Cyber-attacks in the EU: 10,000 in the last year, 19% against the Administration

ARTICLE

10 | 04 | 2025

The European Cybersecurity Agency analyzes the risks, as part of the architecture designed by Brussels to ensure the Union's cyber-resilience.

In the last year, some 10,000 cyber attacks were recorded in the European Union, 41.1% of which were denials of service, 25.7% malware and 19% personal data breaches. The sectors most affected were public administration (19%), transportation (11%) and banking and finance (9%). This is shown in the annual report of ENISA, the European agency responsible for monitoring the state of cybersecurity in the EU, which is an important part of the architecture set up to ensure cyber resilience in the Union.

The European Union Agency for Cybersecurity (ENISA), particularly attentive to the increased risks posed by Russia's invasion of Ukraine, which used cyberspace as one of the fronts for its attacks, points out in its latest report the main threats facing the EU in this field. These include the compromise of the software supply chain, disinformation campaigns, increased digital surveillance and loss of privacy, targeted attacks on smart devices, the rise of advanced hybrid threats and the abuse of artificial intelligence.

According to ENISA's report data, between July 2023 and June 2024 the most frequent types of threats were Denial of Service (DoS), Distributed Denial of Service (DDoS) and Ransomware Denial of Service (RDoS). This group accounted for 41.1% of the total, with 4,120 incidents; it refers to attacks whose goal is to disable the use of a system, an application or a machine, in order to block the service for which it is intended. Each web server can allow a certain number of parallel connections; when this number is exceeded, the servers slow down and may even crash or disconnect from the network. The difference between DoS and DDoS lies in the number of computers or IP addresses performing the attack.

Ransomware represented the second most common threat with 2,590 incidents (25.79%). This is a type of malicious software (malware) that holds a victim's confidential data or device hostage, threatening to keep it locked or worse, unless the victim pays a ransom to the attacker. In third place, with 1,910 incidents (19.01%), were "personal data breaches," defined as incidents that result in the accidental or unlawful destruction, loss or alteration of personal data transmitted, retained or otherwise processed, or unauthorized communication or access to such data. Other threats include social engineering, malware attacks and supply chain attacks, among others, but none accounted for 10% of the total.

The report concluded that during the last year studied, the sectors most affected by attacks were public administration (19%), transportation (11%) and banking and finance (9%). Other areas impacted include business services, as well as digital infrastructure and the general public. Additionally, it can be seen that cybercrime activity has increased compared to the past decade, peaking in July 2023 with more than 800 incidents. Subsequently in 2023, this number contracted, hovering between 220 and 400 incidents each month. In 2024, there was a slight increase from fewer than 400 incidents in January to almost 600 in June 2024.

The increase in cybercrime activity is of concern to the European Police Office (Europol), which in its 2023 'Internet Organised Crime Assessment' report noted that growing geopolitical crises around the world have increased disruptive cyberattacks. It further states that European Union member states have been the most affected.

EU cybersecurity regulations

The EU has long been building its structure to deal with a risk that has been accelerated by the exponential growth of digital applications in all activities. The creation of ENISA in 2004 was an important step; its mission is to ensure European cybersecurity, supporting authorities and institutions at national and EU level and contributing to the development of specific laws and policies. Other instruments have been adopted and implemented in these two decades. A new EU Cybersecurity Strategy was presented in December 2020.

One of the latest achievements was the entry into force in February 2025 of the EU Cybersecurity Regulation, which sets out the objectives, tasks and organizational aspects that ENISA must have. The document had been approved in June 2019 by the European committee; in December 2024 an amendment was agreed whereby the future adoption of certification schemes for managed security services was allowed. These services include incident management, penetration testing and audits, among other aspects. Also, last December, the Cybersolidarity Regulation was adopted, which seeks to address cybersecurity threats more effectively, increasing solidarity and cooperation between European countries.

One of the main pillars of the Cybersecurity Regulation is the Security Alert System, composed of national and cross-border cyber centers across the EU, which is responsible for detecting, preventing or stopping cyber threats, exchanging information to strengthen cooperation between nations. Another pillar is the Cybersecurity Emergency Mechanism, which involves private companies that support states in the event of serious incidents and focuses on potential threats in the health, transport and energy sectors. A third pillar is the Incident Review Mechanism for taking appropriate measures in emergency situations. ENISA will be in charge of assessing threats and submitting reports dictating the most effective action plans in each situation. Additionally, the Regulation underlines the need for information exchange and cooperation between private and public bodies and between cross-border institutions, as well as the protection of data, emphasizing data confidentiality and the protection of entities' interests.

Another Regulation of great importance in this context is the Cyber Resilience Regulation, adopted in October 2024 and published in the Official Journal of the European Union in November, although it dates back to September 2021 when it was announced in a speech by Commission President Ursula von der Leyen.

This regulation establishes a legal framework for manufacturers of products connected to the network. It includes requirements for the safe use of digital products, such as cameras, televisions or toys, which are directly or indirectly connected to the Internet. It seeks to supervise the design, development, manufacture and market introduction of hardware and software products that are connected to the network. All products that meet the safety requirements are marked with the letters 'CE'. Likewise, penalties are established for companies that fail to comply with them. This regulation is expected to achieve a more transparent use of products of this type, to keep consumers informed of the products they purchase and to protect them from possible threats.