There is a growing awareness that many critical infrastructure entities in Europe remain poorly equipped to defend against cyber threats. These organisations are essential to society but often lack the funding, personnel, and technical capabilities needed to meet expanding regulatory demands. While EU initiatives like the NIS2 Directive and the Cyber Resilience Act have advanced the European cybersecurity policy framework, their effectiveness depends on the ability of resource-constrained entities to comply in practice.
Today, Virtual Routes is pleased to publish a new report titled Under Pressure: Securing Europe’s Resource-Constrained Critical Infrastructure, authored by Max Smeets, Gijs van Loon, James Shires, and Apolline Rolland. The report identifies which parts of Europe’s critical infrastructure are most in need of targeted cybersecurity support and outlines what forms of assistance would be most effective. It focuses in particular on the drinking water and wastewater sectors, which are increasingly exposed to cyber threats but receive limited investment and exhibit low cybersecurity maturity.
To explore this issue in depth, the report conducts a spotlight analysis of the drinking water and wastewater sectors. The analysis documents a clear rise in cyber incidents targeting water infrastructure across Europe and beyond – including ransomware attacks, credential breaches, and attempted sabotage of treatment processes. These threats are amplified by inadequate remote access controls, legacy system vulnerabilities, and poor asset visibility.
In response, the report outlines a pathway to improved cybersecurity through a layered approach: improving basic cyber hygiene, enhancing asset visibility, deploying sector-specific safeguards, and developing crisis response plans. Throughout, the report emphasises the need for collaborative, cross-border support.
To advance this agenda, the report concludes with four policy recommendations for the EU:
- Launch an EU Water-Cyber Hygiene Accelerator Program: Establish a grant-based accelerator to improve cyber hygiene in drinking and wastewater utilities, prioritizing multi-factor authentication, secure access, and regular patching. The program would combine sector-specific guidance from ENISA with financial support modeled after successful EU and US initiatives.
- Establish a European Water Sector ISAC: Create a European Water ISAC to enable trusted information sharing, threat intelligence, and coordinated incident response among water utilities, regulators, and member-state CSIRTs, enhancing cross-border cyber resilience in the sector.
- Mainstream Cyber Risk into Environmental and Public Health Governance of Europe’s Water Systems: Integrate cybersecurity into EU water governance, ensuring cyber threats are accounted for in environmental and health regulations, water safety plans, and emergency preparedness strategies to protect water quality and public health.
- Use Political Tools to Deter Malicious Activity Targeting Water Infrastructure: Leverage the Cyber Diplomacy Toolbox more actively against cyberattacks on water infrastructure. While it has been used for incidents like NotPetya and WannaCry, it remains underutilised for water sector attacks. Coordinated sanctions, public attributions, and diplomatic measures should be employed to signal that targeting water systems carries real consequences.
This report is sponsored by Microsoft.