After a very successful 2022 for the EU cybersecurity policy field, which we have analysed in this blog, we look at 2023 with some predictions of how the threat landscape will evolve. If we have to make an informed guess, here is what we can expect in 2023 for cybersecurity:

Threats

  • Supply chain attacks will continue to grow, but their discovery will probably improve. Currently, breach identification takes more than 212 days (IBM), with supply chain attacks taking longer to identify due to their complexity and lack of transparency.
  • Ransomware slowed down its exponential growth, with a drop (23%) in ransomware attacks in 2022, following the 2021 law enforcement (FBI, Europol, EU national authorities) campaigns and arrests. Yet the ransomware pandemic persists, as no significant policy action was taken (e.g. cryptocurrency tracing, making ransomware payments illegal, or limiting cyber insurance coverage). As EU cybersecurity legislation (NIS and NIS2) is further implemented, forcing critical and government organisations to invest in cyber resilience, the number of successful ransomware attacks (i.e. losses) may slightly decrease. But if we manage to stop ransomware entirely in 2023, we can save the $14 billion needed to End Hunger, Double Incomes for Poorest Farmers, and Meet Climate Goals.
  • ENISA reported that around 60% of organisations that fell victim to ransomware may have paid the ransom demands. Whilst experts advise not to pay, as there is no guarantee of full data recovery, the trend of paying, rather than investing in cybersecurity in the first place, will likely remain in 2023.
  • Data breaches will become a common issue (Avast). This is a worrying trend, as the GDPR has been in force in the EU for almost 5 years and organisations ought to have taken the necessary measures by now.
  • With digital identities gaining traction and giving access to more services, we expect the identity theft trend to grow. While the revised European digital identity Regulation (eIDAS) introduces a secure EU digital wallet, attackers have moved faster and have already gained access to identity data that they can later exploit for economic gain or use in espionage or cyberbullying activities. The personal data of a large part of the EU population has already been breached (see the large-scale data breaches in Bulgaria, Austria, France and Germany). For most types of personal data, such as personal identity/tax/social security numbers, biometrics, health data and addresses, there is no immediate option to change the data or to prevent the use of the breached data in future identity theft attacks.


Industry trends

  • Cybersecurity M&A is on the rise; the market is consolidating, with retail/telco/tech companies acquiring cybersecurity solutions and startups (mostly cloud security, identity management and consulting services) to improve their offerings and expand in the fast-growing cybersecurity market.
  • Working-from-home cybersecurity will become a priority for businesses (Forbes). This raises another concern: personal IT devices do not have the same level of security as office-based ones. Businesses will have to invest more in this in 2023 if they continue to pursue the working-from-home business model.
  • AI will play an increasingly important role in cybersecurity, and its use is sometimes referred to as an arms race, as malicious actors and security agents race to ensure the most sophisticated algorithms are working on their side (Forbes). 2023 will see continued work on the EU AI Act, with negotiators facing the challenging task of getting the scope right.

Investment

  • EU and national government budgets will start fuelling cybersecurity investments through the Recovery and Resilience Facility. The focus areas are state capacity, incident management, and crisis reaction and coordination. However, administrative fees and complex project management procedures may shrink the real cybersecurity investment.

Critical infrastructure (CI)

Policy

In conclusion, our analysis shows that some trends of 2022, such as the increase in supply chain attacks, will continue throughout 2023, moving to the cloud and impacting everyone – from the smallest to the largest companies, from low to high security maturity organisations. NIS2 has introduced measures on supply chain security: it is now up to the Member States (MS) to correctly transpose and implement the Directive into national law and so contribute to raising the common level of security in the EU. Attacks on the CI sectors will likely continue, but, once again, any major successful attack would exploit incorrect or missing implementation of the 2016 NIS Directive measures, such as security policy and risk management. The same goes for data breaches: organisations handling large amounts of personal data will continue to be targets of malicious cyberattacks, and a lack of implemented GDPR security measures (encryption, adequate security for personal data, data anonymisation) will be exploited.

Overall, in the EU we have a robust legislative framework and investment that set significant cybersecurity requirements for both MS and organisations. Malicious actors will always try to reinvent themselves and target the weakest link – and this trend will carry on in 2023. But organisations can adopt minimum security measures and protect themselves.