
September 2025 Cyber Outlook: increasingly structured attacks on remote work and remote access

The fall of 2025 opens with a surge in cyber threats targeting remote work and critical services: municipalities, industries, schools, and large international groups have all been hit, often through ransomware or attacks on remote access chains.


Key incidents in recent weeks

French public administration

The city of Poitiers and its CCAS disclosed a cyberattack in late August/early September 2025. Networks were isolated and cybersecurity providers were mobilized. Some services (civil registry, passports) were restored quickly, while others (urban planning, media libraries) remained unavailable. The situation has stabilized: no compromise of personal data has been publicly reported, no ransom demand is known at this stage, and the investigation is ongoing.

Beyond the Poitiers case, several large-scale cyberattacks have recently struck French public and social service actors, confirming that the risk now extends across all essential services:

  • France Travail (formerly Pôle emploi): A major breach of the Kairos application recently exposed the personal data of at least 340,000 job seekers. Kairos is a France Travail platform for managing training programs digitally. This incident, following other major attacks in 2024, undermines trust in the security of public platforms dedicated to employment and social support. It highlights the need to strengthen IT system maintenance, early detection capabilities, and crisis management plans in the public sector.

  • Healthcare sector: Several hospitals and regional organizations (notably in Hauts-de-France and Normandy) were targeted in early September 2025 by cyberattacks against patient identity databases, disrupting hospital operations. These new breaches, confirmed by ARS, underscore the critical importance of regulatory compliance and cyber-resilience in healthcare structures, which are under increasing pressure from GDPR and ANSSI.

  • Local governments: Beyond Poitiers, other major incidents have marked 2025 — system paralysis in the Hauts-de-Seine department, a ransomware attack on the town of Thaon, and a wave of defacements of municipal and institutional websites (notably at hosting provider O2Switch in early September). Together, these cases demonstrate the variety and persistence of the threat, from sensitive data breaches to prolonged interruptions of local services.

Automotive – Jaguar Land Rover (JLR)

On September 1, a major cyber incident forced JLR to halt production in several factories (UK, Slovakia, India, Brazil) and disconnect all IT systems to contain the attack. The potential cost is estimated at millions of pounds per day, with operations expected to resume in October. Several cybercriminal groups claimed responsibility, but without formal evidence or confirmation from the company. As of today, JLR reports no evidence of customer data exfiltration.

Social & local organizations – AWO Karlsruhe-Land

On August 27, the AWO Karlsruhe-Land association suffered a ransomware attack. The IT infrastructure was paralyzed and restored within a day. No disruption of social services was observed. Investigations into a possible data leak are still ongoing.

Regulatory pressure: a driver of cybersecurity transformation

The rise in the number and severity of cyber incidents in 2025 highlights the structuring role of European regulation. Far from being a mere administrative burden, regulatory pressure (embodied by GDPR, NIS2, DORA, and others) is now a real accelerator of operational cybersecurity.

These regulations impose strict reporting deadlines, rapid detection and response measures, and exhaustive traceability of all actions taken during an incident. These requirements force companies, municipalities, and associations to professionalize their crisis management processes and document each step rigorously. For many organizations — including social and industrial actors — this pressure has proven beneficial: it has enabled them to contain attacks more effectively, restore operations faster, and communicate transparently with their ecosystem (users, authorities, partners).

This shows that compliance is no longer separable from cyber resilience. It fosters continuous improvement of practices and opens an institutional dialogue on digital security. More than just a binding framework, regulatory pressure is becoming a driver of excellence and transformation for the cybersecurity of remote access and hybrid environments.

Operational recommendations

  • Patching and immediate mitigation: active monitoring of exposed systems (VPN, appliances, servers, clients), rapid deployment of available patches.

  • Supervision and control of remote access: adoption of Zero Trust solutions, strong authentication, session isolation, network segmentation, MFA, log centralization, and anomaly detection.

  • Compliance governance: anticipation of notification models (GDPR, NIS2, DORA), orchestration of log collection, inventory of third parties, and rapid revocation of access in case of incident.

  • Monitoring & exercises: continuous scanning, monitoring, and granular management of all remote access points.

Focus Reemo: sovereign, secure, and compliant remote access

The incidents of fall 2025 illustrate how threats now weigh on every remote work and infrastructure chain, both public and private. The speed, sophistication, and diversity of attack methods (from ransomware to remote access system breaches) present each actor with an operational urgency: anticipate, isolate, restore, document, notify.

In this environment, European regulatory pressure should no longer be seen as a burden, but as a catalyst for maturity: it drives faster patching, stronger supervision, structured crisis governance, and full traceability, even in nonprofit or decentralized structures.

For organizations and their providers, only a segmented Zero Trust approach, professional orchestration of remote access, automated compliance, and maintained instant reaction capacity will preserve business continuity and collective

In this context, Reemo provides a remote access foundation suited to current challenges:

  • Platform to secure all your company’s remote access (Remote Desktop, DaaS/VDI, Containers, Bastion+, DR systems)

  • Zero Trust architecture, strict session isolation, built-in traceability, granular administration.

  • ISO/IEC 27001, SOC 2 and TPN Gold certified.
