Understanding the Evolving Cybersecurity Threat Landscape in the EU: An In-Depth Analysis for Compliance
The cybersecurity landscape across the European Union has become significantly more complex and challenging, a reality starkly highlighted by recent reports, including the first-ever Report on the State of Cybersecurity in the Union by the European Union Agency for Cybersecurity (ENISA). This report, adopted in cooperation with the NIS Cooperation Group and the European Commission, provides an evidence-based overview crucial for entities navigating their compliance obligations, particularly under the NIS2 Directive.
Driven by rapid digitisation and a volatile geopolitical climate, the EU has seen a notable escalation in cyber threats. Ongoing conflicts, such as the Russian war of aggression against Ukraine and the escalated Israel-Palestine conflict, continue to significantly shape the cybersecurity realm, contributing to rising Foreign Information Manipulation and Interference (FIMI) and hacktivist activity. Events such as the European Elections have also motivated increased hacktivist efforts (ENISA Threat Landscape 2024).
The Assessed Threat Level: Substantial Risk
During the reporting period covered by the ENISA report, the overall cybersecurity threat level to the EU was assessed as substantial. This assessment means that it is considered likely that entities are being directly targeted by threat actors, or that they could be exposed to breaches by exploiting recently discovered vulnerabilities. Critically for compliance, serious disruptions of essential and important entities, as well as EU institutions, bodies, and agencies (EUIBAs), are deemed a realistic possibility.
The "substantial" severity level is derived from evaluating both the intent and the capability of threat actors. While tracked threat actors have demonstrated intent to cause high-scale incidents across Europe, only a subset have historically shown the capability to execute such widespread disruptions.
Key Attack Vectors and Threat Actors
Based on the ENISA Threat Landscape 2024 report, which informs this assessment, late 2023 to mid-2024 saw cybersecurity attacks escalate, setting new benchmarks in variety, number, and consequences.
The most frequently reported forms of attack observed were Denial-of-Service (DoS/DDoS/RDoS) attacks and ransomware, together accounting for more than half of the reported events. Threats specifically targeting data, such as data breaches or data leaks, were the next most common category.

The sources identify three primary categories of threat actors continuously targeting EU Member States and EUIBAs:
- Cybercriminals: These actors are predominantly motivated by financial gain. They typically target data or infrastructure where disruption or compromise will have the highest operational impact, allowing them to steal, extort, or monetize the compromised information. Ransomware remains a highly impactful threat emanating from the cybercrime ecosystem (ENISA Threat Landscape 2024).
- State-Nexus Actors: Generally well-funded and possessing advanced capabilities, these groups primarily focus on espionage and disruption. Groups linked to Russia and China remain prominent. Russia-nexus actors, while continuing to target Ukraine, are also adapting their infrastructure for cyberespionage against EU countries and institutions, and are engaged in advanced offensive campaigns against technology providers. Notably, many state-nexus hacking campaigns are leveraging AI to generate fake content or develop new methods for spreading misinformation.
- Hacktivists: Geopolitical crises have significantly increased hacktivist activity and made it more unpredictable. Hacktivists commonly employ tactics such as DDoS attacks and website defacements. A growing trend is the observed overlap between state-nexus actors and groups presenting themselves as hacktivists (ENISA Threat Landscape 2024).

Evolving Threats and Challenges
The threat landscape is not static; threat actors are continuously evolving their tactics, techniques, and procedures (TTPs). Key evolutions and persistent challenges include:
- Ransomware Tactics: While ransomware remains a major threat, there is an observed shift from purely encrypting data to primarily exfiltrating it. Small and medium-sized enterprises (SMEs), which may have fewer resources for robust cybersecurity, are becoming more attractive targets. Double extortion (encrypting data and threatening to publish it unless a ransom is paid) has become standard practice for established ransomware groups (ENISA Threat Landscape 2024).
- Vulnerability Exploitation: Systems across the EU continue to be exposed to the exploitation of both known and unknown vulnerabilities. While state-nexus actors may exploit zero-day vulnerabilities in targeted espionage campaigns, the exploitation of unpatched and out-of-date systems (N-day vulnerabilities) poses a greater overall risk due to the large number of vulnerable systems. According to the ENISA Foresight Cybersecurity Threats for 2030 study, the exploitation of unpatched and out-of-date systems is considered one of the top 10 emerging threats for 2030. This is particularly challenging for sectors with long lifecycles for ICT products, such as energy and transport.
- Supply Chain Threats: These continue to be a major concern because of their potential for wide reach, difficulty of detection, and the risk of catastrophic cascading effects. Threat groups show continuous interest and increasing capability in supply chain attacks. Attacks often target the supplier's code and leverage social engineering to compromise employees with privileged access. Increased reliance on outsourced IT services, especially by SMEs, adds complexity (ENISA Threat Landscape 2024). Supply chain security is identified as one of the least developed areas in cybersecurity risk management. While most Member States are defining measures, implementation by entities, particularly SMEs, and the dedication of resources to third-party risk management remain a challenge.
- Foreign Information Manipulation and Interference (FIMI): EU-based organisations are a common target for FIMI activities. Information manipulation remains a key element, with efforts to localize content while globalizing presence. As mentioned earlier, state-nexus actors are using AI in hacking campaigns to create fake content or spread misinformation.
- Influence of AI: The growing prevalence of AI-powered technologies affects EU societies. As noted, state-nexus actors use AI to create fake content and spread misinformation. The likelihood that AI will disrupt or enhance cyberattacks is increasing (ENISA Threat Landscape 2024).

Targeted Sectors
No sector is immune to cyber threats. Data from the ENISA Threat Landscape 2024 report indicates that organizations in public administration (19%) and transport (11%) were the most frequently targeted sectors. Digital infrastructure (9%) and banking (8%) also constituted substantial portions of targeted entities. Notably, a considerable number of events (8%) targeted civil society, impacting the general public. Sectors such as Health and Rail also face a high number of incidents.
The NIS2 Directive covers entities across 18 sectors, each with varying levels of criticality and cybersecurity maturity. For instance, the Internet Infrastructure sector is nearing the criticality of key sectors like Electricity, Finance, and Telecoms, but its maturity still needs improvement. Health, Railway, and Gas sectors are assessed as having moderate criticality and maturity. Hospitals, for example, are primarily targeted by cybercriminals, with incidents potentially affecting confidentiality or availability of services, though typically as isolated events.
Navigating the Landscape: Compliance and Resilience
The EU's cybersecurity policy framework, including NIS2, the Cyber Resilience Act (CRA), and the upcoming Cyber Solidarity Act (CSOA), has matured significantly. The focus is now shifting towards supporting public and private sector entities in implementing this legislation.
Compliance requires addressing several key areas highlighted in the sources:
- Risk Management: Entities must implement appropriate and proportionate technical, operational, and organisational risk management measures. This includes policies on risk analysis, incident handling, business continuity, supply chain security, security in systems acquisition and maintenance, vulnerability handling, assessment of measure effectiveness, basic cyber hygiene, cryptography use, human resources security, access control, asset management, and multi-factor/continuous authentication where appropriate. Enterprises, particularly SMEs, show room for improvement in performing cybersecurity risk assessments and implementing basic cyber hygiene practices. There are also significant deviations in implementing risk management measures depending on company size and sector maturity.
- Incident Reporting: EU legal acts, including NIS2, mandate the reporting of significant incidents to competent authorities. While progress is being made, particularly for telecom and trust service providers, implementation under NIS2 is still ongoing, and some Member States lack dedicated reporting tools. Harmonising reporting obligations across different EU legislation and Member States is crucial for effective situational awareness. The number of reported incidents seems low, suggesting potential under-reporting, likely due to a reluctance by organisations to share this information.
- Supply Chain Security: NIS2 mandates measures on supply chain security as part of risk management. However, implementation by entities, especially SMEs, lags behind. Coordinated EU-wide risk assessments of critical ICT supply chains are recommended.
- Vulnerability Handling: Entities under NIS2 are required to apply vulnerability handling and disclosure measures. However, challenges remain in consistently handling vulnerabilities across all assets and patching systems in a timely manner, particularly with the addition of new sectors and entities under NIS2.
- Cyber Crisis Management: The framework for cyber crisis management at the EU level has matured, involving networks like EU-CyCLONe and the CSIRTs Network. Entities must take measures on crisis management. Situational awareness remains key, but many entities, especially SMEs, lack mature capabilities like Security Operation Centres (SOCs) or significant investment in Cyber Threat Intelligence (CTI).
- Cybersecurity Skills: A significant challenge is the cybersecurity skills gap, which is intensifying. While national strategies address training and education, implementation and funding vary widely across Member States. Many companies, particularly SMEs, are not providing regular cybersecurity training to employees. Addressing this skills shortage requires a common EU approach to training, identifying future needs, coordinating stakeholder involvement, and potentially establishing an attestation scheme for skills.
Looking Ahead to 2030
The future threat landscape will be shaped by increasing dependencies and new technologies. Emerging technologies such as Artificial Intelligence (AI) and Post-Quantum Cryptography (PQC) introduce new risks and complexities. While certain threats, such as supply chain compromise of software dependencies, may shift in prominence, they will remain significant. Threats such as human error, exploited legacy systems, and the physical impact of environmental disruptions on digital infrastructure are expected to become more prominent. Advanced hybrid threats, combining interference, social engineering, and disinformation, remain top risks, particularly in contexts such as elections. The skills shortage threat is intensifying. The increasing power and influence of non-state actors is also a key consideration for 2030 (ENISA Foresight Cybersecurity Threats for 2030).
Conclusion
The EU cybersecurity threat landscape is complex, influenced by technology, geopolitics, and the evolving capabilities of diverse threat actors. With a substantial threat level assessed, compliance efforts under NIS2 and other related legislation are more critical than ever. Entities must focus on robust risk management, timely incident reporting, strengthening supply chain security, effective vulnerability handling, and investing in workforce skills and awareness. Maximising the use of existing EU cooperation structures and leveraging technical expertise are essential steps in building resilience against current and future cyber challenges.