A cyberattack was detected on the European Commission’s central mobile device management infrastructure, which might have exposed staff names and mobile telephone numbers.

On February 6, 2026, Brussels-based authorities announced that unauthorized access had been identified on January 30, 2026. The response teams contained the incident within nine hours after its detection and cleaned the affected systems. No compromise of individual mobile devices was reported.

The attack focused on infrastructure managing mobile devices for Commission personnel. This system holds employee contact information necessary for device provisioning and management. The exact number of affected staff members and details about the initial access vector remain undisclosed.

CERT-EU’s Role in Institutional Cybersecurity

The Computer Emergency Response Team for EU institutions (CERT-EU) serves as a central cybersecurity service for all Union bodies and agencies. It operates continuous threat monitoring, automated alert systems, and incident response capabilities to address security vulnerabilities across the EU administrative infrastructure.

The Interinstitutional Cybersecurity Board (IICB) oversees CERT-EU operations, coordinating security standards and monitoring cyber-hygiene implementation across the EU administration. The board enhances cooperation between institutions on threat intelligence and incident response protocols.

EU institutions are frequently targeted by threat actors and criminal groups seeking access to policy discussions, diplomatic communications, and regulatory information. Past incidents have included distributed denial-of-service attacks on agency websites and phishing campaigns targeting officials.

Regulatory Framework for Institutional Security

EU institutions enforce security measures under internal regulations and decisions that establish information security policies. These frameworks mandate risk assessments, access controls, encryption standards, and incident reporting procedures across administrative systems.

Mobile device management systems centralize configuration, application deployment, and security policy enforcement for institutional smartphones and tablets. Compromise of these platforms can enable surveillance of communications, location tracking, or the deployment of malicious software to managed devices.

The Commission maintains a separate infrastructure for handling classified information, subject to additional physical and technical security controls. The mobile infrastructure targeted in this incident manages unclassified administrative devices.

Cybersecurity incidents affecting EU institutions require notification to CERT-EU, which coordinates response activities and shares threat intelligence with affected organizations. The team maintains relationships with national cybersecurity centers and international partners for incident coordination.

Europe continues to face persistent cyber threats targeting government institutions, critical infrastructure, and democratic processes. Attribution of attacks remains challenging due to the use of proxy infrastructure, false flag techniques, and commercially available offensive tools.

The Commission plans to review the incident as part of ongoing cybersecurity capability enhancement efforts, though specific technical improvements or policy changes resulting from this review have not been disclosed.