Summary for busy readers
Denmark’s official 2025 cyber threat assessment confirms a very high level of risk from cybercrime and espionage, with record ransomware activity, persistent DDoS campaigns linked to pro-Russian actors, and a rising focus on operational technology in utilities and industry. Phishing and exploitation of known vulnerabilities remain the favourite break-in routes.
The message is clear for boards and IT leaders across Europe: reduce the human factor, close unmanaged access gaps, and harden identity, password, and multi-factor controls across every login, not just those covered by SSO.
What the new report says
Threat levels are elevated
Authorities rate cybercrime and cyberspying as very high, with continuous attacks against Danish organisations and public bodies. Activist-aligned groups run frequent DDoS campaigns that, at times, align with state interests. Destructive attacks are assessed as a medium threat, while there is no current capability for cyberterror.
Ransomware set fresh records in 2024 and continues to surge
The report states that last year saw a record number of ransomware victims in Denmark. Small and mid-sized organisations are often hit hardest due to resource constraints, yet larger enterprises are also targeted, including through the purchase and use of zero-day vulnerabilities. Consequences include extended outages, expensive recovery, lost data and reputational harm.
Supply chain risk is real
A Danish hosting provider was taken offline following an attack, cascading to customers, including a university hospital that temporarily lost access to a critical monitoring system used to manage heating. This illustrates how third-party incidents can impact essential services.
Operational technology is now in play
Pro-Russian hackers have repeatedly scanned for internet-exposed control systems, logging in where weak or default credentials exist and manipulating settings to create disruption. A Danish waterworks incident in late 2024 briefly left households without water due to changes in pressure levels. Norwegian authorities also reported an attack on a dam’s control system that opened valves for hours. These incidents were simple, yet they demonstrate how minor access weaknesses can have outsized effects.
DDoS is part of the normal picture
Banks, transport, telecoms, and public sector sites have faced repeated DDoS attacks, sometimes timed to coincide with elections and political events. One Nordic bank mitigated the vast majority of a multi-week campaign, yet customers still experienced intermittent disruption.
How attackers get in
For initial compromise, exploitation of known vulnerabilities accounts for more than half of observed cases, followed by phishing and brute-force attacks against weak credentials. Phishing remains common because it is cheap, scalable and effective.
What this means for your business
- Assume breach and minimise blast radius
Patch quickly and continuously, but also plan for the reality that some gaps will exist. Strong identity and access controls limit what an attacker can do if they gain access to a device or cloud tenant. Enforce unique, high-strength passwords and multi-factor on every account, not only those behind SSO.
- Close the unmanaged access gap
The report’s case studies show that attackers exploit unmanaged logins, weak or shared credentials and exposed remote access. Map every service in use, including SaaS outside IT’s visibility, and bring those accounts under central policy with auditable access and automated 2FA.
- Reduce the human factor at scale
Phishing is still a primary route in. The fastest risk reduction comes from removing manual steps for users during login, from generating strong and unique passwords to auto-filling 2FA codes, so that secure behaviour is the default rather than an aspiration.
- Treat suppliers and internet-exposed OT as part of your identity perimeter
Ask vendors how credentials and admin access are protected, and verify that strong authentication is used. For plants and sites that use remote control systems, remove default passwords, restrict exposure and require multi-factor for any remote session.
How Uniqkey helps you act on the findings
Uniqkey focuses on the specific weaknesses highlighted in the report, with a European-first approach to privacy and data residency.
- Complete control over every login. Bring both SSO-compatible and non-SSO services into one view. Generate and enforce unique, high-strength passwords for all accounts, and remove shared plaintext credentials by using secure sharing that never reveals the secret.
- Automated multi-factor without extra friction. Apply multi-factor authentication to all services by default, including automatic TOTP handling that eliminates manual code entry while maintaining strong authentication. This directly counters the phishing and brute-force tactics identified in the report.
- Visibility that eliminates shadow access. Discover and monitor unmanaged SaaS, assign ownership and apply policy. Use a central audit log to trace every access and simplify external compliance reviews.
- Security and sovereignty by design. Uniqkey uses a zero-knowledge architecture with local client-side encryption and is built and hosted in Europe for European data sovereignty and long-term compliance.
“Uniqkey is so user friendly that all our users have been willing to adopt it.”
Wim, IT consultant at VIB
Summary
Denmark’s 2025 assessment does not only describe a Danish problem. It shows the pattern that affects every European organisation today.
The fastest way to cut real risk is to take control of every login, reduce human error through automation, and remove the blind spot between managed and unmanaged access.
That is precisely what Uniqkey is designed to do.

