85% of Employees at the Lowest-Rated EU Institutions Reuse Compromised Passwords as Cybersecurity Threats Rise
In 2025 the European Commission rolled out new initiatives to boost cyber resilience and enacted legislation aimed at strengthening cybersecurity across the European Union (EU). Significant concerns nevertheless persist about how prepared EU institutions are to meet cybersecurity challenges in practice.
According to a 2022 special report by the European Court of Auditors (ECA), the EU's institutions, bodies and agencies (EUIBAs) are not adequately prepared for the cyber threats they face; the report called for increased investment in cybersecurity.
Despite ongoing efforts to improve security, the most recent data from the Business Digital Index (BDI), powered by Cybernews, shows that EU institutions are still struggling to secure their systems against cyberattacks. 67% of the assessed organizations received a D or F grade, the two lowest ratings in the index. Every assessed institution has experienced a data breach, and 85% of employees at the lowest-rated organizations were found to be reusing passwords that had already appeared in breach data.
Even as they handle sensitive political, economic, and citizen data, most EU institutions are exposed to considerable cybersecurity risks.
EU Institutions Show Fundamental Weaknesses in Cybersecurity Practices
The research team behind the Business Digital Index evaluated the websites of 75 EU governmental institutions to assess their cybersecurity posture. Among these institutions, one-third received a C score, indicating below-average security, while 32% were categorized as high-risk with a D score, and an alarming 35% fell into the critical risk category with an F score. Not a single institution achieved an A or B rating.
The average security score across EUIBAs was 71 out of 100, placing them in a high-risk classification according to the index’s methodology. This suggests that while some basic security measures exist, organizations remain significantly vulnerable to cyber threats.
The current cybersecurity landscape across EU organizations raises serious concerns and warrants immediate action. The persistence of vulnerabilities increases the likelihood of sensitive data being stolen or misused, posing significant risks to both institutional integrity and personal privacy.
Data Breaches Predominant Among Low-Scoring Institutions
Password reuse emerged as a significant concern alongside the breaches reported at every institution. Among F-rated organizations, 85% of employees were found to be reusing credentials that had already been exposed in earlier breaches, compared with 71% in D-rated organizations and just 8% in C-rated institutions. The recurring breaches seen in low-scoring organizations are therefore likely symptomatic of systemic neglect rather than isolated incidents.
The findings of this research correlate with major security incidents in recent history. In 2024, the European Parliament disclosed a significant breach of its PEOPLE recruitment platform, which compromised the personal data of over 8,000 current and former employees. The breach, which went unnoticed for months, revealed sensitive documents, including ID cards, residence permits, and marriage certificates—data ripe for identity theft.
Continuing to use a password after it has appeared in a breach dump sharply raises the risk of account takeover for both individuals and organizations: attackers replay leaked credentials at scale (credential stuffing), so a reused password is effectively already known to them. Employee education about password management and the consequences of credential reuse remains necessary, but the stronger control is technical: screening new and existing passwords against known-breach corpora and requiring multi-factor authentication, so that a leaked password on its own is not enough to log in.
Critical System Vulnerabilities Identified Among Low-Scoring Institutions
The data shows a strong correlation between low scores and systemic weaknesses. SSL/TLS configuration issues were identified at every F-rated institution and at 92% of D-rated institutions, leaving encrypted sessions open to downgrade and man-in-the-middle attacks. Insecure hosting environments were found at 92% of D- and F-rated institutions and, notably, at every C-rated institution, so this weakness is not confined to the lowest tiers. Email spoofing risk, which in an external assessment generally means missing or permissive SPF and DMARC records, was present at every C-rated organization and at 96% of D- and F-rated institutions, making it easy to impersonate an institution's domain in phishing mail.
Exposed corporate credentials were found at 96% of F-rated and 83% of D-rated institutions, compared with only 12% of C-rated organizations, a stark divide in basic security hygiene. Critical vulnerabilities were relatively rare across the dataset, but half of the F-rated institutions showed signs of high-risk web application vulnerabilities.
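The email-spoofing check behind the figures above, as an added example that is not part of the original article and is not Business Digital Index or Cybernews code. It parses a domain's SPF record (the `all` qualifier) and DMARC record (the `p` policy and `pct` tag) and maps them onto a coarse risk level with the reasons. The DNS records and domain names are constructed inline so the example runs offline; in a real scan they come from TXT lookups of the domain itself and of `_dmarc.<domain>`, and a full assessment would also verify DKIM selectors, which this example does not.

```python
"""Classify a domain's email-spoofing exposure from its SPF and DMARC records.
Records are constructed stand-ins; a real scanner fetches them via DNS TXT."""
import re

# Constructed records for hypothetical domains (not real DNS data).
SAMPLE_DNS = {
    "strict.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    },
    "partial.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=quarantine; pct=50",
    },
    "monitor-only.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    },
    "open.example": {"spf": "v=spf1 +all", "dmarc": None},
    "no-records.example": {"spf": None, "dmarc": None},
}


def parse_spf(record):
    """Return the qualifier of the 'all' mechanism ('-', '~', '?' or '+'),
    '?' when no 'all' term exists (RFC 7208 default is neutral), or None
    when there is no valid SPF record at all."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # bare 'all' is '+all'
    return "?"


def parse_dmarc(record):
    """Return DMARC tags as a lower-cased dict, or None if absent/malformed."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spoofing_risk(spf_record, dmarc_record):
    """Map the two records onto ('low' | 'medium' | 'high', [reasons]).
    DMARC enforcement is what actually blocks spoofing of the visible From
    header, so a missing or p=none DMARC record is always 'high'."""
    reasons = []
    qualifier = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)

    if qualifier is None:
        reasons.append("no valid SPF record")
    elif qualifier == "+":
        reasons.append("SPF '+all' authorises every sender")
    elif qualifier in ("~", "?"):
        reasons.append(f"SPF ends in '{qualifier}all' (softfail/neutral), not '-all'")

    policy = (dmarc or {}).get("p", "").lower()
    if dmarc is None:
        reasons.append("no DMARC record")
    elif policy == "none":
        reasons.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        reasons.append(f"DMARC policy '{policy}' not recognised")

    pct = (dmarc or {}).get("pct")
    if policy in ("quarantine", "reject") and pct and pct.isdigit() and int(pct) < 100:
        reasons.append(f"DMARC pct={pct} enforces the policy on only part of the mail")

    if dmarc is None or policy not in ("quarantine", "reject"):
        level = "high"
    elif reasons:
        level = "medium"
    else:
        level = "low"
    return level, reasons


def assess(domain):
    """Look the domain up in the constructed table and classify it."""
    rec = SAMPLE_DNS[domain]
    return spoofing_risk(rec["spf"], rec["dmarc"])


if __name__ == "__main__":
    for domain in SAMPLE_DNS:
        level, why = assess(domain)
        print(f"{domain:24} {level:6} {'; '.join(why) or 'SPF -all and DMARC enforced'}")
```

Treating `p=none` as high risk matches how external ratings count "email spoofing risk": a monitoring-only DMARC policy collects reports but tells receiving servers nothing about what to do with a forged message, so from the attacker's point of view it is no better than no record.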
Research Methodology Overview
This analysis draws on data compiled by the Business Digital Index (BDI) research team from publicly accessible information. The team combines custom scans, IoT search engines, and IP and domain reputation databases to assess each organization's externally visible security posture. In total, 75 EUIBAs were evaluated for their cybersecurity hygiene.
The report scores cybersecurity risk across seven dimensions: software patching, web application security, email protection, system reputation, hosting infrastructure, SSL/TLS configuration, and data breach history. The full methodology is published alongside the index.
About the Business Digital Index
The Business Digital Index (BDI) is a cybersecurity reputation platform created by Cybernews that provides organizations with real-time security ratings based on publicly available data. By continuously monitoring externally visible digital assets for outdated technologies and other common risk indicators, it applies a weighted scoring model to rate an organization's external cybersecurity posture.