Critical infrastructures are vital for the functioning of modern societies. Over the last decades the number, variety and complexity of critical infrastructures have increased significantly; So has their exposure to different types of threats that vary from natural disasters and human errors to theft or even terrorist attacks. During the last two decades though a new type of threat has made its appearance in the Critical Infrastructure landscape, that of cyberattacks. The drinking water and water transportation sector is unquestionably categorized as a Critical Infrastructure. Within a water digitalisation context, the water sector has followed the example of other sectors, most notably energy, in increasing its dependence on ICT for improving its service, sustainability and affordability. While ICT may increase the water sector’s productivity and reliability, at the same time it makes it increasingly vulnerable to malicious cyberattacks or accidental cyber incidents. The consequences of a possible interruption or compromise of the water sector’s ICS, for example manipulation or disruption of water services, damage to equipment, or compromise of water safety could prove disastrous both for public health and safety and due to economic loss. At the same time, water sector entities are responsible for processing and accordingly protecting personal information, including employees’ records and customers’ billing data. While the current EU regulatory framework on water management has gone through a great reform over the last decades, it does not deal with the protection of water facilities against cyber risks. Even though the EU cybersecurity policy, including the protection regime on Critical Infrastructures, as well as the General Data Protection Regulation find full applicability on the water entities, the new digitalized water landscape calls for a shift in approach in order to create a more cyber resilient water sector.