The European Commission said on Friday that its Europa web platform was targeted in a cyberattack on 24 March, in an incident that affected the cloud infrastructure hosting a number of EU websites and may have resulted in the extraction of data from those sites. The Commission said the breach was quickly contained and that the full impact remains under investigation.
In a statement reported on 27 March, the Commission said early findings indicated that data had been taken from websites hosted on the platform. It also said EU institutions that could have been affected had already been informed. At the same time, Brussels sought to draw a clear line between the compromised web infrastructure and its core administrative systems, stating that the Commission’s internal systems were not affected by the attack.
The Europa domain is the principal public gateway for the European Union’s institutional websites, publications and policy material. Any incident affecting that infrastructure therefore has implications beyond a single department or service, even if the breach is ultimately shown to have been limited in scope. For now, however, the Commission has not identified a perpetrator, nor has it given any estimate of the volume or sensitivity of the data potentially accessed. No group or individual was named in connection with the attack.
The timing is notable. The Commission’s disclosure comes at a moment when Brussels is placing growing emphasis on cyber resilience and on the broader threat posed by hostile digital activity directed at democratic institutions, public administrations and critical infrastructure. In public remarks earlier this year, Commission Executive Vice-President Henna Virkkunen argued that Europe could no longer be “naive” about the vulnerability of its critical systems, saying cybersecurity had become inseparable from wider security policy.
The latest incident also follows a fresh round of EU cyber sanctions adopted by the Council on 16 March. Those measures targeted three entities and two individuals held responsible for cyberattacks against EU member states and EU partners. According to the Council, the listings included Integrity Technology Group and Anxun Information Technology, both based in China, as well as two co-founders linked to Anxun, alongside the Iranian company Emennet Pasargad. The Council said the measures were part of the EU’s wider cyber sanctions regime, under which listed persons and entities face asset freezes, while individuals are also subject to travel bans.
EU sanctions Chinese and Iranian entities over cyberattacks on member states
That sanctions package was intended to signal that the EU is prepared to respond politically and economically to malicious cyber activity, even where attribution and enforcement remain complex. The Council said the regime now applies to 19 individuals and seven entities, and described the latest designations as part of a “strong and sustained response” to persistent malicious cyber operations targeting the Union, its member states and partners.
