In 2024, cybersecurity saw several significant developments—from new regulations such as the Cyber Resilience Act to the global CrowdStrike incident during the summer. Now that we have entered 2025, the obvious question is: What’s next?
Of course, nobody can answer that question with certainty. Nevertheless, our Practice Heads have taken a look into the crystal ball to share their perspectives on what may shape the cybersecurity landscape in 2025.
Today we’re speaking with Michael Brunner, Head of Security Engineering.
Although 2024 is behind us, let’s start with a quick look back. From your perspective, what were the biggest cybersecurity challenges for organizations?
Michael Brunner: Looking back, I believe one of the biggest challenges was the considerable uncertainty surrounding new EU regulations and how they would ultimately be implemented. In particular, the deadlines introduced by the NIS2 Directive—combined with the delayed transposition into national legislation, such as Austria’s still-pending NISG 2024—have unfortunately undermined confidence, especially among small and medium-sized businesses.
As a result, I see a real risk that necessary and worthwhile cybersecurity improvements will once again be postponed. Increasingly difficult economic conditions certainly aren’t helping either.
At the same time, organizations are facing an ever more dynamic threat landscape, increasingly sophisticated attack techniques, and growing operational risks caused by our rising dependence on IT systems and a relatively small number of technology providers.
We are now at the beginning of 2025. Which cyber threats do you expect to be particularly relevant this year?
Michael Brunner: I believe one of the most significant risks will continue to be software supply chain security.
We were actually quite fortunate in 2024 that the XZ Utils backdoor (CVE-2024-3094) was discovered before it could cause widespread damage. What makes that incident particularly remarkable is how malicious actors systematically infiltrated an open-source project over an extended period before attempting to introduce malicious code.
I don’t want this to be interpreted as an argument against open-source software. Quite the opposite.
Rather, I believe software vendors must place much greater emphasis on understanding and securing the third-party components integrated into their own products—regardless of whether those components are open source or proprietary.
How do you expect the regulatory landscape for cybersecurity to evolve during 2025?
Michael Brunner: I expect awareness of the European Cyber Resilience Act (CRA) to increase significantly among manufacturers of connected digital products throughout 2025.
The CRA is already in force and requires organizations to implement the first security measures by September 2026, with full compliance expected by the end of 2027.
The regulation introduces mandatory cybersecurity requirements for virtually all connected hardware and software products—from Bluetooth-enabled toys and desktop or mobile applications to smart household appliances. Even manufacturers of security solutions themselves fall within its scope—which hopefully means we won’t see another incident like the CrowdStrike outage.
Personally, I consider the CRA’s reporting obligations to be one of its most important contributions to improving cybersecurity across Europe.
From September 2026 onwards, manufacturers will be required to notify both their national market surveillance authorities and ENISA of actively exploited vulnerabilities affecting their products—within 24 hours.
To meet these obligations, organizations should begin developing the necessary expertise and capabilities today. Ideally, they should establish the technical, organizational and staffing foundations for a dedicated Product Security Incident Response Team (PSIRT).
What role will Artificial Intelligence play in cybersecurity during 2025—both as a defensive tool and as a threat?
Michael Brunner: AI—and particularly Generative AI—will continue to play an increasingly important role in cybersecurity.
Attackers will continue using these technologies, and we should expect cybercriminal groups to become significantly more sophisticated in how they leverage AI to improve their operations.
At the same time, defenders will continue strengthening their own AI capabilities. I expect this to develop into a prolonged technological arms race between attackers and defenders.
From a defensive perspective, I see modernized Security Awareness programs as one of the most important measures. Equally important will be the continuous evolution of technical security controls through AI-assisted capabilities—not only for prevention, but increasingly for detection and incident response as well.
Looking back over the past few years, which developments in cybersecurity have surprised you the most, and what do you expect for 2025?
Michael Brunner: To be honest, very little has truly surprised me.
One thing that did stand out is the European Union’s consistent commitment to its cybersecurity strategy. Ten years ago, I wasn’t entirely convinced that this long-term approach would actually be pursued with such determination.
Another ongoing issue is the quality—and security—of software products. I often get the impression that, both in our private and professional lives, we’ve almost resigned ourselves to dealing with insecure and unstable software.
That has to change.
It sometimes feels as though the entire world grinds to a halt because of a preventable software defect—and then, almost immediately, everything returns to business as usual, with little real effort to improve the overall situation in a sustainable way. This is one of the reasons why I have high hopes for the Cyber Resilience Act (CRA).
Beyond that, there have certainly been plenty of surprises, though not necessarily within cybersecurity itself. The rapid rise of AI tools caught me somewhat off guard. Naturally, this has had implications across many industries. That said, once these tools became available, their adoption within cybersecurity itself didn’t surprise me very much.
What advice would you give organizations to help them prepare for 2025?
Michael Brunner: Make it your New Year’s resolution to systematically identify your organization’s cyber risks, understand them in the context of your own business, and work consistently to reduce them.
There is no such thing as 100% cybersecurity.
However, organizations can proactively manage their information security risks before those risks materialize during a cyberattack and cause serious damage.
From the perspective of Security Engineering, what do you hope to see in 2025?
Michael Brunner: Above all, I’d like to see greater awareness of secure software development.
Far too often I meet highly capable software developers who are also severely overloaded. They generally know exactly what is required to build secure software—but they simply aren’t given the necessary time or resources.
This often creates a vicious cycle: insecure software is released, avoidable vulnerabilities are only discovered much later—often after deployment into production—and developers are forced to interrupt their current projects to fix problems that could have been prevented in the first place.
The resulting overhead creates enormous frustration for everyone involved.
Given how heavily our society depends on reliable and secure software, I hope we’ll see a much greater appreciation for the effort required to develop secure software products.
And just as importantly, I hope organizations will listen more closely to software developers when they advocate for the conditions necessary to build secure software from the outset.
