In early 2020, Maastricht University confirmed it had paid a ransom of €200,000 worth of Bitcoin to regain access to its systems following a ransomware attack. In only 30 minutes, cybercriminals had encrypted 267 university servers, including backups, impacting 25,000 students and staff. The attack halted email services, prevented access to research data, and disabled library systems. Similar incidents have affected technical universities, publicly funded research institutes, and research hospitals across Europe. Such cases can even be lethal – in 2020, a ransomware attack was linked to the death of a patient at the University Hospital Düsseldorf, when a system outage forced emergency patients to be diverted elsewhere.
Research institutions are vulnerable in part due to the nature of their IT environments. Many use outdated legacy systems, either because specialised research equipment depends on antiquated software, or because they lack resources to migrate to state-of-the-art systems. These institutions also tend to have decentralised governance structures and large, heterogeneous user populations that will never be fully immune to phishing or social engineering.
Yet these explanations are symptoms, rather than the core problem. Cyber incidents targeting research institutions reveal a structural vulnerability in Europe’s security architecture. The continent’s public research ecosystem has become a prime target for cyber operations, but remains largely excluded from cybersecurity and national security policy frameworks.
This gap matters because Europe increasingly defines its future power through research and innovation. Under Horizon Europe alone, the EU is investing €95.5 billion in research and development between 2021 and 2027. Member states contribute tens of billions more through national funding schemes and public research organisations. However, the institutions that host this research remain poorly protected, with uneven, and often minimal, cyber protection and limited access to threat intelligence. Europe is funding strategically relevant knowledge production at scale while failing to secure it as such.
Research institutions are high-value, low-protection targets
Europe’s public research institutions are high-value targets – they generate knowledge critical to industrial competitiveness, public health, energy resilience, and technological leadership. Their research into artificial intelligence, quantum technologies, advanced materials, biotechnology, and energy systems routinely feeds into defence capabilities and other dual-use applications, even when that is not their initial intent.
At the same time, the research ecosystem is structurally exposed, due to institutions’ decentralised nature and under-resourced central security functions. Although universities are investing more than ever in cybersecurity, Moody’s 2023 survey of 114 international universities found that it accounted for just 7% of their total IT budget, compared to 11.6% across other types of organisations.
Compared to the hardened networks of governments or major defence contractors, research institutions offer high-value access at a low cost. Key cybercrime objectives include intellectual property theft, access to pre-publication findings, and visibility into international research networks. In some cases, such as the incident at Maastricht University, the attacks take the form of ransomware campaigns that also cripple an institution’s capacity to respond to the crisis.
Europe’s policy blind spot
Despite this reality, cybersecurity policy frameworks at both EU and national level largely stop short of the research ecosystem. Existing strategies prioritise the protection of critical infrastructure, essential services, government networks, and selected private-sector operators. Research institutions, even when publicly funded and strategically relevant, often sit awkwardly outside these categories.
This situation reflects a structural governance gap. At the EU level, responsibility for research funding, digital policy, and cybersecurity governance is divided across different directorates, with limited coordination on research security. Security policy itself remains primarily a national competence, further complicating EU-level action.
At the national level, responsibilities are fragmented across science ministries, research councils, interior or digital ministries, and national cybersecurity agencies. In many cases, no actor is clearly responsible for ‘research security’ as a policy domain. Publicly funded research institutions are therefore expected to manage cyber risks largely on their own.
A persistent reluctance to frame research as a security issue reinforces this fragmentation. Concerns about academic freedom, openness, and international collaboration have led policymakers to avoid securitisation by default. In practice, this has translated into strategic neglect rather than principled restraint. Research institutions often lack systematic access to threat intelligence, coordinated incident-response mechanisms, and sustained financial support for cybersecurity.
Toward a European research security approach
The absence of a coherent research (cyber)security framework is not a mere technical oversight but a strategic liability. Recent reforms in EU cybersecurity policy, particularly through NIS2, have strengthened baseline risk management and reporting obligations across a wider range of sectors. Yet these advances have not resolved the specific vulnerabilities of Europe’s research ecosystem. Addressing this gap does not require militarising academia or closing Europe’s research environment, but recognising that resilience is a precondition for openness.
Research institutions must be systematically integrated into national and European cyber threat-awareness frameworks. NIS2 improves incident reporting and supervisory coordination, but it does little to address the specific threat profiles that publicly funded research institutions face, including intellectual property exfiltration and long-dwell espionage, where cybercriminals maintain access to systems for extended periods. Generic guidance is insufficient against these risks. National cybersecurity authorities should therefore establish dedicated threat-briefing channels and early-warning mechanisms for research institutions.
Additionally, cybersecurity should be embedded more directly into EU research funding instruments. NIS2 establishes horizontal obligations, but it remains largely disconnected from the funding frameworks that shape institutional behaviour across Europe’s research ecosystem. Ensuring a minimum cybersecurity baseline to be eligible for large-scale EU research grants would translate regulatory expectations into practical capacity-building. Rather than being overly prescriptive, these baselines should prioritise governance structures, incident-response capability, and basic technical controls. Crucially, they must be accompanied by targeted financial and technical support so that smaller institutions can qualify.
Europe should move beyond a compliance-driven approach by investing in ecosystem-level support mechanisms. Shared incident-response capabilities, pooled security services, and sector-specific training programmes could significantly raise baseline resilience. Such arrangements would allow research institutions to retain autonomy while benefiting from collective capacity that no single university or research centre could develop independently.
Finally, research security must be explicitly recognised as a cross-cutting policy issue at EU and national levels. Without clearer institutional ownership, the protection of strategically relevant research could remain dependent on uneven national designation and institutional capacity, which could reinforce existing fragmentation. Defining responsibilities across the domains of research, digital policy, and security policy would help remove research security from its current grey area and align Europe’s cybersecurity frameworks with its strategic ambitions.
An exceptional reminder for cybersecurity action
So what happened to Maastricht University after the attack? In a rare turn of events, Dutch authorities traced part of the ransom through a laundering network and ultimately returned the funds. The value of the Bitcoin payment, left untouched for years, had risen sharply, resulting in the university paradoxically profiting from the price increase.
The incident is now institutional memory, commemorated through Eternal Blue, an artwork by Richard Vijgen in the university’s main hall, which visualises the constant stream of attempted intrusions against the university’s network.
Yet this exceptional outcome should not distract from the underlying lesson. Maastricht was not protected by a coherent research security framework, nor was the recovery the result of a systematic policy response. Across Europe, most such attacks never lead to restitution and rarely trigger structural change, an unsustainable pattern in an increasingly hostile threat environment.
Europe must begin treating its research ecosystem as strategically relevant infrastructure. Only by aligning research policy, cybersecurity governance, and strategic investment can Europe ensure that it adequately protects the knowledge it funds.