The European Union’s leading cybersecurity agency predicts that ‘Supply Chain Compromise of Software Dependencies’ will be the most prominent cyber threat in 2030
Software supply chain attacks are the most concerning threat EU organizations could face in 2030, according to the European Union Agency for Cybersecurity’s (ENISA’s) 2024 update of its Foresight 2030 Threats.
For the second year in a row, ‘Supply Chain Compromise of Software Dependencies’ was the highest-ranking threat in the European cybersecurity agency’s predictive report, published in March 2024.
This is despite a decline in the threat's overall impact and likelihood score compared with past years' results.
“More integrated components and services from third-party suppliers and partners could lead to novel and unforeseen vulnerabilities with compromises on the supplier and customer side,” ENISA wrote in the updated report.
The agency estimates that this threat could come from both nation-state and cybercriminal groups, which are likely to conduct sabotage, theft, and network reconnaissance campaigns as well as inject malicious code into commodity software.
This threat's potential impact ranges from data leakage and loss to malfunction and disruption.
Human Error, Legacy Systems Still Top Threats
The top three also remain untouched compared to 2024’s ranking, with ‘Skill shortage’ as the second most prominent threat and ‘Human Error and Exploited Legacy Systems Within Cyber-Physical Ecosystems’ as third.
However, a new threat, ‘Exploitation of Unpatched and Out-of-date Systems within the Overwhelmed Cross-sector Tech Ecosystem,’ has been added to the top five.
Top ten ENISA cyber threats for 2030:
- Supply Chain Compromise of Software Dependencies
- Skill Shortage
- Human Error and Exploited Legacy Systems Within Cyber-Physical Ecosystems
- Exploitation of Unpatched and Out-of-date Systems within the Overwhelmed Cross-sector Tech Ecosystem (New)
- Rise of Digital Surveillance Authoritarianism / Loss of Privacy
- Cross-border ICT Service Providers as a Single Point of Failure
- Advanced Disinformation / Influence Operations (IO) Campaigns
- Rise of Advanced Hybrid Threats
- Abuse of AI
- Physical Impact of Natural/Environmental Disruptions on Critical Digital Infrastructure (New)
AI and Deepfake-Related Threats Looming
Other cyber threats cited in ENISA's report that do not make the top ten include ‘Manipulation of Systems Necessary for Emergency Response,’ ‘Tampering with Deepfake Verification Software Supply Chain’ and ‘AI Disrupting/Enhancing Cyber-Attacks.’
The first edition of ENISA’s Foresight 2030 Threats report was published in 2023.
The agency uses this report to increase awareness of future threats and countermeasures amongst its member states and EU institutions, bodies, and agencies (EUIBAs) stakeholders, in line with the institution’s sixth strategic objective, ‘Foresight on Emerging and Future Cybersecurity Challenges.’
The ranking is the result of ENISA’s research, which follows an in-house cybersecurity foresight methodological framework grounded in foresight research and future studies.
This framework was developed in 2021 in collaboration with the Ad-Hoc Working Group, which includes futurists, sociologists, forecasters, and foresight experts.
Source: ENISA