Second data breach at European Commission this year leaves open questions over resilience

The European Commission confirmed that a cyberattack impacted cloud infrastructure hosting its web presence on the Europa.eu platform.

Authorities said the cyberattack was discovered on 24 March, and early findings from the ongoing investigation suggest data were taken from the affected websites.There is no indication that the Commission’s internal systems were compromised.

“The Commission’s swift response ensured the incident was contained and risk mitigation measures were implemented to protect services and data, without disrupting the availability of the Europa websites,” officials noted.

Although few details are available, screenshots posted on X suggest a hacking group claims to possess around 350 GB of European Commission data, including mail server contents, databases, confidential documents and contracts.

The Commission added it would continue to monitor the situation, take measures to secure its internal systems and data, and analyse the incident to improve its cybersecurity capabilities.

The incident marks the second time this year that the EU and its institutions have been targeted, following an earlier breach of the European Commission’s mobile device management platform.

The EU recently sanctioned companies from China and Iran, along with two individuals, over cyberattacks targeting its member states and partners. The move is intended to send a message that such attacks will not be tolerated and that anyone involved will be held accountable.

Despite various steps taken by the EU, including the Cybersecurity Regulation, the NIS2 Directive and the Cyber Solidarity Act, some officials are not convinced it can deal with attacks and threats on equal terms and warn that its cybersecurity measures are insufficient.