What the Evolution of the Threat Landscape Tells Us About the Gaps in Europe's Cyber Policy
Publish Time: 23 Mar, 2026

Every year, Cisco Talos processes and analyses data points from across the global threat landscape. The patterns that emerge are not just technical; they carry real implications for how governments, businesses, and institutions think about security.

The findings from this year's Talos Year in Review suggest the threat landscape has changed structurally, and that those shifts sit squarely in the blind spots of current European cyber policy.

Not Unpatched Devices. Unpatchable Ones.

Across Europe, policymakers are implementing NIS2 and the Cyber Resilience Act (CRA) while simultaneously debating the future of the Cyber Security Act (CSA). But here is a number that should concern EU regulators but hasn't yet: 40% of the top targeted vulnerabilities in 2025 affected End-of-Life devices. Not unpatched devices. Unpatchable ones. Hardware running across critical infrastructure that is too old to be supported.

This creates a peculiar policy problem: the CRA requires vendors to ensure security throughout their product's lifecycle and NIS2 demands critical infrastructure operators adopt robust security measures. But neither directly addresses how those devices should be managed once their lifecycle expires.

Ideally, explicit guidance on the management of obsolete devices would come at the European level, but it has not been included in the NIS2 Implementing Regulation or the Technical Implementation Guidance from ENISA. Nor has it been picked up in the CSA review. We are, however, seeing encouraging signs at the national level, where some countries are considering using NIS2 implementation to address this.

Policymakers should also consider how the European Competitiveness Fund in the EU Multiannual Financial Framework (MFF) could support the replacement of legacy infrastructure in critical sectors.

Technical debt is real, it is growing, and as we will see below, AI is about to make it significantly more dangerous.

AI Is Compressing the Threat Timeline

The report identifies the emergence of agentic malware that does not just execute instructions but observes and acts autonomously. This is qualitatively different from AI-assisted phishing. It represents a shift toward autonomous exploitation.

Consider how that marries with the build-up of devices that can no longer be patched. When you place a vast surface of permanently exposed infrastructure next to adversaries whose tools can discover and exploit weaknesses without human intervention, the arithmetic changes. The time defenders have to react is compressing fast. What was a manageable risk five years ago is becoming an acute one.

When Cyber Becomes Sabotage

State-sponsored actors in 2025 moved beyond espionage. Russian APTs targeted Western logistics entities and technology companies involved in delivering assistance to Ukraine. Threat actors are compromising critical infrastructure, telecommunications, and IT providers across the world. The pattern is clear: adversaries are treating supply chains and logistics networks as strategic targets.

In such a threat landscape, where well-resourced threat actors have geostrategic motivations, technical security measures are unlikely to be sufficient by themselves. This is precisely the scenario that the Trusted ICT Supply Chain Framework in the proposed CSA 2 is designed to address, not only in communications but across critical infrastructure.

The Open-Source Transparency Question

One in four of the most targeted vulnerabilities in 2025 sits not in a product but in the foundational libraries and frameworks beneath it: components like Log4j, PHPUnit, and Spring. These are the building blocks of modern software, and a single flaw in one of them can cascade across dozens of products and vendors simultaneously.

The CRA deliberately excludes open-source from liability obligations, and that makes sense. Burdening this ecosystem with legal risk would do more harm than good. But the absence of liability does not mean the absence of responsibility.

There is a practical role for policy here: the CSA could task ENISA with conducting and publishing quality and security assessments of widely used open-source libraries. This would provide transparency without imposing burdensome obligations on developers.

Transparency on software security and quality would assist the due diligence of manufacturers integrating open-source software components into their products.

Identity Is Where Attacks Land Now

The Talos report documents a 178% surge in device compromise attacks, where adversaries register their own hardware as a trusted MFA factor, effectively giving themselves a permanent key to the front door. The most common method? Calling IT helpdesks and convincing administrators to do it for them. Voice phishing against admins was three times more common than any other registration fraud technique.

The instinct in Brussels is often to regulate. But this particular problem will not be solved by a directive. It requires investment in awareness and skills training for IT staff, for employees, for citizens. The human layer remains the most exploited surface in cybersecurity, and no compliance checkbox will change that.

Where the New Cyber Landscape Leaves Us

Europe has built a very comprehensive cybersecurity policy framework. The task now is to make sure it accounts for what the threat data is actually showing: technical debt, AI-driven speed, critical infrastructure targeting, human vulnerability, and supply chain opacity are converging.

Not all of these call for new directives or regulation. Some demand funding, others skills investment, others institutional action. What they share is a need for a more integrated, more adaptive approach to how we think about resilience in practice across the EU.
