Critical infrastructure cybersecurity KPIs by sector (with ranges)
The 5–8 KPIs that matter, benchmark ranges, and what the data suggests next. Focus on attack paths, detection/response, and how to harden real-world systems.
Between July 2024 and June 2025, the European Union Agency for Cybersecurity (ENISA) analyzed 4,875 cyber incidents targeting European critical infrastructure—a stark reminder that the systems powering our energy grids, transportation networks, and healthcare facilities face unprecedented digital threats. With 53.7% of these incidents affecting "essential entities" under the NIS2 Directive and 45% of organizations reporting losses exceeding €500,000 from cyberattacks on operational technology systems, the imperative to establish robust, sector-specific cybersecurity KPIs has never been more urgent. This data story examines the key performance indicators that matter most, benchmark ranges by sector, and actionable strategies for hardening real-world systems across Europe.
Why It Matters
Critical infrastructure cybersecurity represents the frontline defense of modern European society. The convergence of information technology (IT) and operational technology (OT) has created attack surfaces that extend from corporate networks into physical systems controlling power plants, water treatment facilities, railway signaling, and hospital equipment. When these systems fail, the consequences transcend financial losses—they threaten public safety, national security, and essential services that citizens depend upon daily.
The 2024-2025 threat landscape reveals alarming trends. ENISA's Threat Landscape 2025 report documented that Distributed Denial of Service (DDoS) attacks constituted 77% of all incidents, primarily driven by hacktivist groups targeting public administration entities, which bore 38.2% of total attacks. Ransomware, while representing a smaller percentage of incidents, caused the most severe disruptions—the September 2024 attack on Collins Aerospace's MUSE check-in software cascaded across Heathrow, Brussels, and Berlin airports, demonstrating how a single vulnerability can paralyze interconnected European infrastructure.
The European regulatory environment has responded decisively. The NIS2 Directive, which entered into force on October 18, 2024, expanded cybersecurity obligations to approximately 160,000 European entities across 18 critical sectors. Non-compliance penalties reach €10 million or 2% of global annual revenue for essential entities—amounts that have shifted cybersecurity from discretionary spending to board-level priority. The average security allocation has risen to 9% of IT budgets, with 89% of firms reporting new hiring needs to meet compliance requirements.
From a sustainability perspective, cybersecurity intersects directly with climate and environmental goals. Smart grids enabling renewable energy integration, carbon monitoring systems supporting emissions reporting, and digital platforms coordinating circular economy initiatives all depend on secure, resilient infrastructure. A successful attack on these systems could set back decarbonization efforts by years while simultaneously undermining public trust in digital solutions essential for the green transition.
Key Concepts
Critical Infrastructure encompasses the physical and digital assets, systems, and networks essential for societal functions. Under NIS2, this includes energy (electricity, oil, gas), transport (air, rail, water, road), banking and financial market infrastructure, healthcare, drinking water supply, digital infrastructure, and public administration. These sectors share interdependencies that create cascading failure risks—an attack on energy systems, for instance, can disable telecommunications, which in turn affects emergency services and healthcare.
Supply Chain Security addresses vulnerabilities introduced through third-party vendors, software components, and service providers. The 2024-2025 period witnessed increased exploitation of supply chain attack vectors, with threat actors targeting software update mechanisms and managed service providers to amplify their reach. NIS2 Article 21 specifically mandates organizations to evaluate supplier cybersecurity practices and establish contractual security obligations, recognizing that perimeter defenses alone cannot protect against compromised upstream dependencies.
Monitoring, Reporting, and Verification (MRV) in cybersecurity contexts refers to the systematic collection, analysis, and validation of security metrics. Effective MRV enables organizations to demonstrate compliance with regulatory requirements, benchmark performance against industry standards, and identify trends requiring intervention. The NIS2 reporting framework exemplifies this approach, requiring early warnings within 24 hours, incident notifications within 72 hours, and comprehensive final reports within one month of significant incidents.
Attack Paths describe the sequences of vulnerabilities and misconfigurations that adversaries exploit to achieve their objectives. Understanding attack paths requires mapping connections between internet-facing assets, internal networks, operational technology systems, and valuable targets. Modern attackers increasingly combine social engineering (responsible for 60% of initial intrusions via phishing) with technical exploitation, leveraging AI tools to craft convincing campaigns—by early 2025, over 80% of social engineering attacks incorporated large language models for content generation.
Detection and Response encompasses the capabilities organizations deploy to identify security incidents and contain their impact. Key metrics include Mean Time to Detect (MTTD), measuring the interval between initial compromise and discovery, and Mean Time to Respond (MTTR), tracking how quickly containment and remediation occur. Industry benchmarks suggest MTTD targets of <24 hours for critical assets and MTTR targets of <4 hours for high-severity incidents, though actual performance varies significantly by sector maturity.
What's Working and What Isn't
What's Working
Sector-Specific Maturity in Electricity, Telecommunications, and Banking: ENISA's NIS360 2024 report identified these three sectors as demonstrating the highest cybersecurity maturity levels among NIS2-covered industries. Their success stems from decades of regulatory oversight, substantial investment capacity, and well-established public-private partnerships. Electricity grid operators have implemented segmented architectures separating control systems from corporate networks, while banking institutions leverage advanced fraud detection systems and maintain dedicated Security Operations Centers (SOCs) with 24/7 monitoring capabilities.
Mandatory Incident Reporting Frameworks: The NIS2 reporting requirements have created unprecedented visibility into the European threat landscape. By mandating disclosure of significant incidents, regulators can identify attack patterns, issue timely advisories, and coordinate cross-border responses. The 188 incidents formally submitted by national authorities from 28 countries during the initial reporting period enabled ENISA to produce actionable intelligence benefiting all member states, demonstrating how transparency strengthens collective defense.
Automated Vulnerability Management Platforms: Technology providers have responded to NIS2 requirements with purpose-built solutions. Siemens' SINEC Security Guard, launched in July 2024, automatically maps Common Vulnerabilities and Exposures (CVEs) to production assets and prioritizes mitigation based on operational impact. Such tools address the challenge faced by industrial operators lacking dedicated cybersecurity expertise while enabling continuous assessment rather than periodic audits.
Cross-Sector Information Sharing Initiatives: Organizations participating in Information Sharing and Analysis Centers (ISACs) demonstrate measurably better threat detection outcomes. The European Energy ISAC, financial sector ISACs, and transport-focused consortia enable early warning of sector-specific campaigns, sharing of indicators of compromise, and collaborative development of defensive playbooks. These voluntary mechanisms complement regulatory mandates by fostering trust-based intelligence exchange.
What Isn't Working
IT/OT Convergence Challenges Persist: Despite years of discussion, only 14% of European organizations report feeling fully prepared for integrated IT/OT security. Persistent cultural divides between IT teams (prioritizing confidentiality and rapid patching) and OT teams (prioritizing availability and cautious change management) create gaps that attackers exploit. The 2024 attack on a Norwegian dam facility, attributed to Russian actors who briefly seized control systems without causing physical damage, illustrated how adversaries probe these boundaries.
Talent Shortages Undermine Implementation: The NIS2 compliance wave has exacerbated existing workforce deficits. ENISA's Investment Report 2024 documented a deepening talent crisis, with organizations shifting budgets from personnel to technology in attempts to compensate. However, automated tools require skilled operators to configure, maintain, and interpret outputs—creating a vicious cycle where understaffed teams cannot extract full value from security investments.
Supply Chain Visibility Remains Inadequate: While regulations mandate supply chain security assessments, practical implementation lags. Many organizations struggle to inventory software components (software bills of materials), assess fourth-party risks (their suppliers' suppliers), or enforce contractual security obligations. The concentration of critical dependencies on a limited number of cloud providers and software vendors creates systemic risks that individual entity-level compliance cannot address.
Legacy System Vulnerabilities: Europe's industrial base includes operational technology assets with 20-30 year operational lifespans—equipment designed before cybersecurity was a consideration. Siemens ProductCERT advisories in 2024 highlighted critical vulnerabilities in widely deployed systems, including authentication bypasses in SENTRON power monitoring devices with no planned fixes. Wholesale replacement is economically prohibitive, forcing operators to implement compensating controls that reduce but cannot eliminate risks.
Key Players
Established Leaders
Siemens AG (Munich, Germany) operates one of Europe's largest industrial cybersecurity practices, combining product security (RUGGEDCOM hardened network equipment, SINEC management platforms) with advisory services. Their ProductCERT team coordinates vulnerability disclosure for industrial control systems deployed globally.
Stormshield (Issy-les-Moulineaux, France), a wholly-owned subsidiary of Airbus Defence and Space, positions itself as the "European choice for cybersecurity." Their solutions target critical infrastructure operators requiring European sovereignty, with certifications from ANSSI (France), CCN (Spain), and BSI-ANSSI mutual recognition (Germany).
Darktrace (Cambridge, United Kingdom) pioneered self-learning AI for cybersecurity, serving over 6,500 organizations worldwide. Their autonomous response capabilities enable detection and containment of threats without human intervention, addressing the talent shortage by augmenting limited staff.
Schneider Electric (Rueil-Malmaison, France) integrates cybersecurity into industrial automation offerings, providing secure-by-design energy management and process automation systems. Their Cybersecurity Connected Services offer managed monitoring for distributed industrial assets.
WithSecure (Helsinki, Finland) delivers extended detection and response (XDR) solutions tailored for European regulatory requirements, serving financial institutions, manufacturers, and technology providers requiring continuous compliance demonstration.
Emerging Startups
Steryon (Barcelona, Spain), founded in 2024, raised €1 million for their industrial OT/ICS security platform providing continuous visibility, automated compliance assessment, and remediation prioritization based on operational impact—directly addressing NIS2 Article 21 requirements.
Eye Security (The Hague, Netherlands) has raised €57.5 million to deliver 24/7 protection combined with cyber insurance for small and medium enterprises—the segment showing 14.6% CAGR growth yet historically underserved by enterprise-focused vendors.
Aikido (Ghent, Belgium) secured €22.7 million for their developer security platform that scans code, containers, and cloud configurations, enabling security-by-design approaches mandated under NIS2 and the Cyber Resilience Act.
Dattak (Paris, France) raised €18 million combining cyber insurance with integrated cybersecurity assessment technology, creating incentives for improved security posture through premium reductions.
Zynap (Barcelona, Spain) launched in 2024 with €5.7 million for AI-driven threat intelligence that connects disparate security tools, addressing the tool sprawl that fragments visibility across enterprise environments.
Key Investors & Funders
European Commission Horizon Europe allocated €90.5 million for cybersecurity research in 2025, including €25.6 million specifically for operational cybersecurity tools and processes—a 50% increase from 2024 funding levels.
Atomico (London) manages $4.7 billion with significant allocations to European cybersecurity, providing post-Series A growth capital for scaling proven solutions.
33N Ventures (Porto) operates a dedicated €50 million fund for B2B cybersecurity and infrastructure, targeting Series A/B investments with €4-12 million tickets.
Breega (Paris) invests from pre-seed to Series A+ with tickets ranging from €500,000 to €15 million, actively backing French and European security startups.
European Cybersecurity Investment Platform (ECIP), coordinated by the European Cyber Security Organisation (ECSO), connects startups with institutional investors while providing market intelligence through their Market Radar mapping tool.
Examples
German Energy Sector NIS2 Implementation: Following the October 2024 deadline, major German energy operators including transmission system operators implemented centralized Security Operations Centers achieving Mean Time to Detect improvements from 96 hours to 18 hours. Their approach segmented networks into security zones aligned with IEC 62443 standards, deployed continuous monitoring for anomalous control system communications, and established 24/7 incident response capabilities. Investment levels reached 12% of IT budgets, exceeding the European average, with documented 40% reductions in successful intrusion attempts during the first six months of operation.
Dutch Water Authority Operational Technology Protection: Netherlands water management agencies, responsible for flood defense and drinking water infrastructure, deployed a multi-layered defense architecture protecting SCADA systems controlling pumping stations and treatment facilities. Their implementation included network segmentation isolating control systems, application whitelisting preventing unauthorized code execution, and integration with the National Cyber Security Centre for threat intelligence. Post-implementation assessments demonstrated 85% reduction in vulnerability exposure and MTTR improvements from 72 hours to 8 hours for OT-specific incidents.
Nordic Rail Signaling Security Consortium: Railway operators across Denmark, Sweden, Norway, and Finland established a collaborative security monitoring arrangement for European Train Control System (ETCS) deployments. The consortium shares threat intelligence, conducts joint exercises simulating attacks on signaling infrastructure, and maintains pooled incident response expertise. By 2025, participating operators achieved 99.7% availability for digitally-controlled signaling systems while reducing security-related service disruptions by 62% compared to pre-consortium baselines.
Action Checklist
- Complete NIS2 scope assessment identifying all essential and important entity classifications applicable to your organization and subsidiaries
- Establish baseline measurements for MTTD and MTTR across IT and OT environments, documenting current performance against sector benchmarks
- Conduct supply chain security inventory including software bills of materials for critical systems and security assessments for tier-one suppliers
- Implement network segmentation separating corporate IT, operational technology, and safety-critical systems with monitored boundaries
- Deploy continuous vulnerability monitoring with automated CVE-to-asset mapping and risk-prioritized remediation workflows
- Develop and test incident response procedures including NIS2-compliant reporting timelines (24-hour early warning, 72-hour notification, 30-day final report)
- Establish multi-factor authentication for all privileged access to critical systems, including remote maintenance connections
- Create cybersecurity training programs for both technical staff and board-level executives, documenting completion rates
- Join relevant sector-specific Information Sharing and Analysis Centers (ISACs) to access threat intelligence and early warnings
- Conduct tabletop exercises simulating ransomware and destructive attacks on operational technology at least annually
FAQ
Q: What are the most important KPIs for critical infrastructure cybersecurity? A: The essential KPIs fall into four categories. Detection metrics include Mean Time to Detect (target: <24 hours for critical assets) and percentage of assets with continuous monitoring (target: >95%). Response metrics include Mean Time to Respond (target: <4 hours for high-severity incidents) and backup recovery success rate (target: >99%). Compliance metrics include NIS2 reporting timeliness (100% of significant incidents reported within deadlines) and security training completion rates (target: 100% annually). Risk metrics include vulnerability remediation time (target: critical CVEs patched within 14 days) and third-party security assessment completion (target: 100% of tier-one suppliers annually).
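As an added example (not code from the article or from any vendor it names), the Python below derives three of the KPIs just listed, MTTD, MTTR for high-severity incidents, and NIS2 reporting timeliness, from constructed incident records and checks each against the target quoted on this page. It assumes the NIS2 reporting clock starts at detection (when the entity becomes aware) and reads "one month" for the final report as 30 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# KPI targets quoted on the page (hours unless noted).
MTTD_TARGET_H = 24        # critical assets
MTTR_TARGET_H = 4         # high-severity incidents
EARLY_WARNING_H = 24      # NIS2 early warning
NOTIFICATION_H = 72       # NIS2 incident notification
FINAL_REPORT_DAYS = 30    # NIS2 final report ("one month", taken as 30 days)

@dataclass
class Incident:
    """One incident record; timestamps are naive UTC (constructed data)."""
    ident: str
    compromised: datetime             # best estimate of initial compromise
    detected: datetime                # SOC became aware; assumed to start the NIS2 clock
    contained: datetime               # containment/remediation complete
    severity: str                     # "high", "medium" or "low"
    significant: bool                 # meets the NIS2 "significant incident" bar
    early_warning: Optional[datetime] = None
    notification: Optional[datetime] = None
    final_report: Optional[datetime] = None

def hours_between(start, end):
    return (end - start).total_seconds() / 3600.0

def mttd_hours(incidents):
    """Mean Time to Detect: compromise -> detection, over all incidents."""
    return mean(hours_between(i.compromised, i.detected) for i in incidents)

def mttr_hours(incidents, severity="high"):
    """Mean Time to Respond: detection -> containment for one severity tier."""
    tier = [i for i in incidents if i.severity == severity]
    return mean(hours_between(i.detected, i.contained) for i in tier)

def missed_nis2_deadlines(inc):
    """NIS2 reporting steps this incident filed late or never filed."""
    limits = [("early_warning", inc.early_warning, timedelta(hours=EARLY_WARNING_H)),
              ("notification", inc.notification, timedelta(hours=NOTIFICATION_H)),
              ("final_report", inc.final_report, timedelta(days=FINAL_REPORT_DAYS))]
    return [name for name, sent, limit in limits
            if sent is None or sent - inc.detected > limit]

def nis2_timeliness_pct(incidents):
    """Share of significant incidents with every reporting step on time."""
    sig = [i for i in incidents if i.significant]
    on_time = sum(1 for i in sig if not missed_nis2_deadlines(i))
    return 100.0 * on_time / len(sig) if sig else 100.0

def kpi_scorecard(incidents):
    """The three KPIs, each paired with whether the page's target is met."""
    mttd, mttr, rep = mttd_hours(incidents), mttr_hours(incidents), nis2_timeliness_pct(incidents)
    return {"mttd_hours": round(mttd, 1), "mttd_met": mttd < MTTD_TARGET_H,
            "mttr_high_hours": round(mttr, 1), "mttr_met": mttr < MTTR_TARGET_H,
            "nis2_timeliness_pct": round(rep, 1), "nis2_met": rep == 100.0}

# Constructed sample incidents (not from the page); T0 is the estimated compromise time.
T0 = datetime(2025, 3, 3, 8, 0)
INCIDENTS = [
    # Detected after 6 h, contained 3 h later, all three NIS2 filings within deadline.
    Incident("INC-1", T0, T0 + timedelta(hours=6), T0 + timedelta(hours=9), "high", True,
             T0 + timedelta(hours=20), T0 + timedelta(hours=50), T0 + timedelta(days=20)),
    # Two-day dwell time; early warning 30 h after detection and no final report filed.
    Incident("INC-2", T0, T0 + timedelta(hours=48), T0 + timedelta(hours=54), "high", True,
             T0 + timedelta(hours=78), T0 + timedelta(hours=100), None),
    # Medium severity and not "significant": counts toward MTTD only.
    Incident("INC-3", T0, T0 + timedelta(hours=12), T0 + timedelta(hours=40), "medium", False),
]
```

Calling `kpi_scorecard(INCIDENTS)` shows the MTTD target met at 22.0 h while the high-severity MTTR (4.5 h) and reporting timeliness (50%) miss theirs, the second because INC-2 filed its early warning late and never filed a final report.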
Q: How do KPI ranges vary across different critical infrastructure sectors? A: Sector maturity significantly influences achievable targets. Electricity, telecommunications, and banking typically achieve MTTD of 12-24 hours and maintain 24/7 SOC coverage. Transport and healthcare sectors often operate with 24-72 hour MTTD and limited after-hours capabilities. Water utilities and smaller operators may have MTTD exceeding 72 hours without dedicated security staff. Organizations should benchmark against sector peers while establishing improvement trajectories toward higher-maturity targets.
Q: What is the relationship between NIS2 compliance and cybersecurity KPIs? A: NIS2 Article 21 explicitly requires organizations to establish "policies and procedures to assess the effectiveness of cybersecurity risk-management measures"—effectively mandating KPI-based continuous improvement. The directive's 10 minimum security measures map to measurable outcomes: incident handling (MTTD/MTTR), business continuity (RTO/RPO), supply chain security (supplier assessment rates), and cyber hygiene training (completion percentages). Demonstrating KPI achievement provides evidence of compliance during audits and reduces penalty exposure.
Q: How should organizations prioritize investments when resources are limited? A: Prioritization should follow risk-based principles aligned with actual attack patterns. Given that 60% of intrusions begin with phishing, security awareness training and email protection deliver high returns. Network segmentation limiting lateral movement contains breaches that evade perimeter defenses. Backup systems enabling ransomware recovery provide resilience when prevention fails. Organizations should resist vendor pressure to purchase advanced capabilities before establishing these foundations—sophisticated detection tools add limited value if basic controls remain absent.
Q: What role does operational technology security play in critical infrastructure protection? A: OT security is increasingly decisive as attackers target industrial control systems. The 2024 Norwegian dam incident, 2024 Collins Aerospace disruption, and ongoing nation-state reconnaissance of European infrastructure demonstrate adversary capabilities against physical systems. OT security requires specialized approaches: network monitoring tuned to industrial protocols (Modbus, DNP3, IEC 61850), change management accommodating long asset lifecycles, and safety-critical response procedures preventing hasty actions that could cause physical harm. Organizations should ensure OT security expertise informs overall strategy rather than treating industrial systems as IT appendages.
Sources
- European Union Agency for Cybersecurity (ENISA). "ENISA Threat Landscape 2025." October 2025. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
- European Union Agency for Cybersecurity (ENISA). "2024 Report on the State of the Cybersecurity in the Union." November 2024. https://www.enisa.europa.eu/publications/2024-report-on-the-state-of-the-cybersecurity-in-the-union
- European Union Agency for Cybersecurity (ENISA). "NIS360 2024 Report: Cybersecurity Maturity and Criticality of NIS2 Sectors." 2024. https://www.enisa.europa.eu/news/enisa-nis360-2024-report
- European Parliament and Council of the European Union. "Directive (EU) 2022/2555 (NIS2 Directive)." Official Journal of the European Union. December 2022. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555
- World Economic Forum. "Global Cybersecurity Outlook 2025." January 2025. https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2025.pdf
- Council of the European Union. "Cyber Threats in the EU: Facts and Figures." Updated June 2025. https://www.consilium.europa.eu/en/policies/top-cyber-threats/
- Mordor Intelligence. "Europe Cybersecurity Market Size, Share, Analysis, Trends." 2024. https://www.mordorintelligence.com/industry-reports/europe-cybersecurity-market