EU Cybersecurity Threat Landscape Report 2024-2025 Identifies Rising Risks From Diverse Threat Groups

Cybersecurity threats in the EU are evolving, with groups reusing tools and techniques, introducing new attack models, and exploiting vulnerabilities. The European Union Agency for Cybersecurity (ENISA) highlighted these issues in its "Threat Landscape" report, analysing 4,875 incidents from July 2024 to June 2025. This report outlines the most significant cybersecurity threats and trends impacting the EU's digital infrastructure.

DDoS attacks were the most common incident type, making up 77% of reported cases. Hacktivists were primarily responsible for these attacks, while cybercriminals played a smaller role. Ransomware was identified as the most impactful threat within the EU. Hacktivism accounted for nearly 80% of incidents, mainly through low-impact DDoS campaigns targeting EU Member States' websites. Only 2% of these incidents led to service disruptions.

Phishing remains a major concern, responsible for about 60% of intrusion cases. New models like Phishing-as-a-Service have made such attacks easier and more automated. Vulnerability exploitation followed at 21.3%. Cybercriminals increasingly exploit digital dependencies in supply chains to amplify their impact across Europe's interconnected systems.

State-aligned threat groups have intensified operations against EU organisations. These actors engage in cyberespionage against public administration sectors and manipulate information targeting EU audiences. A notable trend is the convergence of threat actors, with state-aligned groups, hacktivists, and cybercriminals sharing tactics and tools. "Faketivism" illustrates this convergence where state-aligned actors mimic hacktivist characteristics.

AI plays a growing role in the threat landscape. It optimises malicious activities but also introduces new vulnerabilities. Large Language Models (LLMs) enhance phishing and automate social engineering activities. By early 2025, AI-supported phishing campaigns represented over 80% of observed social engineering activity globally.

Sector-Specific Insights

The report identified public administration as the top targeted sector at 38.2%, driven by hacktivism and state-nexus intrusion sets conducting cyberespionage on diplomatic entities. The transport sector followed at 7.5%, then digital infrastructure and services at 4.8%, finance at 4.5%, and manufacturing at 2.9%. These sectors align closely with those under the NIS2 Directive's scope.

Attacks on AI supply chains are increasing, focusing on consumer-grade AI tools to enhance existing operations. Concerns grow over emergent malicious AI systems due to widespread AI model use.

ENISA Executive Director Juhan Lepassaar emphasised that interconnected systems mean disruptions can ripple across supply chains: "Systems and services that we rely on in our daily lives are intertwined, so a disruption on one end can have a ripple effect across the supply chain." He noted that understanding these threats helps prioritise safeguarding critical infrastructure for a secure digital future.

The ENISA report underscores the importance of informed decision-making to protect essential entities defined by the NIS2 Directive, which account for 53.7% of total incidents reported this year. Public administration has seen a rise in incidents due to increased hacktivist DDoS attacks over two consecutive years.

Increased attacks on mobile devices focus on compromising outdated technology, highlighting vulnerabilities in older systems as threat actors continue adapting their strategies to exploit weaknesses effectively within Europe's digital landscape.

With inputs from WAM