ENISA releases 2025 Threat Landscape report on Europe’s cybersecurity challenges

On 1 October, the European Union Agency for Cybersecurity (ENISA) released the latest edition of its Threat Landscape report, analysing 4,875 cybersecurity incidents that occurred between 1 July 2024 and 30 June 2025. The report paints a picture of an increasingly mature and complex threat environment, where traditional cybercrime, hacktivism, and state-aligned operations are becoming harder to distinguish.

This year’s edition introduces a revised format, offering a “threat-centric” perspective that connects individual incidents with wider trends. ENISA’s analysis highlights how rapid vulnerability exploitation, professionalised criminal ecosystems, and the growing use of artificial intelligence (AI) are reshaping the EU’s cyber risk landscape.

Ransomware and exploitation drive intrusions

Ransomware remains the most disruptive and financially damaging threat across Europe. The report notes the ongoing decentralisation of ransomware operations, as criminal groups adapt to law enforcement actions by spreading their infrastructure and using ransomware-as-a-service models.

Exploitation of software vulnerabilities continues to be a key entry vector, accounting for 21% of incidents, with most leading directly to system intrusions or malware deployment. ENISA warns that attackers now weaponise new vulnerabilities within days of disclosure, underscoring the importance of timely patching and basic cyber hygiene.

Phishing and industrialised social engineering

Phishing remains the dominant entry point for attackers, representing about 60% of all intrusion attempts. These campaigns are increasingly supported by AI tools: ENISA estimates that more than 80% of global phishing campaigns now use AI-generated or AI-enhanced content. The rise of phishing-as-a-service platforms has made complex phishing operations accessible to low-skilled actors.

ENISA also highlights the emergence of new techniques, such as ClickFix scams, which trick users into executing malicious commands disguised as CAPTCHA verifications, and quishing, where QR codes in PDFs redirect victims to credential-stealing pages.

Hacktivism

Hacktivist groups accounted for nearly 80% of all recorded incidents, mostly through low-level distributed denial-of-service (DDoS) attacks. These campaigns were typically short-lived and symbolic, with only 2% resulting in actual service disruption. ENISA notes that such activity often spikes around elections or political events, sometimes overlapping with governmental operations, a phenomenon the report calls faketivism.

State-aligned espionage and supply chain risks

State-linked intrusion sets, particularly those associated with Russia, China, Iran, and North Korea, continued to target EU public institutions and strategic industries, including telecommunications, logistics, and manufacturing. ENISA documents cases involving supply chain compromise, such as breaches affecting IT service providers and software repositories, illustrating how attacks on third-party dependencies can cascade across entire ecosystems.

In one example, a 2025 breach at an Italian transport service provider disrupted ticketing systems for thousands of commuters. Similar incidents were reported in Germany and Spain, reinforcing the vulnerabilities of interconnected digital services.

Mobile devices and AI

Mobile devices have become a prime target, representing 42% of observed threats. Android systems were especially affected by remote access trojans, used for both financial theft and espionage.

Artificial intelligence features prominently throughout the report, not just as a tool for defenders but also for attackers. ENISA warns of the emergence of malicious AI systems such as Xanthorox AI, designed to automate social engineering and malware development, as well as the appearance of fake AI tool websites distributing ransomware and trojanised installers.

Converging threats and policy implications

A central finding of the report is the convergence of threat actors. Lines between hacktivists, cybercriminals, and state-sponsored groups are blurring, with shared tools, tactics, and infrastructure becoming increasingly common. This blending of motives and methods, ENISA says, is turning the European threat landscape into a ‘continuous and diversified pressure environment’.

To counter this trend, ENISA emphasises the need for intelligence-driven and systemic defence strategies, including proactive threat hunting, automated vulnerability management, and resilience planning for interconnected systems.

Looking ahead, ENISA expects ransomware, hacktivism, and state-aligned espionage to remain the main pillars of the EU’s cyber threat landscape. The agency warns that increased automation, industrialisation, and convergence of malicious activity will continue to test Europe’s collective resilience, making collaboration between Member States, EU institutions, and private industry more essential than ever.
