A new report has revealed that 67% of European Union institutions have been rated in the lowest categories for cybersecurity, raising serious concerns about the bloc’s ability to protect sensitive data from growing digital threats.
The findings, published by the Business Digital Index (BDI) and compiled by Cybernews, show that out of 75 evaluated EU Institutions, Bodies, and Agencies (EUIBAs), more than two-thirds received either a D or F rating—scores that indicate high to critical risk. No institution achieved an A or B rating.
Despite managing some of Europe’s most politically and economically sensitive information, the majority of these entities were found to have inadequate safeguards against cyberattacks. According to the report, every institution assessed had suffered at least one data breach, and 85% of employees in F-rated bodies were found to reuse previously compromised passwords.
Widespread Vulnerabilities
The BDI analysis measured cybersecurity hygiene across seven dimensions, including SSL/TLS configuration, email protection, system reputation, and breach history. The average score across all institutions was 71 out of 100, placing the group in a high-risk bracket under the index’s methodology.
Among F-rated institutions—representing 35% of the sample—46% had suffered a recent data breach. D-rated entities, which accounted for 32%, also fared poorly, with 17% reporting recent breaches. Only the 33% of institutions rated C, representing below-average but less critical risk, reported no recent breaches.
Basic technical weaknesses were observed across the board. SSL/TLS configuration issues were present in 100% of both F- and C-rated institutions and in 92% of D-rated bodies. These flaws expose websites and internal systems to potential interception attacks.
Insecure hosting environments were identified in 92% of F- and D-rated entities. Email systems were similarly vulnerable: spoofing weaknesses were found in 96% of D- and F-rated institutions and in all of those rated C.
Password Reuse and Credential Exposure
The analysis also highlights a major behavioural risk: password reuse. In F-rated organisations, 85% of staff were using credentials already exposed in prior breaches. Among D-rated institutions, the figure stood at 71%. In contrast, only 8% of employees at C-rated institutions reused compromised passwords.
Leaked corporate credentials were discovered in 96% of F-rated and 83% of D-rated institutions. These exposures are considered especially dangerous because they can enable attackers to bypass perimeter security and access internal systems.
In 2024, the European Parliament suffered a high-profile breach affecting its PEOPLE recruitment platform. The attack exposed personal data belonging to over 8,000 current and former employees, including ID and residence documents. The breach remained undetected for months and underscored the risks associated with poor password practices and delayed detection capabilities.
A Persistent Problem Despite Reforms
These findings come despite recent initiatives by the European Commission aimed at improving cyber resilience. In 2025, the Commission introduced legislation to enhance cybersecurity capabilities and promote stronger standards across member institutions. The move followed a 2022 report by the European Court of Auditors (ECA), which warned that EUIBAs were not sufficiently prepared for the level of threat they faced and called for increased funding and oversight.
However, the BDI’s 2025 figures suggest that implementation of these reforms has been uneven and, in many cases, insufficient. The continued presence of exposed credentials, outdated infrastructure, and low levels of employee awareness points to systemic issues that have yet to be resolved.
Call for Urgent Action
The report concludes that the low cybersecurity ratings assigned to EU institutions are not only a matter of technical configuration, but of policy and accountability. “These results should serve as a wake-up call,” the authors state, warning that the longer these vulnerabilities remain unaddressed, the greater the risk to both institutional integrity and citizen data.
The data also show a clear link between weak cybersecurity hygiene and real-world consequences. Breaches are more frequent, and recovery efforts more costly, in institutions with the poorest security postures.
To address these deficiencies, experts recommend immediate steps to strengthen password policies, enforce system updates, close configuration gaps, and invest in employee training on cyber hygiene.
As threat actors become more sophisticated and geopolitical tensions increase, the failure of EU institutions to meet even basic cybersecurity standards leaves the entire bloc exposed to espionage, sabotage, and data theft. Unless significant improvements are made, the EU risks undermining not only its own digital infrastructure but also the trust of its citizens and partners.

