The new report by ENISA highlights how EU public administrations are increasingly targeted by hacktivists, primarily resorting to DDoS attacks.
Set as highly critical under the NIS2 Directive, the public administration sector plays a key role in delivering essential services to European citizens.
Because it ensures effective governance and delivery of important services to civil society such as education, healthcare, public transportation, etc., public administration is a fundamental sector of the economy.
However, being newly regulated under the NIS2 Directive, the sector is still developing its cybersecurity resilience as it remains in the early stages of aligning with the requirements. Public administration was therefore assessed as standing in the “risk zone” in the study published in the ENISA NIS360 report. With 38% of all incidents in the latest ENISA cyber threat landscape report, public administration reportedly is the most targeted sector in the EU.
ENISA Executive Director, Juhan Lepassaar, stated: “Cyber-securing public administrations is central to citizens’ welfare and to the good functioning of the single market across the EU. Public administrations provide reliable and effective public services, so it is essential to ensure a high level of cybersecurity within their wider network of national, regional and local bodies.”
The new analysis offers an overview of 586 publicly reported cyber incidents that occurred in the course of 2024.
Because they manage high volumes of sensitive data and deliver important services in an increased digitization context, public administrations can be heavily disrupted by cyber incidents. These incidents can also contribute to undermining public trust.
Such threats include Distributed Denial of Service (DDoS) attacks, data breaches, ransomware and incidents involving social engineering.
ENISA’s new sectorial report provides an overview of such threats with the objective to support risk assessment, mitigating measures and relevant policy making.
Key findings
Central governments were the most targeted, accounting for 69% of incidents. The majority of incidents targeted the websites of parliaments, ministries and national authorities/agencies, largely skewed by DDoS attacks.
Distributed Denial-of-Service (DDoS) attacks accounted for 60% of all incidents.
These attacks were typically short-lived and rarely resulted in significant impact. Data breaches and ransomware, even if lower in numbers, were more disruptive.
Threats against data include data breaches (17.4%) or data exposures (1%). Data-related incidents represent the second most frequent threat type recorded against public administration entities in the EU in 2024. Targets notably include employment services, local government platforms, law enforcement portals, and educational systems.
Public administration represents a high-value target for state-nexus intrusion sets mainly due to the strategic value of data collection, for economic or defence purposes. Cyberespionage campaigns in 2024 only accounted for 2.5% of all incidents. Despite being limited in number, their impact on EU Member States’ national security can be significant.
Still, hacktivist activities remain the most prevalent in sheer volume. In 2024, hacktivists accounted for nearly 63% of incidents, while cybercrime operators and state-nexus intrusion sets represented approximately 16% and 2.5%, respectively.
Ideologically motivated hacktivist groups mainly seek to draw attention and cause disruption. Targets notably included municipal websites and ministry portals.
Despite being observed in fewer incidents, phishing is still a common initial access vector.
The trends identified in the report show that public administrations in the EU are likely to remain the most targeted sector in the short-to-mid term.
In addition, the surge and increased capacity of AI tools are likely to increase AI-powered social engineering for follow-up malicious activities.
Multi-extortion campaigns can have more severe effects, such as service outages of tax portals, e-ID systems and court scheduling, undermining confidence in digital services. Additionally, incidents involving shared systems or service providers show how one single compromise can cascade across multiple public entities.
With the public administration sector covered by the NIS2 Directive, which acknowledges the sector’s criticality, ENISA sets strategic priorities to enhance its capacity to address those challenges.
Recommendations
The actions to be taken largely depend on the threats public administrations face and wish to mitigate, such as DDoS attacks, data-related incidents, ransomware or state-nexus campaigns.
DDoS attacks
ENISA suggests controls that enhance architectural resilience and operational readiness, such as enrolling critical portals behind a content delivery network (CDN) or web application firewall (WAF) with always-on network–application layer protection. Another action is to publish static-fallback sites with Domain Name System (DNS) failover, etc.
Data-related threats
Data-related incidents can cause significant disruption to an organisation’s operations. Recommended actions include, for instance, implementing Multi-Factor Authentication (MFA) everywhere, with conditional access and Privileged Access Management (PAM).
Ransomware
Specific controls can be set, such as deploying Endpoint Detection and Response (EDR) with behavioural rules and segmenting networks, etc.
Other recommendations are included in the ENISA NIS360 report, such as:
- Build effective remediation capabilities through shared service models;
- Make use of the Cybersecurity Reserve as provided for by the EU Cyber Solidarity Act;
- Enhanced preparedness & response.
By proactively adopting these strategic priorities and fostering closer collaboration across Member States, public administration bodies in the EU will be better positioned to safeguard critical services and uphold citizen trust in an increasingly volatile cyber threat landscape.