Executive Vice-President Henna Virkkunen has defended the credibility of the European Commission's cybersecurity framework, arguing that two major cyberattacks on the institution in 2026 demonstrate the effectiveness of existing safeguards rather than their failure. In a written answer to a parliamentary question from Barbara Bonte (PfE) on 3 July 2026, Virkkunen acknowledged that the Commission was a 'high-profile target' and that threat actors were using increasingly sophisticated techniques, including artificial intelligence. She stressed that neither incident caused major disruption to IT systems, proving that measures under Regulation 2023/2841 and cooperation with CERT-EU were 'effective in detecting and containing the attack attempts swiftly, and in reducing their impact.'
The two incidents were a February hack on the Mobile Device Management platform and a 24 March 2026 attack on the cloud infrastructure of the Europa.eu platform, in which approximately 92 GB of data was stolen via a compromised version of the open-source tool Trivy. Bonte had questioned how the Commission could require thousands of public authorities and businesses to comply with the NIS2 Directive and the EU Cybersecurity Regulation while being compromised itself. Virkkunen did not name any individual responsible, instead pointing to the internal cybersecurity risk-management framework and Commission Decision 2017/46. She did not commit to making the internal review public.
The March incident, Virkkunen noted, highlighted the growing risk of software supply-chain attacks. The Commission is reinforcing measures on verification of software origin and authenticity, tighter controls on third-party and open-source components, continuous monitoring, and defence-in-depth. She also referenced the Commission's proposal for a revised Cybersecurity Act 2 (COM/2026/11 final), which aims to strengthen ICT supply chain security. The answer contained no new numerical targets or deadlines, instead offering general commitments to improve internal protocols and regulatory frameworks.
The Commission is doubling down on its existing cybersecurity architecture, arguing that the attacks validate the current approach of detection and containment rather than signalling a need for fundamental overhaul. The emphasis on supply-chain security and the revised Cybersecurity Act 2 suggests future regulatory tightening for software vendors and open-source tool providers. Institutional follow-up is expected as the legislative process on the Cybersecurity Act 2 advances, with the Commission likely to use lessons from the incidents to bolster its own internal rules and possibly to push for faster adoption of the revised regulation.