
Mandated by the Cybersecurity Act, the work of the European Union Agency for Cybersecurity (ENISA) is centered on achieving a “high common level of cybersecurity across the Union” and supporting the European Union and Member States to “increase their cybersecurity capabilities”.
Recent years have been characterised by a proliferation of EU cybersecurity policy frameworks and initiatives, with the introduction of key horizontal and sectoral legislation aiming to elevate the state of cybersecurity in the EU. At the same time, geopolitics and emerging cybersecurity threats greatly influence the stance and tactics of state and non-state actors.
In this complex landscape, a comprehensive understanding of the current state of cybersecurity maturity of EU Member States is fundamental to achieving these objectives. Continuous and consistent monitoring of cybersecurity levels across the EU over time is the primary means of assessing current cybersecurity capabilities and identifying areas of improvement in the EU cyber ecosystem.
In accordance with Article 18 of Directive (EU) 2022/2555 (NIS2 Directive), ENISA was tasked to adopt, in cooperation with the European Commission and the Cooperation Group, a biennial report on the state of cybersecurity in the Union. The first ever biennial report on the State of Cybersecurity in the Union was adopted and published by ENISA on 3 December 2024. The objective of the report is to provide EU policy makers with an evidence-based overview of the state of play with regard to the cybersecurity landscape and capabilities across the EU, national, and societal domains. The report includes policy recommendations to address the gaps and weaknesses identified, leading to the improvement of the cybersecurity level in the Union. The adoption of the biennial report by ENISA in cooperation with the European Commission and the Cooperation Group falls under the provisions of Article 18 of Directive (EU) 2022/2555 (NIS2 Directive).
From a cybersecurity investment perspective, allocating sufficient budgetary and human resources to cybersecurity is key to maintaining existing cybersecurity capabilities and advancing cyber resilience. Through its NIS Investments report, ENISA offers insights on the impact of the EU cybersecurity framework, and particularly the NIS Directive, on cybersecurity investments and the overall maturity of organisations in scope. The annual report examines how essential and important entities in critical sectors are affected by the evolving regulatory landscape and current challenges in the cybersecurity field.
The EU Cybersecurity Index (EU CSI) - Framework and methodological note
To enhance this effort, ENISA has developed the ‘EU Cybersecurity Index’ (EU CSI), which is a tool to describe the cybersecurity posture of Member States and the EU. Making the most of the available data and information, the ‘Index’ provides insights on the respective cybersecurity maturity and capabilities while helping detect opportunities for peer-learning and improvement. In this way, it enables the evaluation of progress towards higher levels of cybersecurity vis-à-vis index indicators.
To find out more, download the EU CSI - Framework and methodological note.
Public consultation
The public consultation has now concluded. After reviewing the feedback received, we found that no major comments requiring significant revisions were raised.
Thank you to everyone who participated!