European Cybersecurity Agency Warns of Critical Infrastructure Vulnerabilities

ENISA publishes landmark threat landscape report warning of escalating attacks on energy grids, water systems, and transport networks.

Digital Warfare: Europe's Critical Infrastructure Under Siege

The European Union Agency for Cybersecurity published its annual threat landscape report in early 2026 with an unusually stark warning: European critical infrastructure — power grids, water treatment systems, financial networks, and transport management systems — is facing a sustained and intensifying campaign of cyberattacks from state-sponsored threat actors, primarily but not exclusively linked to Russia and China. The agency documented a 35 percent increase in significant cyber incidents targeting critical infrastructure in 2025 compared to the previous year, with energy sector assets accounting for the largest share of attacks.

The attacks have become more sophisticated and more targeted. Early incidents in this category involved relatively crude distributed denial of service attacks or opportunistic ransomware deployments. The new generation of attacks documented by ENISA involves multi-stage intrusions that establish persistent access in target systems over months before deploying their destructive or disruptive payloads at moments of strategic choice. This approach, associated with advanced persistent threat actors operating on behalf of state sponsors, creates the possibility of pre-positioned capabilities that could be activated to cause major disruption during a geopolitical crisis.

The NIS2 Directive, which entered force across the EU in late 2024 and established significantly enhanced cybersecurity requirements for critical infrastructure operators and essential service providers, has begun to improve the baseline security posture of regulated entities. Regular reporting obligations are generating better threat intelligence. Incident response requirements have accelerated the containment of some attacks. But ENISA's experts note that the regulation has not kept pace with the rapidly evolving threat landscape and that significant vulnerabilities remain, particularly in the operational technology systems — industrial control systems, SCADA networks, and programmable logic controllers — that manage physical infrastructure processes.