The Commission's Cloud — the European Commission AWS breach and the sovereignty argument

On 24 March 2026, the European Commission discovered that its cloud infrastructure had been compromised.

The infrastructure in question was its Amazon Web Services account, which hosts the Commission’s web presence on the Europa.eu platform. A threat actor had accessed the account, exfiltrated more than 350 gigabytes of data including multiple databases, and provided proof of access to BleepingComputer before the Commission had made any public statement.

The Commission confirmed the breach on Friday. Official statement IP/26/748. Spokesperson Nika Blazevic confirmed the details to TechCrunch the same morning. The Commission’s internal systems, it said, were not affected.

The hacker has declined to demand a ransom. They intend to publish the data at a later date.

This is the second major security incident at the European Commission in 2026. The institution that wrote the AI Act, administers GDPR, oversees NIS2, and published the Cyber Solidarity Act has been breached — twice — in under sixty days.

The Great Return had a chapter about this.


What Happened

The attack was discovered on Tuesday, March 24. The Commission’s cybersecurity incident response team contained it quickly. Risk mitigation measures were implemented. The Europa.eu websites remained available throughout the incident — the attack targeted data hosted there, not the availability of the services themselves.

According to sources familiar with the incident who spoke to BleepingComputer — the publication that broke the story — the breach affected at least one of the Commission’s AWS accounts. The threat actor provided screenshots demonstrating access to information belonging to European Commission employees and to an email server used by Commission staff. They claimed over 350 GB stolen, including multiple databases.

Amazon Web Services issued a statement: “AWS did not experience a security event, and our services operated as designed.”

That statement is technically precise. The cloud infrastructure operated correctly. The breach was at the account level: credentials, access control, identity management. Under AWS’s shared responsibility model those are the customer’s to secure, and AWS delivered exactly the service contracted. The problem was not what AWS did. The problem was where the data was, and who held the keys.

Cloud infrastructure and the account-level attack surface — where sovereignty risk begins

The Second Time

This is not the Commission’s first breach in 2026.

In February, the Commission disclosed that its mobile device management platform — used to manage staff devices — had been hacked. The incident was discovered on January 30. The vulnerability was in Ivanti Endpoint Manager Mobile software, exploited via a code-injection flaw. The same attack pattern hit the Dutch Data Protection Authority and Valtori, a government agency under Finland’s Ministry of Finance.

Ten days before that breach was discovered — on January 20 — the European Commission had published a new Cybersecurity Package to strengthen European defences against state-backed actors and cybercrime groups.

Last week, the Council of the European Union sanctioned three Chinese and Iranian companies for orchestrating cyberattacks against EU member state infrastructure.

None of this is coincidence or contradiction. It is the baseline. The EU’s own cybersecurity agency, ENISA, states in its annual threat landscape analysis that public administrations are the single most frequently targeted category of organisation in the European threat environment. ENISA is an EU agency; the Commission reads those reports and knows the data. The frequency of attacks against institutions like itself is not a surprise finding; it is the operational reality that motivated the legislation.

What the Commission cannot legislate away is its own infrastructure dependency.

The pattern of attacks on EU institutions — ENISA, Ivanti, and the operational reality

The Regulator's Infrastructure

The European Commission wrote the AI Act. It administers the General Data Protection Regulation. It proposed and oversees NIS2 — the Network and Information Security Directive that requires organisations in critical sectors to report significant incidents within strict windows and demonstrate robust cyber hygiene, with member states’ national authorities doing the enforcing. It published the Cyber Solidarity Act, creating the European Cyber Shield and Cyber Emergency Mechanism to detect and respond to large-scale cyber threats with “collective speed and precision.”

Its public platform runs on Amazon Web Services.

This is not an accusation. Institutional infrastructure decisions are slow, deeply path-dependent, and involve long-term contracts that predate current circumstances by years. The Commission is not unaware of the irony — the sovereign cloud agenda, GAIA-X, the European Cloud Infrastructure discussion — all of it reflects exactly this awareness. The policy intention is clear. The implementation gap is equally clear.

But the AWS statement is the key to reading this clearly: the cloud worked as designed. Data held on a foreign provider’s platform, under credentials the organisation itself manages, is accessible to anyone who obtains those credentials. The attack surface is not the datacenter wall. It is the authentication layer. And authentication layers are exactly what sophisticated threat actors target: not by breaking AWS, but by compromising the accounts that hold access to it.
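If the provider’s platform “operated as designed”, then the account-level compromise described here and in the earlier paragraph on the AWS statement shows up only in the account owner’s own audit trail. The following is an added example, not code from the original page or from the Commission: it runs a small detector over constructed CloudTrail-style records (synthetic data, not real logs; the principal names, IP baseline and thresholds are assumptions) and flags the three signs that the keys, rather than the datacenter, were the way in: a long-lived IAM access key used from an address the principal never calls from, a burst of data-plane reads, and new credentials minted for persistence.

```python
"""Account-level detection over CloudTrail-style records.

Added example: the records are constructed (synthetic), the thresholds and
the baseline IP table are assumptions, and nothing here comes from the
Commission's environment.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Data-plane calls that, in volume, look like exfiltration of hosted data.
DATA_PLANE_READS = {"GetObject", "ListObjects", "ListObjectsV2", "DescribeDBSnapshots"}
# Control-plane calls an intruder uses to keep access after the first key is rotated.
PERSISTENCE_CALLS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy"}


def credential_kind(access_key_id):
    """AKIA* keys are long-lived IAM user keys; ASIA* are temporary STS credentials."""
    if access_key_id.startswith("AKIA"):
        return "long-lived"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def parse_events(text):
    """Parse newline-delimited CloudTrail-style JSON records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["_ts"])


def detect(events, known_ips, read_threshold=50, window=timedelta(minutes=10)):
    """Return (kind, principal, source_ip, eventTime) findings.

    known_ips maps a principal (IAM userName or assumed-role ARN) to the set
    of source IPs it is expected to call from; the thresholds are assumed.
    """
    findings = []
    flagged_ips = set()          # (principal, ip) pairs already reported
    reads = defaultdict(list)    # principal -> timestamps of recent reads
    for e in events:
        ident = e.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("arn") or "unknown"
        ip = e.get("sourceIPAddress", "")
        key = ident.get("accessKeyId", "")
        # 1. A long-lived key used from outside the principal's baseline: the
        #    signature of a stolen credential rather than a compromised host.
        if credential_kind(key) == "long-lived" and ip not in known_ips.get(principal, set()):
            if (principal, ip) not in flagged_ips:
                flagged_ips.add((principal, ip))
                findings.append(("long-lived-key-new-ip", principal, ip, e["eventTime"]))
        # 2. A burst of data-plane reads inside a sliding window (fires at the threshold).
        if e["eventName"] in DATA_PLANE_READS:
            ts = reads[principal]
            ts.append(e["_ts"])
            while ts and e["_ts"] - ts[0] > window:
                ts.pop(0)
            if len(ts) == read_threshold:
                findings.append(("bulk-read", principal, ip, e["eventTime"]))
        # 3. New credentials minted: persistence beyond the stolen key.
        if e["eventName"] in PERSISTENCE_CALLS:
            findings.append(("persistence", principal, ip, e["eventTime"]))
    return findings


def build_sample():
    """Constructed event stream (synthetic): routine CI reads with temporary
    credentials, then an IAM user's long-lived key used from an unfamiliar
    address to bulk-read a bucket and create a fresh access key."""
    ci_arn = "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(5):
        lines.append(json.dumps({
            "eventTime": (datetime(2026, 3, 24, 1, 0) + timedelta(minutes=i)).strftime(fmt),
            "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
            "userIdentity": {"type": "AssumedRole", "arn": ci_arn, "accessKeyId": "ASIAEXAMPLE000000001"},
            "sourceIPAddress": "203.0.113.8"}))
    for i in range(60):
        lines.append(json.dumps({
            "eventTime": (datetime(2026, 3, 24, 2, 0) + timedelta(seconds=5 * i)).strftime(fmt),
            "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
            "userIdentity": {"type": "IAMUser", "userName": "web-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
            "sourceIPAddress": "198.51.100.77"}))
    lines.append(json.dumps({
        "eventTime": "2026-03-24T02:06:00Z", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "web-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "sourceIPAddress": "198.51.100.77"}))
    return "\n".join(lines)


def run():
    # Assumed baseline: both principals normally call from the office egress address.
    known_ips = {"web-deploy": {"203.0.113.8"},
                 "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42": {"203.0.113.8"}}
    return detect(parse_events(build_sample()), known_ips)


if __name__ == "__main__":
    for kind, principal, ip, when in run():
        print(f"{when} {kind:24} {principal} from {ip}")
```

The routine CI traffic produces nothing: temporary STS credentials from a known address, a handful of reads. The stolen long-lived key produces all three findings, in order, and the first of them fires on the very first call from the unfamiliar address, before a single byte of bulk data has moved. That is the point of the paragraph above in operational terms: the provider cannot see this for you, because from its side every one of those calls was a correctly authenticated request.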

This is the structural argument The Great Return made. Not that US cloud providers are bad actors. Not that AWS is negligent. But that cloud infrastructure architecture creates dependencies — credential stores, API access, identity management — that are fundamentally outside the organisation’s direct control. And that for institutions handling sensitive data, that dependency is a liability that cannot be contracted away.

The Commission’s January Cybersecurity Package includes proposals to address exactly this. The question now is whether the second breach in sixty days accelerates the pace of the institutional shift — or whether, as typically happens in large institutions, the operational disruption fades and the structural dependency persists.

Sovereignty and the cloud — the gap between European policy and European infrastructure

The Data That Has Not Leaked Yet

The threat actor’s stated position deserves direct attention: they do not intend to extort the Commission. They intend to publish the data at a later date.

That is, in some respects, the more serious scenario. Extortion ends when either the ransom is paid or the organisation declines. Publication — scheduled, unilateral, at a time of the attacker’s choosing — means the incident is not closed. The Commission is now in a position of uncertainty: 350 gigabytes of databases, the contents of which are not yet fully characterised, will appear in public at an undetermined point in the future.

The Commission states that its internal systems were not affected. The breach targeted the cloud infrastructure hosting the europa.eu web presence — public-facing content and the systems behind it, not the Commission’s core operational and decision-making data. That distinction matters and should not be collapsed. But europa.eu is not a static brochure site. It hosts the Commission’s institutional presence, its databases of published documents, its staff communication infrastructure. The screenshots the threat actor provided — showing access to employee information and an email server — indicate the data exposure extends to personnel-level information at minimum.

The Commission is in touch with other EU entities that may have been affected. That notification obligation is itself governed by the frameworks the Commission wrote.


What the Scorecard Says

The Great Return was explicit about the sovereignty risk. Chapter 3 of the paper identified dependence on US hyperscaler infrastructure as one of the primary structural vulnerabilities facing European institutions — not a theoretical risk, but an active one, given the legal territory that US cloud providers operate under and the attack surface that account-level access creates.

The paper’s 30-prediction scorecard included a category around geopolitical and institutional risk: the projection that European institutions would face material incidents arising from their US cloud dependencies before the end of 2027, and that those incidents would accelerate the institutional cloud sovereignty debate beyond the policy discussion stage.

The prediction was for 2027. It arrived in the first quarter of 2026. Twice.

Scorecard update: 12 of 30 predictions assessed. 12 in the right direction. The sovereignty risk prediction — that institutional dependence on US cloud infrastructure represents an active liability rather than a theoretical concern — has moved from “projected” to “confirmed incident.” The confirming institution is the one that wrote the rules everyone else is expected to follow.

There is no satisfaction in being right about this. Every data breach in a European institution is a real security failure with real consequences for real people. The argument was never that the risk was acceptable because it would make a useful illustration. The argument was that the risk was structural, that structural risks produce structural incidents, and that the correct response is structural change — not faster incident response on the same architecture.

The Commission is now investigating. It will report findings. It will implement additional measures. It will continue to monitor. All of that is appropriate and necessary.

And then, at some point, the data will be published. And the Commission — the institution that this week enforced GDPR notification obligations on others, and last week sanctioned foreign entities for attacking European infrastructure — will be the subject of its own breach disclosure, in full public view.

That is what sovereignty risk looks like when it stops being theoretical.