Evolution of the Threat Landscape Exposes Critical Gaps in Europe’s Cyber Policy
The cybersecurity landscape is undergoing significant transformation, as highlighted by the latest findings from Cisco Talos. Each year, the organization analyzes data points from the global threat environment, revealing patterns that extend beyond mere technicalities. These insights have profound implications for how governments, businesses, and institutions approach security. The recent Talos Year in Review indicates that the threat landscape has undergone structural changes, many of which remain unaddressed by current European cyber policies.
Not Unpatched Devices. Unpatchable Ones.
In Europe, the implementation of the NIS2 Directive and the Cyber Resilience Act (CRA) is underway, alongside discussions regarding the future of the Cyber Security Act (CSA). A critical statistic emerges: 40% of the most targeted vulnerabilities in 2025 pertained to End-of-Life devices. These are not merely unpatched devices; they are unpatchable ones—hardware integral to critical infrastructure that is too outdated to receive support.
This situation presents a unique policy challenge. The CRA mandates that vendors ensure security throughout a product’s lifecycle, while NIS2 requires critical infrastructure operators to adopt robust security measures. However, neither framework directly addresses the management of devices once they reach the end of their lifecycle.
Ideally, explicit guidance on managing obsolete devices would be established at the European level. Unfortunately, such guidance is absent from the NIS2 Implementing Regulation and ENISA’s Technical Implementation Guidance, as well as from the CSA review. Encouragingly, some countries are exploring how their NIS2 implementation could tackle this issue.
Policymakers should also consider how the European Competitiveness Fund within the EU Multiannual Financial Framework (MFF) could facilitate the replacement of legacy infrastructure in critical sectors.
Technical debt is real, it is growing, and as we will see below, AI is about to make it significantly more dangerous.
AI Is Compressing the Threat Timeline
The report identifies the emergence of agentic malware that not only executes commands but also observes and acts independently. This represents a significant shift from AI-assisted phishing to autonomous exploitation.
The increasing number of devices that can no longer be patched creates a precarious situation. When a vast surface of permanently exposed infrastructure is juxtaposed with adversaries equipped with tools capable of discovering and exploiting vulnerabilities without human intervention, the dynamics shift dramatically. The time available for defenders to respond is rapidly diminishing. Risks that were manageable five years ago are evolving into acute threats.
When Cyber Becomes Sabotage
In 2025, state-sponsored actors expanded their focus beyond espionage. Russian Advanced Persistent Threats (APTs) targeted Western logistics entities and technology companies providing support to Ukraine. Threat actors are now compromising critical infrastructure, telecommunications, and IT providers globally. The trend indicates that adversaries are increasingly treating supply chains and logistics networks as strategic targets.
In this evolving threat landscape, characterized by well-resourced actors with geopolitical motivations, relying solely on technical security measures is insufficient. This scenario underscores the importance of the Trusted ICT Supply Chain Framework proposed in CSA 2, which aims to address vulnerabilities not only in communications but across critical infrastructure.
The Open-Source Transparency Question
In 2025, one in four of the most targeted vulnerabilities resided not in end products but in foundational libraries and frameworks such as Log4j, PHPUnit, and Spring. These components are essential to modern software, and a single flaw can have cascading effects across numerous products and vendors.
The CRA intentionally excludes open-source from liability obligations, a decision that is justifiable. Imposing legal risks on this ecosystem could be detrimental. However, the absence of liability does not equate to a lack of responsibility.
There is a practical role for policy in this context. The CSA could assign ENISA the task of conducting and publishing quality and security assessments of widely used open-source libraries. This approach would enhance transparency without imposing onerous obligations on developers.
Transparency on software security and quality would assist the due diligence of manufacturers integrating open-source software components into their products.
Identity Is Where Attacks Land Now
The Talos report reveals a staggering 178% increase in device compromise attacks, where adversaries register their hardware as a trusted Multi-Factor Authentication (MFA) factor, effectively granting themselves unauthorized access. The most prevalent method involves calling IT helpdesks and persuading administrators to facilitate this process. Voice phishing targeting administrators was three times more common than any other registration fraud technique.
In Brussels, the instinct often leans toward regulation. However, this specific issue cannot be resolved through directives alone. It necessitates investment in awareness and skills training for IT staff, employees, and citizens. The human element remains the most exploited aspect of cybersecurity, and no compliance checkbox can rectify this vulnerability.
Where the New Cyber Landscape Leaves Us
Europe has established a comprehensive cybersecurity policy framework. The challenge now lies in ensuring that it reflects the realities revealed by threat data: the convergence of technical debt, AI-driven speed, critical infrastructure targeting, human vulnerability, and supply chain opacity.
Not all of these issues necessitate new directives or regulations. Some require funding, others demand skills investment, and still others call for institutional action. What they share is a need for a more integrated and adaptive approach to resilience across the EU.
According to publicly available blogs.cisco.com reporting.


