Cybersecurity 2025: The Year in Review – Incidents, Trends, Lessons
2025 was a year of regulation, AI-driven attacks, and the realization that cyber resilience is not just an IT problem, but a matter of corporate governance. DORA came into force, the first NIS2 fines were issued, and AI has changed both attack and defense methods.
TL;DR
- DORA live since January 2025: The financial sector has the strictest digital resilience requirements worldwide.
- AI attacks scaled: Phishing, social engineering, and exploit development – all made more efficient by generative AI.
- Supply chain still in focus: Several major incidents occurred through compromised third-party software.
- Post-Quantum standards finalized: NIST PQC algorithms have been the standard since August 2024 – migration planning begins.
- Ransomware groups under pressure: International law enforcement actions are showing results – but no all-clear.
Regulation 2025: DORA, NIS2 Fines, AI Act
2025 was the most densely regulated year in EU cybersecurity history. DORA has been fully applicable since January – and the first supervisory authorities have begun conducting checks. NIS2 has produced its first fines in several member states, primarily due to non-compliance with reporting obligations.
The EU AI Act has been in force since August 2024. The high-risk AI requirements also affect cybersecurity tools – AI-based anomaly detection, facial recognition in security systems, and automated access control fall under strict requirements. This kept compliance departments busy in 2025.
Attacks 2025: AI as a Multiplier
AI changed the attack landscape in 2025: not through new attack vectors, but through increased efficiency and scalability. Phishing campaigns that previously took weeks now run in hours. Voice cloning attacks have moved from the “advanced APT” realm to “organized crime.”
Supply chain attacks remain a dominant pattern: At least two major incidents in 2025 occurred through compromised third-party software, similar to MOVEit in 2023. Awareness of third-party risks is increasing – but the implementation of third-party risk management is lagging behind.
Outlook 2026: What’s a Priority Now
Start Crypto Migration: PQC inventory and roadmap are mandatory for all critical infrastructures in 2026. Anyone who wants to be ready by 2030 needs to start in 2026.
AI Security Operations: AI-powered SIEM, automated threat-hunting routines, and AI-based anomaly detection become standard in 2026. Anyone not planning an AI-augmented SOC will fall behind attackers.
Identity as Perimeter: Zero Trust Identity – passkeys, continuous authentication, device trust – is the security concept that will finally replace old perimeter security in 2026.
Manage Regulatory Fatigue: NIS2, DORA, AI Act, CRA – the compliance burden is increasing. Companies must establish integrated GRC approaches (Governance, Risk, Compliance) instead of handling each regulation in a silo.
Key Facts at a Glance
- DORA Effective Date: January 2025 – first compliance checks are underway
- NIS2 First Fines: Several EU member states issued first fines in 2025
- AI-Driven Phishing Rate: Estimated 40% of all phishing emails in 2025 were AI-generated
- NIST PQC Finalized: August 2024 – migration planning in 2025/2026 is critical
- Ransomware Payments 2025: Decrease by ~10% due to law enforcement actions (preliminary)
Fact: In its 2025 Federal Cybercrime Report, the BKA (Federal Criminal Police Office) registered over 136,000 cases of cybercrime in Germany, an increase of 12% compared to the previous year.
Fact: According to the ENISA Threat Landscape 2025, ransomware remained the most common attack type in the EU, with 34% of all reported incidents.
Frequently Asked Questions
What was the biggest cybersecurity event in 2025?
The implementation of DORA in January 2025 was the most significant regulatory event. Technically, AI-scaled supply chain attacks and voice deepfake BEC cases were the defining patterns.
Do NIS2 fines have a deterrent effect?
Initial signals: Yes. The reporting rates for security incidents have increased in NIS2-mandated sectors – also because companies know that not reporting can be more expensive than reporting. Long-term compliance effects are still difficult to measure.
Has AI done more harm or good (attack vs. defense)?
On the attack side: increased efficiency in phishing, social engineering, and vulnerability scanning. On the defense side: better anomaly detection, faster threat intelligence analysis. The net effect is unclear – but companies without AI in their defense are at a growing disadvantage.
What should a CISO prioritize for 2026?
Three priorities: 1. Create a PQC inventory and roadmap. 2. Develop identity-centric security (passkeys, continuous authentication). 3. Plan and budget for an AI-augmented SOC. Additionally: integrate regulatory requirements into a unified GRC framework.
Have ransomware groups really been weakened in 2025?
Law enforcement actions against LockBit, AlphV/BlackCat, and others had short-term effects – infrastructure taken offline, arrests. But the RaaS ecosystem is resilient: new groups emerge, affiliates switch. Long-term, prevention and resilience are more important than relying on law enforcement successes.