European Commission Confirms Major Cyberattack on Europa.eu Cloud Infrastructure

The European Commission confirmed on Friday that a cyberattack struck its cloud infrastructure on March 24, 2026, with preliminary findings indicating that data was stolen from websites hosted on the Europa.eu platform. Commission spokesperson Nika Blazevic confirmed the breach to TechCrunch, stating that the Commission had "discovered a cyber-attack, which affected part of our cloud infrastructure." A separate statement from spokesperson Thomas Regnier to Bloomberg confirmed the same, adding that the attack struck the Commission's account on cloud provider Amazon Web Services before being detected and blocked. The Commission stated that its internal systems were not affected and that the incident was contained swiftly, though the full scope of the breach remains under investigation. No group or individual has been named as responsible.

Hackers may have taken over 350 gigabytes of data Cybersecurity publication Bleeping Computer, which first reported the breach, cited sources with knowledge of the incident as saying that hackers stole hundreds of gigabytes of data, including multiple databases, from the Commission's AWS account. According to Bloomberg, the person responsible for the hack claimed to have stolen more than 350 (gigabytes) — data reportedly stolen from Commission AWS account of data. Bleeping Computer reported that the hacker provided evidence of access, including screenshots. It remains unclear what categories of data were taken from the public-facing websites. The Commission said it is in the process of contacting EU institutions that may have been affected by the breach, and that it will analyze the incident to strengthen its cyber defenses going forward. The Europa.eu platform hosts websites not only for the Commission but also for the European Parliament, the Council of the EU, and other EU institutions, raising the possibility that the impact extends beyond the Commission itself.

January breach preceded the March attack by weeks The March 24 incident is not the first security event to affect the Commission in recent months. In January 2026, the Commission detected a separate incident that may have exposed limited staff contact details, after which the EU said it would review the security of its systems and take additional precautions if needed. Hans de Vries, ENISA's chief cybersecurity and operations officer, addressed the earlier breach at a panel discussion at the RSA cybersecurity event in San Francisco. „Every organization has incidents. So do we.” — Hans de Vries via Bloomberg Politico reported that the head of ENISA recently warned that Europe is "losing massively" in the broader contest against hacking groups, both criminal and state-sponsored. A body called CERT-EU, which sits within the Commission's IT department, carries responsibility for cybersecurity across EU institutions. The European Parliament also experienced a major data breach in 2024 following the hack of an HR system, according to Politico.

EU public administrations account for 38% of cyber incidents The attack on the Commission reflects a broader trend of escalating threats against European government infrastructure. According to ENISA's annual threat report cited by Bloomberg, public administration networks account for 38 (percent) — share of EU cyber incidents targeting public administrations of all recorded incidents in the EU. Bloomberg also reported that cloud-focused attacks, particularly from nation-states, are increasing in frequency and speed, with artificial intelligence accelerating the pace at which attackers operate. The Commission said it will continue to monitor the situation following the March 24 breach and will later analyze what happened in order to boost its cyber protection in the future. A representative for Amazon did not immediately respond to a request for comment, according to Bloomberg. The Commission did not provide a timeline for completing its investigation into the full impact of the attack.

The European Commission has faced a series of cybersecurity challenges in recent years. The European Parliament suffered a major data breach in 2024 following the compromise of an HR system. In January 2026, a separate incident potentially exposed limited Commission staff contact details. ENISA, the EU's dedicated cybersecurity agency, has been fully operational since September 2005 and is headquartered in Athens, Greece. The agency's annual threat reports have consistently flagged public administrations as among the most targeted sectors across the EU.