ENISA Threat Landscape 2025: What It Means for Cyber Defenders

The European Union Agency for Cybersecurity (ENISA) has just released its annual Threat Landscape 2025 report. Covering July 2024 to June 2025, the study is a detailed snapshot of how Europe’s cyber environment has shifted over the past year.

It’s a story of disruption at scale, powered by hacktivism, ransomware, and the industrialisation of phishing. And while many of the threats are familiar, the speed and scale at which they now unfold should concern every defender.

Who is being targeted?

Public administration stands out. More than a third of incidents—38.2%—hit government networks and portals. Hacktivists, often ideology-driven, are behind the vast majority of these attacks. France, Italy, and Germany took the hardest hits.

The transport sector was also heavily disrupted. Airports, logistics networks, and even maritime operators faced waves of DDoS. In some cases, ransomware took down passenger systems, forcing flights to be grounded.

Digital infrastructure, finance, and manufacturing round out the other high-value targets. Together, these five sectors made up more than half of all recorded incidents.

The threats we face

One trend dominates in volume: DDoS attacks. Driven by cheap, readily available tools, they accounted for 77 percent of incidents. Most were short-lived and low impact, but the sheer frequency makes them impossible to ignore.

When it comes to impact, ransomware remains king. Even as major groups like LockBit faced takedowns, new strains and RaaS programs quickly filled the gap. ENISA tracked over 80 different ransomware variants active in Europe during the reporting period.

Phishing continues to open the door. Sixty percent of intrusions started here, often powered by “Phishing-as-a-Service” platforms that let even low-skill operators clone login portals and bypass MFA. And increasingly, adversaries are weaponising AI to make lures nearly indistinguishable from the real thing.

Vulnerabilities are weaponised fast. Exploits were observed just days after public disclosure, with over 21 percent of intrusions starting from unpatched flaws.

Meanwhile, state-aligned activity is intensifying. Russian, Chinese, and North Korean groups all appear in ENISA’s dataset, often focusing on telecoms, logistics, and manufacturing.

What this means for defenders

The key lesson is that resilience is as important as detection. Attacks may not always aim to steal data. Many are designed to disrupt, embarrass, or destabilise.

Some practical takeaways:

  • Expect continuous, low-level disruption rather than single catastrophic events.
  • Prioritise patch management and hygiene—vulnerabilities are weaponised almost instantly.
  • Assume that AI-enhanced phishing will keep getting harder to spot.
  • Prepare for supply chain exposure—providers and open-source ecosystems are now part of the attack surface.

ThreatMon’s Perspective

At ThreatMon, these findings are no surprise. Our intelligence teams see the same patterns every day. Hacktivist chatter around DDoS campaigns. New ransomware strains emerging weekly. Phishing kits circulating across underground forums, now fine-tuned with AI.

That’s why we built solutions focused on exactly these pressure points:

  • Supply Chain Risk Intelligence to map vendor dependencies and exposures.
  • Real-time DDoS and hacktivism monitoring to help organisations brace before disruption hits.
  • Continuous phishing intelligence to uncover emerging infrastructure and tactics.
  • Layered risk scoring to combine cybercrime, hacktivist, and state-aligned activity into one actionable view.

Final word

ENISA’s 2025 report paints a picture of a threat landscape that is converging. Hacktivists, cybercriminals, and state actors increasingly share tools, techniques, and targets. The challenge for defenders is not just to stop attacks, but to stay one step ahead of an environment where disruption, ideology, and profit all overlap.

At ThreatMon, our mission is to help organisations turn these insights into action—moving from blind spots to foresight, and from disruption to resilience.
