For years the mental model of an attack was a perimeter being breached. In 2026 that picture is outdated. The majority of incidents now begin with a stolen credential and the abuse of legitimate access, then move through third parties and cloud services that were never inside "the firewall" to begin with. The ENISA Threat Landscape 2025 reflects the same shift: identity and supply chain, not the network edge, are where organisations are compromised.
At a glance
- The way in: credentials and legitimate access, not a breached perimeter.
- The path: through suppliers, cloud and identity providers you do not fully control.
- The response: prioritise identity, third-party risk and resilience — and align it with NIS2 and DORA.
Three trends shaping today's incidents
Identity is the new perimeter. Phishing and credential theft give attackers a legitimate way in, so MFA that resists phishing and tight control of privileged access matter more than another perimeter box. This extends to machine identities: service accounts, tokens and API keys — the non-human identities that rarely have an owner and almost never rotate.
The supply chain is part of your attack surface. A compromised provider — software, hosting, a managed service — becomes your incident. Managing third-party risk is no longer optional hygiene; it is front-line defence.
Resilience decides the outcome. When prevention fails, the difference between a bad day and a crisis is how fast you detect, contain and recover. That is a function of monitoring, tested backups and incident response, not of any single tool.
Where to start, without an endless project
The temptation is to launch a multi-year programme. The more useful move is to fix the highest-leverage gaps first: enforce phishing-resistant MFA and review privileged access; inventory who and what can authenticate, including machine identities; map your critical suppliers and what would happen if one failed; and confirm you can actually detect and recover from an identity-driven intrusion. None of that requires a two-year roadmap — it requires deciding what matters most and doing it. A managed SOC and vulnerability management close much of the gap quickly.
How this connects to NIS2 and DORA
NIS2 requires risk-based measures across access control, supply-chain security and incident handling, with board accountability. DORA makes operational resilience and third-party (ICT) risk explicit obligations for financial entities. Both, read plainly, describe exactly the three trends above: identity, supply chain and resilience. Aligning your priorities with them is not extra work — it is the same work, evidenced.
The bottom line
The attacker of 2026 logs in rather than breaks in, and reaches you through people and providers you already trust. Defence follows suit: identity first, suppliers second, resilience throughout. If you want help turning that into a prioritised plan for your organisation, get in touch.