Forty percent of the companies surveyed experienced at least one significant cyberattack in 2025, according to the 11th edition of the CESIN barometer (Club des Experts de la Sécurité de l’Information et du Numérique) conducted with OpinionWay.
On the surface, this figure might seem reassuring, as it aligns with a downward trend observed for several years. Yet the 397 CISOs and information security managers (RSSI) surveyed are unequivocal: this decline does not mean the threat is receding but rather reflects a gradual improvement in detection and prevention capabilities.
When an attack does manage to breach defenses, the damage is substantial. 80% of victimized companies report an impact on their operations, whether through production disruptions, reputational losses or data theft, the last of which remains the most frequent consequence.
Geopolitics enters cyber strategies
More than one company in two reports an increased threat from state-sponsored actors. In a tense international context, cyber espionage is now perceived as a high risk by 40% of respondents, regardless of company size.
This awareness translates into growing interest in digital sovereignty. More than half of companies say they are concerned by these issues and by trusted-cloud offerings, a significant rise compared to the previous year.
The barometer reveals, however, a paradox: for RSSI, sovereignty is not limited to the nationality of the tools used. It resides above all in the ability to manage dependencies, to negotiate contracts, and to audit suppliers. The main risks tied to the cloud are legal and contractual, with hard-to-negotiate clauses, extraterritorial laws and a lack of control over the subcontracting chain.
The weakest link: suppliers
A third of companies estimate that more than half of their cybersecurity incidents originate from third parties. Vulnerabilities at vendors, service providers or partners have become a major vector of compromise. In response to this finding, organizations are strengthening their measures: 85% integrate security clauses into their contracts and 74% use security questionnaires. Cyber-rating, a tool for scoring the security posture of third parties, is also on the rise and is now used by nearly half of companies.
Proven attack techniques that keep evolving
The dominant attack vectors remain unchanged but are becoming more structured and specialized. Phishing, in all its forms, remains the main entry point for significant cyberattacks in 55% of incidents.
Next come the exploitation of security vulnerabilities (41%) and indirect attacks via third parties (35%). Distributed denial-of-service attacks (DDoS) affect 21% of victimized organizations and are increasingly part of hybrid strategies.
Among emerging vectors, deepfake-based fraud remains a minority but illustrates a troubling evolution of social engineering attacks, which artificial intelligence makes more credible.
Defenses strengthened but persistent gaps
Companies are making clear progress in gaining control of their digital assets. 81% report having a complete view of their assets, while 92% have identified or are in the process of identifying their critical assets. In cloud environments, the share of organizations reporting poor visibility falls to 31%.
Endpoint detection and response (EDR) solutions remain widely deployed and enjoy a very high level of confidence, with 95% perceived effectiveness.
Multifactor authentication (MFA) is becoming a standard. Zero Trust approaches are gaining ground, adopted by 31% of companies, while 26% have a Vulnerability Management Operations Center. Yet weaknesses persist, notably in managing privileged access for administrators and subcontractors, as well as in securing increasingly hybrid environments.
AI, a new attack surface
Employees' use of unapproved AI services, known as “shadow AI,” is identified as the riskiest digital behavior: 66% of companies rate it as high or very high risk. More broadly, 60% consider heavy use of unapproved cloud services or software a significant risk factor.
While direct exploitation of AI as an attack vector remains marginal, cited by only 3% of victimized companies, it already appears in significant incidents. The first malware capable of adapting its behavior in real time, or of partially rewriting its own logic to evade detection, is emerging.
Regulatory pressure intensifies
85% of companies say they are subject to at least one cybersecurity regulation. The European NIS2 directive stands out as the most influential framework, cited by 59% of organizations, ahead of DORA (32%) and the Cyber Resilience Act (30%).
A mature outlook taking hold
In 2025, 92% of organizations place cyber risk among their top 5 risks, and nearly two-thirds position it in the top 3, with 16% naming it as the number one risk. Cybersecurity is now regularly reviewed by the executive committee.
Budget-wise, the barometer notes a slight easing. The share of companies allocating 5% or more of their IT budget to cybersecurity falls to 42%, versus 48% last year. This decrease does not signal disengagement but rather a phase of consolidation and optimization after several years of sustained investment.
On skills, 85% of companies say their employees are aware of cybersecurity risks. Yet the barometer notes that awareness is plateauing even as digital practices grow more complex.