The European Commission confirmed on March 30 that attackers had compromised its public web infrastructure hosted on Amazon AWS. More than 350 gigabytes of data is said to have been leaked. It is the second security incident within 30 days – in February, work devices belonging to senior staff had already been compromised. For cloud architects in the regulated DACH environment, the incident provides a concrete reference scenario: the institution driving NIS2 and the Cyber Resilience Act is failing in its own implementation.
The Key Points in Brief
- The European Commission confirmed a cyberattack on its publicly accessible Europa websites, hosted on Amazon AWS, on March 30, 2026.
- According to reports, more than 350 GB of data was exfiltrated. The Commission provides no figures and refuses to disclose the attack vector or the duration of the attack.
- It is the second breach in 30 days. In February, work phones belonging to senior Commission staff had been compromised.
What Happened
The attack was discovered on March 24 and publicly confirmed on March 30. The publicly accessible web portals of the European Commission are affected – not internal administrative systems, as far as is currently known. The Commission refers to "data from these websites" without specifying which data categories are affected. No attribution to a state or criminal actor has been made.
The attack vector has not been confirmed. The infrastructure runs on Amazon Web Services – whether the vulnerability was in the AWS configuration, in a web application, or in a supply chain element remains unclear. AWS itself has not yet commented on the incident.
Why It Matters for DACH
NIS2 has been in force since October 2024 and requires critical infrastructure operators in the EU to comply with strict reporting obligations, risk management, and incident response processes. The Cyber Resilience Act adds to these requirements for connected products. Both regulations were driven in large part by the European Commission.
The fact that the same institution has now recorded two security incidents within one month – and in both cases is refusing the transparency it imposes on others by law – is more than a communications problem. For IT leaders and security managers in DACH companies, the question arises: if the European Commission itself is failing in implementation, how realistic are the requirements it places on others?
For cloud architects in regulated environments – public authorities, critical infrastructure operators, financial service providers – the incident is a concrete argument in ongoing architecture decisions. Anyone advocating hybrid cloud strategies with clear data separation between public and sensitive workloads now has a reference scenario. Anyone putting everything on a single hyperscaler faces an uncomfortable question.
The Sovereignty Paradox
Over the past three years, the EU has invested heavily in digital sovereignty: EUCS (European Cloud Services Scheme), Gaia-X, the European Cybersecurity Competence Centre in Bucharest. At the same time, European institutions host their own infrastructure on US hyperscalers. The Commission’s websites run on AWS. The European Parliament uses Microsoft 365.
"The EU preaches sovereignty in data hosting – and hosts its own portals on AWS. This is not a contradiction one can overlook. It is a credibility problem that grows with every breach."
– cloudmagazin editorial assessment
The argument that "AWS is more secure than on-premises" may be technically correct – AWS invests billions in security infrastructure. But the Shared Responsibility Model places responsibility for configuration, access management, and application security with the customer. And that is exactly where the Commission appears to have failed. AWS was not hacked – the Commission did not secure its AWS environment sufficiently.
Assessment
Three things stand out. First, the lack of transparency: six days between discovery and confirmation, no details on the attack vector or affected categories of data. That contradicts the spirit of the reporting obligations the Commission itself enshrined in NIS2. Second, the pattern: two incidents in 30 days point to structural problems – not a single configuration error. Third, the political dimension: the incident will accelerate the EUCS debate on sovereignty requirements for cloud services.
For cloud teams in DACH, the incident changes nothing operationally – their own security architecture remains their own responsibility. Strategically, however, it provides arguments for three decisions: hybrid architectures with clear workload separation; regular configuration audits independent of the cloud provider; and incident response processes that are actually tested – not just documented.
Frequently Asked Questions
Was AWS itself hacked?
Based on current information, no. The attack affected the European Commission’s web applications and configurations on AWS infrastructure. In the Shared Responsibility Model, the customer is responsible for the security of its applications and configurations. AWS has not yet commented publicly.
What data is affected?
The Commission has not named any data categories. The publicly accessible Europa web portals are affected. Since these are primarily informational pages, personal data is likely to be affected only to a limited extent (contact forms, newsletter sign-ups). According to the Commission, internal administrative systems were not affected.
What does this mean for my cloud architecture?
The incident does not change the security of AWS as a platform. But it shows that even large organizations make basic configuration mistakes. Concrete measures: a configuration audit of your own AWS/Azure/GCP environment, a review of incident response processes, and ensuring that shared responsibility boundaries are understood within the team.
Image source: AI-generated (May 2026), C2PA certificate embedded in image