When Europe’s GPS goes dark: the urgent cybersecurity crisis inside the EU

There’s a growing cybersecurity crisis within EU institutions, writes Cybernews Editor-in-Chief Jurgita Lapienytė

The EU’s top official, European Commission president Ursula von der Leyen, was on her way to Bulgaria recently when a suspected Russian attack forced her plane to land without essential navigation tools. This harrowing episode was no accident, but what officials suspect to be a deliberate act of Russian interference – an electronic attack targeting critical infrastructure in the heart of the European Union.

This incident exposes not only the elevated state of geopolitical hostility but also the cybersecurity weaknesses within EU institutions themselves.

According to the research by the Business Digital Index, or BDI, the EU’s cybersecurity defences resemble an office where nearly half the doors are unlocked, passwords are scrawled on sticky notes, and the alarm system is known to be broken but left unfixed.  The BDI findings reveal that EU institutions may not be robustly prepared to withstand or respond effectively to high-impact cyber-physical attacks, such as GPS jamming.

The researchers looked at 75 EU institutions and found that none got an A or B for cybersecurity efforts and that 35% got the lowest grade, an F. The problems are especially clear with basic security: in the F-rated institutions, 85% of employees reused passwords that had already been breached. In C-rated ones, only 8% did this. SSL/TLS configuration issues were identified in 100% of F-rated institutions.

These findings point to very real – and these days accelerated by AI – risks for phishing, malware, and stolen data. Attackers can now do such things as mimicking colleagues using deepfake technology, and deploying malware that adapts in real time to avoid detection. Needless to say, these potential threats can result in financial loss, reputational damage, and regulatory penalties for EU organizations.

The EU’s main response to growing cyber threats has been to add more rules in order to improve cybersecurity. But the data shows that just having rules isn’t enough. Despite these new rules, nearly half (46%) of the EU’s lowest-rated organizations have already suffered data breaches.

I believe that the real problem is that leaders aren’t acting urgently or taking responsibility. For example, almost all D-rated and F-rated institutions had insecure hosting environments. Domains vulnerable to email spoofing were found in every C-rated organization and in 96% of D-rated and F-rated ones.

The EU needs to do more than merely add more rules and formally follow them. It needs to make sure leaders are held responsible for breaches. That means executives should have part of their pay tied to cybersecurity results. It also means having real, independent security checks with actual consequences for failure. The Transport sector is doing a little better than others, and the EU should learn from that.

Some might argue that more rules will solve the problem, or that it’s just too big to fix in a short amount of time. But the numbers tell a different story: the institutions with the worst track records are the same ones that don’t pay attention to basic security practices such as using strong and uncompromised passwords. At the end of the day, this comes down to leadership.

Given that cyber threats keep on evolving and the geopolitical situation isn’t exactly what we want it to be, the risks are really high. Every day the EU waits, it puts sensitive data, economic stability, and public trust at risk. If the EU wants to be a leader in digital governance, it needs to make cybersecurity a top priority for executives, invest in training, and hold leaders to account.

If nothing changes, the next headline won’t be about bad grades or landing with paper maps. It might be about a real crisis that rules can’t fix. The question now is whether the EU will act in time.

ABOUT THE AUTHOR

Jurgita Lapienytė is the Editor-in-Chief at Cybernews, where she leads a team of journalists and security experts that uncover cyber threats through research, testing, and data-driven reporting.