Rise in Critical Infrastructure Cyber Risks Across EU Requires Strategic Oversight
The European Union’s recent annual report [1] on cybersecurity incidents highlights a worrying trend: threats to critical infrastructure are intensifying. A whopping 1,276 security incidents were reported across Europe in 2024, up 18% from a year earlier, according to data from the EU’s NIS Cooperation Group.
Services essential to society took the biggest hit, with healthcare, energy and transport emerging as the most affected sectors, followed by digital infrastructure and banking. The report, which comes as EU nations grapple with the implementation of a unified legal framework to regulate cyber risk (NIS2) [2], demonstrates the scale and scope of cyber and operational threats that companies face today. More than ever, organisations must urgently address these risks not just as an IT security issue, but at the board level, to build cyber resilience and minimize disruption.
Understanding the threats
The number of incidents has been growing steadily in Europe, with the latest figures representing a 69% rise since 2020. The latest report identifies three primary drivers of incidents:
- System failures (51%): software bugs, hardware malfunctions and operational lapses.
- Malicious actions (37%): ransomware, distributed denial-of-service (DDoS), data leaks, cable cuts and other deliberate cyberattacks.
- Human error (11%): misconfigurations, operational mistakes or negligence.
Notably, in more than 70% of cases the exact technical cause remained unknown, illustrating the complexity of modern infrastructures and the challenges of incident forensics. Moreover, incidents with a very large impact have risen compared with the year-earlier period. Drilling down into these details shows that even mature organisations with established safeguards remain exposed.
Executive implications
For decision-makers, the report is a stark reminder that cybersecurity is a strategic matter, not just a technical one. Based on our extensive experience working with organisations on building cyber resilience, we recommend that boards and executives ensure the following key considerations are fully embedded into governance:
- Comprehensive risk management: Anticipate risks and structure mitigation strategies.
- Continuous monitoring and awareness: Maintain vigilant system oversight and strengthen staff training.
- Incident preparedness: Test and refine incident response plans to minimise service disruption.
Organisations can also benefit from independent assessments that provide unbiased insights, validate resilience strategies and identify vulnerabilities overlooked internally.
Strategic takeaway
Analysing the latest EU figures, it is clear that as cyber incidents grow in number, scale and complexity, relying solely on technical safeguards is no longer enough. To protect their business interests, as well as the services that society depends on, organisations must address cyber risks at the board level, taking a proactive approach that integrates strong governance, vigilant oversight and informed decision-making. It is also essential that cyber strategies allow for adaptability to cope with emerging threats.
Independent expert advisors can play a crucial role, offering impartial perspectives, revealing blind spots and providing specialised insights that complement internal capabilities. Their guidance helps ensure that risk frameworks remain robust, strategic choices are validated and critical vulnerabilities effectively addressed.
How A&M can help
At A&M, we support organizations in addressing NIS2 requirements by conducting independent cyber risk assessments, building multi-year roadmaps and aligning initiatives with business goals and regulatory obligations. Our approach provides a clear picture of how investments reduce risk and strengthen resilience.
We provide interim leadership (CISO roles), run crisis simulations and refine incident response plans to improve preparedness. By reviewing and enhancing cyber operating models, we embed best practices and ensure operational efficiency.
With this support, boards and executives can strengthen governance, validate risk frameworks and build confidence that critical vulnerabilities are being addressed in line with NIS2.
2. According to the latest data, 14 of the 27 EU member states have transposed the NIS2 directive into national law. Source: NIS2 Directive Transposition Tracker, ECSO.