EU to ‘step up’ on cyber security as dependence on US laid bare

The EU is moving to play a bigger role in helping businesses and governments tackle cyber security issues, after a key organisation’s funding crunch in April laid bare Europe’s dependence on US cyber infrastructure.
The EU needed to “step up our game” and take a more active role in reporting and patching potential cyber threats, said Juhan Lepassaar, executive director of Enisa, the EU’s cyber security agency.
“We just haven’t had the global system so far, which relies to a large extent on capabilities in the United States,” Lepassaar told the Financial Times. “We as Europe are ready to take part in strengthening the global vulnerability framework.”
The EU set up a new structure last month to warn European businesses and governments about vulnerabilities, Lepassaar said.
In April, cyber experts had sounded alarm bells when US government funding for a vital security organisation was temporarily threatened.
The US has for decades run, via a non-profit, a public catalogue of cyber vulnerabilities that could be targeted by hackers. It gives guidance on limiting the threats, allowing companies and governments worldwide to report security issues and get help to fix them.
Although the programme was not ultimately interrupted, it highlighted a weak spot in the global online security system at a time of rising online threats. It also revealed Europe’s reliance on the US for crucial digital infrastructure, particularly as Washington also rolls back its military defence guarantees to the continent.
“There have been perhaps some developments in the United States, but so far, the system is sound. However, in order to make it more sustainable, we do believe that we have a role to play,” Lepassaar said.
US cyber agency CISA, which oversees the programme, put the issue down to an administrative error. But CISA itself is also in the crosshairs of US President Donald Trump’s cuts, as a draft budget for 2026 would eliminate more than 1,000 staff and cut the agency’s funding by almost $495mn.
Each day, more than 100 vulnerabilities are reported to the system, amounting to more than 40,000 per year. “Not all of them are critical but on average one every day is critical, so it needs to be handled somehow,” Lepassaar said.
The EU last month set up its own “European vulnerability database”, Lepassaar said, and was seeking a more active role in proposing patches and guidelines particularly for European companies to tackle those potential threats.
While the EU database had already been in the works before the issues in the US were reported, they have made its full implementation even more urgent.
“Essentially, it is about taking care more about our backyard, but by doing so, also strengthening the global vulnerability management framework,” Lepassaar said.
He said there had “clearly” been an increase in state-sponsored cyber attacks. “We see a rise in state-nexus actors targeting critical infrastructure, but also of course public administration,” Lepassaar said. “When we look in the first quarter of 2025, we see China nexus-threat actors targeting telecom sectors.”
Last month, the Czech government identified China “as being responsible for [a] malicious cyber campaign” targeting its foreign ministry.
Lepassaar said ransomware attacks, where victims’ data is encrypted and they are asked to pay a ransom for the release, were also an important issue, as well as politically motivated attacks by so-called hacktivists.
“Electricity, telecoms and banking are actually quite mature” in terms of their security, he said, but public administration, health and waste water management are “worrisome” and a “risk zone”. “These are the sectors who need to take action.”
The EU adopted new cyber resilience rules last year, requiring companies to build better security standards into products with digital components, such as smart watches or baby monitors.
The European Commission is also working on a review of its Cybersecurity Act, which could expand Enisa’s mandate. Lepassaar said his agency could play a more proactive role in helping “market players” better implement the new cyber resilience rules.