ENISA Releases “NIS2 Threat Landscape 2025” – Key Insights for Europe’s Critical Sectors
The EU Agency for Cybersecurity (ENISA) has published the new edition of its “NIS2 Threat Landscape 2025” report — a strategic assessment of the leading cyber threats, trends and vulnerabilities relevant to organizations under the NIS2 Directive.
Covering activity across 2024–2025, the report serves as a critical reference point for CISOs, IT leaders and risk stakeholders preparing for upcoming NIS2 audits in 2026.
Key Trends Highlighted by ENISA TL25
1. Supply-chain attacks continue to grow
ENISA reports a rise in attacks targeting software vendors, cloud integrators, MSP/MSSP partners and CI/CD pipelines.
This places supply-chain compromise among the top NIS2 risks in sectors such as energy, transport, finance, public administration and manufacturing.
2. Identity-based attacks intensify
A sharp increase has been observed in:
credential theft
MFA bypass techniques
OAuth token compromise
session hijacking
privileged account abuse
Identity remains the primary attack vector in 2025.
3. Cloud incidents driven by misconfigurations
The most common cloud risks include:
incorrect IAM privileges
lack of segmentation
exposed cloud assets
unsecured APIs
ENISA ranks cloud security as one of the most critical NIS2 control areas.
4. Zero-day exploitation grows more sophisticated
The report notes higher activity involving:
browser zero-days
VPN/firewall vulnerabilities
supply-chain zero-day compromises
State-aligned APT groups remain the dominant users of zero-day exploits.
5. Human-factor incidents and social engineering
Phishing, BEC fraud, deepfake-enabled manipulation and attacks through legitimate communication channels remain among the most common entry vectors.
What This Means for NIS2-Regulated Organizations
ENISA’s findings highlight the need for organizations to implement:
continuous monitoring across identity, cloud and network layers
validated incident-handling procedures aligned with NIS2 reporting deadlines
visibility into third-party and supplier risks
XDR-level correlation, not only traditional SIEM logging
automated patching and vulnerability management
cloud-security controls based on least privilege principles
DIAMATIX Perspective
The ENISA TL25 report aligns with what the DIAMATIX SOC observes daily: modern attacks are multi-stage, blending identity compromise, cloud misconfigurations and supply-chain exploitation.
Identity as the primary attack surface
Most incidents begin with token theft, compromised accounts or MFA abuse.
Shield SIEM/XDR detects these behavioural patterns, which signature-based tools miss.
Supply-chain risks are now operational reality
Compromised integrations, CI/CD pipelines and software dependencies increasingly serve as entry points.
MDR 360° correlates endpoint, network and cloud signals to detect them early.
Zero-day exploitation is rising in frequency and sophistication
Detection requires behavioural analytics and correlation, not static indicators.
Our 24/7 SOC and Threat Hunting teams excel at identifying these early signals.
Cloud misconfigurations outweigh malicious attacks
Incorrect IAM roles, exposed resources and unsecured APIs remain leading contributors to NIS2-related incidents.
DIAMATIX supports clients with cloud hardening and IAM visibility.
NIS2 demands continuous vigilance. TL25 makes it clear this is achievable only through correlated visibility, automation and expert SOC operations.
Sources:
ENISA — Threat Landscape 2025
ENISA — NIS2 security measures and sector guidance
European Commission — NIS2 implementation details