The EU is working to play a bigger role in helping businesses and governments tackle cybersecurity issues as funding for key organizations in April relied on US cyber infrastructure.
The EU needs to “step up our game” and play a more active role in reporting potential cyber threats and patching patches, said Juhan Lepassaar, executive director of ENISA, the EU’s cybersecurity agency.
“We have never had a global system before, and this is heavily dependent on the capabilities of the US,” Lepassaar told the Financial Times. “We as Europe are ready to participate in strengthening our global vulnerability framework.”
Last month, the EU established a new structure to warn European businesses and governments of vulnerabilities, according to Lepassaar.
In April, cyber experts were ringing the alarm bell when funding for key US government security organizations was temporarily threatened.
The United States has been running for decades through nonprofits and public catalogs of cyber vulnerabilities that hackers may target. It provides guidance on limiting threats and helps businesses and governments around the world report security issues and fix them.
The program was ultimately uninterrupted, but at the time of the rise in online threats, it highlighted the weaknesses of the global online security system. It also revealed Europe’s dependence on the US on critical digital infrastructure, particularly as Washington retreates its military defense guarantees on the continent.
“There have probably been some developments in the US, but so far the system is healthy. But I believe we have a role to play in making it more sustainable,” says Lepassaar.
The US cyber agency CISA, which oversees the program, has lowered the issue to an administrative error. But the CISA itself is also in the crosshairs of President Donald Trump’s cuts, as the 2026 budget draft removes more than 1,000 staff and cuts agency funding nearly $495 million.
Over 100 vulnerabilities are reported to systems every day, with over 40,000 per year. “Not all of them are important, but on average one is important every day, so somehow you need to deal with it,” says Lepassaar.
The EU set up its own “European vulnerability database” last month, and it called for a more active role, particularly in proposing patches and guidelines to tackle these potential threats, Lepassaar said.
The EU database was already underway before the US issues were reported, but it made it even more urgent to implement the full implementation.
“Essentially, it’s about paying more attention to our backyard, but doing so will strengthen our global vulnerability management framework,” says Lepassaar.
He said the state-sponsored cyberattacks have been “evidently” increasing. “We’ve seen an increase in state and national actors targeting critical infrastructure, but of course we’re looking at the administration as well,” Lepassaar said. “If you look at the first quarter of 2025, you can see Chinese Nexus threat actors targeting the communications sector.”
Last month, the Czech government identified China as “(a) the head of a malicious cyber campaign.”
Recommended
Lepassaar said ransomware attacks, in which victims’ data are encrypted and they are asked to pay ransom for release, are also a key issue, and politically motivated attacks by so-called hacktivists.
“Electricity, communications and banking are actually very mature,” he said, but administration, health and wastewater management are “worry” and “risk zones.” “These are sectors that need to be taken.”
The EU adopted new cyber resilience rules last year, requiring businesses to build better security standards for products with digital components such as smartwatches and baby monitors.
The European Commission is also working on a review of cybersecurity laws that could expand Eniza’s mission. Lepassaar said his agency could play a more active role in helping “market players” implement more of the new cyber resilience rules.
