← Back to all briefings

Cybersecurity · Credibility 92/100 · · 1 min read

ENISA Threat Landscape 2020 Insights — October 20, 2020

ENISA’s 2020 threat assessment catalogued ransomware, phishing, and supply-chain campaigns that still anchor Zeph Tech’s adversary briefings.

Executive briefing: The European Union Agency for Cybersecurity (ENISA) released the Threat Landscape 2020 report on , cataloguing major cyber threats, attack techniques, and sectoral impacts observed between January 2019 and April 2020. Security, risk, and executive teams should leverage the report’s data-backed insights to recalibrate defenses, align investment roadmaps, and coordinate with regulators across the EU and beyond.

Execution priorities for cybersecurity program leads

Compliance checkpoints from ENISA’s 2020 threat landscape

Strategic threat landscape overview

ENISA identified the top eight threat categories: malware, web-based attacks, phishing, web application attacks, spam, distributed denial of service (DDoS), identity theft, and insider threats. The report emphasizes ransomware’s evolution toward double extortion, the industrialization of phishing via COVID-19 lures, and the rising commoditization of botnets for DDoS attacks. It also highlights sector-specific targeting—healthcare, finance, public administration, and manufacturing faced sustained campaigns exploiting pandemic-related disruptions.

For CISOs, the report underlines the need to contextualize risks by adversary capabilities and supply-chain dependencies. ENISA links threat actors such as APT29 and FIN11 to notable campaigns, offering indicators of compromise (IOCs) and attack vectors. Aligning your threat models with ENISA’s taxonomy improves intelligence sharing with EU partners and supports compliance with the NIS Directive’s incident reporting expectations.

  • Update enterprise threat models to reflect ENISA’s top threat categories, mapping each to existing controls and identifying coverage gaps.
  • Prioritize ransomware resilience investments—immutable backups, segmentation, rapid detection—given ENISA’s findings on double extortion prevalence.
  • Integrate ENISA-provided IOCs into security information and event management (SIEM) tooling and managed detection workflows.

Governance, compliance, and reporting

The ENISA Threat Landscape report provides evidence organizations can leverage during audits and board reporting. For EU operators of essential services (OES) and digital service providers (DSPs), referencing ENISA findings demonstrates awareness of state-of-the-art threats—a requirement under the NIS Directive. The report also supports compliance with sector regulations such as the European Central Bank’s cyber resilience oversight expectations and the European Medicines Agency’s good practice guidelines.

Boards and regulators increasingly demand quantitative risk narratives. Use ENISA’s statistics to contextualize incident likelihood and impact, supplementing internal loss data. Embed the report’s insights into risk registers, policy updates, and awareness campaigns. Doing so signals proactive governance and may influence cyber insurance underwriting.

  • Update cyber risk registers with ENISA’s threat rankings, assigning control owners and remediation deadlines for each high-priority vector.
  • Incorporate ENISA metrics into board-level reporting, linking investment requests to documented threat trends.
  • Refresh security policies and awareness training materials to reference ENISA-cited attack techniques and defense expectations.

Operational defense moves across sectors

Sector-specific risk insights

Healthcare organizations faced increased phishing, malware, and DDoS attacks exploiting pandemic urgency. ENISA cites incidents such as the ransomware attack on Brno University Hospital and espionage campaigns targeting vaccine research labs. Financial institutions encountered credential stuffing, card-not-present fraud, and sophisticated business email compromise (BEC) operations. Public administrations dealt with disinformation, website defacements, and espionage targeting COVID-19 response data.

These sectoral insights should drive tailored mitigation plans. For example, healthcare providers must invest in network segmentation around operational technology (OT) and medical devices, while financial firms need advanced fraud analytics and customer authentication enhancements. Public-sector agencies should bolster crisis communication protocols and adopt zero-trust architectures to mitigate remote-work exposures.

  • Construct sector playbooks aligned to ENISA guidance, detailing response steps, partner coordination, and regulatory notifications for high-impact incidents.
  • Engage industry-specific information sharing and analysis centers (ISACs) to cross-reference ENISA observations with regional intelligence.
  • Embed sector risk narratives into executive dashboards to secure budget for the controls ENISA recommends.

Supply-chain and third-party considerations

ENISA underscores supply-chain compromises as a critical theme, referencing incidents involving managed service providers, open-source libraries, and cloud infrastructure. Attackers increasingly target software build systems, certificate authorities, and remote management tools. Organizations must extend governance beyond their perimeter, scrutinizing vendor security practices and implementing monitoring that spans third-party environments.

The report advises adopting certification schemes (e.g., ISO 27001, EU Cybersecurity Act schemes) and contractual clauses to enforce security baselines. It also encourages coordinated vulnerability disclosure and multi-party risk assessments. Enterprises should tailor procurement policies to these recommendations, ensuring that third-party obligations match internal security standards.

  • Integrate ENISA-aligned security requirements into vendor onboarding, covering secure development practices, patching SLAs, and incident reporting timelines.
  • Deploy continuous third-party risk monitoring tools to detect misconfigurations, leaked credentials, or exposed services linked to suppliers.
  • Establish joint incident response exercises with strategic vendors to validate coordinated playbooks for ransomware, data theft, and DDoS scenarios.

Technical countermeasures and architecture priorities

ENISA recommends layered defenses: endpoint detection and response (EDR), multi-factor authentication, secure access service edge (SASE) architectures, and proactive patch management. The report emphasizes vulnerability trends in remote desktop services, VPN appliances, and collaboration platforms—systems heavily used during the pandemic. It also highlights the importance of robust logging and monitoring to detect lateral movement and privilege escalation.

Architecture teams should translate these recommendations into actionable roadmaps. This includes expanding zero-trust network access, automating patch deployment for high-risk CVEs, and instrumenting behavioral analytics to spot credential misuse. Investing in security orchestration, automation, and response (SOAR) can accelerate containment actions aligned with ENISA’s emphasis on timely response.

  • Deploy phishing-resistant multi-factor authentication (e.g., FIDO2, WebAuthn) across administrative accounts and remote access gateways.
  • Automate vulnerability remediation for Internet-facing services, prioritizing CVEs highlighted in ENISA’s annexes and supplemental advisories.
  • Enhance telemetry collection—endpoint, network, cloud—to support threat hunting aligned with ENISA’s MITRE ATT&CK mappings.

Enablement and performance management tasks

Action plan and performance measurement

To operationalize the report, establish a cross-functional task force that includes security operations, IT, legal, and business continuity. Task the group with reviewing ENISA recommendations, prioritizing initiatives, and tracking execution. Define key performance indicators: phishing simulation failure rates, mean time to detect ransomware precursors, patch compliance for high-risk CVEs, and supplier security attestations.

Schedule quarterly reviews to update the organization’s threat landscape view, incorporating new ENISA publications, Europol threat assessments, and national CERT advisories. Continuously iterate incident response playbooks using lessons learned from tabletop exercises and real-world events.

  • Create a 12-month roadmap that sequences ENISA-aligned initiatives, tying each to budget, resource owners, and measurable outcomes.
  • Track control maturity using capability models (e.g., CMMI-based assessments) to evidence progress during internal audits.
  • Publish internal threat briefings summarizing ENISA updates to maintain executive awareness and sustain investment momentum.

Follow-up: ENISA has continued the annual series—publishing the 2023 Threat Landscape in November 2023 and a specialised Threat Landscape for AI in May 2024—to steer EU cyber resilience planning.

Sources

  • ENISA Threat Landscape 2020 — European Union Agency for Cybersecurity; ENISA mapped major cyber threats, trends, and actors affecting the EU from January 2019 to April 2020.
  • ENISA Threat Landscape 2020 — Full Report — European Union Agency for Cybersecurity; The full report provides detailed threat taxonomies, incident case studies, and mitigation recommendations.
  • ENISA releases Threat Landscape 2020 — European Union Agency for Cybersecurity; ENISA underscored ransomware, credential theft, and misinformation as dominant threat vectors during 2020.
  • ENISA
  • Threat Landscape
  • Ransomware
Back to curated briefings