AI has made it cheaper and easier to hack you

AI has made cyberattacks cheaper and more accessible. NIS2 requires organisations to build resilience. Here is how they connect and how to get started.


AI tools have changed what it takes to carry out a cyberattack. What previously required a team with technical expertise can today be done by a single actor with the right tools.

A concrete illustration: during January and February 2026, a criminal actor compromised over 600 firewalls across 50+ countries, including northern Europe [1]. Not a state power. Not a large syndicate. One actor with AI tools and time.

The numbers

The Acronis Cyberthreats Report H2 2025 shows the trend clearly: 80% of all Ransomware-as-a-Service providers now market AI or automation capabilities [2]. Email attacks increased by 36% in the second half of 2025 [2]. Ransomware attacks rose 50% through October 2025 compared to the year before [2]. Over 1,200 victims through supply chain attacks from January to November 2025 [2].

AI is less about new types of attacks. It makes existing attacks faster, cheaper and available to more people [1]. The person who hacked 600 firewalls did not need to be particularly skilled. AI did the heavy lifting.

The barrier to carrying out an attack is falling. Not because more people want to attack organisations, but because more people now technically can.

Why NIS2 exists

The EU adopted the NIS2 Directive to force a baseline of cyber resilience across member states. Every EU country is now transposing it into national law. In Sweden it became the Cybersecurity Act (SFS 2025:1506), which entered into force on 15 January 2026 [3]. Wherever you operate in the EU, the requirements are broadly the same.

The directive does not exist to collect fines. It exists because society stops working when critical infrastructure fails. Hospitals need their systems. Water utilities cannot have compromised control systems. Supply chains collapse when one link breaks. Your organisation is part of that ecosystem, whether you are classified as critical infrastructure or not.

NIS2 requires organisations to build resilience before they need it. The Swedish implementation lists ten categories of security measures in Chapter 2, Section 3 [3]. Other member states have equivalent lists. Among the most important:

  1. Risk analysis: identify what can go wrong and how likely it is
  2. Incident management: a plan for when things go wrong
  3. Business continuity planning: how operations continue during and after an incident
  4. Supply chain controls: security requirements for your suppliers and subcontractors
  5. Cyber hygiene training: all employees, not just IT
  6. Encryption practices: protect data at rest and in transit

The problem is that many organisations do not even know they have been compromised. Mandiant’s M-Trends 2025 report found that the global median dwell time (how long an attacker stays before being detected) is 11 days, rising to 26 days when an external party sounds the alarm [4]. Without systematic monitoring, logging and routines for detecting anomalies, nobody is looking. That is why security needs to be managed, not just installed. There need to be processes, responsibilities and follow-up. It needs leadership.

NIS2 also requires incident reporting: 24 hours for an early warning, 72 hours for a full incident notification, one month for a final report [3]. That requires you to first have the ability to detect that something happened. The reporting requirements exist so authorities can warn others, coordinate response and prevent the same attack from spreading. It protects everyone, not just you.

Yes, there are sanctions. Up to 2% of global annual turnover or EUR 10 million for essential entities. 1.4% or EUR 7 million for important entities [3]. In some member states, senior management can be held personally liable. But sanctions are the last resort, not the purpose. The purpose is that you have functioning protection in place the day you need it.

ISO 27001 gives you the structure

Every requirement NIS2 sets out already has a ready-made structure in ISO 27001 [5]. The directive’s requirements overlap heavily with the standard.

Some concrete connections:

ISO 27001 requires contact with relevant authorities (Annex A 5.5) [5], exactly what you need to meet the 24-hour reporting requirement. The standard requires collection and analysis of threat intelligence (Annex A 5.7) [5], the thing that would have prompted you to update your firewalls before those 600 were hacked. Supply chain controls are in Annex A 5.19-5.22 [5]. Incident management planning is in Annex A 5.24 [5].

You do not need to reinvent the wheel. The structure already exists.

AI is also an attack surface

AI tools are not just something attackers use. They are an attack surface in themselves.

The risk grows with every new AI feature organisations roll out. Microsoft’s Copilot has access to your SharePoint, your email, your Teams chats. Anthropic’s Claude Cowork can read and move files on your computers. Security researchers showed in January 2026 that Claude Cowork could be tricked into sending every file in a folder to an attacker without the user noticing [6]. These are not theoretical risks. They are documented vulnerabilities in tools your employees already use.

On top of that: employees pasting confidential information into external AI services create data leaks without a single firewall rule being broken. Shadow AI, where staff use AI tools that IT never approved, makes the risk picture impossible to oversee. We wrote more about this in "Why do we pay for software AI can build for free?"

It is not enough to secure yourselves against AI-powered attacks. You also need to govern how you use AI.

ISO 42001 gives you the framework for that [7]. The standard covers risk assessment of AI systems, data quality, transparency and control over third-party providers. If you already have ISO 27001 as a foundation, adding AI governance is a manageable step.

Make it harder for the attackers

Taking cybersecurity seriously is not optional. It is a responsibility. To your employees, your customers, your suppliers and everyone else who depends on your systems working.

Every organisation that builds a functioning ISMS makes it harder for the next attacker. Not just for your own sake. You become a more reliable link in the supply chain, an organisation that does not spread the infection when it arrives. One that takes its responsibility.

Run a gap analysis against NIS2 and your national implementation. Map which of the ten security areas you have in place and which are missing. Build your ISMS with ISO 27001 and ISO 42001 as the foundation. Test your incident reporting chain before you need to use it for real.

AmpliFlow helps you build and run your ISMS with support for ISO 27001, ISO 42001 and NIS2 compliance. Book a call and we will show you how.

Footnotes

  1. CERT-SE Weekly Brief, week 9, 27 February 2026. Sweden’s national CSIRT summary of current cyber threats.

  2. Acronis Cyberthreats Report H2 2025, published 20 February 2026 by Lee Pender.

  3. Sweden’s Cybersecurity Act, SFS 2025:1506. In force since 15 January 2026. Sweden’s implementation of the NIS2 Directive. Referenced as a concrete example of how member states transpose NIS2.

  4. Mandiant M-Trends 2025, published 23 April 2025 by Google Cloud. Global median dwell time 11 days, 26 days when externally notified. https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025

  5. ISO 27001:2022. International standard for information security management systems.

  6. Prompt Armor, “Claude Cowork Exfiltrates Files”, 14 January 2026. Security researchers demonstrated that Cowork could be tricked into exfiltrating files without the user’s knowledge.

  7. ISO/IEC 42001:2023. International standard for artificial intelligence management systems.
