Navigating Cyber Risks in EMEA: Key Insights for 2025


This insight is part 03 of 12 in this Collection.

April 14, 2025 15 mins


Organizations in EMEA face unprecedented challenges as cyber threats become more sophisticated. In the face of emerging AI, evolving regulations and geopolitical tensions, businesses should strengthen their resilience to better navigate the complexities of the digital age.

Key Takeaways
  1. The growing use of AI is a key force underpinning cyber security threats in EMEA. Advancements in AI outside of EMEA also support the need to develop critical infrastructure in the region.
  2. Evolving cyber and AI regulations have pressured organizations to adapt to new disclosure rules, ensuring compliance and protection against potential fines and reputational damage.
  3. Geopolitical tensions are at an all-time high, increasing cyber risks and impacting data privacy in the European Union.

The cyber threat environment in Europe, the Middle East and Africa (EMEA) has been defined by a shifting geopolitical landscape, impactful cyber events and acknowledgements by officials of increasing risks.

On July 19, 2024, a security update issued by CrowdStrike caused an IT outage, disrupting global business operations. While initial fears of a major cyber attack were unfounded, the event’s impact was significant, demonstrating potential vulnerabilities in organizations’ operational and cyber resilience, including many public and private organizations in EMEA. Richard Horne, the head of the National Cyber Security Centre in the United Kingdom, describes the cyber risks facing the nation as “widely underestimated,” warning that Britain and its allies are competing in a high-stakes contest for cyber space. “There is a clearly widening gap between the exposure and threat we face, and the defenses that are in place to protect us,” he notes.1

The number of cyber events that have occurred in the European Union (EU) over the past year has jumped significantly. This is in part due to the increase in geopolitical tensions that the EU is currently facing.2 Nation-state actors continue to use proxy groups for plausible deniability, while cyber warfare tactics, which can be a means of pressuring governments that have publicly voiced criticism, contribute to the evolving cyber threat. The Russia-Ukraine war brings additional risk factors. Cyber threats stemming from the conflict potentially include espionage activities or business continuity issues from attacks on critical infrastructure and utilities.

Artificial intelligence (AI) plays a significant role in these evolving threats and the risks that organizations must prepare to navigate. AI-driven cyber threats, such as phishing, malware and social engineering, have become more prevalent and sophisticated, while governments grapple with AI infrastructure and regulations concerning the implementation and use of the technology.

In this environment, businesses with a footprint in EMEA should pay close attention to three key AI-related trends that are amplifying cyber risks.

43%

In Q4 2024, there was a 43 percent increase in global ransomware and cyber extortion victims from the previous quarter.

Source: IBM

1. Regional Self-Sufficiency in AI

The focus on digital sovereignty globally has meant that countries in EMEA are increasingly looking to develop their own cloud infrastructure and security measures to reduce dependency on foreign AI technologies, including DeepSeek and ChatGPT.

The EMEA region is impacted by the foreign focus on AI infrastructure due to multiple factors, including:

  1. Data Privacy and Espionage Concerns: The DeepSeek chatbot has now been blocked by the Italian Data Privacy Authority after the Chinese startup failed to address the regulator's concerns over its privacy policy.3
  2. Divergences from EU Regulations: The China Personal Information Protection Law has certain obligations that differ from the General Data Protection Regulation (GDPR) and defines key components such as personal information rights and response timelines with less precise language.4
  3. Cost of AI Systems and Stock Disruption: China's DeepSeek AI model has upended assumptions about the cost of building powerful large language models (LLMs), opening the door to innovation. S&P Global Ratings predicts this will enable Chinese internet firms to rapidly integrate powerful, cheap AI models — a boon for the many Chinese firms without access to leading-edge chips — increasing their influence on this industry.5

“Geopolitical tensions can lead to protectionist-style policies around data, data residency and the transfer of data,” explains Chris Scott, executive director for Aon’s Cyber Solutions in Europe, the Middle East and Africa. “There is now more volatility in who can do business with what sort of quasi-governmental institution. Industries in EMEA that might contract with governmental bodies are going to see this geopolitical tension increase uncertainty.”

Countries in EMEA are now prioritizing self-sufficiency in AI and cloud infrastructure to counter foreign influence and enhance national security. In early 2025, more than 60 major European companies committed to a project designed to boost Europe’s competitiveness in the age of AI. InvestAI, an initiative to mobilize €200 billion for investment in AI, also includes a new European fund of €20 billion for AI gigafactories and aims to create critical AI infrastructure.6 French President Emmanuel Macron also revealed that investors will inject €109 billion into AI projects in France, describing the investment as the equivalent of what the U.S. has announced with “Stargate,” referring to OpenAI's $500 billion plan.

2. Operational Challenges in the Implementation of AI

AI adoption and its potential for abuse are leading to trust erosion and vulnerability exploitation. The lowering barrier to accessing AI tools is increasing the risks associated with data breaches and privacy violations.

Threat actors are using tools such as FraudGPT and LLMs to co-author scam emails and generate malicious PowerShell scripts.7 AI is also thought to be behind a significant decrease in the time it takes to exploit vulnerabilities. Threat actors have been observed integrating LLMs into legitimate testing tools for guidance and traffic analysis, increasing exploitation speed.

Bad actors are now able to use AI to write phishing emails that are harder to detect, capitalizing on the human weak point, as well as execute more complex phishing scams. Early in 2024, an employee at an engineering firm in the UK made a transfer of $25 million following a video call with senior management. However, the employee hadn’t been talking to his managers, but to deepfakes created by AI.8

140+

France experienced more than 140 cyber attacks during the Olympic games in July 2024.

Source: Agence Nationale de la Sécurité des Systèmes d’Information

While the threats are similar, losses are climbing as bad actors use AI to automate scams and generate better-crafted emails. If a ransomware gang needed 15 people to execute a targeted attack on a company, now they need just one person because they can automate some of these processes.

Amine Menaa
Cyber Consulting Head Nordics, Cyber Engagement Leader, Europe, the Middle East and Africa

A key security concern is open-source models in AI systems that allow for community assessments of vulnerabilities. However, it can be dangerous to copy and paste the code and deploy it locally without a diligent review of how it could influence an organization’s security posture and its interaction with other services and network paths.

Researchers tested DeepSeek’s chatbot using 50 common jailbreaking techniques, such as prompts to trick a model into overcoming its guardrails and outputting potentially harmful content. It failed every test. This means that companies implementing DeepSeek in their systems may be incorporating security vulnerabilities. At the same time, bad actors can use DeepSeek’s models to help them create malware and cyber attacks, run phishing scams and even plot a terrorist attack.9

The rise of shadow AI also has implications for data regulation and compliance. Shadow AI is the unsanctioned use of any AI tool or application by employees or end users without the formal approval or oversight of the information technology (IT) department. A common example is the unauthorized use of generative AI (GenAI) applications, such as ChatGPT, to automate tasks like text editing and data analysis. Employees often turn to these tools to enhance productivity and expedite processes. However, since IT teams are unaware of these apps being used, employees can unknowingly expose the organization to risks concerning data security, compliance and reputation.10

“Cyber risk has been amplified by the deployment of AI tools across the three buckets of attack, defense and business enablement,” says David Molony, Aon’s head of cyber in Europe, the Middle East and Africa. “Leaders should consider how that translates into the ways their organizations protect themselves from a control and balance sheet perspective.”

38% of employees admit to sharing sensitive work information with AI tools without their employers' permission.

Source: Infosecurity Magazine

3. Shifts in the Cyber Security and AI Regulatory Environment

Evolving regulatory challenges related to both cyber security and AI, including accidental non-compliance and data processing concerns — coupled with changing geopolitical dynamics — are causing significant shifts in the regulatory landscape.

Notable legislation includes:

  • EU AI Act

    This is an evolving AI-related regulation for which transparency requirements are key. The new regulatory framework establishes various obligations for providers and users depending on the level of riskiness of the AI systems at issue. Many AI systems pose minimal risk, but they need to be assessed.

    While the EU AI Act is still being phased in and there is yet to be any enforcement activity under the new Act, the prospect of liability looms large. In turn, there will be a significant focus among directors and officers on internal governance and internal reporting to senior management and boards of directors.

  • Cyber Security and Resilience Bill (CSR)

    In the UK, CSR is expected to strengthen the country’s digital defenses at a time when public services are increasingly targeted by cyber criminals and state actors. As with many recent regulations, there is an emphasis on incident reporting.

    This will continue to challenge organizations’ abilities to quickly and effectively understand the key indicators of system compromise and make statements about the long-term impacts on businesses.

  • Network and Information Systems Directive (NIS2)

    NIS2 updates minimum cyber security standards across the EU for specific sectors and businesses. Failure to meet the requirements outlined in the new directive could result in significant fines and reputational damage. The directive expands its scope beyond the EU NIS directive to cover more sectors such as supply chains, food production and public administration. It focuses on the need for consistent implementation across all EU member states.

    NIS2 also introduces size-cap rules. This means that all medium-sized and large entities operating within covered sectors are now subject to the directive's provisions. This expansion aims to improve cyber security across infrastructure and industries that are critical to the economy.

    Countries are already moving to comply with NIS2. In preparing for its implementation, the Irish government published proposals for legal changes in the General Scheme for the National Cyber Security Bill 2024. The proposal for a National Cyber Security Bill will incorporate NIS2 into Irish law.11

  • Digital Operational Resilience Act (DORA)

    DORA requires financial services entities and third-party information and communication technology providers operating in the EU to comply with strict new technical requirements and standards to protect against digital threats as of January 2025. It also requires compliance with strict notification requirements in the event of certain cyber incidents.

    Those found non-compliant could be fined 1 percent of their average daily worldwide turnover per day of non-compliance.

  • Cyber Resilience Act (CRA)

    The CRA came into force in the EU in December 2024, but its applicability is spread across dates ranging from June 2026 to December 2027. Businesses should be aware of the potential challenges around managing legacy hardware or software products and their compliance with the new requirements, as the CRA’s treatment of legacy products reflects a fundamental shift in product security regulation. Rather than grandfathering older products, it requires that all connected devices meet modern security standards, regardless of their original release date.

EMEA organizations must stay ahead of cyber security and AI-related regulations and adapt to their disclosure rules. Aon professionals recommend casting a wide net in terms of horizon-scanning for these developments to maintain a clear view of what’s coming down the pike.

Geopolitical Influences on the Evolving Cyber Risk Landscape

The U.S. is in the midst of de-prioritizing cyber security initiatives, which has implications for the EMEA region.

The administration is recalling U.S. regulations and bodies supervising U.S. data privacy alignment to EU regulations, such as GDPR. This potentially impacts any U.S. cloud service hosting EU data. Companies should consider implementing contingency plans as officials deliberate whether to double down on stricter data transfer laws.

In early 2025, the U.S. Department of Homeland Security also terminated memberships across all its advisory boards, including the Cyber Safety Review Board, National Security Telecommunications Advisory Committee, U.S. Secret Service Cyber Investigations Advisory Board, Critical Infrastructure Partnership Advisory Council, AI Safety and Security Board and National Infrastructure Advisory Council.12

“These developments introduce risk factors for EU companies and citizens, especially when it comes to cloud-based services,” says Mario Bizzi, Aon’s head of Cyber Risk Consulting in Europe, the Middle East and Africa. “As a result, it will be less secure for companies in the EU to have their data hosted in U.S. data centers.”

The Privacy and Civil Liberties Oversight Board in the U.S., which is central to assessing data protection, is used by the EU to legitimize data transfers under the Trans-Atlantic Data Privacy Framework (TADPF). If the framework is weakened, EU companies and institutions could be forced to forgo U.S. cloud services or risk violating GDPR.

An executive order signed on January 20, 2025, aims to review all previous decisions on national security and possibly repeal them within 45 days. This could overturn the basis of the TADPF and result in illegal data transfers between the EU and U.S. “Companies should urgently develop contingency plans such as ‘host in Europe,’ to prepare for potential legal uncertainties,” adds Bizzi.

How Organizations in EMEA Can Better Manage Cyber Risks

While the global cyber threat environment is volatile, the cyber insurance market remains competitive with continued pressure on rates. Aon professionals are seeing increasing capacity from new and existing insurers with a slowing in premium volume growth, indicating that the market is softening. However, despite the EMEA cyber market maturing, there are still low penetration rates in some regions, especially emerging markets such as Eastern Europe.

Insurers are focused on more flexible underwriting and understanding client exposures, while also emphasizing the need for client preparedness and risk management. This focus is paying off. Organizations are becoming more prepared to handle cyber incidents and though claims frequency is increasing, severity remains under control.

The implementation of AI can optimize gains in business operations and increase organizations’ bottom lines. However, it’s important to adjust a risk and insurance profile to account for the implementation of AI, as well as inflationary trends to ensure that cyber cover remains adequate.

David Molony
Head of Cyber Solutions, Europe, the Middle East and Africa

Here are five strategies that can help organizations continue to build sustained cyber resilience:

  1. Consider legal implications and consequences of cyber security incidents, particularly as the regulatory environment evolves.
  2. Strengthen your business resilience in response to incidents via testing and real-world simulations. Organizations are working with technology stacks that are significantly different than in the past. Therefore, it’s important to test their systems and challenge resilience mechanisms to make sure that they are adapting to new threats.
  3. Understand your cyber coverage and ensure it has accounted for inflationary trends. Use tools like Aon’s Cyber Risk Analyzer, which simulates loss scenarios and articulates total cost of risk, enabling businesses to make data-driven decisions to optimize their cyber insurance programs relative to their unhedged loss potential.
  4. Take a considered approach to AI deployment and integrate AI security actions. These include conducting AI assessments when implementing an engine into your systems and determining its access points, as well as periodic scenario-based risk assessments on AI model usage. Then, continuously audit models and data sets, and monitor supplier AI risks.

    Risk transfer is also key. “Following the rapid development of the market for AI services and due to the number of related accidents, more tailored insurance products are emerging,” explains Bizzi. “At the same time, numerous types of existing coverages are already influenced and partially updated to reflect the risks inherent in the AI world.”
  5. Partner with a trusted cyber risk advisor and external incident response team to help with horizon-scanning and risk management.

“It helps to work with a broker that has their finger on the pulse of how cyber insurance markets might perceive challenges and evolving trends, and the risks associated with them,” says Scott. “They can be dynamic in terms of moving capacity to suit the profile of an organization effectively.”

Aon’s Thought Leaders
  • Mario Bizzi
    Head of Cyber Risk Consulting, Europe, the Middle East and Africa
  • Amine Menaa
    Cyber Consulting Head Nordics, Cyber Engagement Leader, Europe, the Middle East and Africa
  • David Molony
    Head of Cyber Solutions, Europe, the Middle East and Africa
  • Chris Scott
    Executive Director, Cyber Solutions, Europe, the Middle East and Africa
  • Søren Stryger
    Chief Cyber Broking Officer, Europe, the Middle East and Africa

About Cyber Solutions

Aon’s Cyber Solutions offers holistic cyber security, risk and insurance management, investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents. Cyber security services provided by Stroz Friedberg Limited and its affiliates. Cyber risk services provided by Aon UK Limited and its affiliates. Insurance services are regulated by the FCA.

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
