On December 3, 2024, the European Union Agency for Cybersecurity (ENISA) announced that it published a report on the state of cybersecurity in the EU, according to Article 18 of the Directive on measures for a high common level of cybersecurity across the Union (the NIS 2 Directive).

Main findings

ENISA outlined that the main findings of the report include:

• substantial cyber threat level to the EU, including the existence of vulnerabilities exploited by threat actors targeting EU entities;
• development of cybersecurity strategies in the Member States presenting overall alignment in objectives;
• heterogeneousness of critical sectors in terms of size and criticality, which complicates supervision and uniform implementation of cybersecurity measures; and
• cybersecurity awareness has likely increased among EU citizens.

Policy recommendations

ENISA explained that the report identifies policy implementation, cyber crisis management, supply chain, and skills, as priority areas to be addressed by policy recommendations.

Moreover, ENISA highlighted that the report includes the following policy recommendations, among other things:

• strengthening the technical and financial support given to EU institutions, bodies and agencies, and national competent authorities, and to entities falling within the scope of the NIS 2 Directive;
• revising the EU Blueprint for coordinated response to large-scale cyber incidents;
• strengthening the EU cyber workforce by implementing the Cybersecurity Skills Academy, particularly establishing a common approach to training, a coordinated approach to address the skills gap, and an attestation scheme for cybersecurity skills;
• stepping up coordinated risk assessments and the development of horizontal policy framework for supply chain security to face cybersecurity challenges in public and private sectors;
• enhancing the understanding of sectorial specificities and needs; and
• promoting a unified approach by building on existing policy initiatives and by harmonizing national efforts to achieve a common high level of cybersecurity awareness and cyber hygiene.

Expectations for the future

ENISA clarified that the following areas may require policy attention in the future:

• adaptation of EU and national authorities to their new roles; and
• artificial intelligence (AI) and Post-Quantum Cryptography.

You can read the press release here and the report here.