Brussels – Public administration is as tempting a target for cyber attacks as it is an easy one. Despite being one of the EU’s priority areas for action in cybersecurity, the defence of public digital infrastructure has lagged, exposing a range of services fundamental to citizens’ lives to increasing risks. Sounding the alarm is ENISA, the European Union Agency for Cybersecurity, in its November 2025 report.
The public administration (PA) sector, recalls the Athens-based body, is considered “highly critical” under the so-called NIS2 directive, with which the 12-star co-legislators (EU Parliament and Council) updated the relevant legislation in 2022. Those rules established a unified legal framework to ensure minimum security levels in 18 critical sectors, urging member states to define national cybersecurity strategies.
Yet, ENISA’s report warns, the PA’s digital infrastructure remains too vulnerable to malicious action, despite its centrality in providing indispensable services to citizens, from education to healthcare, from transport to waste collection. The sector is “still developing its cybersecurity resilience,” reads an agency statement. Translated: it takes little to compromise it, even seriously.

The report analysed 596 cyber incidents that occurred in 2024, targeting the public administrations of the Twenty-Seven. With 38 per cent of the reports, the Public Administration sector is defined as “at risk” and is the most affected in the EU. Specifically, the most affected were the central governments (69 per cent of the total), mainly through attacks on the websites of parliaments, ministries, and national authorities or agencies.
Among the most frequent types of incidents are distributed denial-of-service (DDoS) attacks, which overload the targeted server with requests until it stops working. They account for 60 per cent of the total but usually have short durations and produce a limited impact. More dangerous, though less frequent, are data breaches and so-called ransomware, i.e., malicious programmes (malware) that “infect devices” in various ways and demand a ransom to unlock the devices or the files on them, if those have been encrypted to prevent their use.
Data-related threats, ENISA explains, include both breaches per se (17.4 per cent of cases) and data exposures (1 per cent), and represent the second most frequent type of incidents recorded by PAs in 2024. The employment services, the platforms of local administrations, as well as the sites of law enforcement and educational systems, were in the crosshairs.
As for the malicious actors, 2.5 per cent of total incidents are attributed to entities linked in some way to state powers, responsible for what the Agency calls cyberespionage campaigns. A small share, but one whose impact on national security may prove to be “significant.” The lion’s share—just under 63 per cent—is taken by the so-called hacktivists, i.e., individuals or collectives ideologically motivated to defend a political cause. Finally, “cybercrime operators” account for about 16 per cent of the total.

“EU public administrations are likely to remain the most affected sector in the short to medium term,” ENISA predicts, especially given the new possibilities offered by artificial intelligence (AI) developments. Among the services most at risk, according to the report, are those of tax portals, electronic identification systems, and court work management.
What to do, then? To counter DDoS, the EU Agency suggests strengthening controls to improve “architectural resilience and operational readiness,” also through operations such as enrolling critical sites in a “content distribution network” or protecting them with a “firewall for web applications.”
Regarding incidents involving data, recommendations include multi-factor authentication with conditional access and privileged access management. Regarding ransomware, the implementation of specific protocols, such as Endpoint Detection and Response (EDR), is mentioned. In general, ENISA recommends improved preparedness and response, and greater cooperation between Member State authorities, both domestically and across countries.
English version by the Translation Service of Withub






