Cyber Threats in Europe: Key Learnings from the Latest ENISA Threat Landscape Report

10. March, 2026

Ransomware groups are increasingly using zero-day exploits and more advanced attack techniques, state actors disguise their campaigns as ordinary cybercrime, and geopolitical tensions are increasingly leading to attacks on suppliers, managed service providers, and public institutions.

The latest ENISA Threat Landscape Report clearly shows that the traditional distinction between cybercrime, hacktivism and state-sponsored actors is becoming less meaningful. Attackers increasingly adopt each other’s tools, infrastructure and tactics, making attribution more difficult.

For IT administrators and security professionals, this means one thing above all: the threat landscape is becoming more complex – and it increasingly affects smaller organizations as well.

The ENISA Threat Landscape Report 2025 analyzes 4,875 verified security incidents between July 2024 and June 2025, highlighting which attack techniques are currently most relevant.

The Key Development: Converging Threats

One of the key terms in the ENISA report is convergence.

In the past, cyber threats could often be categorized more clearly—for example as financially motivated cybercrime or state-sponsored espionage. Today, however, these boundaries are increasingly blurred. According to ENISA, hybrid attack campaigns are becoming more common, where different threat actors use similar tools and techniques.

Examples include:

  • Cybercriminals using APT techniques and zero-day exploits
  • State actors disguising operations as ordinary ransomware campaigns
  • Hacktivist groups combining political messaging with financial extortion

This development not only makes attribution more difficult—it also accelerates the spread of new attack techniques.

Who Is Currently Being Targeted

Many organizations still assume that cyber attackers mainly focus on large corporations. The ENISA report paints a different picture.

The most frequently targeted sector in the EU is public administration, accounting for around 38.2% of the observed incidents.

Other frequently affected sectors include transport and logistics, digital infrastructure, financial services and industry. One important reason is the growing interconnectivity of organizations: attackers deliberately target suppliers or IT service providers as entry points to reach larger targets.

Many smaller companies assume they are too insignificant to attract attackers. In reality, the opposite is often true. SMEs are frequently targeted because they are part of larger supply chains, have fewer IT security resources, or can serve as an entry point into larger organizations. Basic cyber hygiene and resilience measures are therefore essential for organizations of all sizes.

The Most Important Current Threat Trends

The ENISA report highlights several key developments.

  1. Ransomware Remains One of the Biggest Threats
    Ransomware continues to be one of the most impactful forms of cyberattack. However, attacker tactics are evolving: traditional encryption is now often combined with data theft, additional DDoS threats increase pressure, and attackers may even contact customers or business partners directly.

    This so-called triple-extortion strategy is designed to maximize financial impact.

  2. DDoS Attacks Are Making a Comeback
    DDoS attacks account for a large share of observed incidents. A significant portion of reported hacktivist activity consists of DDoS campaigns.

    Many of these attacks target government institutions, banks, and transportation or infrastructure companies. In some cases, DDoS attacks are used as a distraction, while deeper intrusions occur in parallel.

  3. Supply Chain Attacks Are Increasing
    As large organizations strengthen their security posture, attackers are increasingly shifting their focus to indirect targets. Typical targets include managed service providers (MSPs), software vendors, cloud service providers, or smaller IT service providers.

    A compromised service provider can potentially give attackers access to multiple organizations at once.

  4. AI Is Changing Social Engineering Attacks
    Social engineering attacks are also evolving rapidly. Today’s phishing emails are often linguistically flawless, highly personalized and context-aware.

    The ENISA report notes that AI tools significantly lower the barrier for social engineering attacks, for example by enabling automated generation of convincing phishing messages or deepfake audio.

Security Checklist: Key Actions to Take Now

Based on the findings of the ENISA report, organizations should regularly review their security strategies. The following points provide a practical starting point for internal security reviews.

1. Secure Identity and Access

Strengthen MFA

  • Use FIDO2 tokens or number matching
  • Implement protection against MFA fatigue attacks
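One way to detect MFA fatigue in push-notification logs, as an added example that is not part of the original article: flag users who reject or ignore several prompts within a short window, and escalate when an approval follows the burst. The event fields, user names and thresholds are assumptions; real identity-provider logs use their own schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, push prompt result.
SAMPLE_EVENTS = [
    ("2026-03-10T02:14:05", "a.huber", "denied"),
    ("2026-03-10T02:14:40", "a.huber", "timeout"),
    ("2026-03-10T02:15:10", "a.huber", "denied"),
    ("2026-03-10T02:15:55", "a.huber", "denied"),
    ("2026-03-10T02:16:20", "a.huber", "approved"),
    ("2026-03-10T08:01:00", "m.berger", "denied"),
    ("2026-03-10T08:01:30", "m.berger", "approved"),
    ("2026-03-10T09:00:00", "k.wolf", "approved"),
]

def detect_mfa_fatigue(events, max_rejected=3, window=timedelta(minutes=10)):
    """Flag users with >= max_rejected denied/timed-out prompts inside `window`.

    Returns {user: {"rejected": n, "approved_after_burst": bool}}.
    An approval right after a burst is the high-severity case: the user may
    have given in, so the session should be revoked and the user contacted.
    """
    recent = defaultdict(deque)   # user -> timestamps of rejected prompts
    findings = {}
    for ts_raw, user, result in sorted(events):   # ISO timestamps sort correctly
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= max_rejected:
                f = findings.setdefault(
                    user, {"rejected": 0, "approved_after_burst": False})
                f["rejected"] = max(f["rejected"], len(q))
        elif result == "approved":
            if len(q) >= max_rejected:
                findings[user]["approved_after_burst"] = True
            q.clear()   # a successful login resets the counter
    return findings

if __name__ == "__main__":
    for user, f in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        severity = "HIGH" if f["approved_after_burst"] else "medium"
        print(f"{severity}: {user} rejected {f['rejected']} prompts in window")
```

The same counter can drive prevention as well as detection: once the threshold is reached, stop sending further push prompts for that user and require a phishing-resistant factor.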

Review Service Accounts

  • Identify outdated service accounts
  • Remove unnecessary domain admin privileges
  • Regularly audit privileged accounts
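The three review steps above can be run as a recurring check over an account inventory export. The following is an added example, not from the original article; the CSV columns, account names and thresholds are assumptions and would need to be mapped to whatever your directory export actually provides.

```python
import csv
import io
from datetime import date

# Constructed inventory export (hypothetical columns, not a real directory dump).
SAMPLE_EXPORT = """account,last_logon,password_last_set,groups
svc-backup,2026-03-01,2025-11-02,Backup Operators
svc-scanner,2024-06-12,2021-01-15,Domain Admins;Print Operators
svc-sql01,2026-03-08,2019-04-30,Domain Admins
svc-legacyftp,,2018-09-09,Domain Users
"""

# Groups treated as highly privileged for this review (adjust to your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def audit_service_accounts(export_text, today, stale_days=90, max_pw_age_days=365):
    """Return {account: [findings]} for service accounts that need review."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = []
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        privileged = sorted(groups & PRIVILEGED_GROUPS)
        # Outdated: never used, or not used within the staleness threshold.
        if not row["last_logon"]:
            findings.append("never logged on")
        elif (today - date.fromisoformat(row["last_logon"])).days > stale_days:
            findings.append("stale")
        # Long-lived credentials are a common trait of forgotten accounts.
        pw_age = (today - date.fromisoformat(row["password_last_set"])).days
        if pw_age > max_pw_age_days:
            findings.append("old password")
        # Privileged membership should be justified or removed.
        if privileged:
            findings.append("privileged: " + ", ".join(privileged))
        if findings:
            report[row["account"]] = findings
    return report

if __name__ == "__main__":
    for account, findings in audit_service_accounts(
            SAMPLE_EXPORT, date(2026, 3, 10)).items():
        print(f"{account}: {'; '.join(findings)}")
```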

2. Ensure Resilience and Recovery

Immutable Backups

  • Maintain at least one immutable backup system (WORM storage)
  • Ideally maintain air-gapped backups

Offline Emergency Plans

  • Maintain offline contact lists
  • Keep incident response checklists on paper

If central systems such as Active Directory or VoIP fail, digital incident response documentation may no longer be accessible.

3. Evaluate Supply Chain Risks

Vendor Risk Management

  • Identify critical IT service providers
  • Review their security certifications
  • Define incident notification procedures

Identify Shadow IT

  • Inventory SaaS services in use
  • Decommission forgotten cloud instances

4. Prepare Employees for AI-Driven Attacks

Update security awareness training with a focus on:

  • AI-generated phishing emails
  • Deepfake audio
  • Manipulated video calls

Implement verification processes:

  • For sensitive actions such as payment instructions, password resets, or access to critical systems, an out-of-band verification process should always be used.

5. Technical Hardening and NIS2 Preparation

Many of the measures mentioned in the ENISA report directly correspond to requirements of the NIS2 Directive. Especially important:

  • Network segmentation
  • Separation of guest networks
  • Restricted access to critical systems
  • The least privilege principle

Prioritize patch management — especially for systems exposed to external networks:

  • Firewalls
  • VPN gateways
  • Mail servers
  • Remote access systems

The time between vulnerability disclosure and the first exploits appearing is now often less than 24 hours.

Conclusion

The ENISA Threat Landscape Report 2025 clearly shows that the cybersecurity landscape is becoming increasingly hybrid and complex. Cybercriminals, hacktivists and state-sponsored actors are using similar tools and infrastructure—and increasingly targeting indirect entry points such as suppliers or IT service providers.

Cybersecurity is not a one-time project but an ongoing process. Organizations should regularly review their security architecture, particularly with regard to identity management, resilience and backup strategies, supply chain risks, awareness against social engineering, network segmentation and patch management.



Sources:
ENISA Threat Landscape 2025: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
ENISA Threat Landscape 2025 (PDF): https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025%20Booklet.pdf
BSI – Die Lage der IT-Sicherheit in Deutschland 2025: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2025_Achtseiter.pdf
World Economic Forum – Global Cybersecurity Outlook 2025: https://www.weforum.org/publications/global-cybersecurity-outlook-2025/digest/
