With digitalization advancing, artificial intelligence multiplying the speed and scale of attacks and geopolitics increasingly entering the digital perimeter, the cybersecurity It is no longer a technical line of defense. It has become one of the more sensitive fronts for businesses, institutions and citizens. The Cyber Security Report 2026 photograph this leap in quality: the cyber threat it is not only growing in numbers, but changes intensity, targets and damage outputAttacks are becoming more targeted, ransomware is accelerating, malware campaigns are moving globally, and vulnerabilities are taking on increasing strategic importance.
The report, created by Tim and the Cyber Security Foundation With the contribution of the TIM Research Center, it is based on evidence collected by the TIM Group's defense units during 2025 and integrates the insights of Insikt Group, Recorded Future's Threat Intelligence unit. The goal is not to simply count attacks, but read the evolution of cyber risk connecting threats, vulnerabilities, most exposed sectors, regulations and emerging technologies.
La Cybersecurity is no longer a matter for insiders onlyIt is an essential condition for ensuring operational continuity, industrial competitiveness, and national security. When an incident blocks a service, interrupts a supply chain, exposes sensitive data, or paralyzes public infrastructure, the impact isn't confined to the targeted party. It ripples throughout the entire economic and social system.
Cyber Security Report 2026: More targeted DDoS attacks, accelerating ransomware
On the DDoS front, acronym for Distributed Denial of Service, attacks that aim to make a site, platform or digital service unreachable by overloading it with an enormous amount of traffic generated by multiple sources, 2025 shows an apparent paradox. approximately 4.300 events were detected, down 36% compared to 2024, partly due to the actions taken to strengthen the overall defense. However, the decrease in volumes does not correspond to a weakened threat. The campaigns are more concentrated, especially in March, June and October, and generate a higher overall pressure.
The shape of the attacks also changesHigh-intensity incidents exceeding 20 Gigabits per second are decreasing, from 39% to 29%, while the average exposure time is increasing by 19%. Most incidents continue to resolve within 30 minutes, but their increased persistence signals a tactical evolution. Some techniques can also leverage artificial intelligence to increase speed and effectiveness. Among Italian businesses and institutions, excluding incidents targeting families and citizens, which represent approximately seven out of ten cases detected by the TIM SOC, the Government sector accounts for 46% of DDoS attacks, nearly one in two. Professional services, telecommunications, and transportation follow, the latter sector experiencing strong growth compared to 2024. The pressure is therefore shifting toward entities of high systemic relevance.
Even more marked is the acceleration of ransomware, i.e., attacks that block or encrypt data and computer systems to demand a ransom in exchange for restoring access. In 2025, over 7.400 claims were recorded globally, a 42% increase compared to 2024. In Italy, there were 166 cases, a 14% increase. Almost one in two events concerns the United States, while the European Union is the second most affected area with 16% of cases, ahead of Canada and the United Kingdom.
In the European framework, hierarchies are also changingGermany surpasses the United Kingdom as the most affected country, while Italy falls to fourth place. In Italy, approximately four out of ten cases are concentrated in the Northwest, and Lombardy accounts for over 30% of the national total. Manufacturing and professional services are the most affected sectors, confirming the importance of industrial density, operational continuity, and reputational pressure as exposure factors.
At the basis of growth is theindustrialization of cybercrimeThe number of detected ransomware groups is increasing by 40%, and artificial intelligence is helping to automate the production of malicious code and refine luring techniques. Attacks are becoming more scalable, faster, and more opportunistic.
Cyber Security Report 2026: Global Malware, Vulnerabilities, and Zero-Days
The report also devotes ample space to malware campaigns, malicious software designed to infect devices and systems, steal data, take remote control or prepare more complex attacks. According to the Insikt Group evidence, in the first half of 2025 the activity involved subjects in approximately 200 countriesNearly 90% of cases involve the United States, while in Europe the most affected country is the United Kingdom. The prevalence of phishing in English helps explain the greater exposure in markets where this language is most widely used online.
Among the most widespread threats Rats' weight increases, tools that allow the remote control and can open the way to data exfiltration or more complex attacksThreats to mobile devices, particularly Android, are also increasing, with growing attention paid to NFC-based contactless payment systems. On the ground of vulnerabilities, the dynamics are equally relevant. In 2025 the CVEs (Common Vulnerabilities and Exposures) known vulnerabilities, or published vulnerabilities, have reached nearly 48.500, a 20% increase compared to 2024 and nearly double the figure from three years earlier. Artificial intelligence is accelerating both the identification of vulnerabilities for remediation and their potential conversion into attack tools.
The most sensitive data concerns the nature of the actors involvedOver 50% of the attributed exploitation activity is attributable to state-sponsored actors. Vulnerability is no longer just a technical or criminal problem: it takes on a strategic dimension, because it can be quickly transformed into operational capability.
And then there are zero-days. It is flaws not yet known to the manufacturers and therefore without patches, capable of exposing systems and devices to immediate risks. The most severe vulnerabilities don't always reach the mainstream disclosure channels: some acquire a high market value and can be exploited not only by cybercriminals, but also by governments, intelligence agencies, and surveillance companies for espionage, targeted monitoring, or strategic cyber operations.
Cyber Security Report 2026: From Standards to European Resilience
The second part of the report shifts the focus from the operational data to the risk readingIn a digital-dependent society, an attack is not confined to the victimBusiness disruptions, service interruptions, data loss, and reputational damage can spread throughout essential services and supply chains, generating ripple effects on customers, suppliers, and counterparties. Since 2012, the cyber threat has consistently ranked among the ten most significant medium-term concerns in the World Economic Forum's global risk rankings, with the sole exception of 2016. It is a persistent and priority threat, especially for European companies.
In ransomware, however, the dynamic remains largely opportunistic. Attackers don't follow stable strategies; they change their tactics and targets, striking wherever the opportunity arises. Analyses over the last three years show a low level of specialization both globally and in Italy. In our country, only four groups show a certain sectoral preference, while actors such as LockBit, Rhysida, Hunters International, and RansomHub strike in a generalist manner.
In this scenario, the regulatory framework becomes an answer to transforming risk into a systemic problem. When the effects of an incident ripple through services and supply chains, cybersecurity cannot be managed solely with more technology or one-off measures. Common rules, processes, and responsibilities are needed.
The European center of gravity is aiming for an organized system, based on obligations and processes for organizations operating at the most critical hubs, with NIS2 and DORA, minimum requirements for products and components through the CRA, and attention to managing supply chain dependencies. The CSA2 and CAIDA proposals address the issue of technological dependencies and jurisdictional constraints related to cloud, data, and artificial intelligence, aspects that can interfere with European sovereignty and strategic autonomy.
Cyber Security Report 2026: AI, quantum, and space open new frontiers
The final part of the report looks at the emerging technologies and new risk perimeters. The the main catalyst is artificial intelligence, which acts as a multiplier. On the offensive front Accelerates phishing, fraud, cloud and LLM abuse, prompt injection, and manipulation. On the defensive front can strengthen triage, vulnerability analysis, and Security Operation Center activities. Then emerge new threats that require new definitions, such as promptware, quishing and QRishing. It also opens a critical area in theintersection between physical and digital, with attacks that can involve smart glasses and virtual or augmented reality systems.
Another decisive front is the quantum oneIncreased computational capacity could undermine current cryptographic security systems. Hence the need for quantum-safe solutionsThe risk, however, isn't limited to the future. Some hostile actors can already intercept and store encrypted data today, only to decrypt it tomorrow, when quantum technologies allow it. It's the "harvest now, decrypt later" logic that requires protections to be implemented in advance. Space also enters the perimeter of cyber securityWith satellite networks increasingly central to critical services, protection can no longer be limited to a single satellite or mission. It becomes a matter of governance, resilience, and accountability among the players operating in a segment that has become crucial for the economy and security.
“The growth of cyber threats confirms that Digital security can no longer be considered an exclusively specialist or merely defensive issueTelecommunications networks, data, cloud infrastructure, and communication systems are essential strategic assets for the country's operational continuity and the competitiveness of the economic system. Therefore, the response cannot be limited to emergency management: it is necessary to invest in digital sovereignty, skills development, and secure technologies, while strengthening collaboration between institutions, industry, and the research community. From this perspective, the Cybersecurity represents a real lever for growth and innovationIt helps build trust, protect national strategic assets and make digital transformation more resilient, sustainable and competitive in the long term,” he said. Alexandra Michelini, managing director of Telsy.
“Digital security is no longer a technical issue: it is a democratic questionCyber attacks are now tools of geopolitical pressure, levers of economic destabilization, and vectors of interference in democratic processes. Ignoring this dimension means leaving citizens, businesses, and institutions without the tools to understand what is happening. The Report arises precisely from this responsibility: to make it possible to understand a threat that is constantly changing in form and intensity, transforming knowledge into a first, concrete form of collective defense. As the Cyber Security Foundation, we believe that cybersecurity must become a widespread culture, capable of speaking to institutions, businesses, and citizens. Because a more digitally aware country is, first and foremost, a safer country," he emphasized. Marco Gabriele Proietti, founder and president Cyber Security Foundation.
"When a hospital is unable to provide care after a cyber attack, when a municipality is paralyzed by a ransomware attack, we are not talking about something abstract: we are talking about families, workers, communities affected at the heart of their fundamental rights. The data in this Report are not statistics: they are the concrete measure of a threat that has assumed full parliamentary and national significance. As an Intergroup, we believe that addressing it requires a clear political vision and structural collaboration between the public and private sectorsInstitutions alone are not enough, just as businesses or the technical community acting in a scattered manner are not enough. We need a national system capable of jointly protecting citizens, strategic infrastructure, and the competitiveness of our businesses. This is why it is essential to invest in a culture of cybersecurity that is preventative and widespread, from public administration to SMEs, from schools to essential services. Digital security is a condition of freedom and a democratic priority: Parliament has the responsibility to translate it into clear rules, adequate resources, and concrete protections for all," he declared. Alessandro Colucci, president ofParliamentary Intergroup for Information and Technological Security.
The challenge is not only digital, but also human. We need increasingly widespread awareness of the cyber world, because the ability to protect networks, data, and infrastructure also depends on the behavior, skills, and responsibility of those who use digital tools and services every day.
