Through a more threat-centric approach and further contextual analysis, this latest edition of the ENISA Threat Landscape analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025. At its core, this report provides an overview of the most prominent cybersecurity threats and trends the EU faces in the current cyber threat ecosystem.
ENISA Executive Director, Juhan Lepassaar stated: “Systems and services that we rely on in our daily lives are intertwined, so a disruption on one end can have a ripple effect across the supply chain. This is connected to a surge in abuse of cyber dependencies by threat actors that can amplify the impact of cyberattacks. The ENISA Threat Landscape provides valuable insights to enable informed decision-making and prioritisation to safeguard our critical infrastructure and ensure that our digital future is secure.”
ENISA Threat Landscape 2025 Highlights
- Incident type: DDoS attacks was the dominant incident type and accounted for 77% of reported incidents, the greater part of which were deployed by hacktivists while cybercriminals represent only a minor portion.
- Ransomware is identified as the most impactful threat in the EU.
- Hacktivism took the lead, representing almost 80% of the total number of incidents, primarily through low-impact DDoS campaigns targeting EU Member States organisations’ websites, with only 2% of hacktivism incidents resulting in service disruption.
- State-aligned threat groups steadily intensified their operations towards EU organisations. State-nexus actors carried out cyberespionage against the public administration sector, while EU audiences were faced with Foreign Information Manipulation and Interference (FIMI).
- Phishing (60%), followed by vulnerability exploitation (21.3%) are the two leading intrusion access points.
- With regards to the assessed objectives of these incidents, almost 80% were ideology-driven incidents, exclusively carried out by hacktivists through DDoS.
Deep-dive into Key Trends
Based on the updated ENISA Cybersecurity Threat Landscape Methodology and a new format, the findings include updated key trends. With regards to the primary method for initial intrusion, phishing (including vishing, malspam and malvertising) is identified as the leading vector, accounting for about 60% of observed cases. Advancements in its deployment, such as Phishing-as-a-Service (PhaaS) that allows the distribution of ready-made phishing kits, indicate an automation that paves the way for attackers regardless of their experience.
Closely linked to recent events in the EU, an increase in targeting cyber dependencies has been noted. Cybercriminals have intensified their efforts to abuse critical dependency points, for example in the digital supply chain, to get the most out of their attacks. This method is able to magnify the impact of actions by leveraging the interconnectedness inherent in our digital ecosystems.
What also stands out is convergence between threat groups and the current overlap in their Tactics, Techniques and Procedures (TTPs), targets, objectives, etc. This is best demonstrated by faketivism, where intrusions by state-aligned actors employ hacktivist characteristics, as well as with similarities in tools utilised by both hacktivists’ groups and cybercriminals.
The growing role of AI has become an undeniable key trend of the rapidly evolving threat landscape. The report highlights AI use both as an optimisation tool for malicious activities but also as a new point of exposure. Large Language Models (LLMs) are being used to enhance phishing and automate social engineering activities. By early 2025, AI-supported phishing campaigns reportedly represented more than 80 percent of observed social engineering activity worldwide. Attacks on the AI supply chain are on the rise. While the focus of threat activities involving AI was the use of consumer-grade AI tools to enhance their existing operations, the emergent malicious AI systems is raising concerns about their capabilities in the future due to the widespread use of AI models.
Last but not least, a higher volume of attacks toward mobile devices has been noted, with a focus on compromising outdated devices.
Top targeted sectors in the EU
The sectorial threat analysis of the report is significant to highlight structural target points of the EU’s critical infrastructure. At the top of the targeted sectors list in the EU is public administration (38.2%), being the focus of hacktivism and state-nexus intrusion sets conducting cyberespionage campaigns on diplomatic and governmental entities.
At the second place is the transport sector (7.5%), followed by digital infrastructure and services (4.8%), finance (4.5%) and manufacturing (2.9%). The close match between the sectors with the highest ranking and the sectors under scope for NIS2 Directive underscores the importance of the Directive. 53.7% of the total number of incidents concern essential entities, as defined by the NIS 2 Directive.
Three of the top-five targeted sectors have consistently stayed in the top ranks for two consecutive years, whereas public administration has seen a notable rise in incidents this year, driven by the increased hacktivists’ DDoS attacks.