ctipilot.ch


ENISA NIS360 2026 (3rd edition) — seven sectors in the persistent risk zone where criticality outpaces maturity

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

Published 28 May 2026 (ENISA; follow-up coverage 2 June in Security Affairs). The headline finding is structural: a persistent "risk zone," where criticality exceeds maturity, comprising public administration, health, railway, maritime, ICT service management, space, and drinking/waste water. Public administration receives nearly 63% of all EU hacktivist attacks and is the most consistently targeted sector, yet roughly one-third of entities lack structured cybersecurity expertise at management level and about half provide no cybersecurity training to management. In the water sector, one in three entities has never conducted a risk assessment. The high-maturity sectors (banking, electricity, telecoms, trust services, aviation, financial market infrastructures) share a common driver: regulatory pressure backed by supervisory capacity with real enforcement. Only 16% of NIS2-affected entities consider themselves fully compliant; 41% face uncertainty about national obligations.

For NIS2 national authorities: sectors without comparable oversight structures (ICT service management, space) lag structurally. For public-sector SOC managers specifically: the elevated hacktivist pressure confirmed by ENISA should be cross-referenced directly against current threat-model assumptions and DDoS mitigation capacity, particularly in the June 15–17 G7 Évian window.