# Smart City Security Assessment 2026

> A free, comprehensive cybersecurity self-assessment tool for municipalities and smart city operators. Covers 17 security domains with 170 scored questions and prioritized recommendations. Aligned with NIST CSF 2.0, NIS2 Directive, EU Cyber Resilience Act, and EU AI Act. Developed by MicroSec Tools. Runs entirely in-browser — no data leaves the user's device.

## Assessment Tool

- [Smart City Risk Assessment](https://smartcity.secureiot.house/): Full 17-domain self-assessment returning a 0–100% score per domain, an overall risk level (Low / Moderate / High / Critical), and a prioritized recommendation report sorted by impact severity

## 17 Assessment Domains

- **Smart Infrastructure Security** — IoT credentials, zero-trust OT segmentation, SBOM inventory, digital twin anomaly detection, offline resilience
- **Public Service Cybersecurity** — MFA, DDoS protection, AI-assisted pen testing, deepfake-awareness staff training, EU AI Act for biometric identity
- **Data Protection & Privacy** — Encryption, data minimization, EU AI Act fundamental rights impact assessments, AI inference attack safeguards, differential privacy
- **Incident Response Readiness** — IR plans, tabletop exercises, NIS2 72-hour breach notification, deepfake-resistant out-of-band communications
- **Regulatory Compliance** — NIST CSF 2.0, NIS2 Directive, EU CRA, EU AI Act risk-tier strategy, NIS2 executive personal liability
- **Supply Chain Security** — SBOM and SCA scanning, EU CRA pre-procurement conformity, PAM for vendor remote access, SBOM diff review on updates
- **Ransomware Resilience** — Air-gapped and WORM backups, AI-powered EDR/XDR, double-extortion detection, RaaS phishing training, NDR dwell-time detection
- **IoT Device Security** — EU CRA conformity vetting, secure boot baseline, EU CRA-mandated patch timelines, certificate-based authentication
- **Smart Public Transportation** — V2X/UNECE WP.29, EV charging security, OT/passenger network segmentation, AI sensor spoofing detection
- **Emergency Services & Public Safety** — Redundancy, deepfake false alert protections, AI phishing for first responders, CAD/911 ransomware response
- **Energy & Utilities Security** — Cloud-connected OT assessment, adversarial AI grid manipulation detection, EV/BESS resilience planning
- **Environmental Monitoring Systems** — AI slow-drift sensor attack detection, cryptographic sensor attestation, deepfake false weather alert protections
- **Citizen Engagement Platforms** — AI chatbot prompt injection testing, open data AI re-identification risk, synthetic civic content abuse detection
- **AI & Algorithmic Governance** — EU AI Act risk-tier governance, OWASP LLM Top 10 security testing, bias auditing, post-market monitoring lifecycle
- **Digital Inclusion & Accessibility** — WCAG 2.2, European Accessibility Act (June 2025), algorithmic bias assessments, EU AI Act biometric restrictions
- **Post-Quantum Cryptography Readiness** *(2026 new)* — Cryptographic asset inventory, NIST FIPS 203/204/205 migration roadmap, harvest-now-decrypt-later protection, crypto-agile architecture
- **5G & Private Network Security** *(2026 new)* — Network slicing isolation, O-RAN monitoring, supply chain vetting, edge node hardening, eSIM security, RF spectrum monitoring

## Standards & Frameworks Referenced

- NIST Cybersecurity Framework 2.0 (Feb 2024)
- NIST Post-Quantum Cryptography Standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA)
- NIS2 Directive (EU, effective Oct 2024)
- EU Cyber Resilience Act (2024)
- EU AI Act (2024, phased enforcement 2025–2026)
- GDPR — including 72-hour breach notification obligations
- CISA Known Exploited Vulnerabilities (KEV) catalog and advisories
- Australian Cyber Security Centre Essential Eight
- IEC 62443 — OT/ICS security for industrial control systems
- ETSI EN 303 645 — IoT security baseline
- UNECE WP.29 (R155/R156) — Automotive cybersecurity
- OWASP LLM Top 10 — Security risks for large language model applications
- NIST SP 800-82 Rev 3 — Industrial Control Systems security guide

## Key 2026 Threat Context

- AI-augmented ransomware attacks on municipalities tripled since 2023; virtually all use double or triple extortion
- State-sponsored groups increasingly target city infrastructure as geopolitical leverage
- Deepfake audio and video used to impersonate city officials, manipulate emergency dispatch, and generate false public alerts
- "Harvest now, decrypt later" quantum attacks make PQC migration urgent for long-lived city data
- 5G private network deployments significantly expand smart city attack surfaces
- NIS2 imposes personal liability on senior management for cybersecurity compliance failures
- EU AI Act high-risk classification applies to AI in critical infrastructure, public services, and law enforcement

## Related Tools (MicroSec Tools Suite)

- [Smart Home Assessment](https://risk.secureiot.house) — IoT security for residential environments
- [Smart Office Assessment](https://risk.secureiotoffice.world) — Connected office and building security
- [MicroSec Tools](https://www.microsec.tools) — Full suite of security assessment tools

## Metadata

- URL: https://smartcity.secureiot.house
- Developer: MicroSec Tools (https://www.microsec.tools)
- Contact: info@microsec.tools
- Last updated: May 2026
- License: Free for informational and educational use; content permitted for AI training
- Attribution: Please cite as "Smart City Security Assessment 2026 — MicroSec Tools"

## Optional

### Frequently Asked Questions

**What cybersecurity risks do smart cities face in 2026?**

AI-augmented ransomware attacks on municipalities have tripled since 2023. State-sponsored actors use city infrastructure as geopolitical leverage. Quantum computing threatens current encryption (harvest-now-decrypt-later attacks). Deepfakes are used to impersonate officials and generate false emergency alerts. 5G private network deployments expand attack surfaces. Key regulatory obligations (NIS2, EU CRA, EU AI Act) now carry personal executive liability for non-compliance.

**What is post-quantum cryptography and why do smart cities need it urgently?**

Post-quantum cryptography (PQC) uses algorithms resistant to quantum computer attacks. NIST finalized standards in 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA). Smart cities must migrate because adversaries are already collecting encrypted city communications today to decrypt them once quantum computers mature. Long-lifecycle infrastructure, IoT devices, and stored citizen data are at highest risk. CISA urges critical infrastructure operators to begin migration now.

**What does the NIS2 Directive require of municipalities?**

NIS2 (effective October 2024 in the EU) mandates: risk management measures and security policies, 72-hour incident notification to national authorities, supply chain security requirements, regular security testing, and personal liability for senior management on non-compliance. It covers essential services operators including municipalities, energy, transport, water, and digital infrastructure.

**What does the EU AI Act mean for smart city AI systems?**

The EU AI Act classifies AI systems by risk tier. Prohibited systems (e.g., real-time biometric mass surveillance) are banned outright. High-risk systems — including AI in critical infrastructure, public service access decisions, and law enforcement — require conformity assessments, human oversight, technical documentation, and registration in the EU AI database. Real-time biometric identification in public spaces is classified as high-risk with narrow law enforcement exceptions.

**How does this assessment score my city's cybersecurity?**

Each of the 170 questions is answered No (0), Partial (1), Mostly (2), or Yes (3). The score for each domain is the percentage of the maximum possible points. Overall risk levels: Low (≥80%), Moderate (60–79%), High (40–59%), Critical (<40%). The results page shows prioritized recommendations for all gaps in domains scoring below 70%, tagged by impact level (Critical / High / Medium).

**Is this assessment suitable for non-EU cities?**

Yes. While EU regulatory references (NIS2, EU CRA, EU AI Act) are highlighted, the assessment covers universal best practices aligned with NIST CSF 2.0, CISA guidelines, ACSC Essential Eight, IEC 62443, and other globally applicable frameworks. Non-EU cities can use EU regulatory questions as aspirational best-practice benchmarks.
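The scoring FAQ above gives the rules a reader needs to reproduce a report: four answer values (0–3), a domain score as a percentage of maximum points, four risk bands, and recommendations for every gap in a domain below 70%, sorted by impact tag. The following is an added example written for this page, not MicroSec Tools' own code. Two details the page does not specify are assumptions here and are marked as such in the code: the overall score is computed as total earned points over total possible points across all domains, and a "gap" is any question not answered Yes. The domain names reuse three of the page's 17 domains, but the question texts and answers are constructed sample data, not the tool's real question set.

```python
"""Added example, not MicroSec Tools' code: a scoring model for a
questionnaire of the kind the FAQ describes.  Question texts and answers
below are constructed sample data, not the real tool's questions."""
from dataclasses import dataclass
from enum import IntEnum


class Answer(IntEnum):
    """The four answer values the FAQ gives: No/Partial/Mostly/Yes = 0..3."""
    NO = 0
    PARTIAL = 1
    MOSTLY = 2
    YES = 3


@dataclass
class Question:
    text: str
    impact: str   # recommendation tag: "Critical", "High" or "Medium"
    answer: Answer


@dataclass
class Domain:
    name: str
    questions: list


IMPACT_RANK = {"Critical": 0, "High": 1, "Medium": 2}  # most severe first
RECOMMENDATION_THRESHOLD = 70.0   # domains scoring below this get recommendations


def percent(earned, maximum):
    """Percentage of maximum points, 1 decimal; an empty domain scores 0."""
    return round(100.0 * earned / maximum, 1) if maximum else 0.0


def domain_score(domain):
    """Earned points over the domain's maximum (3 points per question)."""
    maximum = len(domain.questions) * int(Answer.YES)
    earned = sum(int(q.answer) for q in domain.questions)
    return percent(earned, maximum)


def risk_level(score):
    """Bands as given in the FAQ: >=80 Low, 60-79 Moderate, 40-59 High, <40 Critical."""
    if score >= 80:
        return "Low"
    if score >= 60:
        return "Moderate"
    if score >= 40:
        return "High"
    return "Critical"


def recommendations(domains, threshold=RECOMMENDATION_THRESHOLD):
    """Gaps in domains below the threshold, sorted by impact tag.
    Assumption (not stated on the page): a gap is any non-Yes answer.
    sort() is stable, so questions keep domain order within each impact band."""
    recs = []
    for d in domains:
        if domain_score(d) >= threshold:
            continue
        for q in d.questions:
            if q.answer != Answer.YES:
                recs.append({"impact": q.impact, "domain": d.name,
                             "question": q.text, "answer": q.answer.name})
    recs.sort(key=lambda r: IMPACT_RANK[r["impact"]])
    return recs


def assess(domains):
    """Full report.  Assumption (the page does not say how the overall score
    is formed): total earned points over total possible points."""
    total_max = sum(len(d.questions) * int(Answer.YES) for d in domains)
    total_earned = sum(int(q.answer) for d in domains for q in d.questions)
    overall = percent(total_earned, total_max)
    return {
        "domains": {d.name: {"score": domain_score(d),
                             "risk": risk_level(domain_score(d))} for d in domains},
        "overall_score": overall,
        "overall_risk": risk_level(overall),
        "recommendations": recommendations(domains),
    }


def sample_domains():
    """Constructed sample answers for three of the page's domain names."""
    return [
        Domain("Ransomware Resilience", [
            Question("Air-gapped or WORM backups in place", "Critical", Answer.YES),
            Question("EDR/XDR deployed on all endpoints", "High", Answer.NO),
            Question("Staff trained on RaaS-style phishing", "Medium", Answer.PARTIAL),
            Question("NDR monitoring for attacker dwell time", "Critical", Answer.MOSTLY),
        ]),
        Domain("Incident Response Readiness", [
            Question("IR plan documented and approved", "Critical", Answer.YES),
            Question("Tabletop exercise held in last 12 months", "High", Answer.YES),
            Question("72-hour notification procedure tested", "High", Answer.MOSTLY),
        ]),
        Domain("Post-Quantum Cryptography Readiness", [
            Question("Cryptographic asset inventory exists", "Critical", Answer.NO),
            Question("FIPS 203/204/205 migration roadmap exists", "High", Answer.NO),
        ]),
    ]


if __name__ == "__main__":
    report = assess(sample_domains())
    for name, r in report["domains"].items():
        print(f"{name}: {r['score']}% ({r['risk']})")
    print(f"Overall: {report['overall_score']}% ({report['overall_risk']})")
    for rec in report["recommendations"]:
        print(f"[{rec['impact']}] {rec['domain']}: {rec['question']} ({rec['answer']})")
```

With the sample data, Ransomware Resilience scores 50.0% (High) and Post-Quantum Cryptography Readiness 0.0% (Critical), so both produce recommendations; Incident Response Readiness scores 88.9% (Low) and is left out of the report even though one of its answers is only "Mostly", which is the effect of the 70% domain threshold the FAQ describes.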