What do financial institutions in CEE, DACH, Nordic, and US markets need to know about cybersecurity in 2025? Finding appropriate responses to evolving threats in various markets
Cyber threats continue to compromise the security of technology systems, affect operations and pose significant risks to financial stability in the EU and globally.
With new regulations on the horizon and the technological revolution at its peak, financial institutions need to improve their cybersecurity initiatives.
In the 2020 Systemic Cyber Risk Report by the European Systemic Risk Board (ESRB), the analysis revealed that a cyber incident could escalate into a systemic cyber crisis that threatens financial stability.
In its 2024 follow-up, the ESRB indicates that the risks to financial stability from cyber incidents, identified as key risks in 2020, have significantly increased in recent years.
According to a recent report by the European Union Agency for Cybersecurity (ENISA), the number of incidents reported in 2023 was 80% higher than in 2022.
Figure 1. Number of reported incidents per year (27 EU Member States and 3 EEA countries). Source: ENISA
Cyber threats affect all industries and sectors. According to the ENISA Threat Landscape 2024 report, covering the period from July 2023 to June 2024, the largest shares of observed events targeted organisations in public administration (19%), transport (11%), and finance (9%).
At the top of the list of identified threats in this report is DDoS (Distributed Denial of Service), which targets a wide range of sectors. The most affected sectors, besides banking (12% of DDoS events), include public administration (33%), transport (21%), and digital infrastructure (6%).
All this information sets the focus on the state of cybersecurity, threats, and vulnerabilities and the need for effective and layered controls to mitigate the related risks.
ENISA’s NIS Investments 2024 report provides insights into the readiness of organisations to comply with the new requirements and face the challenges they bring along.
According to the report's key findings, organisations allocated 9% of their IT investments to information security in 2023, up 1.9 percentage points from 2022.
Figure 2. Information security spending metrics by region. Source: ENISA
Financial institutions must stay ahead of the curve to avoid severe financial and reputational damage. Cybercriminals are relentless, exploiting every vulnerability in systems, processes, and human behavior. Every financial entity must begin preparing now.
Markets in CEE, DACH, the Nordic region, and the US each face unique cyber risks. Attacks vary in complexity and scale, and regulators are demanding stronger data security. Customers expect secure and stable services.
The year 2025 will not favour those who hesitate. Falling behind now could result in even greater losses next year. Financial institutions must prepare their teams, technology, and compliance strategies.
Below are some heads-ups to help you do that.
CEE: Managing complex compliance frameworks
Central and Eastern Europe (CEE) financial institutions face a challenging landscape. They must comply with multiple frameworks at once, including NIS2, GDPR, and PSD2, and DORA, which applies from January 2025, adds further complexity. Regulators in CEE push for stricter controls and standardisation. The key focus is threefold:
- securing transactions;
- protecting personal data;
- preventing breaches.
From legacy systems to emerging digitalisation, CEE-based organisations face a challenging cybersecurity landscape. Outdated systems are prime targets for cybercriminals, as attackers exploit weak links in old code and insufficient controls.
To mitigate these risks and ensure continuous improvement, organisations should keep software and hardware patched, conduct regular vulnerability assessments, invest in penetration testing, and align their security management with ISO 27001.
Key steps for managing complex CEE compliance frameworks:
- Conduct penetration testing every quarter. Track evolving threats.
- Implement GDPR-compliant data handling. Protect client personal data and build customer trust.
- Update legacy systems. Reduce easy attack vectors.
Penetration testing simulates real attacks to identify and expose vulnerabilities before attackers can exploit them. Financial institutions should test at least annually, and on the quarterly cadence noted above for their most exposed systems, to ensure readiness for the new regulations.
CEE firms must treat compliance as a continuous effort. This means closing gaps before enforcement deadlines, investing in skilled professionals, and getting top-notch tools.
Failing to adapt means losing ground in a competitive landscape.
DACH: Balancing between local and EU cybersecurity demands
The DACH region, which includes Germany, Austria, and Switzerland, follows the same trend of rising cyberattacks.
According to the State of IT Security in Germany 2024 report by Germany's Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), the IT security situation in the country was and remains a cause for concern. The threat landscape continues to evolve rapidly: the digital attack surface is expanding, vulnerabilities provide serious opportunities for intrusion, and attackers are finding faster and more sophisticated ways to exploit them.
The report also notes an increase in DDoS attacks during the first half of 2024, with the peak occurring in April.
Figure 3. Known DDoS attacks in Germany (measurement number). Source: BSI
The DACH region imposes some of the strictest cybersecurity requirements for financial organisations.
DORA and NIS2 add new rules aligned with EU-wide standards. Meanwhile, local frameworks such as KRITIS in Germany demand extra measures from critical infrastructure operators. DACH institutions also support their compliance with GDPR, local privacy laws, ISO 27001, the CIS Controls, and PCI DSS if they handle payment card data.
DACH regulators expect high-quality internal controls and regular audits. They want to see:
- strong incident response plans;
- secure software development life cycles.
No financial institution can afford to ignore software vulnerabilities. Attackers often choose API endpoints, mobile apps, and third-party integrations as entry points.
Financial institutions can adopt red teaming as a proactive response. Red teaming offers real-world testing, in which skilled professionals attempt to bypass defences, assess staff readiness, and evaluate recovery procedures.
SOC 2 Type II reports help demonstrate continuous adherence to security principles over a period of time, not just at a single point. By 2025, stricter penalties for non-compliance can be expected.
DACH financial institutions juggle multiple frameworks. Hiring skilled engineers and compliance experts is a crucial part of the process. Securing systems now prevents bigger headaches later.
Nordics: High standards and integrated frameworks
Nordic markets are known for setting an extremely high bar for cybersecurity.
The cyber threat landscape in the Nordic financial sector is a complex ecosystem in which threat actors collaborate and operate in each other's domains. According to the 2024 Cyber Threat Landscape report by Nordic Financial CERT (NFCERT), the financial sector accounted for approximately 17% of all DDoS attacks observed by NFCERT in 2023, yet most of these attacks went largely unnoticed because they failed to cause prolonged downtime for websites in the Nordic financial sector.
Figure 4. Hacktivists in numbers. Source: Nordic Financial CERT
On the other hand, during the second half of 2024 Nordic banks, including Nordea Bank, suffered a series of sophisticated DDoS attacks.
The region's financial institutions generally operate within EU frameworks, including GDPR and the EU Cybersecurity Act. Nordic institutions also draw on the NIST Cybersecurity Framework (CSF) 2.0 and SOC 2 approaches. The region values integrated solutions, which means banks and insurers look for frameworks that work together.
Nordic regulators emphasise aspects like:
- privacy by design;
- compliance with the ePrivacy Directive;
- continuous testing.
Lax security policies lead to data leaks and lost trust.
Several methods stand out as responses to the emerging Nordic cyber threats. First, penetration testing provides a critical line of defence by identifying server misconfigurations, insecure code, and weak authentication.
Second, Zero Trust Architecture adds a further layer of security by requiring strict verification of every user and device on every access request, regardless of network location. Third, Nordic firms combine SOC 2 reports with ISO 27001 certification to demonstrate to third parties that they are committed to security.
US: Facing changing SEC priorities
Given the continued increase in cyber threats to the financial sector and shifting regulatory priorities, US financial institutions face a difficult task in planning their cyber risk management.
New rules from the Securities and Exchange Commission (SEC) (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) add to the list of regulatory requirements.
Additionally, the EU-U.S. Data Privacy Framework, finalised in July 2023, outlines safe and trusted cross-border data transfers between the EU and the US.
Ransomware and distributed denial of service (DDoS) attacks continue to be the top cyber threats facing the financial sector. According to the Cybersecurity and Financial System Resilience Report 2024 by the Office of the Comptroller of the Currency (OCC) and the 2024 Report on the Cybersecurity Posture of the United States, emerging threats include supply chain exploitation, artificial intelligence (AI) vulnerabilities, and account takeover.
Threat intelligence and incident response testing are critical. Institutions must understand emerging tactics and develop strategies to mitigate them. SOC 2 Type II reports demonstrate that security controls operate consistently over time, while Zero Trust Architecture helps reduce insider threats and block unauthorised access. US regulators do not hesitate to impose hefty fines for negligence.
Many US financial institutions adopt the CIS Critical Security Controls as a baseline of security best practices to reduce their attack surface. They also invest in business continuity strategies sized to the type and amount of disruption the entity is prepared to accept, often with the support of ISO 22301 (security and resilience: business continuity management systems), to ensure quick recovery from disruptions.
How can Qinshift/Avenga help?
Qinshift/Avenga supports financial institutions in CEE, DACH, Nordic, and US markets. The company brings in-depth knowledge of local and international compliance frameworks.
Services offered:
- ISO 27001 & ISO 27002 (2013 and 2022) Compliance
- SOC 2 Compliance and Reporting
- Threat and Risk Security Assessments
- Business Continuity Management (ISO 22301)
- IT Service Management Audits (ISO 20000)
- GDPR Implementation and Risk Assessment
- PCI DSS Compliance and Internal Audit
- Privacy and Data Protection (GDPR, CCPA)
- DORA and NIS2 Implementation
- KRITIS Compliance
- CIS Critical Security Controls Compliance
- NIST CSF 2.0 Compliance
- Provision of Information Security Officer (ISO 27001), Data Protection Officer (GDPR), and System Security Officer (PCI DSS) as-a-Service
- Cybersecurity Consultancy Services
- Security and Privacy Risk Assessment Services
Qinshift/Avenga helps institutions prepare for upcoming challenges to stay compliant, secure, and ready for 2025 and beyond.
Conclusion
CEE, DACH, Nordic, and US financial institutions face a tough 2025.
- Each region imposes new rules and complex frameworks.
- Attackers deploy advanced techniques.
- Regulators set hard deadlines and severe penalties.
Firms must not wait. They must invest in penetration testing, adopt zero trust, and ensure compliance with key standards. They must train staff and secure their supply chains.
Acting now means safer operations and better trust.
Does your organisation operate in one of the above mentioned regions?
We invite you to connect.
Explore how we can help strengthen your cybersecurity strategy for 2025 and beyond. Contact our experts and let’s chat.
Sponsored by Avenga