Distributed denial of service (DDoS) attacks largely driven by hacktivist groups represented the majority of cybersecurity incidents in the public sector last year, although data threats were more disruptive, ENISA said today.
The EU’s security agency made the claims in a new study detailing 586 publicly reported cyber incidents in the “public administration” sector last year. It warned that public sector management of large volumes of sensitive data and delivery of critical services makes it a key target.
Some 60% of cybersecurity incidents impacting the sector last year were DDoS, and 63% were attributed to hacktivist groups. Cybercriminals (16%) and state actors (2.5%) accounted for most of the remainder.
However, it is the latter two groups that had the greatest impact on public services, particularly through “data-related incidents” which were the second most common threat type. ENISA said 17% of all incidents in 2024 were classed as data breaches and targeted “sensitive platforms” like employment services and law enforcement portals.
Ransomware comprised 10% of incidents in 2024, with RansomHub, Lockbit 3.0 and 8Base among the main variants.
Read more on ENISA reports: Phishing Dominates EU-Wide Intrusions, says ENISA
DDoS attacks mainly targeted municipal websites and government ministry portals, the report added. Central government accounted for the vast majority (69%) of overall cybersecurity incidents.
“Cyber-securing public administrations is central to citizens’ welfare and to the good functioning of the single market across the EU,” said ENISA Executive Director, Juhan Lepassaar.
“Public administrations provide reliable and effective public services, so it is essential to ensure a high-level of cybersecurity within their wider network of national, regional and local bodies.”
However, the sector’s resilience to cyber-threats is still not where it should be, having been newly added to NIS2. An ENISA report from March 2025 put it in the “risk zone” for compliance, warning that public administrations “lack the support and experience seen in more mature sectors.”
Advice For Public Sector Organizations
ENISA warned that the sector’s “low maturity” and high value as a target would make more attacks highly likely in the mid- to long-term – especially hacktivist DDoS, state-backed cyber-espionage and opportunistic ransomware and data breaches.
ENISA advised public sector bodies struggling with NIS2 compliance and cyber-threats to consider:
- Improving “architectural resilience and operational readiness” for DDoS by putting portals behind content delivery networks (CDNs) and web application firewalls (WAFs)
- Deploying multi-factor authentication (MFA) everywhere, alongside privileged access management (PAM) and data loss prevention (DLP) tools, to mitigate data-related risks
- Deploying endpoint detection and response (EDR), segmenting networks and backing up regularly to tackle ransomware threats
