and telecommunications have maintained their status as high-maturity heavyweights, and aviation finally got into the mile-high maturity club, the "risk zone" is expanding. According to the report, rail, drinking water, and waste water in the EU are sectors where societal importance vastly outstrips cyber readiness. And if you've ever ridden a train across Europe to see the fountains in Rome, you'll appreciate just how much EU society and the economy depend on these three industries.

For example, the report found that rail transport is struggling with outdated operational technology and signaling systems that are nearly impossible to patch without disrupting service. In 2023, we saw the consequences of this fragility in Poland, where attackers abused the unauthenticated radio-stop function of the legacy analogue train radio to bring trains to a standstill; no exploit of a software flaw was needed, only a transmitter and knowledge of the tone sequence. Meanwhile, the space sector has seen its criticality score revised upward due to its role in military logistics and strategic autonomy, but it's stuck at the lower end of moderate maturity. And transportation might be in for a rough go, particularly with GNSS jamming attributed to Russia causing persistent navigation issues in the Baltic Sea region.

The root cause isn't just a lack of budget, though that's part of the equation. It's the sheer weight of the regulatory burden. Organizations are drowning in overlapping frameworks like NIS2, DORA, and the sector-specific rules layered on top of them. In countries like Croatia and Slovenia, companies are still waiting to see how enforcement will work in practice, paralyzed by that uncertainty. When you add the AI Act and the Cyber Resilience Act into the mix, it becomes a massive challenge to attract talent who can actually figure out how to implement auditable controls across these conflicting sets of requirements. Well, that, and the flat salaries that Harvey Nash found earlier this year (yes, that's from the UK, but it's not as though things are magically better in the EU).

Surprisingly, the gas sector offers a glimmer of hope. It managed to escape the risk zone by improving information sharing and risk management. This proves that progress is possible over time (it's only been five years since the Colonial Pipeline thing), but it requires more than just checking more boxes. Regulators need to stop treating all sectors the same. Public administrations and water utilities don't need more instructions and checklists; they need support to build the specific expertise required to manage legacy OT systems without getting bogged down by conflicting compliance requirements.

If the EU wants to avoid another cascade of failures in critical infrastructure, the focus needs to move away from broad compliance to targeted resilience. The risk zone isn't a theoretical concept; it's probably where the next major incident will happen. And honestly, hearing the term "risk zone" makes it impossible not to hear Kenny Loggins singing Danger Zone in the background. If these sectors don't get the help they need, that song won't just be a catchy tune; it'll be the soundtrack to the next expensive outage.
