The EU’s top official, European Commission’s president Ursula von der Leyen, was on her way to Bulgaria when a suspected Russian attack forced her plane to land without essential navigation tools.
This harrowing episode was no accident but what officials suspect to be a deliberate act of Russian interference – an electronic attack targeting critical infrastructure in the heart of the European Union.
This incident exposes not only the elevated state of geopolitical hostility but also the cybersecurity weaknesses within EU institutions themselves.
According to the research by the Business Digital Index, or BDI, the EU’s cybersecurity defenses resemble an office where nearly half the doors are unlocked, passwords are scrawled on sticky notes, and the alarm system is known to be broken but left unfixed. The BDI findings reveal the reality that EU institutions may not be robustly prepared to withstand or respond effectively to high-impact cyber-physical attacks like GPS jamming.
The researchers looked at 75 EU institutions and found that none got an A or B for cybersecurity efforts. 35% got the lowest grade, an F. The problems are especially clear with basic security: in the F-rated institutions, 85% of employees reused passwords that had already been breached. In C-rated ones, only 8% did this. SSL/TLS configuration issues were identified in 100% of F-rated institutions.
These findings point to very real – and these days accelerated by AI – risks for phishing, malware, and stolen data. Attackers can now do such things as mimicking colleagues using deepfake technology, and deploying malware that adapts in real time to avoid detection. Needless to say that these potential threats can result in financial loss, reputational damage, and regulatory penalties for EU organizations.
The EU’s main response to growing cyber threats has been to add more rules in order to improve cybersecurity. But the data shows that just having rules isn’t enough. Despite these new rules, nearly half (46%) of the EU’s lowest-rated organizations have already suffered data breaches.
I believe that the real problem is that leaders aren’t acting urgently or taking responsibility. For example, almost all D-rated and F-rated institutions had insecure hosting environments. Domains vulnerable to email spoofing were found in every C-rated organization and in 96% of D-rated and F-rated ones.
The EU needs to do more than merely add more rules and formally follow them. It needs to make sure leaders are held responsible for breaches. That means executives should have part of their pay tied to cybersecurity results. It also means having real, independent security checks with actual consequences for failure. The Transport sector is doing a little better than others, and the EU should learn from that.
Some might argue that more rules will solve the problem, or that it’s just too big to fix in a short amount of time. But the numbers tell a different story: the institutions with the worst track records are the same ones that don’t pay attention to basic security practices such as using strong and uncompromised passwords. At the end of the day, this comes down to leadership.
Given that cyber threats keep on evolving and the geopolitical situation isn’t exactly what we want it to be, the risks are really high. Every day the EU waits, it puts sensitive data, economic stability, and public trust at risk. If the EU wants to be a leader in digital governance, it needs to make cybersecurity a top priority for executives, invest in training, and hold leaders to account.
If nothing changes, the next headline won’t be about bad grades or landing with paper maps. It might be about a real crisis that rules can’t fix. The question now is whether the EU will act in time.
ABOUT THE AUTHOR
Jurgita-Lapienyte is the Editor-in-Chief at Cybernews, where she leads a team of journalists and security experts that uncover cyber threats through research, testing, and data-driven reporting. With a career spanning over 15 years, she has reported on major global events, including the 2008 financial crisis and the 2015 Paris terror attacks, and has driven transparency through investigative journalism. A passionate advocate for cybersecurity awareness and women in tech, Jurgita has interviewed leading cybersecurity figures and amplifies underrepresented voices in the industry. She’s recognized as the Cybersecurity Journalist of the Year and featured in Top Cyber News Magazine’s 40 Under 40 in Cybersecurity. Jurgita has been quoted internationally – by the BBC, Metro UK, The Epoch Times, Extra Bladet, Computer Bild, and more.
ABOUT CYBERNEWS
Cybernews is a globally recognized independent media outlet where journalists and security experts debunk cyber by research, testing, and data. Founded in 2019 in response to rising concerns about online security, the site covers breaking news, conducts original investigations, and offers unique perspectives on the evolving digital security landscape. Through white-hat investigative techniques, Cybernews research team identifies and safely discloses cybersecurity threats and vulnerabilities, while the editorial team provides cybersecurity-related news, analysis, and opinions by industry insiders with complete independence.
Cybernews has earned worldwide attention for its high-impact research and discoveries, which have uncovered some of the internet’s most significant security exposures and data leaks. Notable ones include:
- Cybernews researchers discovered multiple open datasets comprising 16 billion login credentials from infostealer malware, social media, developer portals, and corporate networks – highlighting the unprecedented risks of account takeovers, phishing, and business email compromise.
- Cybernews researchers analyzed 156,080 randomly selected iOS apps – around 8% of the apps present on the App Store – and uncovered a massive oversight: 71% of them expose sensitive data.
- Recently, Bob Dyachenko, a cybersecurity researcher and owner of SecurityDiscovery.com, and the Cybernews security research team discovered an unprotected Elasticsearch index, which contained a wide range of sensitive personal details related to the entire population of Georgia.
- The team analyzed the new Pixel 9 Pro XL smartphone’s web traffic, and found that Google’s latest flagship smartphone frequently transmits private user data to the tech giant before any app is installed.
- The team revealed that a massive data leak at MC2 Data, a background check firm, affects one-third of the US population.
- The Cybernews security research team discovered that 50 most popular Android apps require 11 dangerous permissions on average.
- They revealed that two online PDF makers leaked tens of thousands of user documents, including passports, driving licenses, certificates, and other personal information uploaded by users.
- An analysis by Cybernews research discovered over a million publicly exposed secrets from over 58 thousand websites’ exposed environment (.env) files.
- The team revealed that Australia’s football governing body, Football Australia, has leaked secret keys potentially opening access to 127 buckets of data, including ticket buyers’ personal data and players’ contracts and documents.
- The Cybernews research team, in collaboration with cybersecurity researcher Bob Dyachenko, discovered a massive data leak containing information from numerous past breaches, comprising 12 terabytes of data and spanning over 26 billion records.
- The team analyzed NASA’s website, and discovered an open redirect vulnerability plaguing NASA’s Astrobiology website.
- The team investigated 30,000 Android Apps, and discovered that over half of them are leaking secrets that could have huge repercussions for both app developers and their customers.
