The number of cyberattacks on EU bodies is increasing sharply. The level of cybersecurity preparedness within EU bodies varies and is overall not commensurate with the growing threats. Since EU bodies are strongly interconnected, a weakness in one can expose others to security threats. This is the conclusion of a special report by the European Court of Auditors which examines how prepared the EU’s governing entities are against cyber threats. The auditors recommend that binding cybersecurity rules should be introduced, and the amount of resources available to the Computer Emergency Response Team (CERT-EU) should be increased. The European Commission should also promote further cooperation among EU bodies, the auditors say, while CERT-EU and the European Union Agency for Cybersecurity should increase their focus on those EU bodies that have less experience in managing cybersecurity.

Significant cybersecurity incidents in EU bodies increased more than tenfold between 2018 and 2021; remote working has considerably increased the number of potential access points for attackers. Significant incidents are generally caused by complex cyberattacks that typically involve the use of new methods and technologies, and can take weeks if not months to investigate and recover from. One example was the cyberattack on the European Medicines Agency, where sensitive data was leaked and manipulated to undermine trust in vaccines.

“EU institutions, bodies and agencies are attractive targets for potential attackers, particularly groups capable of executing highly sophisticated stealth attacks for cyber-espionage and other nefarious purposes”, said Bettina Jakobsen, the ECA member who led the audit. “Such attacks can have significant political implications, harm the overall reputation of the EU, and undermine trust in its institutions. The EU must step up its efforts to protect its own organisations.”