Europe’s Cyber Threat Landscape: What the Data Shows
The ENISA Threat Landscape 2025 Report, published by the European Union Agency for Cybersecurity (ENISA), offers a clear, data-driven perspective on what’s actually happening on the digital front lines in Europe. This comprehensive analysis cuts through the noise of the daily news cycle, which is filled with alarming stories of cyberattacks — from massive data breaches to crippling ransomware demands. While these headlines can feel overwhelming and chaotic, ENISA’s latest report provides the clarity needed to understand the real cyber threat landscape.
This article distils the most crucial findings from the report, challenging common assumptions and providing a vital perspective on the real threats facing the EU today.
The Motive: It’s Not About the Money, It’s About the Message
Contrary to the popular belief that cybercrime is primarily about financial gain, the ENISA report reveals a startlingly different reality. The vast majority of cyberattacks in the EU are ideologically motivated.
The data is unambiguous: a staggering 79.4% of attacks were ideology-driven, completely dwarfing the 13.4% that were financially motivated. Cyberespionage accounted for the remaining 7.2%.
Dominated by NoName057(16), accounting for over 60% of incidents via its DDoSia platform, targeting EU geopolitical support and national elections.
Despite an 11% decline, ransomware remained the most impactful cybercrime tool, with Initial Access Brokers trading low-cost VPN and RDP credentials.
State-nexus groups like APT28, APT29, and Sandworm were most active in the EU, targeting public administration, defence, and telecommunications.
This finding reframes the primary threat actor from a profit-seeking criminal to state-aligned groups and hacktivists driven by geopolitical events.
Key Takeaways on Threat Actors and Tools:
- Ideology-driven attacks represented 79.4% of incidents, with NoName057(16) accounting for over 60% via its DDoSia platform, targeting EU geopolitical support and national elections.
- Despite an 11% decline, ransomware remained the most impactful cybercrime tool, with Initial Access Brokers trading low-cost VPN and RDP credentials.
- State-sponsored groups like APT28, APT29, and Sandworm were most active in the EU, targeting public administration, defence, and telecommunications.
- Information Manipulators using sophisticated Foreign Information Manipulation and Interference (FIMI) were highly active, led by the Matryoshka Information Manipulation Set spreading disinformation to EU audiences.
The Target: Public Servants Are on the Digital Front Line
When we think of high-value targets, we often picture banks or tech giants. However, the report shows that the most-targeted sector in the EU is, by an overwhelming margin, Public Administration.
This sector accounts for 38.2% of all recorded incidents. This intense focus is directly linked to the ideological motivations revealed earlier, with the report noting that “state-nexus cyberespionage activities notably targeted the public administration sector.”
Top 5 Known Targeted Sectors in the EU (2025)
| Sector | Share of Incidents (%) |
|---|---|
| Public Administration | 38.2% |
| Transport | 7.5% |
| Digital Infrastructure & Services | 4.8% |
| Finance | 4.5% |
| Manufacturing | 2.9% |
Overall, “essential entities” (those critical to society) accounted for 53.7% of all incidents. While nearly 95% of the attacks on public administration were low-impact DDoS campaigns, ransomware remains a particularly damaging problem for municipalities, placing essential government services squarely in the digital crosshairs.
Other critical sectors highlighted:
- Transport (7.5%): Particularly the maritime sector, which was a notable target for state-sponsored groups seeking to disrupt trade.
- Digital Infrastructure (2.2%): While seeing a lower volume of attacks, it is considered a “high-value target” used as a “launchpad” for follow-up attacks on other sectors.
The Threat: The Loudest Attacks Aren’t the Most Damaging
The ENISA report draws a critical distinction between the volume of cyber incidents and their actual impact.
Highest Volume: Hacktivist-led DDoS (Distributed Denial-of-Service) campaigns are responsible for the highest number of attacks, yet their ability to cause real harm is often minimal. According to the report, only 2% of these DDoS incidents lead to actual service disruption.
Highest Impact: In stark contrast, ransomware remains the most significant threat in terms of damage. Despite an 11% decrease in overall activity, ENISA still identifies ransomware as the most impactful threat in the EU, capable of causing severe and lasting service disruptions. The Akira and SafePay strains were noted as being particularly active.
This shows that the noisiest threats aren’t necessarily the ones we should fear the most.
The Entry Point: The Oldest Trick Is Still the Most Effective
Despite the rise of sophisticated hacking tools, the initial point of entry for most cyberattacks is remarkably low-tech. The report confirms that phishing remains the dominant intrusion vector, accounting for approximately 60% of cases.
This enduring threat vector relies on human error, encompassing everything from malicious spam emails (malspam) and voice phishing (vishing) to malicious advertising (malvertising).
The next most common method, vulnerability exploitation, is a distant second at 21.3%. However, when exploits are used, they are potent; the report notes that 68% of them lead directly to malware deployment. This crucial finding underscores that the human element remains the weakest link and that maintaining basic cyber hygiene is more critical than ever.
The dominant intrusion vector, including malspam, vishing, and malvertising. Relies on human error as the primary attack surface.
A distant second, but highly potent — 68% of exploits led directly to malware deployment.
Includes brute force, supply chain compromise, and other less common initial access methods.
The Future: AI Weaponisation and New Targets
Looking ahead, the report identifies two concerning trends that will shape the future of cybersecurity.
The Weaponisation of AI
Both state-aligned intrusion sets and cybercriminal operators are increasingly leveraging Artificial Intelligence. This signals a new evolution in the cyber arms race, as AI is used for productivity and to optimise malicious activities — from creating more convincing phishing lures to automating vulnerability discovery.
New High-Value Targets
Attackers are shifting their focus to new devices. Mobile devices and internet-exposed services are becoming prime targets. Most critically, this includes Operational Technology (OT) systems — the computers that control physical processes in factories, power grids, and water treatment plants — which are now being targeted by all types of threat actors.
Conclusion
The ENISA Threat Landscape 2025 report makes it clear that the reality of cybersecurity in the EU is far more nuanced than the headlines suggest. The landscape is dominated not by financial criminals, but by ideologically motivated actors. The primary targets aren’t corporations, but the public services we all rely on. And the biggest door for attackers remains the simplest one: a deceptive email.