EU Critical Infrastructure Struggles with NIS2 Compliance
The European Union Agency for Cybersecurity (Enisa) has identified significant challenges in six critical infrastructure sectors struggling to comply with the NIS2 directive. The directive, aimed at bolstering cybersecurity across the EU, mandates stringent baseline requirements to address mounting threats. However, sectors including IT service management, space, public administrations, maritime, health, and gas face unique obstacles that hinder compliance efforts.
IT service management is challenged by its cross-border operations and diverse entities, while the space sector struggles with limited cybersecurity knowledge and reliance on commercial off-the-shelf components. Public administrations lack the expertise found in more established sectors, and the maritime sector encounters issues specific to operational technology (OT) that require tailored risk management guidance. Health systems rely heavily on outdated equipment, complex supply chains, and poorly secured devices, while the gas sector must enhance its incident readiness and response capabilities.
Enisa also highlighted concerns regarding the digital infrastructure sector, encompassing internet exchanges, top-level domains, data centers, and cloud services, which remains less mature compared to electricity, telecoms, and banking. These latter sectors have benefited from robust regulatory oversight, funding, political focus, and public-private partnerships, making them the most compliant under the directive.
OT security gaps further exacerbate compliance challenges, with organizations often neglecting to secure data flows between IT and OT networks. Experts recommend controlling data movement and scanning files in transit to detect malicious payloads, thereby improving NIS2 compliance and overall cybersecurity resilience. Enisa continues to work closely with EU Member States to provide guidance and expertise for implementing the directive.
Source: Six Critical Infrastructure Sectors Failing on NIS2 Compliance