Understanding NIS360: EU cyber resilience and Malta’s role

  • June 29, 2025
The European Union Agency for Cybersecurity (ENISA) has released its first-ever NIS360 report, a landmark study evaluating the maturity and criticality of key sectors under the NIS2 Directive. This Directive, which came into force in January 2023, aims to strengthen cyber security risk management across essential and important entities in the EU. ENISA’s NIS360 helps national authorities and organisations understand where their cyber resilience stands—and where improvements are most needed.

NIS360 combines data from industry, national authorities, and EU-level statistics to evaluate 22 critical sectors. These include areas such as energy, healthcare, digital infrastructure, public administration and transport. Each sector is assessed based on how vital it is to society and the economy, and how well it is currently managing cyber security risks. The report also sheds light on the strengths, challenges and actionable steps needed to bolster cyber security in those critical sectors. Below are the key takeaways from this document.

Key takeaways

The report identifies clear leaders in cyber security maturity: the electricity, telecommunications and banking sectors. These industries emerge as leaders in both maturity and criticality, reflecting years of regulatory oversight, political attention, targeted investment and public-private collaboration. Their example highlights what can be achieved when cyber security is prioritised as a national and strategic objective.

The report also notes the rising importance of digital infrastructure sectors—such as cloud computing, data centres and core internet services. While these are now recognised as highly critical, they face challenges in achieving consistent levels of cyber security maturity across the EU. This is due to their operational diversity, ranging from global hyperscalers to local software providers, and the complexity of regulating their often cross-border operations. Many newly included entities in these sectors are also encountering formal cyber security requirements for the first time under NIS2, while national authorities are still adapting to the nuances of oversight.

Sectoral challenges and the ‘Risk Zone’

ENISA draws attention to six sectors it places in the so-called “Risk Zone”—sectors that are highly critical to societal functioning but have low cyber security maturity scores. These are: Healthcare, Gas, Maritime, ICT service management, Public Administration and Space. Each faces unique challenges: for example, the healthcare sector struggles with legacy systems and insecure medical devices; public administration bodies often lack consistent cyber security capabilities; and the maritime sector suffers from gaps in operational technology (OT) security.

These disparities underscore the need for a tailored approach to cyber security. Less mature sectors often lack the resources, internal capabilities, or sector-specific guidance necessary to meet NIS2 requirements. As such, ENISA recommends targeted actions including enhanced supervisory engagement, sector-specific support, more frequent EU-wide cyber exercises, and awareness campaigns to address these gaps.

Strategic priorities for EU cyber resilience

To help Member States navigate these challenges, the NIS360 report outlines three strategic priorities:

  • Foster collaboration—both within and across sectors—by encouraging community-building efforts and cooperation at national and EU levels.

  • Align regulatory frameworks across countries to reduce fragmentation and create consistency in cyber security expectations.

  • Coordinate joint actions to respond to and manage cross-border cyber threats more effectively.

These priorities are meant to serve as a roadmap for governments, regulators, and private-sector actors seeking to improve their sectoral resilience in line with the NIS2 Directive.

Malta’s position and path forward

For Malta, the findings of the NIS360 report provide both validation and a call to action. The country’s telecommunications and financial services sectors are to benefit from strong regulatory oversight and institutional capabilities. These sectors are well-positioned to lead by example and support broader cyber security awareness across other industries.

However, Malta also faces pressing challenges in areas highlighted in the Risk Zone. The public administration sector, which includes ministries, agencies and local councils, would benefit from a more coordinated cyber security governance structure. Similarly, the healthcare sector must prioritise the replacement of outdated systems, secure procurement processes, and continuous staff awareness training. Because Malta is an island nation, its maritime sector, so central to the economy, must begin addressing gaps in OT security and incident preparedness.

The ICT services and digital infrastructure sectors—including cloud providers and data centres—are also areas where new NIS2 compliance requirements will apply.  

Looking ahead, Malta has an opportunity to build on existing strengths while addressing emerging gaps. This will require close collaboration between regulators, private sector players, and critical infrastructure operators. Participating in EU-level exercises, sharing knowledge across sectors, and maintaining momentum with clear national guidance will be essential to translating the NIS2 transposition into meaningful and lasting cyber resilience.

Final thoughts

ENISA’s NIS360 report provides a valuable lens through which to view Europe’s cyber security landscape—and Malta’s place within it. While there is much to be proud of, especially in mature sectors, there is also a clear need to focus resources and attention on less mature but highly critical sectors. On 8 April 2025, the Maltese Government published Legal Notice 71 of 2025 which transposed NIS2 into local law. All essential and important entities that fall in scope should ensure they are already taking the necessary steps towards compliance. With PwC Malta’s expertise, organisations can take meaningful action to strengthen their defences and align with NIS2 requirements.

How can PwC Malta support your NIS2 journey?

PwC Malta offers a range of specialised cyber security and privacy services designed to help organisations align with the goals of the NIS2 Directive and enhance their resilience, as highlighted in the NIS360 2024 report. With deep industry expertise and a client-focused mindset, our team supports entities across sectors in strengthening their cyber security posture in a practical, risk-based manner. 

Our key offerings include:

Our services enable organisations to close critical gaps, strengthen their digital infrastructure, and foster a proactive, security-first culture. 

Contact us

Andrew Schembri

Digital Services Partner, PwC Malta

Tel: +356 7921 1355

Kirsten Cremona

Director, Digital Services, PwC Malta

Tel: +356 7975 6911