The European Parliament on 17 June 2026 debated the protection of EU citizens' data from hybrid threats, focusing on a major data breach in Lithuania where over 600,000 records from the national register were stolen. Renew MEP Petras Auštrevičius criticized Lithuanian authorities for delaying notification to affected citizens from April to May 2026, questioning why the breach was hidden. Council Deputy Minister Marilena Raouna highlighted the EU's legislative cyber framework and the proposed cybersecurity package, stressing the need for coordinated response via hybrid rapid response teams and the European Democracy Shield. Commissioner Michael McGrath (Justice) outlined EU tools including NIS2, the Cyber Resilience Act, and the Cyber Solidarity Act, and announced upcoming proposals to strengthen Eurojust and Europol.
MEPs from across the political spectrum diverged on national implementation gaps and political responsibility. EPP MEPs Liudas Mažylis and Vytenis Povilas Andriukaitis questioned the pace of national implementation, while S&D's Julie Rechagneux called for stronger EU-level guidelines. Renew's Dainius Žalimas emphasized faster information sharing, and ECR's Aurelijus Veryga pressed for investment in cyber resilience. Greens-EFA MEP Virginijus Sinkevičius highlighted democratic trust erosion. PfE MEP Petras Gražulis blamed liberal-conservative governments for ignoring 2024 cybersecurity recommendations. The debate underscored the need for a united European response to hybrid attacks targeting citizens' data and democratic trust.
The breach and the delayed notification have exposed tensions between national sovereignty and EU-level oversight. On one hand, stronger EU guidelines and faster information sharing could improve response times and protect citizens, but on the other, they may impose additional compliance burdens on national authorities. The debate also highlighted a cleavage between those advocating for more EU integration in cybersecurity (Renew, S&D, Greens) and those emphasizing national responsibility (EPP, ECR). The impact on stakeholders is significant: EU citizens face increased risk of identity theft and fraud; national authorities may face stricter reporting obligations; EU institutions like Europol and Eurojust could gain expanded powers; and cybersecurity firms may see increased demand for resilience solutions. The Commission's upcoming proposals to strengthen Eurojust and Europol are expected to address some of these gaps, but the debate showed that member states remain divided on how fast and how far to go.