After hack of COVID-19 vaccine data, EU unveils plans for greater cybersecurity

Margaritis Schinas, European Commissioner for Promoting Our European Way of Life, speaks in Brussels
Margaritis Schinas, the European Commissioner for Promoting Our European Way of Life, speaks at a news conference in Brussels on Wednesday.
(Kenzo Tribouillard / Pool photo)

The European Union unveiled plans Wednesday to revamp the 27-nation bloc’s dated cybersecurity rules, days after data on a new COVID-19 vaccine were unlawfully accessed in a hack attack on the European Medicines Agency.

The EU recorded about 450 cyber incidents last year involving European infrastructure, notably in the financial and energy sectors, and the pandemic has highlighted the continent’s deep dependence on the internet and exposed security weaknesses.

Last week, German pharmaceutical company BioNTech and its U.S. partner, Pfizer, said that data on their new COVID-19 vaccine were “unlawfully accessed” during a hack of the servers of the European Medicines Agency. The Amsterdam-based regulator, which will hold a meeting Monday to consider emergency authorization for the vaccine, acknowledged that it had been the target of a cyberattack.

The EU’s current Network Information System regulations date from 2008, and the European Commission’s new proposals aim to bring them up-to-date and allow the EU to impose hefty fines on operators who break the rules.


“The time of innocence is over. We know that we are a target,” Commission Vice President Margaritis Schinas told reporters. “We need to modernize, reinforce and adapt.”

The plans include an “EU-wide Cyber Shield” that would use artificial intelligence and machine-learning to detect early signs of attacks, a cyber unit to respond to incidents and threats, and beefed-up cooperation between countries and with organizations such as NATO.

The Justice Department accuses 2 Chinese hackers of researching network vulnerabilities at companies known to be working on a coronavirus vaccine.

July 21, 2020

The new strategy would focus on protecting essential infrastructure like electricity grids, heating systems, gas and hydrogen plants as well as air, rail, water and road links. Financial market and health infrastructure would also be among the priorities.

The EU wants to bolster its sanctions system with regard to cyber incidents. This year, the bloc imposed sanctions on people and organizations linked to Russia, China and North Korea.

The new plans must now be debated by EU countries and the European Parliament and are likely to change substantially. Once they are agreed upon, the 27 nations would have 18 months to adopt and start applying the rules nationally.


Following last week’s cyberattack on the European Medicines Agency, Pfizer and BioNTech said that hackers had accessed “some documents relating to the regulatory submission” they made to the agency for their COVID-19 vaccine.

IBM security researchers detect a cyberespionage effort that tried to collect information associated with a U.N. COVID-19 vaccination program.

Dec. 3, 2020

They said that none of their own systems had been breached and that they were not aware that any study participants had been identified as a result of the data being accessed.

“At this time, we await further information about EMA’s investigation and will respond appropriately and in accordance with EU law,” the companies said. “EMA has assured us that the cyberattack will have no impact on the timeline for its review.”