7 Things We Learned from the EU’s Cybersecurity Threat Landscape 2025 Report

The EU's Cybersecurity Threat Landscape 2025 Report reveals crucial insights into how cyber threats are changing in Europe. Attackers are converging, automating, and industrialising their methods, from AI-supported phishing to state-sponsored ransomware. Learn why cybersecurity is a team sport and how understanding these trends can help your organisation anticipate, mitigate, and respond to the ever-changing attack surface.

October 29th, 2025

ENISA (the European Union Agency for Cybersecurity) recently published its analysis of 5,000 incidents across the entire European Union, producing a threat landscape for 2025. This key piece of threat intelligence offers an insight into the real attacks, risks and threats that face organisations in Europe and further afield. Cyber attacks have gone from niche discussion topics in IT departments to headline news affecting our entire lives, defining an age of cyber conflict. While it may be easy to panic and worry in the face of these threats, there is a great opportunity to move from reactive security to proactive, intelligence-driven resilience.

Understanding the how, what, who and why of attackers and their attacks allows security teams to focus on the things that matter and ignore what doesn’t. It lets them prioritise resources like budget and time towards the most common attack vectors and vulnerabilities in systems, and it enables strategic planning that aligns cybersecurity initiatives with business objectives and risk reduction. For security analysts, a detailed understanding of key TTPs (Tactics, Techniques, and Procedures) provides a concrete basis to strengthen tactical defences. These kinds of reports can also be used to help educate and inform stakeholders from outside of the security teams.

Converging Attackers, Automated Attacks and the Industrialisation of Attacking

We’ve analysed the entire report, and what stood out for us were the themes of convergence, automation and industrialisation. This year has seen threat groups converge from distinct groups into a blend of motivations and actor types, with the major changes being in state-sponsored attackers, who now adopt hacktivist personas and are commonly being used to generate revenue for the state via ransomware.

In the meantime, threat actors are leveraging new technology like AI to increase the scale of their attacks and chase the same promised efficiency that AI offers traditional organisations; an age of automation is quickly emerging from these trends. Finally, we see an increased diversity of attacks as attackers scale their operations, shifting towards continuous campaigns rather than single incidents and targeting many organisations in a specific sector.

Here are our key takeaways:

  1. Phishing is still how attackers are getting into most corporate networks. However, traditional email phishing is just one approach: attackers are also leveraging vishing, malspam and malvertising, and while this isn’t new, it’s worth remembering that phishing can come from many places.

  2. It’s not just security teams that are leveraging AI; threat actors are too. We’re now seeing AI-supported phishing, as AI is readily used to craft more convincing phishing emails and to help attackers research organisations or individuals via open source channels like social media.

  3. Hacktivism is still a major motivation for threat actors in Europe, but it’s almost always DDoS attacks. DDoS attacks still make up the majority of incidents at over 75% of all attacks. However, even though financially motivated cyber criminals and state-sponsored espionage may make up a smaller percentage of attacks, these are often associated with intrusion, persistence and ransomware.

  4. But even then we see the lines between these threat actors blur, as state-nexus groups from DPRK and China leverage ransomware as a method to increase state funds, and hacktivist personas are adopted by state-sponsored attackers for faketivism.

  5. When it comes to the state-nexus attackers, Russia is home to the most active state-aligned threat actor. Unsurprisingly, information manipulation attacks increase around elections, as a number of EU elections in Poland, Romania and Moldova were targeted by Foreign Information Manipulation.

  6. Ransomware is by far the most common malicious payload. This is somewhat unsurprising when we’ve seen many high profile attacks in the past year, especially as ransomware operators have moved to a service model and have introduced the “double-ransom”, threatening not just to encrypt the data but also to leak it if they are not paid.

  7. Even though we hear a lot about attacks on the private sector, of those that can be attributed to a specific sector, the most targeted sectors were public administration, transport and digital infrastructure. It is worth remembering, though, that these attacks are primarily motivated by hacktivism and are DDoS attacks, rather than the operationally more challenging ransomware.

Moving From Reactive to Proactive Security

This threat landscape isn’t just a basic summary of attacks over the past year. For organisations in Europe and across the world, it provides a strategic tool for teams looking to understand exactly how threat actors are changing and adapting their attacks. Examining these threats, attacks and trends enables your teams to anticipate, mitigate and respond to the changing attack surface. And for those thinking about budget planning going into 2026, it provides a clear focus and justification for supporting specific tools, processes and operations going forward.

For all teams, it reinforces the key idea that cyber security is a team sport: a shared responsibility across the entire organisation, and a risk that everyone should be aware of and react to. In a world of AI-enabled threat actors launching automated, large-scale attacks in just a few seconds, it can be daunting for security teams to find their way. But while threat actors leave a trail of digital footprints across technical signatures, their initial access methods of phishing are firmly rooted in the human aspects of cyber, and can only be prevented with awareness across the organisation. The greatest security risks can be prevented only in one way: together.

About

Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.