By Danny Zeegers
“What if the hacker isn’t some guy in a hoodie in a basement, but a sovereign nation’s digital shock troop — riding AI and proxies into your cloud dashboard?”
In the ever-thickening fog of cyberwarfare, a haunting truth echoes across boardrooms, data centers, and ministries alike: resilience isn’t optional anymore — it’s existential. As the ENISA Threat Landscape 2025 reveals, the line between state attacks, cybercrime, and digital sabotage is blurring so rapidly that regulation like NIS2 may be the EU’s last solid ground before the tide breaks.
And make no mistake: the tide is rising — faster than most organisations are adapting.
🔥 The New Threat Geometry: Convergence, Automation, Industrialisation

Three tectonic shifts are shaking up Europe’s cyber risk surface:
1. Convergence
State-sponsored actors are dressing as cybercriminals. Hacktivists are moonlighting as ransomware gangs. Espionage, sabotage, and extortion now share infrastructure, tooling, and objectives.
From Russia-nexus Sandworm to North Korea’s Kimsuky, even “independent” ransomware operators are turning into proxy combatants — weaponised for geopolitical disruption.
2. Automation
AI is the great enabler. 80% of phishing emails in late 2024 were AI-generated. Deepfake voice scams, QR-based session hijacking, and LLM-powered malware engineering are now commercialised at scale.
Adversaries are using WormGPT, FraudGPT, and even standalone malicious AIs like Xanthorox to craft spearphishing and automate social engineering — leaving traditional SOC playbooks behind.
3. Industrialisation
Attacks aren’t handcrafted anymore. They’re outsourced, modular, and productised.
- Phishing-as-a-Service (PhaaS) is now delivering Netflix-style toolkits for low-skill criminals.
- Supply chain attacks on npm, Chrome extensions, and cloud APIs target not just one company — but everyone downstream.
- Zero-day exploitation is now frequent, affecting even core infrastructure (Juniper, Cisco, Qualcomm, Microsoft Copilot, etc.).
The dark web no longer sells malware. It sells operations-as-a-service.
What This Means for NIS2 Resilience

NIS2 mandates are no longer checklists. They’re survival playbooks. But the gap between compliance and capability is growing dangerously wide.
Here’s where organisations need to act immediately:
🧩 1. Full-spectrum Asset Discovery & Dependency Mapping
If you don’t know what’s in your ecosystem — your software repos, third-party APIs, browser plugins — you’re not resilient. You’re blind.
“Secret sprawl” in GitHub and cloud repos rose 25% in 2024. Supply chain compromise is no longer rare — it’s a strategy (ENISA Threat Landscape 2025).
🔐 2. AI-Enhanced Threat Hunting
Signature-based defenses won’t save you from polymorphic malware or voice-generated vishing. Detection must go behavioural, context-aware, and automated.
ENISA recommends building capabilities for proactive threat hunting, not just log analysis.
🧠 3. Operationalise Risk
Integrate cyber risk into core business planning — not as a post-breach mitigation, but as continuous posture tracking.
Use red team simulations, tabletop exercises, and third-party risk assessments to align with NIS2 Article 21 obligations on risk management.
🧭 4. Cyber-Physical Awareness
Attacks like “nearest-neighbour Wi-Fi” breaches, targeting of Android vulnerabilities via battlefield-collected devices, and SS7/Diameter protocol exploits bypass traditional security entirely.
Critical sectors — transport, energy, healthcare — must expand risk assessments to include non-IT vectors.
🤝 5. Real Cross-Border Collaboration
The use of EU infrastructure as command-and-control hosts is surging. So is the impersonation of EU institutions in spearphishing. Without collective situational awareness, detection remains fragmented and attribution breaks.
The Big Lie: That You’ll Have Time to React

In the world that ENISA sketches for 2025–2026, reaction time is dead. Your perimeter? Already breached. Your cloud API? Already mimicked. Your trusted vendor? Already compromised.
So in 2026, winning against hacking attempts isn’t everything — it’s the only thing.
📊 Threat Landscape Breakdown:

🔍 Top Threat Domains and Vulnerability Vectors (% based on ENISA 2025 reporting)
| Threat Domain | Estimated Share of Threat Activity | Notable Techniques & Trends |
|---|---|---|
| Phishing & Credential Harvesting | ~22% | AI-enhanced phishing, QR code phishing (quishing), PhaaS kits like Darcula, Lucid, FlowerStorm |
| Ransomware (incl. RaaS) | ~18% | Encrypting malware, extortion, double extortion, LockBit, FunkLocker, and politicised ransomware |
| Supply Chain Exploits | ~15% | Compromised npm packages, Chrome/VPN extensions, poisoned AI model repos, CI/CD pipeline injection |
| Mobile & IoT Targeting | ~13% | Android RATs (Rafel, Medusa), SIM protocol exploits (SS7), IoT botnets, telecom SS7/Diameter attacks |
| Data Breaches & Initial Access | ~12% | Marketplace sales, VPN and RDP exposure, IAB economy growth, leaked police/telecom records |
| AI-Powered Threats | ~10% | WormGPT/FraudGPT, deepfakes, impersonation, malware from fake AI tools, poisoned ML models |
| Hacktivism / State-Backed IO | ~8% | Fake DDoS, Telegram recruitment, platform abuse, EU/NATO branding in phishing kits |
| In-memory Malware & Anti-EDR | ~2% | EDRKillShifter, sandbox-evasion, anti-VM payloads, memory-only payloads (e.g., GRAPELOADER) |
Note: Percentages are based on reported cases, ENISA prevalence analysis, and severity of systemic impact.
CALL TO ACTION: “Defend the Edge Before It Folds Inward”

The clock isn’t just ticking — it’s accelerating.
Organisations subject to NIS2 need to treat resilience not as a checkbox, but as a live-fire readiness exercise.
Here’s what to do before Q2 2026:
1. Build AI-Native Defenses
- Deploy behavioural analytics capable of detecting AI-generated phishing, polymorphic malware, and deepfakes.
- Monitor employee-targeted LinkedIn impersonation or LLM abuse.
- Don’t just block WormGPT—simulate it.
2. Automate Exposure Discovery
- Use asset intelligence to map cloud, shadow IT, GitHub repos, and third-party plug-ins.
- Adopt automated secret scanning and vulnerability scoring.
- Harden your AI pipeline: scan PyPI, Conda, and GitHub Copilot config files for backdoors.
3. Integrate Threat Intel Into Governance
- Link threat intelligence feeds with NIS2-mandated risk registers.
- Conduct board-level briefings on ransomware TTPs.
- Elevate your CISO’s visibility across procurement, legal, and communications.
4. Form Regional Coalitions
- Don’t wait for Brussels.
- Build sectoral CERT alliances. Share IOCs with peers and local governments.
- Simulate cross-border tabletop incidents with other NIS2 entities.
5. Prepare for Coordinated Multi-Vector Attacks
- Assume the adversary already has initial access.
- Rehearse scenarios: fake EU emails, telecom protocol hacks, cloud key exfiltration, and simultaneous ransomware + misinformation campaigns.
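Step 2 above calls for automated secret scanning of repos and config files. The following is an added example (not from the ENISA report or this article) of the core of such a scanner: known-format patterns plus a Shannon-entropy filter so that long placeholder strings are not flagged, with matched values redacted before they reach a log or ticket. The rule names, thresholds and sample repository contents are constructed for illustration; the AWS key shown is the documentation example key, not a live credential.

```python
import math
import re
from collections import Counter

# Constructed rule set: well-known credential shapes plus a generic "name = value" catch-all.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})[\"']?"
    ),
}

def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, 'xxxx...' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value):
    """Keep a short prefix for triage; never write the full secret to findings."""
    return value[:4] + "..." if len(value) > 4 else "****"

def scan_text(text, path="<memory>", entropy_threshold=3.5):
    """Return one finding per (line, rule) hit; generic hits must pass the entropy filter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                continue  # long but low-entropy placeholder, e.g. "xxxxxxxxxxxxxxxx"
            findings.append({"path": path, "line": lineno, "rule": rule, "preview": redact(value)})
    return findings

# Constructed sample of what a secret-sprawl scan might see in a committed config file.
SAMPLE = """\
db_host = db.internal.example
db_password = changeme
token = "xxxxxxxxxxxxxxxxxxxxxxxx"
api_key = "Zx9qLm2pRt7vWk4yHn8bDf3sGj6cQa1e"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, path="config/settings.env"):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['preview']}")
```

Running it flags the high-entropy API key, the AWS key id and the private key header, while the short and low-entropy placeholders pass silently.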
Closing Thoughts:
Resilience doesn’t mean absorbing damage. It means staying upright when the cyber hurricane hits.
With NIS2 enforcement, the regulators are watching. But more importantly — so are the attackers.
NIS2 is not just about proving compliance. It’s about building digital war rooms in peace time.
If you’re waiting for the perfect regulation update before acting, here’s a reality check: the attackers aren’t waiting.

https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025_0.pdf