NIS360 combines data from industry, national authorities, and EU-level statistics to evaluate 22 critical sectors. These include areas such as energy, healthcare, digital infrastructure, public administration and transport. Each sector is assessed based on how vital it is to society and the economy, and how well it is currently managing cyber security risks. The report also sheds light on the strengths, challenges and actionable steps needed to bolster cyber security in those critical sectors. Below are the key takeaways from this document.
The report identifies clear leaders in cyber security maturity: the electricity, telecommunications and banking sectors. These industries emerge as leaders in both maturity and criticality, reflecting years of regulatory oversight, political attention, targeted investment and public-private collaboration. Their example highlights what can be achieved when cyber security is prioritised as a national and strategic objective.
The report also notes the rising importance of digital infrastructure sectors—such as cloud computing, data centres and core internet services. While these are now recognised as highly critical, they face challenges in achieving consistent levels of cyber security maturity across the EU. This is due to their operational diversity, ranging from global hyperscalers to local software providers, and the complexity of regulating their often cross-border operations. Many newly included entities in these sectors are also encountering formal cyber security requirements for the first time under NIS2, while national authorities are still adapting to the nuances of oversight.
To capitalise on these opportunities and avoid the pitfalls of narrow thinking, business leaders must act with intention. Here are five strategic recommendations to position AI as a lever for sustainable growth and competitive advantage:
ENISA draws attention to six sectors it places in the so-called “Risk Zone”—sectors that are highly critical to societal functioning but have low cyber security maturity scores. These are: Healthcare, Gas, Maritime, ICT service management, Public Administration and Space. Each faces unique challenges: for example, the healthcare sector struggles with legacy systems and insecure medical devices; public administration bodies often lack consistent cyber security capabilities; and the maritime sector suffers from gaps in operational technology (OT) security.
These disparities underscore the need for a tailored approach to cyber security. Less mature sectors often lack the resources, internal capabilities, or sector-specific guidance necessary to meet NIS2 requirements. As such, ENISA recommends targeted actions including enhanced supervisory engagement, sector-specific support, more frequent EU-wide cyber exercises, and awareness campaigns to address these gaps.
ENISA’s NIS360 report provides a valuable lens through which to view Europe’s cyber security landscape—and Malta’s place within it. While there is much to be proud of, especially in mature sectors, there is also a clear need to focus resources and attention on less mature but highly critical sectors. On 8 April 2025, the Maltese Government published Legal Notice 71 of 2025 which transposed NIS2 into local law. All essential and important entities that fall in scope should ensure they are already taking the necessary steps towards compliance. With PwC Malta’s expertise, organisations can take meaningful action to strengthen their defences and align with NIS2 requirements.
PwC Malta offers a range of specialised cyber security and privacy services designed to help organisations align with the goals of the NIS2 Directive and enhance their resilience, as highlighted in the NIS360 2024 report. With deep industry expertise and a client-focused mindset, our team supports entities across sectors in strengthening their cyber security posture in a practical, risk-based manner.
Our key offerings include:
