politico.eu
January 28, 2026 4:16 pm CET
By Sam Clark
Europe is investing heavily in security but not enough in cyber, bloc’s cyber agency chief says.
BRUSSELS — The European Union urgently needs to rethink its cyber defenses as it faces an unprecedented volume and pace of attacks, the head of the bloc's cyber agency told POLITICO.
“We are losing this game,” said Juhan Lepassaar, the executive director of the EU's Agency for Cybersecurity (ENISA). “We are not catching up, we're losing this game, and we're losing massively.”
Europe has been pummeled with damaging cyberattacks in recent years, which have shut down major airports, disrupted elections and crippled hospitals. Just in the past week, cyber experts pinned an attempted attack on Poland’s power grid on Russia, and the president of Germany's Bundesbank said in an interview that the central bank faced over 5,000 cyberattacks every minute.
The cyber threats come as Europe deals with war on its eastern border, China's growing power over the global technology market and an increasingly unfriendly United States. In the past year, European countries have pledged to boost defense spending and the EU has shaped many of its policies around security and self-reliance.
Investing in security services but not in cybersecurity creates a “loophole,” Lepassaar warned.
The agency chief's warnings come one week after the European Commission presented a proposal to overhaul its Cybersecurity Act legislation. The bill would allow the EU's cyber agency, based in Athens, to expand its personnel by 118 full-time staff and to spend more on operational costs. The agency now has approximately 150 staff.
But Lepassaar lamented that wasn't nearly enough. He drew a comparison to EU police agency Europol and EU border agency Frontex, which have more than 1,400 and more than 2,500 staff respectively, with more resources on the way.
“We just don't need an upgrade. We need a rethink," he said. “Doubling the capacity is the absolute minimum."
The European Union has fallen short in cyber investment for years and it needs to build an entire new EU-level cyber infrastructure, the agency chief said.
Europe needs to 'step up'
When Lepassaar took charge of the agency in 2019, Europe was in a “totally different environment," he said.
In 2019, approximately 17,000 software flaws were added to a global database logging such vulnerabilities; in 2025, more than 41,000 were added, he said. And in 2019, it took hackers approximately two months on average to use those flaws in an attack, but now it took only one day on average, he said, citing industry and government data.
The cybersecurity industry has warned it now takes hackers far less time to exploit glitches, in part because of AI.
Just as Europe has pledged to take greater responsibility for its physical security, it must do the same in cyberspace, said Lepassaar — an Estonian who previously headed the office of European Commissioner for Digital Affairs Andrus Ansip.
In areas such as cataloging and managing cyber vulnerabilities — an obscure but critical area of cybersecurity — the only organizations systematically working on the problem have long been U.S.-based, Lepassaar said. “We all reap the benefits for free … it's needed that we now step up and take our fair share of this.”
MITRE, a U.S.-based nonprofit group, manages a global database of cyber flaws on which the entire industry relies. It nearly lost funding last year before being bailed out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
European startups and small businesses benefit from a system whose security is “backed up only by MITRE and CISA,” Lepassaar said.
ENISA has started operating a database of cyber flaws — though this was planned before MITRE nearly lost its funding — and recently took on a key technical role that further embeds it at the core of global cybersecurity infrastructure.
“It's part of our obligation as Europe to take our fair share from this,” Lepassaar said.
