The European Union continues to face a complex web of cyber threats, according to the 2025 ENISA Threat Landscape report. Covering incidents from July 2024 through June 2025, the report details how a variety of threat actors are targeting the EU’s digital infrastructure with overlapping tactics, highly technical attack models, and heightened collaboration.

The EU Threat Landscape and Converging Threat Groups 

ENISA’s latest analysis, based on 4,875 recorded cybersecurity incidents, reveals a reuse of tools and techniques among threat groups. Many exploit vulnerabilities in supply chains and introduce novel attack methods that amplify the impact on interconnected systems. The report notes that despite the variety of actors involved, ranging from hacktivists and cybercriminals to state-aligned groups, there is a notable convergence in their Tactics, Techniques, and Procedures (TTPs). 

Juhan Lepassaar, Executive Director of ENISA, stressed the systemic risk posed by these attacks: “Systems and services that we rely on in our daily lives are intertwined, so a disruption on one end can have a ripple effect across the supply chain. This surge in abuse of cyber dependencies by threat actors amplifies the impact of cyberattacks.”  

Dominant Attack Types and Entry Points 

Distributed Denial of Service (DDoS) attacks dominated the incident landscape, accounting for 77% of reported cases. These were primarily launched by hacktivist groups, with cybercriminals contributing only a small fraction. Despite their frequency, most hacktivist-driven DDoS attacks resulted in limited-service disruption, with only 2% causing serious outages. 

Ransomware, meanwhile, remains the most damaging cyber threat within the European Union. The report also identified phishing as the leading vector for initial intrusions, responsible for 60% of incidents. Phishing techniques, now increasingly automated through Phishing-as-a-Service (PhaaS) platforms, allow even inexperienced attackers to deploy malicious campaigns effectively. Vulnerability exploitation accounted for 21.3% of intrusion attempts. 

Growing Threats from State-Linked Actors and Ideologically Motivated Groups 

State-aligned threat actors intensified cyber espionage activities targeting public administration sectors across the European Union. These operations frequently target diplomatic and government entities, reflecting geopolitical tensions. Alongside these, Foreign Information Manipulation and Interference (FIMI) campaigns targeted EU audiences, aiming to undermine trust and influence public opinion. 

Hacktivism also remains a motivation, responsible for nearly 80% of incidents. It is largely driven by ideology and manifests through low-impact DDoS campaigns targeting governmental websites and organizations. 

AI and Mobile Device Vulnerabilities 

Artificial intelligence’s role has become increasingly prominent in the cyber threat ecosystem. ENISA’s report stresses how Large Language Models (LLMs) are exploited to enhance phishing and automate social engineering attacks. By early 2025, AI-supported phishing campaigns accounted for more than 80% of observed social engineering efforts globally. Simultaneously, attacks targeting AI supply chains are rising. 

Another notable trend is the increase in attacks on mobile devices, especially on outdated hardware. This shift signals attackers’ focus on exploiting less secure endpoints within the European Union’s digital landscape. 

Public Administration and Beyond 

The report’s sectoral analysis stresses the persistent targeting of critical infrastructure within the EU. Public administration emerged as the most affected sector, accounting for 38.2% of incidents. This increase is attributed mainly to a surge in hacktivist-driven DDoS attacks and state-nexus cyber espionage efforts. 

Following public administration, the transport sector experienced 7.5% of attacks, digital infrastructure and services 4.8%, finance 4.5%, and manufacturing 2.9%. Notably, these sectors closely align with those protected under the NIS2 Directive. Overall, 53.7% of reported incidents involved entities deemed essential under this Directive. 

While three of the top five targeted sectors have consistently remained in the top ranks for the past two years, public administration saw a sharp rise this year, reinforcing its vulnerability to cyber threats in the EU. 

References: 

• https://www.enisa.europa.eu/news/etl-2025-eu-consistently-targeted-by-diverse-yet-convergent-threat-groups 

• https://enisa.europa.eu/topics/cyber-threats