ENISA’s Threat Landscape meets a patchy NIS2 rollout
Two pictures of Europe’s security posture landed this month. The European Union Agency for Cybersecurity’s (ENISA) Threat Landscape 2025 paints a continent under persistent pressure from converging state-aligned groups, cyber-criminals and hacktivists, with attackers borrowing one another’s tooling and rhythm. At the same time, the Network and Information Systems (NIS2) regime—Europe’s central lever for raising baseline security—remains unevenly embedded in national law. The European Commission issued reasoned opinions to 19 Member States on 7 May 2025 for failing to notify full transposition. The combination is uncomfortable: supervisory expectations are rising, but the on-the-ground rules, timelines and penalties still vary across borders.
What ENISA says—by the numbers
This year’s ENISA Threat Landscape (ETL) draws on 4,875 analysed incidents across the EU ecosystem. The patterns are familiar but sharper: DDoS dominates by volume, ransomware remains the most damaging by business impact, and industrial/OT exposure increases as previously isolated networks connect for efficiency and data. ENISA’s press note stresses the convergence of threat actors and the reuse of tooling, which narrows defenders’ reaction time and makes “one-and-done” compliance exercises obsolete. The report’s methodology was refreshed in August 2025 to systematise how scenarios are built and scored—useful if you’re aligning your own tabletop drills and dashboards.
NIS2: a single directive, 27 flavours (for now)
NIS2 set minimum-harmonisation requirements, but Member States can add national specifics. With transposition still incomplete in many capitals, entities deemed “essential” or “important” face a moving target: reporting thresholds, timelines, and supervisory practice differ pending domestic laws and guidance. The Commission’s May notice names the laggards; ECSO’s Transposition Tracker gives a live view of who has landed what. Legal advisories through summer underscore the practical reality: buyers will tighten contract language and procurement controls ahead of full supervisory maturity. Vendors will meet hardened tender clauses long before a regulator knocks.
What good looks like in the meantime
Absent uniform national rules, there’s a pragmatic path that satisfies most supervisors and most smart customers. Start with an evidence-first posture that maps directly to ENISA’s priorities and the NIS2 articles you know won’t change in spirit: asset inventories that include OT, network segmentation diagrams, MFA coverage for external and admin access, backup integrity tests with restore proofs, supplier access controls, and IR/notification playbooks with named roles. Present these as a living pack, not a PDF you dust off in Q4. The point is credibility: if an assessor asks “show me,” you have artefacts, not aspirations.
OT and the board: move from “awareness” to “assurance”
ENISA’s data continues the drift of real risk to plants, depots and transport hubs. That pushes segmentation, logging and fail-over drills out of the security office and into operational management, where downtime is existential. In practice, that means site-level network maps tied to tested isolation procedures, generator/UPS run-books, and supplier SLAs for remote access to machinery. When you walk a board through cyber posture now, bring graphs for OT incident KPIs alongside the usual IT telemetry. If you depend on managed service partners, ask for their NIS2 track to be documented and mapped to your own—not “we’re compliant,” but a shared chain of evidence.
DDoS is loud; pre-positioning is quiet—plan for both
ETL 2025 highlights the duality defenders face: noisy volumetric attacks that demand resilient capacity, and quiet footholds that sit for weeks before a timed disruption. The right answer is operational, not rhetorical. On the loud side: tested scrubbing arrangements, anycast-friendly architectures, and service contracts that spell out activation times and comms. On the quiet side: east-west visibility, workload baselining, and tabletop exercises that include “is this an incident yet?” decision points with legal and communications at the table.
Procurement will harden before supervision does
Even where NIS2 isn’t fully transposed, buyers are already shifting language in RFPs. Expect explicit asks for ENISA-aligned controls, log schemas, SBOM/SaaS attestations, and evidence of backup restore tests, not just a certificate wall. If you sell across borders, track the ECSO map and keep a country-delta annex that lists any deviations in reporting windows or sector scoping. When the inevitable update lands in Berlin, Madrid or Warsaw, you should be tweaking a living document—not writing from scratch.
TQS bottom line
Europe’s threat tempo is up while rulebooks are still settling. Treat ETL 2025 as the scenario pack to tune your controls and your board narrative; treat NIS2 as the evidence discipline that forces those controls to be demonstrable. If you operate or sell in multiple Member States, build once to the stricter intersection, then maintain a light country overlay as laws complete. That is the quickest path to credible audits, faster tenders and fewer Friday-evening surprises.
Companion read: “EUDI Wallet: Electronic Attestations of Attributes move from draft to deploy.” (Available 28.10.2025)
Sources
- ENISA, Threat Landscape 2025 (PDF).
- ENISA, press release on ETL 2025.
- ENISA, publications hub (methodology update, August 2025).
- European Commission — NIS2 transposition notice (reasoned opinions, 7 May 2025).
- ECSO — NIS2 Directive Transposition Tracker.
- Greenberg Traurig — legal/market perspective on NIS2 implementation and national deltas.