US and EU Respond to Rising Cyberattacks on Critical Infrastructure
The digital frontier is now the primary battleground where malicious actors threaten the very foundation of Western public life and economic security. Will current governmental strategies prove sufficient to shield essential services like hospitals and power grids from escalating systemic attacks, or will relentless adaptation by adversaries cripple critical infrastructure on both sides of the Atlantic?
EUROPEAN UNION, UNITED STATES
Ermek Esenkanov
9/25/2025 | 3 min read
Over the past year, cyberattacks on critical infrastructure in the United States and the European Union have evolved from isolated incidents into a systemic threat, endangering public safety, economic stability, and political stability. Officials in Washington and Brussels now admit that malicious attacks on water systems, power grids, hospitals, transport networks, and financial services are no longer minor irritations but a full-scale national security crisis. The growing scale and number of such attacks have compelled governments to enhance regulation, allocate more funds to digital protection, and foster closer collaboration with allies and private corporations.
Europe provides one of the best examples of the threat. Poland alone has reported daily incursions of hostile activity associated with Russian groups, with an average of twenty to fifty intrusion attempts registered per day. Most are repelled, but some have disrupted the work of hospitals and exposed sensitive medical information, and on at least one occasion an attempt to cripple municipal water systems was thwarted. The Polish government has reacted by increasing investment in cybersecurity, with a focus on healthcare and utilities. The same trend can be observed across the EU, where the monitoring report recorded more than 1,200 noteworthy cyber incidents, almost 20 percent more than in the previous year. Healthcare, energy, transport, and banking were the most targeted sectors, showing how attackers exploit vulnerabilities that affect millions of people in their everyday lives. In turn, Brussels has revised its Network and Information Security regulations, introduced the Cyber Solidarity Act to establish cross-national response teams and training schemes, and promoted closer intelligence sharing between member states. Germany went further and adopted its own law, KRITIS, which required thorough vulnerability mapping and severe penalties where operators do not meet the stringent reporting requirements.
The United States is confronting parallel problems. Following a series of ransomware attacks on hospitals, manufacturing facilities, and municipalities earlier this year, government agencies like CISA and the FBI warned that more organizations with ties to Russia and Iran were increasingly targeting industrial control systems, previously regarded as too obscure to be exploited. The White House has already advanced the Cyber Incident Reporting for Critical Infrastructure Act, which requires companies to report breaches within short deadlines. Although full enforcement is delayed until 2026, federal officials urge early compliance, warning that silence only weakens collective defense. But even here there are structural difficulties: smaller players in industries like water utilities or regional healthcare simply do not have the resources and staff, and the new networks are so interconnected that a single instability can spread through the whole supply chain.
Despite these vulnerabilities, transatlantic responses are growing stronger. Simulations of attacks on civilian infrastructure are now embedded in NATO exercises, the EU is establishing independent vulnerability databases, and Washington is increasing its collaboration with its Five Eyes and Asian allies. On both sides of the Atlantic, policymakers are debating the imposition of liability on companies that fail to implement basic protection, and there are some financial incentives for resilience upgrades. The partnership between the government and companies is emerging as the heart of cyber defense since most critical infrastructure is owned by the former. Meanwhile, governments and regulators emphasize that regulation alone is not sufficient: systems must be restructured with redundancy, segmentation, and security by default. Artificial intelligence is already being used by attackers to improve phishing and intrusion methods, and attribution is still unclear, which gives state actors the opportunity to hide behind proxy groups.
For ordinary citizens, the stakes are immediate and tangible. In Poland, patients have been transferred to different hospitals due to malware infections, and in the United States, a number of municipalities have had to shut off their digital services. Every interruption reduces societal confidence in institutions and fuels political debate over their capability and safety. Cyberattacks will add a further layer of vulnerability to Western societies already challenged by inflation, energy strains, and geopolitical insecurity, which adversaries are more than willing to exploit. The fight to protect critical infrastructure is not just a technical challenge: it is a test of democracies under hybrid attack. The U.S. and EU are taking unprecedented measures that would have been utterly unthinkable ten years ago, yet the rate of adaptation by aggressor entities ensures that the competition will not stop. The ability of open societies to innovate and coordinate fast will determine not only the reliability of their core services but also the credibility of their overall geopolitical posture.