Paolo Galdieri : 24 September 2025 12:15
On September 20, 2025, a cyberattack hit three of Europe’s major airports: London Heathrow, Brussels, and Berlin. The digital systems governing check-in and baggage handling were rendered unusable, resulting in delays, cancellations, and the inability to ensure regular flight traffic.
For days, thousands of passengers were trapped in chaos that highlighted how dependent air travel is on the continued functioning of computer systems.
The cause lay not in the individual airports but in Collins Aerospace, a US company in the RTX Corporation group that supplies critical software worldwide. The attack targeted MUSE, a system that lets airlines share check-in and gate infrastructure. This centralized architecture, designed for efficiency and economies of scale, proved to be a single point of failure capable of shutting down several airports at once. The attack thus showed that the supply chain is now the industry’s true Achilles heel.
According to the European Union Agency for Cybersecurity (ENISA), the incident is linked to ransomware. Beyond economic motivation, a geopolitical element cannot be ruled out. Targeting a global provider of critical civilian infrastructure could be intended to create instability, test Western defenses, or mask data exfiltration activities. The line between organized cybercrime and state strategy appears increasingly blurred.
The practical impact was severe. In Brussels, approximately 40% of flights were canceled, Heathrow saw over 90% of departures delayed on Sunday, and Berlin saw more than two-thirds of flights affected by disruptions. Manual fallbacks such as handwritten labels and paper lists proved unsustainable for an international hub. It became clear that technological dependence had reached a point where a return, even temporarily, to “analog” working methods was impossible.
In recent years, the European Union has embarked on a comprehensive path to strengthen cybersecurity, aiming to ensure a common level of protection across all Member States. The first NIS Directive was the starting point, introducing the idea that operators of essential services and digital service providers had to comply with specific risk management and incident reporting obligations. Experience showed, however, that the initial approach was uneven and fragmented: transposition varied from country to country and the resulting level of protection was not uniform.
The response was the adoption of the NIS2 Directive, which significantly widened the scope to cover a broader range of entities deemed strategic, among them transport infrastructure, energy, healthcare, and public administrations. The directive also introduced more stringent governance standards, placing direct responsibility on corporate management bodies for implementing security measures. This is not just a technical requirement but a genuine management obligation that affects directors’ liability and the overall assessment of corporate compliance.
The reference to the supply chain is particularly important. The new rules aim to prevent situations in which the vulnerability of a single supplier could compromise the entire system. In this regard, NIS2 requires extending security controls and standards to contractual relationships with commercial partners, establishing a multi-level system of responsibility. The European approach, therefore, is moving toward a model that recognizes cybersecurity as a structural element of economic stability and collective security.
The Italian legislature has gradually adapted its legislation to developments in European cybersecurity law. The transposition of the first NIS Directive led to the introduction of security and notification obligations for operators of essential services and digital service providers. This model, while representing a step forward, has shown significant limitations, especially in terms of coordination and effectiveness of the measures adopted.
The implementation of NIS2 represents a crucial step. It requires not only expanding the scope of stakeholders but also introducing more effective managerial accountability mechanisms. In Italy, a central role is assigned to the National Cybersecurity Agency, which assumes guidance, coordination, and oversight functions, ensuring uniform implementation. Transposition also entails strengthening the powers of sectoral regulatory authorities, which are required to work in synergy with the Agency.
A particularly relevant aspect concerns the liability of company directors and managers. National legislation, in line with European provisions, assigns them a duty to supervise and monitor the adoption of security measures, creating potential liability not only towards the company but also for the external effects of any deficiencies. This requires a review of organizational models and of contractual clauses with suppliers, with the aim of ensuring that the entire supply chain meets adequate standards.
The Italian implementation, therefore, does not merely formally translate European rules, but integrates them into the national regulatory framework, creating a system that tends to increase the responsibility of those involved and strengthens overall protection against cyber threats. Within this framework, Italian law is moving toward an ever-greater convergence between security protection, market regulation, and the responsibility of economic operators.
The aviation industry has traditionally concentrated its efforts on physical protection. The 2025 incident demonstrates that attention must shift to cybersecurity. It is essential to monitor IT and OT systems continuously, adopt a security architecture that grants no automatic trust (a zero-trust model), and segment networks so that an intrusion cannot propagate. Contracts with suppliers must include clauses requiring periodic audits, minimum security standards, and mandatory incident reporting procedures.
The resort to manual improvisation confirmed that the continuity of air services can no longer rely on rudimentary emergency measures. Redundant systems, genuinely viable alternative plans, and staff training in digital emergency procedures are needed. IT is no longer a support function but an integral part of how air transport operates, and therefore of national and economic security itself.
The attack on Collins Aerospace must prompt reflection. Dependence on a few strategic suppliers, the centralization of functions, and the interconnection of systems have created new forms of vulnerability. Europe, its member states, and businesses must recognize that protecting digital infrastructure is now an integral part of collective security. The legislation provides a stringent framework, but it must be followed by an effective commitment to adopting robust technical and organizational measures. Digital security is no longer a technical issue, but a key component of economic stability and public trust.
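The single point of failure described above (one shared supplier system, many airports) is something an operator can measure before an incident rather than discover during one. The following script is an added example, not part of this article and not related to any real airport or supplier data: it takes a constructed map of sites, the functions each site depends on, and the suppliers able to deliver each function, then computes each supplier's "blast radius" (the sites and functions lost if that supplier alone goes down and no alternative exists) and lists every site/function pair with a single supplier. All site codes, supplier names and dependencies are invented for illustration.

```python
"""Supplier concentration and single-point-of-failure analysis.

Constructed example data only: none of the sites, suppliers or dependencies
below describe real infrastructure. The structure is
    site -> {function: [suppliers able to deliver that function at the site]}
A function with exactly one supplier at a site is a single point of failure.
"""
from typing import Dict, List, Set, Tuple

DependencyMap = Dict[str, Dict[str, List[str]]]

# Constructed dependency map (hypothetical sites and suppliers).
DEPENDENCIES: DependencyMap = {
    "SITE1": {"check-in": ["SharedVendorA"], "baggage": ["SharedVendorA"],
              "fuel": ["FuelCo"]},
    "SITE2": {"check-in": ["SharedVendorA"], "baggage": ["VendorB"],
              "fuel": ["FuelCo", "FuelCo2"]},
    "SITE3": {"check-in": ["SharedVendorA"], "baggage": ["SharedVendorA", "VendorB"],
              "fuel": ["FuelCo2"]},
    "SITE4": {"check-in": ["VendorB"], "baggage": ["VendorB"],
              "fuel": ["FuelCo"]},
}


def blast_radius(deps: DependencyMap, supplier: str) -> Set[Tuple[str, str]]:
    """Return the (site, function) pairs that stop working if `supplier`
    fails and no alternative supplier is configured for that function."""
    lost: Set[Tuple[str, str]] = set()
    for site, functions in deps.items():
        for function, suppliers in functions.items():
            alternatives = set(suppliers) - {supplier}
            if supplier in suppliers and not alternatives:
                lost.add((site, function))
    return lost


def concentration_report(deps: DependencyMap) -> List[Tuple[str, int, List[str]]]:
    """Rank suppliers by the number of sites they can take (partly) offline.

    Each entry is (supplier, affected_site_count, sorted affected sites),
    ordered from the most concentrated risk to the least.
    """
    suppliers = {s for fns in deps.values() for lst in fns.values() for s in lst}
    report = []
    for supplier in suppliers:
        affected_sites = sorted({site for site, _ in blast_radius(deps, supplier)})
        report.append((supplier, len(affected_sites), affected_sites))
    report.sort(key=lambda row: (-row[1], row[0]))
    return report


def single_points_of_failure(deps: DependencyMap) -> List[Tuple[str, str, str]]:
    """List (site, function, supplier) triples that have no alternative supplier."""
    spofs = []
    for site, functions in deps.items():
        for function, suppliers in functions.items():
            if len(set(suppliers)) == 1:
                spofs.append((site, function, suppliers[0]))
    return sorted(spofs)


if __name__ == "__main__":
    print("Supplier concentration (sites affected by a single-supplier outage):")
    for supplier, count, sites in concentration_report(DEPENDENCIES):
        print(f"  {supplier:<15} {count} site(s): {', '.join(sites)}")
    print("\nSingle points of failure (site, function, sole supplier):")
    for site, function, supplier in single_points_of_failure(DEPENDENCIES):
        print(f"  {site} / {function} -> {supplier}")
```

In the constructed data the shared check-in vendor alone can affect three of the four sites, which is exactly the concentration that contract clauses, audits and redundancy planning under NIS2 are meant to surface; the same analysis can be run over a real asset inventory by replacing the dependency map with one exported from a CMDB or supplier register.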