In 2024, cybersecurity saw several significant developments—from new regulations such as the Cyber Resilience Act to the global CrowdStrike incident during the summer. Now that we have entered 2025, the obvious question is: What’s next?
Of course, nobody can answer that question with certainty. Nevertheless, our Practice Heads have taken a look into the crystal ball to share their perspectives on what may shape the cybersecurity landscape in 2025.
Today we’re speaking with Christoph Zajic, Head of Process Consulting.
Although 2024 is behind us, let’s start with a quick look back. From your perspective, what were the biggest cybersecurity challenges for organizations?
Christoph Zajic: One of the biggest challenges was undoubtedly preparing for the growing number of regulatory requirements, including NIS2, DORA and the Cyber Resilience Act (CRA).
At the same time, the delay in adopting Austria’s new NIS Act (NISG 2024) proved counterproductive. It made it much more difficult for those responsible for cybersecurity and NIS2 implementation projects to maintain momentum and internal commitment throughout their initiatives. As a result, keeping projects on track—and ultimately achieving the required level of security—became considerably more challenging.
We are now at the beginning of 2025. Which cyber threats do you expect to be particularly relevant this year?
Christoph Zajic: I believe three closely connected threats will dominate the cybersecurity landscape this year.
Supply chain attacks: Organizations must hold third-party service providers accountable. They need contractual assurances that minimum security standards are implemented—and, equally important, they need evidence that these requirements are actually being met.
Deepfakes: During my security awareness trainings, I regularly demonstrate how dramatically the quality of deepfakes has improved over the past twelve months. This technological leap will inevitably be followed by increasingly sophisticated attack scenarios.
Deep learning systems: These present both technical and societal risks. AI-driven malware, highly convincing phishing emails, fake news and social media manipulation will make fraud increasingly difficult to detect.
How do you expect the regulatory landscape for cybersecurity to evolve during 2025?
Christoph Zajic: The year begins with DORA, which has already required significant effort from affected organizations throughout the past twelve months.
Later this year, Austria’s NISG 2024 is expected to follow, with many implementation projects regaining momentum during the first quarter of 2025.
Although these regulations differ in scope, they share several fundamental objectives. Both require organizations to establish effective ICT risk management, assess third-party risks, and implement structured processes for detecting, handling and monitoring ICT-related incidents.
What role will Artificial Intelligence play in cybersecurity during 2025—both as a defensive tool and as a threat?
Christoph Zajic: Please refer to my earlier answer regarding the cyber threats I expect to become particularly relevant in 2025.
Looking back over the past few years, which developments in cybersecurity have surprised you the most, and what do you expect for 2025?
Christoph Zajic: What has surprised me most is the extraordinary pace at which AI and machine learning have evolved—both as offensive tools for attackers and as defensive capabilities for security teams. And I believe we’re still only at the beginning of this development.
I was also surprised by how quickly the CrowdStrike incident faded from public attention. A faulty software update caused global disruption across aviation, rail transportation, healthcare and access to Microsoft services.
The irony is striking: a security solution itself brought organizations around the world to a standstill, exposing just how dependent we have become on a relatively small number of critical technology providers.
What advice would you give organizations to help them prepare for 2025?
Christoph Zajic: Regardless of whether an organization falls within the scope of NIS2, I would recommend implementing the security measures outlined in Annex 3 of the Austrian parliamentary draft of the NIS Act.
From my perspective, addressing these areas is simply part of good corporate governance. Cybersecurity is ultimately a management responsibility, and executive leadership must actively assume ownership of it.
From the perspective of Process Consulting, what do you hope to see in 2025?
Christoph Zajic: The topics we’ve discussed represent a broad and exciting field of work.
One of the greatest challenges will undoubtedly be recruiting cybersecurity talent.
For 2025, I hope we continue expanding our Process Consulting team with interesting personalities and talented professionals—regardless of whether they’re just starting their careers or bring decades of experience.
