The 2025 ENISA Threat Landscape: Why Traditional Perimeters Keep Failing?


The European Union Agency for Cybersecurity (ENISA) is the EU’s centre of expertise for cyber-security and resilience. Each year, ENISA publishes a “Threat Landscape” report that aggregates publicly available incident data across EU Member States, summarizing the dominant threats, threat actors, and attack patterns. 

The 2025 edition covers 4,875 incidents between 1 July 2024 and 30 June 2025.

For organizations worldwide, including businesses, public institutions, and critical infrastructure providers, this report offers a valuable external lens into evolving cyber risk. The 2025 findings reveal trends that challenge traditional perimeter-based security models and demand a rethink of how we protect networks, data, and operations.

Understanding the 2025 Threat Landscape: Trends, Patterns & Threat Taxonomy

The 2025 ENISA Threat Landscape underscores that DDoS attacks are by far the most commonly reported incident type. 77% of the total 4,875 incidents were DDoS, mostly low-impact, hacktivist-driven campaigns. 

Although these are often more nuisance than destructive events, their frequency and scale signal a shift: many attackers no longer aim for complex, high-reward breaches. Instead, they rely on saturation, disruption, and visibility.

Hacktivism accounted for nearly 80% of all incidents, an indicator that ideology-driven campaigns remain a major driver of volume attacks. 

Phishing & Vulnerability Exploitation Remain Primary Entry Vectors

  • ENISA’s 2025 data shows that phishing (including vishing, malspam, malvertising) was the initial intrusion vector in about 60% of intrusion cases. 
  • Vulnerability exploitation, meaning exploitation of unpatched software, misconfigurations, or public-facing services, was responsible for 21.3% of intrusion cases.
  • These patterns highlight that attackers increasingly rely on social engineering, simple exploit paths, and known vulnerabilities, rather than zero-day exploits or extremely sophisticated tools.

Ransomware: Fewer but Far More Impactful

Although DDoS and hacktivism dominate numerically, ENISA identifies ransomware as the most impactful threat, meaning that when it hits, it delivers the greatest damage in terms of downtime, data loss, and recovery costs. 

The combination of high-frequency nuisance attacks and lower-frequency high-impact attacks makes the threat landscape both noisy and dangerous.

Targeted Sectors

More than half of all incidents (53.7%) impacted entities considered “essential” under the EU’s regulatory definitions.

This underlines how cyber-risk has become a systemic threat, not merely an IT concern, with potential cascading effects across public services, transport systems, financial institutions, and digital infrastructure.

Sector | Share of All Reported Incidents
Public Administration | 38.2%
Transport | 7.5%
Digital Infrastructure & Services | 4.8%
Finance | 4.5%
Manufacturing | 2.9%

Emerging Complexity: Threat Actor Convergence and AI-Assisted Tactics

The 2025 report signals that threat groups, hacktivists, cybercriminals, and state-aligned actors increasingly reuse tools, share techniques, and converge in their modus operandi. 

Moreover, ENISA and related commentary report a rising role for AI and automation, especially in phishing campaigns and social-engineering attacks. AI-supported phishing, synthetic-voice/video impersonation, and automated exploit tooling are now becoming the norm rather than the exception.

This evolution marks a shift in the threat taxonomy: attackers rely less on handcrafted, bespoke exploits, and more on automation, scale, and deception.

Sector-Level Insights: What ENISA Data Means for Finance and Health

Given the rising use of cloud-based medical record systems, remote access tools, and third-party integrations, healthcare, like finance and public infrastructure, remains among the most vulnerable sectors.

Combined with the 2025 trends, this means health providers must update their security posture beyond classic perimeter defense.

Finance Sector

ENISA’s 2025 finance-sector report highlights the evolving threat landscape for banks and credit institutions:

  • DDoS/service disruption: 46% of reported incidents.
  • Data theft/fraud: 15% of incidents.
  • Social engineering/phishing: 13% of incidents.
  • Ransomware: 10% of incidents.
  • Most affected assets: IT infrastructure (35%), operations (29%), and customer data (19%).

Implications: Financial institutions face combined operational and data risks. Traditional perimeter defenses are no longer enough. 

Strong identity protections, encryption, network segmentation, monitoring, and remote-access security are critical, especially for cross-jurisdiction or digital banking services.

Healthcare & Other Critical Sectors

Critical sectors share common threats with finance: disruption, data theft, social engineering, and supply-chain vulnerabilities. Defense-in-depth, IAM, encryption, patching, and staff awareness remain essential.

  • Ransomware: 54% of incidents.
  • Data breaches/leaks: 46% of incidents.
  • Supply-chain attacks: 7% of incidents.
  • Hospitals: 42% of incidents.

Why Traditional Perimeter-Based Security No Longer Suffices?

Given those patterns, legacy security strategies centered around perimeter defense (firewalls, network segmentation, on-prem gatekeeping) face fundamental limitations:

  • Perimeters are blind to social-engineering and phishing. Attackers often enter via legitimate credentials or compromised accounts.
  • Trusted services and cloud platforms are being weaponized. Attack commands can be disguised within normal traffic to legitimate services, bypassing perimeter filters.
  • Volume-based threats (DDoS, automated phishing) overwhelm reactive defenses. Static infrastructure defenses can be saturated or bypassed with minimal effort.
  • High-impact attacks (ransomware) exploit gaps in endpoint security, identity controls, and backup/response planning, which perimeters alone don’t cover.
  • Critical sectors are increasingly under persistent, multi-vector threat, requiring defense models that assume compromise is possible, not just preventable.

In essence, modern cyber-threats “erase the perimeter.” Trust boundaries shift, and attackers exploit scale, automation, and legitimate infrastructure, making static defenses inadequate.

Looking Ahead: What the ENISA Findings Suggest for a 2030 Threat Landscape

Based on ENISA’s latest analysis and observed trends, the cyber-threat landscape is expected to evolve significantly by 2030:

  • AI-driven attacks will become mainstream. ENISA identifies “Abuse of AI” as a top emerging threat, with AI-powered phishing and social-engineering campaigns already accounting for over 80% of observed social-engineering incidents in early 2025.
  • Hybrid, multi-vector campaigns will rise. ENISA’s 2025 report analyzed 4,875 incidents across the EU, finding 77% involved DDoS, ≈60% involved phishing, and ≈21% involved vulnerability exploitation. By 2030, attackers are expected to combine DDoS, ransomware, supply-chain exploits, and AI-based social engineering in coordinated campaigns.
  • Perimeter defenses are no longer enough. Stealthy attacks in encrypted traffic and legitimate services can bypass firewalls and IDS.
  • Systemic risk is rising. Supply-chain compromises can cascade across sectors, especially critical infrastructure.
  • Shift to resilience and zero-trust. Identity-aware design, segmentation, encryption, and continuous monitoring become essential, replacing the traditional perimeter model.

Strategic Lessons for Security Planners & IT Leaders

ENISA’s 2025 threat findings highlight the need for proactive, layered, and identity-aware security strategies.

Lesson | Recommended Actions
Assume compromise is inevitable | Build detection, response, and network segmentation; don’t rely on prevention alone. ENISA 2025 analyzed 4,875 incidents, including 77% DDoS and ≈60% phishing.
Protect identity & communication channels | Use encryption, multi-factor authentication, and continuous monitoring rather than trusting network location implicitly.
Isolate critical workloads | Treat finance, transport, and public infrastructure as micro-domains with strict access controls; supply-chain attacks affect a significant portion of systems.
Plan for multi-vector attacks | Combine prevention (patching, firewalls) with resilience (backups, recovery, and incident response).
Update threat taxonomy | Include AI-assisted phishing, living-off-trusted-services, supply-chain abuse, and hybrid campaigns.

How PureVPN White Label VPN Solution Helps

PureVPN White-Label VPN Solution helps organizations strengthen security by providing fully encrypted, private connections for employees, partners, and remote teams. It allows businesses to maintain secure communication channels, protect sensitive data, and manage access across multiple devices and locations with ease.

Additionally, the white-label VPN offers custom branding and seamless integration, enabling IT leaders to deploy a tailored security solution without heavy infrastructure investments. Its centralized management, dedicated IPs, and scalable architecture help organizations implement zero-trust principles and maintain continuous control over network access.

Frequently Asked Questions
What is phishing according to ENISA?
Phishing, according to ENISA, is a social engineering attack where cybercriminals trick users into revealing sensitive information through emails, messages, or malicious websites.
Is the US in danger of cyber attack?
Yes, the US faces persistent cyber threats targeting critical infrastructure, government systems, and private enterprises, from state-aligned actors, cybercriminals, and hacktivists.
What are the 4 main types of cyber threats?
The four main types of cyber threats are malware, phishing/social engineering, ransomware, and denial-of-service attacks.
What is ransomware?
Ransomware is malicious software that encrypts a victim’s data and demands payment for its release, often causing operational disruption and financial loss.

Conclusion

The ENISA 2025 Threat Landscape shows that cyber threats are now continuous, automated, multi-vector, and increasingly stealthy. Legacy perimeter defenses are no longer enough. Organizations across finance, public administration, transport, health, and infrastructure must focus on resilience, identity security, encrypted communications, network segmentation, and adaptive defenses. 

The era of “inside vs outside” security is ending, giving way to zero-trust architectures, secure connectivity, and continuous vigilance, essential for surviving and thriving in today’s evolving threat landscape.

Sources

ENISA Threat Landscape 2025 – Full Report
ENISA Threat Landscape 2025 – Summary / News Release
ENISA Threat Landscape 2025 – Booklet (Sector Breakdown) 
ENISA Threat Landscape – Finance Sector
ENISA Threat Landscape – Health Sector (2023 Report PDF)
