In August 2025, the European Commission published the findings of ENISA’s 2025 Cybersecurity Maturity & Criticality Assessment of NIS2 sectors. This report, also known as the NIS360 2024, is intended to assist Member States in identifying gaps and prioritising resources to improve cybersecurity in sectors covered by the Directive on Protecting Network and Information Systems (Directive 2022/2555), more commonly known as the NIS 2 Directive. ENISA is an EU agency dedicated to achieving a high common level of cybersecurity across Europe.
What did it find?
The report found that the Telecoms and Digital Infrastructure sectors are the two sectors where cyber based disruptions can have the most critical consequences for society. Both sectors received a score of 9.7/10 for criticality, which was based on an assessment of the socio-economic impact of significant incidents, the sectors’ dependency on ICT, and the time it would take for a disruption to have an impact on society.
ENISA found that disruptions lasting just minutes in these sectors could have considerable impacts on access to emergency services and emergency communications, as well as other critical services, such as digital payments. For telecoms, mobile networks were found to face outages within minutes of a cyber-disruption occurring, while fixed lines were somewhat more resilient. In addition, while alternatives such as satellite networks exist for telecoms, ENISA found that these currently lack the scalability to address the effects of large-scale disruptions effectively, and are also quite vulnerable to cyber attack.
However, while the perceived criticality of telecoms and digital infrastructure was found to be almost identical, the maturity of the sectors in addressing these threats differed significantly. Maturity in this context was measured as including the existence of a policy framework for the sector, the quality of risk management and good practices, whether the entities collaborated and shared information on threats, and operational preparedness for large scale incidences and crises.
In what will be positive news for public safety professionals, the telecoms industry was found to be highly mature in its response to the cyberthreats.
In this regard, ENISA found that telecoms, in addition to banking and electricity, had benefitted from significant regulatory oversight, global investments, political focus, and robust public-private partnerships, likely in recognition of the sectors’ crucial role for societal and economic stability. Indeed, while NIS2 had only recently been expanded to cover telecoms, most regulatory authorities stated that the sector was already on track in implementing NIS2 aligned security measures in their jurisdiction. This was attributed to preexisting similar rules for telecoms entities under the EECC, and the knowledge generated by EU initiatives such as the ECASEC expert group, and industry initiatives such as the European Telco ISAC. The Telecoms sector was also considered more operationally prepared for incidences or crises than other digital infrastructure.
In contrast, despite having a similar level of criticality for society as telecoms, national authorities found other digital infrastructure’s alignment with NIS2 to be “much more modest”, though the sector’s perceived awareness and preparation for cyberthreats was found to be quite high. This sector was also perceived to be less operationally prepared for cyber threats compared to telecoms.
ENISA concluded that Member States should build on recommendations from EU-level risk assessments to address remaining gaps in telecoms and digital infrastructure, and to prepare for emerging developments such as post-quantum cryptography. ENISA also called for compliance requirements to be harmonised across countries, to support entities with multi-Member State presences, and for EU measures to streamline cross border supervision, crisis management, and response capabilities.
A lack of maturity in the Space Sector
In addition to addressing multiple other sectors such as electricity and public administration, ENISA raised concerns over the lack of maturity for addressing cyber threats in the space industry. While this industry currently has lower criticality than other sectors, ENISA noted that emergency services were already reliant on space-based location information, and that the sectors importance for telecommunications, including emergency communications, was growing.
ENISA’s findings in this are indicated an industry which is aware of the importance of cybersecurity, but hasn’t yet developed a mature industry wide approach to resolving it. For example, while in relative terms awareness of cyber threats was high, with 80% of entities leaders having cyber risk management controls, ENISA noted this figure was insufficient given the sectors growing criticality. Similarly, while entities in sector were found to have developed preparedness plans, their participation in national-level cyber exercises remained low.
To resolve this, ENISA recommended holding workshops and training programs for the sector, developing guidelines and practices on space cybersecurity, encouraging the sharing of best practices, and to push the sector to improve its cyber preparedness and response. Providers of telecommunications satellites were also recommended to collaborate with terrestrial telecommunications providers to exchange best practices.
What does all this mean for 112?
Overall, ENISA’s findings bring more positive than negative news for public safety professionals. While disruptions to telecoms and digital infrastructure were both found to have very high consequences for society, this is not new information, and is part of the reason why telecommunications have mature regulatory frameworks on cybersecurity. On the other hand, the finding that the telecoms industry is perceived as on track in implementing NIS2 aligned security measures, and was perceived as having strong operational preparedness will be very welcome news for public safety professionals.
For digital infrastructure, the news is less positive. Following the move to packet switched PSAPs, a growing proportion of emergency communications will be routed through non-telecoms digital infrastructure in the coming years, with examples including Wi-Fi based emergency calls, and the use of NIICS to contact 112. It is important that this sector develops equivalent levels of cybersecurity to telecoms if it can be trusted to support emergency communications in the future.
Finally for space, ENISA’s findings contained both positive and negative aspects. While the sector clearly lags behind in cybersecurity preparedness, the identified mix of widespread development of operational preparedness but low participation in Member State exercises indicates a sector which is interested in improving cybersecurity, but is at a less mature stage of cyber-development. As this sector grows in importance, Member States will need to ensure that the sectors cyber-maturity keeps pace with its growing criticality for society, especially if the sector is to be used to support access to 112.