The European Commission has contained a cyberattack on its central mobile device management infrastructure that may have exposed staff names and mobile telephone numbers.
The Brussels-based institution announced on 6 February 2026 that its systems identified traces of unauthorised access on 30 January 2026. The Commission's response teams contained the incident and cleaned affected systems within nine hours. No compromise of individual mobile devices was detected.
The attack targeted infrastructure managing mobile devices for Commission personnel. The system stores employee contact information required for device provisioning and management. The Commission has not disclosed the number of affected staff members or the attack vector used to gain initial access.
CERT-EU provides institutional cybersecurity
The Computer Emergency Response Team for EU institutions (CERT-EU) functions as the central cybersecurity service for all Union institutions, bodies, and agencies. The organisation operates continuous threat monitoring, automated alert systems, and incident response capabilities to address vulnerabilities across the EU administrative infrastructure.
The Interinstitutional Cybersecurity Board (IICB) governs CERT-EU operations, coordinating security standards and monitoring cyber-hygiene implementation across the EU administration. The board optimises cooperation between institutions on threat intelligence and incident response protocols.
EU institutions face persistent targeting by threat actors and criminal groups seeking access to policy discussions, diplomatic communications, and regulatory information. Previous incidents include distributed denial-of-service attacks on EU agency websites and phishing campaigns targeting officials.
Regulatory framework for institutional security
EU institutions implement security measures under internal regulations and decisions establishing information security policies. These frameworks require risk assessments, access controls, encryption standards, and incident reporting procedures across administrative systems.
Mobile device management systems centralise configuration, application deployment, and security policy enforcement for institutional smartphones and tablets. Compromise of these platforms can enable surveillance of communications, location tracking, or deployment of malicious software to managed devices.
The Commission operates a separate infrastructure for classified information handling, subject to additional physical and technical security controls. The mobile infrastructure targeted in this incident manages unclassified administrative devices.
Cybersecurity incidents affecting EU institutions require notification to CERT-EU, which coordinates response activities and shares threat intelligence with affected organisations. The team maintains relationships with national cybersecurity centres and international partners for incident coordination.
Europe experiences persistent cyber threats targeting government institutions, critical infrastructure, and democratic processes. Attribution of attacks remains challenging due to the use of proxy infrastructure, false flag techniques, and commercially available offensive tools.
The Commission states it will review the incident to inform ongoing cybersecurity capability enhancement efforts. Specific technical improvements or policy changes resulting from the review were not disclosed.
