ctipilot.ch

ENISA NIS360 2026 — public-sector receives 63% of EU hacktivist attacks; seven sectors in risk zone

annual-report · annual-report:enisa-nis360-2026

  • Coverage timeline: 1 (first 2026-06-08 → last 2026-06-08)
  • Briefs: 1 (1 distinct)
  • Sources cited: 47 (27 hosts)
  • Sections touched: 1 (weekly_reports)
  • Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-06-08: CTI Weekly Summary — 2026-W23 (1–7 June 2026)
    weekly_reports: First coverage. ENISA NIS360 2026 annual maturity-vs-criticality assessment; 63% of EU hacktivist attacks target public administration; 7 sectors structurally under-mature.

Where this entity is cited

  • weekly_reports: 1

Source distribution

  • euvd.enisa.europa.eu: 9 (19%)
  • cert.pl: 6 (13%)
  • enisa.europa.eu: 4 (9%)
  • github.com: 3 (6%)
  • csaf.arubanetworking.hpe.com: 2 (4%)
  • thehackernews.com: 2 (4%)
  • openssf.org: 1 (2%)
  • securityaffairs.com: 1 (2%)
  • other: 19 (40%)

Related entities

All cited sources (47)

Items in briefs about ENISA NIS360 2026 — public-sector receives 63% of EU hacktivist attacks; seven sectors in risk zone (6)

ENISA NIS360 2026 (3rd edition) — seven sectors in the persistent risk zone where criticality outpaces maturity

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

Published 28 May 2026 (ENISA; follow-up coverage 2 June in Security Affairs). The headline finding is structural: a persistent "risk zone", where criticality exceeds maturity, comprising public administration, health, railway, maritime, ICT service management, space, and drinking/waste water. Public administration receives nearly 63% of all EU hacktivist attacks and is the most consistently targeted sector, yet roughly one-third of entities lack structured cybersecurity expertise at management level and about half provide no cybersecurity training to management. Water sector: one in three entities has never conducted a risk assessment. The high-maturity sectors — banking, electricity, telecoms, trust services, aviation, financial market infrastructures — share a common driver: regulatory pressure backed by supervisory capacity with real enforcement. Only 16% of NIS2-affected entities consider themselves fully compliant; 41% face uncertainty about national obligations. For NIS2 national authorities: sectors without comparable oversight structures (ICT service management, space) lag structurally. For public-sector SOC managers specifically: the elevated hacktivist pressure confirmed by ENISA should be cross-referenced directly against current threat-model assumptions and DDoS mitigation capacity, particularly in the June 15–17 G7 Évian window.

CRA June 11 notifying-authority deadline — first hard CRA milestone with ENISA SRP manual and Secure Update Mechanisms advisory published

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

11 June is the Cyber Resilience Act's first mandatory milestone: EU member states must designate the national authority responsible for assessing and notifying conformity assessment bodies (CABs) for Important and Critical product classes (OpenSSF policy blog, 2026-06-03; ENISA SRP page). Without designated notifying authorities, manufacturers of products such as operating systems, firewalls, smart cards, HSMs and smart meter gateways cannot obtain the third-party certificates needed by the December 2027 full-application date. In the same window ENISA published: (1) the access and registration manual for the CRA Single Reporting Platform (SRP) — the platform manufacturers must use from 11 September 2026 to report actively exploited vulnerabilities within 24 h (early warning) and 72 h (full notification); (2) a draft Technical Advisory on Secure Update Mechanisms for SME manufacturers (public consultation to 10 July). The 90-day window to the SRP operational date is shorter than it appears: software vendors deploying into EU environments should validate their vulnerability-disclosure pipeline now, not in September.

ENISA NIS360 2026 — public administration, health and water sit in the NIS2 "risk zone"

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

ENISA published its third annual NIS360 sectoral-maturity assessment on 2026-05-28, scoring all 18 NIS2 Annex I high-criticality sectors on legislation effectiveness, organisational preparedness, authority capacity and ecosystem maturity. The risk-zone sectors — criticality exceeding maturity — are health, railway (newly entered), maritime, ICT management services, space, public administrations, drinking water (newly entered) and wastewater (newly entered); gas exited after targeted investment. Trust services, aviation and financial-market infrastructures sit in the higher-maturity band, while banking, electricity and telecom are scored among the most critical sectors. The defender-relevant read for this audience: the sectors a Swiss/EU public-sector SOC most often is or serves — public administration, health, water — are precisely the ones ENISA flags as under-resourced relative to their societal importance, which signals where NIS2 supervisory and investment pressure will concentrate next. Use the report as leverage for sector-specific funding and as a benchmark for the maturity axes your own programme is weakest on.

ENISA CVE Numbering Authority Root — 4 new CNAs onboarded, identities undisclosed; 7 existing CNAs migrated from MITRE Root

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

ENISA's 2026-05-06 announcement (W19 forward-looking item) is now confirmed: four organisations have newly joined the CVE Program as CNAs under ENISA Root, and seven existing European CNAs have transferred from MITRE Root to ENISA Root. ENISA's announcement does not name the four new CNAs. ENISA became CVE Root for European entities in November 2025; over 90 European CNAs can voluntarily transfer. ENISA's CVE Root scope covers entities within its mandate, including vulnerabilities discovered by or reported to EU CSIRTs. This strengthens European vulnerability-disclosure capacity under NIS2 Article 12 (coordinated vulnerability disclosure) obligations. The undisclosed CNA identities are a transparency gap worth surfacing — defenders cannot pattern-match which EU vendors / institutions have CNA capacity until ENISA publishes the list (ENISA news).

ENISA expands CVE Numbering Authority root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

ENISA announced on 2026-05-06 that four organisations have joined the CVE Programme as CVE Numbering Authorities (CNAs) under ENISA Root, and that seven additional European CNAs have migrated from MITRE Root to ENISA Root (ENISA, 2026-05-06). ENISA was designated as a CVE Root in November 2025, establishing a European coordination tier alongside CISA (USA), JPCERT/CC (Japan), MITRE, and Google. Approximately 90 European organisations remain eligible for voluntary transfer — nearly one-fifth of the global CNA population. What changed: EU technology vendors and public-sector organisations now have a European coordination tier for CVE assignment — potentially affecting advisory publication timing and format compared to MITRE Root coordination, particularly for products made by EU software vendors. What defenders need to do differently: EU public-sector CNAs and vendor PSIRTs should re-confirm their root assignment and review whether their disclosure-coordination contacts at ENISA Root differ from their MITRE Root contacts; defender-side SIRT / vulnerability-management functions should expect ENISA-coordinated EU-discovered CVEs to ship through ENISA-supervised channels going forward. The CRA (Cyber Resilience Act) framework drives the migration. Names of the four new CNAs were not disclosed in the press release; more transfers expected.

ENISA expands CVE Root: four new European organisations onboarded as CVE Numbering Authorities

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

On 2026-05-06 ENISA announced four additional organisations joined the CVE Program as CVE Numbering Authorities (CNAs) under ENISA Root, bringing the total under ENISA oversight to at least eleven (ENISA press release, 2026-05-06). The names of the four new CNAs were not disclosed in the press release; more are expected. Over 90 European CNAs are eligible to voluntarily transfer from MITRE Root. This is part of the EU Cyber Resilience Act (CRA) implementation framework: the CRA designates ENISA as the EU-level coordination body for harmonised vulnerability reporting, and the CVE Root transfer is the operational mechanism. For defenders: an increasing proportion of EU-discovered CVEs will be assigned and initially coordinated through ENISA-supervised channels, which may affect advisory publication timing and format compared to MITRE Root coordination — particularly for products made by EU software vendors.