• 06/08/2026
  • Technical contribution

United against cyber attacks: EU Commission focuses on strengthening cyber resilience

In recent years, the number of serious cyber attacks has risen significantly in many sensitive areas, particularly in the critical infrastructure (CNI) sector. The EU institutions are responding with further measures designed to boost resilience and defence capabilities through cross-border cooperation.

Written by Uwe Sievers

Abstract map of the EU featuring digital data streams and protective shields.

Attacks on critical infrastructure are causing heightened alertness across the EU. When it comes to defence, individual countries sometimes reach their limits. The European Commission is addressing this with numerous measures that will ultimately result in a comprehensive European cybersecurity architecture.

A cyberattack on a German billing service provider recently resulted in the loss of data belonging to tens of thousands of patients. Diagnoses and treatments can be derived from this data. The data is said to relate exclusively to private patients and self-paying patients. According to its own figures, the billing company in question serves 95 per cent of all university hospitals in Germany and 51 per cent of all major hospitals, including the university hospitals in Freiburg, Cologne, Düsseldorf, Tübingen, Heidelberg and Ulm. Hospitals and healthcare facilities have long been a popular target; just recently, patient data was compromised in an attack in Lower Saxony. Both attacks are characterised by the fact that the hospitals themselves were not directly targeted, but rather their service providers. These are therefore supply chain attacks. They are often easier to carry out, as victims in the supply chain are frequently less well secured than the actual targets. This particularly affects the heavily regulated critical infrastructure (CNI) sector. Here, the number of attacks is rising more sharply than in other economic sectors.


CNI attacks are rising across the EU

This trend is not limited to Germany; the threat level is rising across the EU, not least due to international conflicts. The European Commission is therefore planning numerous initiatives to improve cybersecurity, particularly in the CNI sector. These include measures such as the NIS2 Directive and the Cyber Resilience Act (CRA), as well as the Cyber Solidarity Act, the Cyber Blueprint and improved protection for critical supply chains. Some of these are already being implemented.

The NIS2 Directive has been in force in Germany since December 2025. Affected companies and public authorities must implement stricter cybersecurity standards, more rigorous reporting obligations and new requirements for risk management. Furthermore, the scope of affected companies is being expanded to include, amongst others, the waste management sector, postal and courier services, and food manufacturers. The newly introduced category of ‘indirect impact’ also covers suppliers and service providers, such as the healthcare billing companies mentioned above. NIS2 even requires larger, directly affected companies to secure their entire supply chain. To assess the extent to which your own company is affected, numerous tools are available online, such as those provided by the German Bundesamt für Sicherheit in der Informationstechnik (BSI).

The CRA came into force at the end of 2024 and is aimed at manufacturers of digital products. The principle of ‘security by design’ is to be applied more rigorously to connected devices. This includes secure default configurations, regular security updates, vulnerability management and mandatory reporting of security breaches. Transition periods apply until the end of 2027.


Joint operational cyber defence

The Cyber Solidarity Act was passed early last year and has since come into force. It is intended to ensure that Member States no longer have to respond in isolation to major cyberattacks, but instead work together as a joint European cyber defence network. The EU is thus establishing a joint operational cyber defence. Among the triggers were hybrid Russian attacks since the start of the war in Ukraine, as well as increasing attacks on hospitals and energy supplies. Smaller states in particular can hardly cope with large-scale coordinated cyber attacks on their own. Cross-border cyber defence hubs and a European Security Operations Centre (SOC) are intended to provide a solution. In addition, joint emergency management is planned, which will also include emergency and crisis management team exercises. A sort of ‘cyber fire brigade’, for example in the form of an incident response team, is to be deployed in the event of major attacks. However, national reservations are delaying the implementation of these measures, as individual member states do not wish to share sensitive data in full.

In addition, the European Commission is working on a revision of the Cybersecurity Act. The draft revision, presented in January this year, provides for a strengthening of the European Union Agency for Cybersecurity (ENISA) and additional requirements for secure ICT supply chains. To this end, ENISA will receive a significant increase in funding. The agency will also shortly be organising a large-scale crisis management exercise called ‘Cyber Europe 2026’.

Overall, the aim is to establish a comprehensive European cybersecurity architecture within the EU. Cybersecurity is thus increasingly being treated in Europe in a similar way to, for example, compliance requirements in the financial sector. This includes documentation requirements, audits, sanctions and the liability of company management. For many companies, this transforms cybersecurity from a purely IT issue into a regulatory task for the board of directors or senior management.

For those affected, the multitude of regulatory measures – some of which overlap – can be quite confusing. Different reporting requirements also contribute to this. Consolidation could not only clear up misunderstandings but also increase effectiveness.


Sources:

Heise: Cyberattack on billing service provider affects many hospitals (in German)

Statista: Critical infrastructure is the main target of hackers (in German)

BSI: NIS-2 – What to do? (in German)

BSI: NIS-2 impact assessment (in German)

European Commission: EU Cyber Solidarity Act

ECSO: The Cyber Solidarity Act Unpacked: ECSO’s Essential Brief

Bitkom: EU presents revision of the Cybersecurity Act (in German)

ENISA: Cyber Europe