ENISA Cybersecurity Threat Landscape Methodology

The European Union Agency for Cybersecurity (ENISA) updated its Cybersecurity Threat Landscape (CTL) Methodology in 2025 to provide a structured, transparent, and intelligence-driven framework for analysing cyber threats across Europe. Building on over a decade of CTL reporting, the new methodology refines ENISA’s approach to collecting, processing, analysing, and disseminating cyber threat intelligence to support EU policymakers, security strategists, and practitioners.
The methodology standardises CTL development across ENISA’s annual, sectoral, and thematic reports by defining a full intelligence lifecycle, from direction setting and data collection to analysis, production, and feedback. It integrates open-source intelligence (OSINT), trusted institutional and private-sector inputs, and EU-specific frameworks such as MITRE ATT&CK®, STIX 2.1, and the European Vulnerability Database (EUVD) to ensure accuracy and consistency. Key principles include accuracy, timeliness, and actionability, ensuring the CTL supports both strategic decision-making and operational cybersecurity responses.
ENISA’s process emphasises multi-level analysis strategic, tactical, and operational aspects, tailored to different audiences, with validated data sources, confidence scoring, and structured analytical techniques to remove bias. The reports deliver actionable insights and mitigation recommendations while promoting information sharing and capacity building across Member States. Future developments will focus on automating data processing, expanding machine-readable formats, and strengthening collaboration to make CTL outputs more dynamic, interoperable, and usable by Europe’s cybersecurity ecosystem.