Lessons From the European Airports Ransomware Attack
Published by The Lawfare Institute
in Cooperation With
Chaos. Cancellations. Reputational harm. Financial loss. All of these hit Heathrow, Brussels, and Berlin airports in September after a ransomware attack crippled a critical passenger system, Collins Aerospace’s Multi User System Environment (MUSE). The result was a cascade of massive delays, at least 217 canceled flights, thousands of affected passengers, and likely millions of euros in losses for these airports and airlines.
The incident demonstrated the catastrophic effects of an attack that disables the weakest link in a supply chain for critical infrastructure such as airports. It also exemplified how ransomware has become a global threat: A single vulnerability in a U.S. company’s software triggered reputational and financial damage for airports spanning three countries, and operational turmoil for airlines and passengers across multiple nations.
However, the incident also places a spotlight on key differences in cybersecurity regulation in the United States and Europe. While the European Union and the U.K. have enacted overarching laws and regulations, the U.S. still lags behind, with piecemeal regulations covering different industry sectors and no unified federal framework. Indeed, due to the different regulatory approaches on disclosure of these incidents and protection of personal data, it is difficult to know exactly how the attack is being handled across jurisdictions—demonstrating the dangers of these regulatory discrepancies.
A Key Difference From Previous Attacks
This attack resembles previous high-profile incidents that exposed systemic vulnerabilities in third-party service providers. The 2020 SolarWinds breach compromised approximately 18,000 organizations through a single software update, while the 2021 Kaseya ransomware attack affected an estimated 1,500 businesses downstream from a managed service provider.
The Collins Aerospace incident followed this sort of route but with a crucial difference: It struck operational technology in real-time critical infrastructure, not merely IT systems that could be isolated or temporarily shut down. Consequently, airports and airlines had to revert to pen and paper for manual bag registration, passenger ticketing, and gate assignments. Lines extended through terminals as gate agents manually verified passenger information, wrote out baggage tags by hand, and coordinated gate changes through two-way radios.
By compromising a widely used service provider, the attackers achieved what would have required separate breaches of dozens of individual organizations, a force multiplier effect that has become the trademark of supply chain cyberattacks. In this case, the reputational and economic damage materialized in real time across multiple jurisdictions simultaneously.
European Regulation: A Unified Statutory Framework, but a Mosaic of Agencies
In Europe, the Collins Aerospace incident activated a structured legal process under the NIS2 Directive and the General Data Protection Regulation, although little has been made public. The European Union Agency for Cybersecurity (ENISA) confirmed that ransomware was involved, and national authorities in Belgium, Germany, and the United Kingdom opened or coordinated inquiries. However, European law places strict limits on the disclosure of investigative details related to critical-infrastructure operators. These confidentiality provisions, intended to protect sensitive operational and personal data, mean that no official reports or sanctions have been released.
The response demonstrates the European Union’s comprehensive regulatory architecture, designed to address precisely the types of supply chain vulnerabilities exposed in this attack. At its center is Directive 2022/2555, the Network and Information Security Directive (NIS2), which was revised in December 2022 and required member states to implement the directive by October 2024.
The NIS2 replaces the original 2016 Network and Information Systems Directive (NIS), expanding both the scope and depth of regulatory obligations in response to an increasingly complex threat environment. Its aim is to strengthen the overall resilience of critical sectors and to harmonize cybersecurity obligations across member states.
A major innovation under NIS2 is the broad expansion of its sectoral coverage beyond the traditional infrastructure sectors regulated under the original NIS, such as energy, transport, health, finance, and digital infrastructure. The new directive extends obligations to additional “essential and important entities,” including in air transport, public electronic communications services, public administration, the manufacturing of critical products, postal and courier services, and waste management. This widened scope reflects the EU’s recognition that cyber vulnerabilities in supply chains can cascade through interconnected sectors such as civil aviation.
Under NIS2, essential entities are required to adopt “appropriate and proportionate technical and organizational measures” to manage cybersecurity risks. They are also required to report significant cybersecurity incidents to national authorities within strict time frames, typically 24 hours for an initial notification and 72 hours for detailed updates, ensuring rapid situational awareness and cross-border coordination.
Member states are required to adopt national cybersecurity strategies, designate competent authorities, and establish or strengthen national computer security incident response teams (CSIRTs). The directive also created the EU-CyCLONe network, which coordinates crisis management and large-scale incident response among member states and EU institutions.
Particularly applicable to the Collins Aerospace case, NIS2 establishes a two-tier classification system that distinguishes between “essential entities” and “important entities” based on criticality and potential impact of service disruptions. Essential entities operate in sectors of high criticality, where disruption would have particularly severe consequences for public safety, national security, public health, or economic stability.
The directive explicitly designates air transport as a sector of high criticality in Annex I, placing airport managing bodies, air carriers, air traffic control operators, and entities operating installations within airports within the essential entity category. NIS2’s regulatory framework would thus classify Collins Aerospace as a provider of essential services to entities in a high-criticality sector.
The European Union Agency for Cybersecurity is the central technical and coordination body behind the NIS2 regime. ENISA’s mandate derives from Regulation (EU) 2019/881, also known as the EU Cybersecurity Act, which made ENISA a permanent agency and expanded its authority beyond information-sharing to include certification schemes, capacity-building, and support for implementation of NIS2.
Under Article 23 of NIS2, ENISA acts as the recipient of anonymized and aggregated reports on significant cyber incidents from member states’ national authorities. These reports, submitted quarterly, allow ENISA to produce threat assessments, trend analyses, and policy recommendations. ENISA serves as an aggregator of incident information across the EU while respecting the confidentiality of individual company notifications.
Importantly, ENISA is not an enforcement body. It does not investigate incidents, impose penalties, or publish company-specific disclosures. Those responsibilities fall to the national authorities and CSIRTs designated under NIS2. ENISA’s role is instead to coordinate and give technical advice, ensuring homogeneity in how member states handle incident reporting, vulnerability management, and risk assessment.
Although it is difficult to know for sure, in the Collins Aerospace incident, ENISA’s involvement would likely have been indirect. If the affected airports or national CSIRTs reported the ransomware event as a “significant incident,” the details would be added to ENISA’s quarterly reporting cycle. Any subsequent reference would appear only in statistical or trend form (for example, as an increase in ransomware activity in the transport sector) rather than as a specifically named case. This confidentiality framework reflects the EU’s balance between transparency and operational secrecy in critical-infrastructure cybersecurity.
Incident reporting and coordination in this case would have involved three national cybersecurity authorities. In Belgium, the Centre for Cybersecurity Belgium (CCB) serves as the national competent authority and incident response team under the country’s implementation of the NIS2 Directive. In Germany, the Federal Office for Information Security (BSI) holds equivalent responsibilities under the IT-Sicherheitsgesetz 2.0 and a forthcoming NIS2 implementation law.
Coordination among the Belgian and German authorities would take place through the EU’s CSIRTs Network and the EU-CyCLONe crisis management mechanism, both enabled by ENISA. The United Kingdom, by contrast, relies on bilateral cooperation channels and law enforcement liaison with its National Crime Agency, the U.K.’s lead law enforcement agency against organized crime; human, weapons, and drug trafficking; and cybercrime and economic crime that transcend international borders.
This institutional mosaic illustrates how even within Europe, cybersecurity governance for interconnected infrastructure such as air transport remains divided between EU-level coordination and national authorities.
It is also important to note that even though Collins Aerospace is a U.S.-based company, NIS2 can regulate it when it provides essential services to European airports. In interconnected digital systems, regulation follows operational dependencies, not just the corporate address. A U.S.-based software provider cannot avoid EU cybersecurity requirements just because its headquarters and servers lie outside Europe when its systems are integral to European airport operations.
The U.K.’s Evolving Regulatory Landscape
For the United Kingdom, which has operated outside the NIS2 framework since Brexit, the National Cyber Security Centre leads on incident response within the aviation sector, alongside the Department for Transport, under the U.K.’s Network and Information Systems Regulations 2018.
While the EU pursues harmonization through directives such as NIS2, the U.K. is updating its regulatory framework with the forthcoming Cyber Security and Resilience Bill, expected to be introduced in Parliament during the 2025-2026 legislative session. The bill would update the existing Network and Information Systems Regulations 2018, which currently cover only five sectors (transport, energy, drinking water, health, and digital infrastructure), alongside certain digital services.
As per the U.K. government’s cyber security and resilience policy statement, which details the elements in the bill, it “will address the specific cyber security challenges faced by the U.K. while aligning, where appropriate, with the approach taken in the EU NIS 2 directive.” The bill’s most significant departure from traditional regulatory models lies in its treatment of supply chain security.
The proposed legislation will enable regulators to designate specific high-impact suppliers as “designated critical suppliers,” imposing obligations comparable to operators of essential services themselves. Under this framework, a company like Collins Aerospace, if deemed critical to U.K. airport operations, could be directly regulated regardless of its headquarters location. Designation criteria include whether the supplier’s disruption could have a “significant disruptive effect” on essential services and whether the supplier relies on networks and information systems that could be targeted or compromised.
This represents a fundamental shift: Rather than merely requiring airports to manage supplier risk contractually, the U.K. proposes the establishment of direct regulatory authority over the suppliers themselves. Most notably for entities such as Collins Aerospace, the bill would explicitly bring managed service providers into regulatory scope, estimated to cover 900-1,100 additional entities.
The U.K.’s approach contrasts with the EU model in that the U.K. emphasizes regulatory flexibility and executive authority over uniform regulatory standards. Nonetheless, like NIS2, the U.K.’s regulatory approach extends jurisdiction based on operational dependency rather than a corporate address. The proposed designation framework for critical suppliers applies a functional test: If a provider’s disruption would significantly affect U.K. essential services (like airports), regulators may bring that provider under the country’s regulatory purview, regardless of where the company maintains its headquarters or servers.
Like NIS2, this framework would reach U.S.-based providers such as Collins Aerospace when they operate systems integral to U.K. critical infrastructure. The primary difference lies not in jurisdictional reach but in implementation: While the EU establishes harmonized criteria across member states, the U.K. delegates designation authority to individual sectoral regulators on a case-by-case basis.
The U.S.’s Piecemeal Regulation
In the United States, the only public disclosure of the Collins Aerospace incident so far has been RTX Corporation’s Form 8-K, filed shortly after the breach, stating that the incident had not materially affected its operations or finances. No follow-up filings or enforcement actions have been reported. This demonstrates that the U.S. system remains largely disclosure-driven: Once a company meets the Securities and Exchange Commission’s (SEC’s) materiality threshold and files an 8-K, there is usually no further regulatory reporting unless new information emerges. Agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Aviation Administration were informed but have not issued public findings.
This demonstrates how oversight of cyber incidents in critical infrastructure still depends more on voluntary cooperation and transparency requirements than on a single, comprehensive federal statute. While the EU relies on a multilayered regulatory framework, combining national authorities such as the CCB and BSI with supranational coordination through ENISA, the United States operates under a more fragmented, sector-based model.
CISA, within the Department of Homeland Security, takes the lead on national cyber incident coordination. However, its authority over private-sector operators is largely advisory until full implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA can publish alerts, share threat intelligence, and coordinate responses, but it cannot force private entities to implement specific cybersecurity measures or report incidents, unless authorized by separate legislation.
CIRCIA is the most significant statutory expansion of CISA’s powers since its creation. It mandates that owners and operators of “covered critical infrastructure” report “covered cyber incidents” to CISA within 72 hours, and ransomware payments within 24 hours. In other words, reporting is no longer voluntary, but mandatory. The law also authorizes CISA to issue binding operational directives defining who must report, what incidents qualify, and what enforcement mechanisms will apply.
According to the proposed rules, CIRCIA directs CISA to “promulgate regulations implementing the statute’s covered cyber incident and ransom payment reporting requirements for covered entities.” In these same proposed rules, CISA defined a cyber incident as “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.”
Under this framework, CISA defines a “substantial cyber incident experienced by a covered entity” and proposes that an incident meeting any of several minimum criteria qualifies as “substantial,” including disruption of a covered entity’s ability to engage in business, or unauthorized access to a covered entity’s information system or network, or to any nonpublic information it contains, facilitated through a managed service provider like Collins Aerospace’s MUSE system.
The challenge is that these requirements are not yet in force: CISA is still drafting the final rule, the publication of which has been delayed until spring 2026. Until then, CISA continues to rely on voluntary reporting mechanisms, such as the Joint Cyber Defense Collaborative, to gather incident data and coordinate private-sector response.
CIRCIA does not explicitly apply to incidents that occur outside U.S. territory, and its extraterritorial application remains uncertain. These issues are still pending until the rulemaking process is complete. Some law firms suggest that if a covered entity operates critical infrastructure within the U.S., it might be required to report even if the cyber incident happened abroad, as long as the incident impacts the entity’s U.S. operations or assets. CISA’s Notice of Proposed Rulemaking for CIRCIA suggests that an entire corporate entity may be treated as covered even if only a portion of it performs critical functions, and that a covered cyber incident via a third party or in a non-U.S. context might also trigger reporting if it materially affects critical infrastructure.
From the perspective of CIRCIA, it is still unclear if the ransomware attack on Collins Aerospace in other countries would trigger a mandatory reporting obligation to CISA. Although Collins is a U.S. company, the incident occurred in European-based systems that supported airport operations abroad, not within infrastructure located in the United States. CIRCIA’s jurisdiction is currently defined by the territorial nexus of the affected infrastructure, not by the nationality or corporate domicile of the operator.
CISA’s reporting requirements apply to “covered critical infrastructure” as defined by Presidential Policy Directive 21, meaning infrastructure physically or functionally operating within the United States. Unless the ransomware incident had a direct operational impact on U.S. assets, transportation networks, or defense systems, Collins Aerospace’s obligation to report under CIRCIA would remain voluntary.
However, once CISA finalizes its implementing rule, the law could extend to foreign incidents that materially affect U.S. critical infrastructure, raising future questions about how far CIRCIA’s reach may extend to transnational technology providers like Collins Aerospace.
On the other hand, the Transportation Security Administration has imposed specific cybersecurity requirements for airlines and airport operators, while the SEC enforces disclosure obligations for publicly traded companies when cyber incidents are deemed “material.” Each of these authorities advances a distinct policy objective: resilience, safety, or investor transparency, resulting in a regulatory patchwork rather than a cohesive national system. This contrast underscores the structural difference between the EU’s centralized coordination and legal accountability model and the U.S.’s approach of distributed oversight and reactive disclosure.
The U.S. system puts transparency obligations on companies themselves rather than on a central coordination agency. Under the SEC’s cybersecurity disclosure rules, Collins Aerospace’s parent company, RTX Corporation, was required to file a Form 8-K publicly within four business days of determining that the incident was material. In its filing, the company said that:
While our investigation and assessment of this product cybersecurity incident is ongoing, it has not had a material impact and is not reasonably expected to have a material impact, on the Company’s financial … business operations or results of operations.
Thus, while ENISA collects information primarily for “systemic resilience and policy design,” the SEC regime highlights market transparency and investor protection. The two approaches symbolize different regulatory philosophies: one administrative (as in the European market), the other market-based and disclosure-driven, acting mainly through self-regulation (as in the U.S.).
***
The Collins Aerospace incident demonstrates an important aspect of modern cyber threats: Attacks increasingly target not the end user, but the technology providers upon which critical infrastructure depends. This attack was not directed at Heathrow, Brussels, or Berlin; rather, it targeted a single service provider whose systems were embedded in their daily operations. By compromising this centralized service provider, the attackers achieved what would have required separate breaches of dozens of individual organizations, a force multiplier effect.
The attack also exposed the uneven but gradually tightening regulatory landscape that governs cybersecurity across the Atlantic. While the EU has adopted an increasingly centralized approach, the U.S. continues to struggle with piecemeal, sector-specific regulation. In an age of increased cyber incidents, the discrepancy between these approaches could prove detrimental.
