Written by Elmec Updates Team
What were the main attack techniques in 2025? How is the international cybercrime landscape evolving? What priorities should companies adopt to protect data, infrastructures, and users’ digital identities? Read the Data Gathering report to discover trends, real threats, and what to expect in the upcoming digital year.
We would like to say that the growth trend of cyber-attacks stopped in 2025, but it didn’t. On one hand, threats increased in volume, sophistication, and impact; on the other, the enforcement of NIS2 has made it even more urgent for companies to establish solid defense processes based on continuous monitoring, event correlation, and incident response procedures.
The new edition of the Data Gathering report collects and analyzes thousands of real data points gathered during our security team’s detection and response activities, offering a privileged observatory and an accurate snapshot of the state of cyber security in our country.
Here is a preview of the most relevant findings.
Key figures (in brief)
- +48% malicious activity in 2025
- +7,000 ransomware attacks
- +3,600 phishing campaigns recorded in Italy
- +425 million breached accounts worldwide
- +48,000 new CVEs published in 2025
- NIS2 fully in force
Cyber security 2025: attacks keep rising
2025 confirms an already well-established trend: cyber-attacks continue to grow in volume, complexity, and impact. The number of events handled by our SOC has increased, both due to the expansion of our client base and a cybercrime ecosystem that is more active and insidious than ever. Clusit data reflects the same trend, showing a 48% rise in malicious activity.
Data is the primary target of cyber criminals, driven mainly by economic reasons:
- financial fraud
- ransom demands
- selling information on the dark web
- espionage
The most exploited attack techniques are ransomware, social engineering, and compromised accounts.
Ransomware and the double-extortion model
Ransomware remains one of the most effective attack techniques worldwide, with more than 7,000 claimed incidents, 1,173 of which were confirmed by victim organizations. In our dataset, 27% of incidents with significant impact were caused by ransomware.
Beyond attacks attributed to major international ransomware groups such as Qilin and Akira, this technique is widely used due to the spread of Ransomware‑as‑a‑Service platforms, which allow actors with limited technical skills to access complex attack tools.
A major development has been the rise of the double‑extortion model: ransomware groups no longer simply encrypt data; they also demand a second ransom to prevent stolen data from being published on the dark web. The threat of data exposure makes the attack effective even when the targeted company has working backups.
Social engineering and compromised accounts: credential theft remains a weak link
Phishing and social engineering are still among cyber criminals’ favorite techniques.
CERT‑AGID recorded more than 3,600 malicious campaigns in Italy in 2025. The use of generative AI has made these campaigns even more deceptive, reaching a 54% click‑through rate, compared to 12% for manually written texts.
Credential theft is one of the main goals of phishing campaigns. This leads to the topic of digital identity, an area of increasing focus for EU regulations. Worldwide, there are more than 425 million breached accounts. These accounts can be used for further attacks such as sending malicious emails from legitimate addresses, data exfiltration, malware distribution and espionage.
Employee training can help mitigate this threat, but alone it is not enough. It is not possible to eliminate human‑related risk, which is why corporate cyber security strategies must include systems to protect digital identity and remediation processes to promptly detect and isolate potential breaches.
CVEs and vulnerabilities: 130 new threats every day
Another critical issue for companies is the exploitation of vulnerabilities.
According to CISA in 2025:
- Over 48,000 new CVEs were registered
- 8% were classified as critical
- 28% of vulnerabilities were exploited within the first 24 hours of publication
Managing 130 new vulnerabilities a day is unthinkable for companies. This makes it necessary to transform patching processes by adopting models that prioritize updates based on a combination of CVE score, exploitability level, real environment exposure, and the company's specific infrastructure context.
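One way to combine the four factors named above into a patch queue, as an added example that is not taken from the report. The field names, weights, SLA thresholds and the `VULN-*` identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed multipliers for environment exposure and asset context; tune locally.
EXPOSURE = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
CRITICALITY = {"high": 1.0, "medium": 0.7, "low": 0.4}

@dataclass(frozen=True)
class Finding:
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # CVSS base score, 0.0-10.0
    exploit_prob: float    # estimated exploitation likelihood, 0.0-1.0
    known_exploited: bool  # exploitation already observed in the wild
    exposure: str          # key of EXPOSURE
    criticality: str       # key of CRITICALITY

def risk_score(f: Finding) -> float:
    """Combine severity, exploitability, exposure and asset context (0-100)."""
    if not 0.0 <= f.cvss <= 10.0 or not 0.0 <= f.exploit_prob <= 1.0:
        raise ValueError(f"{f.vuln_id}: input out of range")
    # Observed exploitation overrides any probability estimate.
    exploitability = 1.0 if f.known_exploited else f.exploit_prob
    # Assumed 40/60 split so an exploited "high" outranks an idle "critical".
    threat = 0.4 * (f.cvss / 10.0) + 0.6 * exploitability
    return round(100 * threat * EXPOSURE[f.exposure] * CRITICALITY[f.criticality], 1)

def sla_days(score: float) -> int:
    """Map a risk score to an assumed patching deadline in days."""
    for floor, days in ((70, 2), (40, 14), (15, 30)):
        if score >= floor:
            return days
    return 90

def prioritize(findings):
    """Return (vuln_id, score, sla_days) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, risk_score(f), sla_days(risk_score(f))) for f in ranked]

# Constructed sample backlog.
BACKLOG = [
    Finding("VULN-A", 9.8, 0.02, False, "isolated", "low"),
    Finding("VULN-B", 7.5, 0.10, True, "internet", "high"),
    Finding("VULN-C", 8.8, 0.60, False, "internal", "medium"),
    Finding("VULN-D", 5.3, 0.01, False, "internet", "medium"),
]

if __name__ == "__main__":
    for row in prioritize(BACKLOG):
        print(row)
```

In this sample the 9.8-rated finding on an isolated, low-value host lands last, while the 7.5-rated finding that is already exploited on an internet-facing critical asset lands first.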
Cyber security 2026: forecast
The forecast for 2026 is not optimistic. The defensive perimeter is getting wider and more complicated due to complex infrastructure and sophisticated attacks. Experts have to monitor new issues, including:
- the evolution of AI used to write malware, automate exploits, and create increasingly convincing phishing messages and deepfakes
- supply chain risk management: third parties are becoming a preferred entry point for cyber criminals targeting larger companies
- expansion of the digital perimeter due to increasingly complex hybrid‑cloud infrastructures and vulnerabilities linked to IoT and OT systems
2026 is also the year NIS2 comes fully into force, imposing stricter obligations on organizations regarding security requirements, responsibilities, and notifications. By the end of the year, this will translate into audits and inspections by ACN.
Companies have to strengthen governance, monitoring, and internal procedures, while also enhancing collaboration with authorities and security providers to fight cybercrime.
Read the full Data Gathering
The report is much more than a technical document: it is a strategic tool based on real data, comparative analyses, and operational insights that provide a detailed snapshot of the cyber security landscape, emerging risks, and the priorities needed to protect organizations.