A Major Disruption in European Air Travel
On 19 September 2025, Brussels Airport experienced a major cyber-attack that brought operations to a halt.
The attacker targeted Collins Aerospace, a key IT supplier responsible for the airport’s check-in and boarding systems.
The consequences were immediate and severe. More than 90 flights were cancelled or delayed, and thousands of passengers were left stranded.
The disruption quickly spread to other European airports. Airlines, ground handlers, and passengers all suffered significant inconvenience and loss.
A Textbook Supply Chain Attack
This incident is a clear example of a supply chain attack, where the compromise of a single supplier led to the paralysis of multiple airports – a phenomenon often described as the “cascading effect” (ENISA Study 2023).
The increasing reliance on outsourcing and digitisation means that critical operations are now frequently dependent on external IT providers.
In such an environment, the complexity of interconnected systems, numerous software dependencies, and opaque vendor relationships combine to create vulnerabilities that are difficult to manage.
The attack itself was sophisticated. It involved ransomware deployed against a widely used platform, and it starkly exposed the dangers of placing excessive trust in suppliers without ensuring sufficient oversight and monitoring of their security practices.
Not an Isolated Case: Sweden’s Data Breach
The Brussels Collins Aerospace case is not an isolated event. In August 2025, a ransomware attack on a Swedish municipal IT supplier compromised the personal data of 1.5 million citizens—nearly 15% of Sweden’s population.
The breach exposed sensitive information such as names, addresses, national identification numbers, and, in some cases, health and union membership records.
The exposure of this type of data not only increases the risk of identity theft and fraud; it also threatens the privacy and freedoms of those affected, as it opens the door to unauthorised use, surveillance, or discrimination.
This incident demonstrates that supply chain breaches can have a direct and adverse impact on the fundamental rights and civil liberties of EU citizens, extending far beyond operational disruption.
Europe’s Regulatory Response
Since the original NIS Directive in 2016, the GDPR, Cybersecurity Act, NIS2, DORA, and the Cyber Resilience Act have all raised the bar for cyber security and supply chain risk management.
Today, organisations are required to report incidents quickly, manage supplier risk proactively, include robust security clauses in contracts, and ensure continuous monitoring and due diligence.
These requirements are not optional. They are designed to address precisely the risks exposed by incidents like the Brussels Airport paralysis.
Rapid implementation of these EU requirements is now essential.
Companies must invest in compliance, risk management, and supplier oversight without delay, or risk becoming the next headline.
Approach Cyber: Protecting the Digital Supply Chain
At Approach Cyber, bringing cyber serenity to society is our mission.
We help organisations prevent, detect, and respond quickly to supply chain attacks, offering 24/7 incident response, supply chain risk assessment, and regulatory compliance support.
- Watch the interview on RTL info of David Vanderoost (CEO of Approach) about the Brussels Airport incident.
- Read our article about “Why Does Supply Chain Cybersecurity Matter? From (Difficult) Regulatory Compliance to (Difficult) Risk Management Tools Towards Resilience and Trust” (co-written with Charles-Albert Helleputte and Andrea Oatola, lawyers at the Brussels Bar), published in CUP Palais, Anthemis (only in print version, soon available online).
- Contact us: csirt@approach-cyber.com | +32 10 83 21 06 | +41 21 561 16 44 | https://www.approach-cyber.com
If your most trusted supplier was compromised tonight, would your business survive the fallout?
Would you know how to respond, and could you protect your customers, your reputation, and your future?