On 24 March, the European Commission discovered a cyber-attack, which affected its cloud infrastructure hosting the Commission's web presence on the Europa.eu platform. Immediate steps were taken to contain the attack. The Commission's swift response ensured the incident was contained and risk mitigation measures were implemented to protect services and data, without disrupting the availability of the Europa websites.
Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission is duly notifying the Union entities who might have been affected by the incident. The Commission's services are still investigating the full impact of the incident.
The Commission's internal systems were not affected by the cyber-attack. The Commission will continue to monitor the situation and take all necessary measures to ensure the security of its internal systems and data. It will analyse the incident and use the results to further enhance its cybersecurity capabilities.
As Europe confronts persistent cyber and hybrid attacks targeting essential services and democratic institutions, the Commission is actively working on enhancing the EU's cybersecurity resilience.
Background
The EU has implemented various measures to enhance cybersecurity, including the Cybersecurity Regulation, the NIS2 Directive, and the Cyber Solidarity Act. The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU, and calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement. The Cyber Solidarity Act strengthens operational cooperation through the European Cyber Shield and the Cyber Emergency Mechanism, enabling the Union to detect and respond to large-scale cyber threats with collective speed and precision. The Cybersecurity Regulation sets out to establish a robust and consistent security framework, aligning with the EU's overall cybersecurity strategy and providing a foundation for the protection of EU personnel, data, and decision-making processes. On 20 January 2026, the Commission also introduced a new Cybersecurity Package to bolster the Union's collective defences.