
Critical infrastructure at risk: A call for revised security strategies

Written by Elsa Neeme, Senior Expert at the e-Governance Academy 

With 90% of organisations anticipating an increase in cyberattacks – both in volume and costliness – in the upcoming years, there is a greater urgency for revised cybersecurity strategies and a more comprehensive approach to cybersecurity across borders.

Disruptions to critical infrastructure (CI) systems can cascade across sectors, magnifying their impact: a cyberattack on an energy grid could disrupt water supply systems, public transportation and emergency services, amplifying societal and economic consequences. Such events undermine public trust, shake investor confidence and jeopardise national security.

The rising costs of cyber incidents

In an era guided by digital transformation on the one hand and the expanding military aggression in Ukraine on the other, cybersecurity has remained one of the most pressing challenges for the like-minded states, as well as for organisations worldwide. Recent global reports reveal that, beyond the staggering financial toll, these breaches also impact trust, innovation and societal well-being. In fact, the average cost of a data breach in 2024 has surged to €4.4 million, reflecting a 10% increase over the previous year.¹ This escalation is not merely a financial concern but a critical indicator of the evolving complexity and scope of cyber threats.

Among individual countries, the United States reports that the average impact of a data breach has reached approximately €4.88 million. Within the European Union, the Benelux countries face the highest costs for a breach (€5.3 million), followed by Germany (€4.8 million) and Italy (€4.3 million).²

Shadow data increases vulnerability

One of the most significant facilitators of data breaches is “shadow data”, which accounts for nearly one third of all incidents, according to multiple studies.³ Shadow data refers to ungoverned and unmanaged information stored across disparate systems, devices and locations. This hidden data is notoriously difficult to track, secure and delete, leaving organisations exposed to vulnerabilities that often go unnoticed until a breach occurs.

Breaches involving shadow data are particularly costly and challenging to resolve. Their complexity stems from the fragmented nature of such data, which complicates incident response efforts and increases remediation timelines. This trend highlights the importance of robust data governance strategies and tools capable of identifying, managing and securing shadow data across enterprise environments.

Russia’s cyberattacks on Ukraine have nearly doubled

Severe incidents attributed to Russia last year have demonstrated how state actors leverage cyberattacks to destabilise geopolitical adversaries. In 2024, the number of cyberattacks on Ukraine surged by nearly 70%, with 4,315 incidents recorded, compared to 2,541 in 2023, according to the State Service of Special Communications and Information Protection of Ukraine.⁴ Hackers targeting Ukraine have focused predominantly on critical infrastructure, including the energy sector, government institutions, security agencies and telecommunications networks. These sectors form the backbone of national stability, making their compromise both strategically and symbolically impactful.

Moreover, attackers prioritise access to Ukraine’s defence plans, data from the defence industry, and intelligence from government and military-supporting organisations. This focus highlights the role of cyber warfare in complementing physical military actions, creating a multidimensional threat environment.

Cyberattacks undermining democratic processes

Cyberattacks have increasingly been employed in 2024 to destabilise democratic processes during elections. For example, in the lead-up to Moldova’s October 2024 presidential elections and EU referendum, Russia intensified its hybrid operations, including a major cyberattack on Moldova’s parliament, to undermine democratic institutions and influence the country’s EU alignment. Furthermore, Moldova’s critical infrastructure has become a key target for cyberattacks, underscoring the nation’s vulnerability to escalating hybrid threats.⁵

Overall, the adversarial events in cyberspace throughout 2024 emphasise the critical importance of adopting a more comprehensive approach to cybersecurity across borders. In this context, aligning with the new EU laws, particularly the NIS2 Directive,⁶ and embedding its measures into national cybersecurity strategies are indispensable steps toward ensuring robust protection and long-term resilience.

2024: A milestone year in building resilience

The year 2024 represents a pivotal moment in the European Union’s journey to enhance its security landscape with EU directives. Across the EU and beyond, member states and candidate countries like Albania, Moldova and Ukraine have been working diligently to harmonise national norms with the requirements of the NIS2 Directive. The NIS2 Directive reflects the need to address cascading risks, where an incident in one sector (e.g. telecommunications) can ripple across others (e.g. healthcare or emergency services). Focusing on systemic interdependencies ensures a comprehensive approach to mitigating risks and strengthening resilience.

Encompassing a broader scope covering a wide range of critical sectors and entities, stricter requirements and a more coordinated approach, NIS2 aims to create a high common level of cybersecurity across the Union. Building on the advances brought by the NIS2 Directive, another significant milestone in 2024 for enhancing resilience across the European Union is the harmonisation of the Critical Entities Resilience (CER) Directive. Together, these directives create a comprehensive and cohesive framework for safeguarding critical services, addressing both the cybersecurity and physical security dimensions essential to the functioning of modern societies.

Looking ahead: Cybersecurity as a process, not an endpoint

As cyber threats continue to escalate, with 90% of organisations expecting an increase in cyberattacks in terms of both volume and costliness, the need for a dynamic and adaptive approach to cybersecurity has never been more critical. However, despite the growing threat landscape, 74% of organisations are focusing their preparedness efforts internally, with much lower participation in national or EU-level initiatives. Yet cross-border cooperation is essential for managing large-scale incidents and safeguarding interconnected critical infrastructure systems. The consequences of failing to protect critical infrastructure go beyond financial losses and can undermine public trust, shake investor confidence and jeopardise national security.

The lessons from 2024 underscore a vital truth: the evolving threat landscape, technological advancements and increasing interdependencies demand an ever-adapting strategy that prioritises innovation, shared responsibility and resilience. To navigate the challenges ahead, targeted and strategic investments in cybersecurity are paramount. Ultimately, aligning national cybersecurity practices with the NIS2 Directive should be regarded as the foundation of any comprehensive strategy to protect critical infrastructure. In building up contemporary security capabilities, it is important to keep in mind that cybersecurity is not a static endpoint but an ongoing journey – one that demands vigilance and innovation. eGA remains committed to supporting countries on this journey, ensuring that critical infrastructure remains a founding pillar of secure and sustainable digital societies.

 

¹ European Union Agency for Cybersecurity [ENISA], ENISA Threat Landscape 2024, 2024, https://www.enisa.europa.eu/sites/default/files/2024-11/ENISA%20Threat%20Landscape%202024_0.pdf.

² IBM Security, Cost of a Data Breach Report 2024, 2024, https://www.ibm.com/security/data-breach.

³ Ibid.

⁴ https://www.pravda.com.ua/eng/news/2025/01/9/7492671/.

⁵ “Leadership of Moldova’s Post State Enterprise Explains Cyber Attack to Which Enterprise Was Subjected”, Moldpres, 10 May 2024, https://www.moldpres.md/en/news/2024/05/10/24003428.

⁶ Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive), Official Journal of the European Union, L 333, 27 December 2022, 80–152, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555.