EU consistently targeted by diverse yet convergent threat groups

By THREAT BEAT STAFF

The European Union Agency for Cybersecurity (ENISA) has released its 2025 threat landscape report, which shows that threat groups are reusing tools and techniques, introducing new attack models, exploiting vulnerabilities and collaborating to target the security and resilience of the EU’s digital infrastructure.

ENISA analyzed 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025. DDoS attacks were the dominant incident type, accounting for 77% of reported incidents; the greater part were carried out by hacktivists, with cybercriminals representing only a minor portion. Ransomware attacks were fewer in comparison, but ENISA found they had more impact. Phishing (60%) and vulnerability exploitation (21.3%) were the two leading intrusion vectors.

State-aligned threat groups steadily intensified their operations against EU organizations. State-nexus actors carried out cyber espionage against the public administration sector, while EU citizens faced Foreign Information Manipulation and Interference (FIMI).

The report also highlights AI both as an optimization tool for malicious activities and as a new point of exposure. “Large Language Models (LLMs) are being used to enhance phishing and automate social engineering activities,” ENISA said. “By early 2025, AI-supported phishing campaigns reportedly represented more than 80 percent of observed social engineering activity worldwide. Attacks on the AI supply chain are on the rise. While the focus of threat activities involving AI was the use of consumer-grade AI tools to enhance their existing operations, the emergent malicious AI systems is raising concerns about their capabilities in the future due to the widespread use of AI models.”

Attacks on third-party providers are increasing. For example, in March 2025, Plus Service, an external provider managing the Telemaco platform for multiple Italian transport companies, suffered a data breach involving unauthorized exfiltration to a remote cloud, which impacted several thousand commuters.

ENISA also noted a higher volume of attacks toward mobile devices, with a focus on compromising outdated hardware and software. 

Public administration tops the list of targeted sectors in the EU (38.2%), as the focus of hacktivism and of state-nexus intrusion sets conducting cyberespionage campaigns on diplomatic and governmental entities. This sector has seen a notable rise in incidents this year, mostly in the form of DDoS attacks. The second most targeted sector in the EU is currently transport (7.5%), followed by digital infrastructure and services (4.8%), finance (4.5%) and manufacturing (2.9%).

ENISA says defensive strategies must become intelligence-driven and systemic, focusing on proactive threat hunting, behavioral detection and the integration of cyber risk management into broader operational and policy frameworks. “Organisations should prioritise comprehensive asset discovery, automated vulnerability management and resilience planning for interconnected systems and services,” the agency says, adding that collaboration between Member States, EU institutions and private industry is essential for countering the threats.
