Cyber threats against Europe are becoming more persistent, more sophisticated, and more convergent. This is one of the key conclusions of ENISA Threat Landscape 2025, which analyzes the past year’s cybersecurity landscape in the EU with an increasingly clear focus on actor behavior, vulnerability exploitation, and geopolitical drivers.

The report is packed with statistics, examples, and analysis. But what does it actually mean for Swedish organizations in practice? Here are five observations and reflections that should be at the top of the agenda right now.

1. Ransomware and phishing – still the biggest threats, but in new forms
Ransomware remains at the core of intrusion activity, but the ecosystem has changed. Instead of large, centrally organized groups, we now see more fragmented actors using ransomware-as-a-service, access brokers, and leaked builds to lower the barrier to entry.

Add to this the fact that phishing accounts for as much as 60% of initial intrusions, often through sophisticated campaigns leveraging AI, QR codes (“quishing”), and phishing-as-a-service. What we once referred to as “simple methods” have now become industrialized and accessible to threat actors at all levels.

Insight: It’s high time to stop underestimating “old” attacks. They’ve become both smarter and cheaper.

2. The mobile device is the new battlefield
Mobile devices — particularly Android — have emerged as one of the most targeted platforms. ENISA reports a growing number of infections involving banking trojans, remote access trojans (RATs), and spyware targeting both civilians and diplomats.

We are also seeing state-linked groups exploiting legacy mobile protocols (SS7 and Diameter) for silent surveillance, without needing to compromise the device itself.

Insight: The mobile device is no longer just an endpoint. It has become a direct target — technically, tactically, and politically.

3. AI – Both a Weapon and a Target
AI is now used in more than 80% of all phishing campaigns worldwide. Equally concerning is the rise of deepfakes in fraud schemes — it’s no longer enough to hear or see a person to know you’re actually speaking with them.

At the same time, threat actors have begun attacking the AI supply chain itself, with examples including backdoors in code assistants and poisoned machine learning models. What was once seen as a means of protection has now become part of the threat landscape.

Insight: If your organization uses AI — which most do today — it must be integrated into your security architecture. AI can no longer be treated as a separate function.

4. Supply Chains Remain a Weak Link – and One of Attackers’ Favorite Targets
Supply chain attacks continue to rise. These no longer concern only software and code libraries, but also IT service providers, platform vendors, and even browser extensions.

Several attacks over the past year have shown how compromised third-party providers have affected thousands of users and breached established security barriers. Sound familiar? It’s exactly what I warned about in my article on digital supply chains in May last year.

Insight: If you don’t understand how your supplier’s security solutions impact your own environment, then you’re not the one in control.

5. Cybercrime, Hacktivism and State Actors – The Lines Are Blurring
By 2025, the boundaries between different threat actors have become increasingly blurred. Hacktivists act as proxies for state interests. Criminal groups use state-developed tools. And state actors hide their tracks behind DDoS attacks and data breaches that appear to be activism.

ENISA describes this as a converged threat landscape: fewer isolated high-profile attacks, but more persistent, diversified, and parallel campaigns that together erode the resilience of European societies.

Insight: We no longer face separate threats – but a landscape where multiple threats operate simultaneously and reinforce one another.

Conclusion: From Incident Response to Continuous Resilience
Perhaps the most important shift is this: in the past, we focused on responding to incidents. Now, we must think in terms of resilience — the ability to withstand attacks and continue operating despite them. This requires a change in mindset:

  • From point solutions to integrated architectures.
  • From a purely technical focus to business-critical security.
  • From expected compliance to proactive threat analysis.

And above all, it requires us to start asking the right questions — of our suppliers, our partners, and ourselves.
