ENISA Threat Landscape 2025 says Europe faces converging pressure from hacktivists, ransomware, and state-aligned actors
ENISA’s 2025 threat landscape report says Europe is facing overlapping pressure from hacktivism, ransomware, phishing, vulnerability exploitation, and state-aligned cyber activity across critical sectors.
Summary
ENISA’s 2025 Threat Landscape argues that Europe’s cyber risk environment is being shaped by multiple overlapping threat pressures rather than one dominant actor class. The report highlights hacktivist DDoS activity, impactful ransomware, state-aligned cyberespionage, phishing, vulnerability exploitation, and growing abuse of cyber dependencies.
Overview
On 1 October 2025, ENISA published its 2025 Threat Landscape report covering 4,875 incidents observed between 1 July 2024 and 30 June 2025. The agency said the report uses a more threat-centric approach and is intended to help decision-makers understand the most prominent cybersecurity threats and trends affecting the European Union.
Key Details
According to ENISA, DDoS was the dominant incident type, accounting for 77% of reported incidents, much of it linked to hacktivist activity. At the same time, ransomware was identified as the most impactful threat in the EU.
ENISA also said phishing remained the leading initial access vector at roughly 60% of observed cases, followed by vulnerability exploitation at 21.3%. The report emphasised intensifying state-aligned activity against EU organisations, abuse of cyber dependencies across digital supply chains, and growing overlap in tactics and tooling between threat groups.
It also flagged AI as both an enabling tool for malicious activity and a new point of exposure, particularly in phishing, social engineering, and attacks involving the AI supply chain.
Why It Matters
This matters because it challenges simplistic threat narratives. Europe is not dealing with a single dominant problem, but with an increasingly blended environment in which nuisance-level hacktivism, serious ransomware, state-linked cyberespionage, and AI-enabled intrusion techniques all coexist.
For organisations, that means resilience can no longer be framed only around one threat type. Defensive priorities have to account for disruption, espionage, dependency risk, and attacker reuse of tools and methods across different campaigns.
Analysis
The most interesting part of ENISA’s framing is the emphasis on convergence. The report suggests that distinctions between threat actors are becoming less operationally useful when tools, access methods, and objectives begin to overlap. That is particularly important for defenders because it means an incident may look like low-grade disruption at first but still reflect broader strategic pressure on digital infrastructure.
The strong emphasis on cyber dependencies is also notable. It points to a future in which systemic weakness in shared platforms, vendors, and infrastructure relationships may matter as much as the sophistication of any one adversary.
Practical Takeaway
- treat phishing, vulnerability exploitation, and dependency risk as connected problems rather than separate tracks
- prioritise resilience for internet-facing and business-critical systems that can turn low-complexity disruption into wider operational impact
- review whether ransomware readiness, DDoS preparedness, and supply-chain visibility are being handled as one coordinated risk picture
- watch how AI-enabled intrusion and social engineering patterns evolve, especially in high-volume access attempts