A Wake-Up Call for Europe's Infrastructure: The NIS2 Directive and Lessons from the Collins Aerospace Attack
- Dean Charlton

- Sep 25, 2025
The cyberattack that crippled operations at major European airports in September 2025 was more than just an isolated incident; it was a critical stress test for the continent’s interconnected digital infrastructure. While hubs like Berlin and London Heathrow descended into chaos, Münster/Osnabrück Airport (FMO) demonstrated a remarkable resilience that serves as a powerful case study for the upcoming NIS2 legislation. The attack, which targeted the IT service provider Collins Aerospace, exposed a systemic vulnerability that the new directive aims to address head-on.

The incident was a direct result of a ransomware attack on Collins Aerospace’s “MUSE” check-in software, a "Common Use" platform relied upon by multiple airlines. This reliance, which offers efficiency in normal operations, proved to be a critical "single point of failure" (SPOF) when the system was compromised. Airports that had fully outsourced their check-in systems to this single provider were left with little recourse. At BER, BRU, and LHR, the failure led to massive delays and flight cancellations, with operators scrambling to revert to antiquated, paper-based manual processes that were woefully inadequate for the volume of passengers.
In stark contrast, FMO’s response was a masterclass in proactive crisis management. Their IT team, upon detecting the disruption, swiftly disconnected their systems from the external platform and seamlessly switched to their own self-sufficient, internal servers. This approach was no accident; it was the result of a strategic decision to maintain technological independence, underpinned by an in-house, KRITIS-capable data center.
This divergence in outcomes perfectly illustrates the principles of Germany’s forthcoming NIS2 Implementation Act (NIS2UmsuCG-E). The new law, particularly its core BSI Act (BSIG-E), mandates that "particularly important facilities" like airports must implement robust risk management and supply chain security measures. Under these rules, the affected airports would have been compelled to conduct a mandatory risk analysis of their dependency on Collins Aerospace. Blind reliance on a single external provider would no longer be a viable strategy under the new law, which requires operators to demonstrate how they are minimising such risks, either through contractual safeguards or, as FMO proved, through redundant systems.
Furthermore, the legislation requires detailed concepts for crisis management, including backup and recovery plans. The reactive, manual response at the major hubs would be in direct violation of this provision. FMO's swift and seamless transition to a backup system is precisely what the law intends to achieve.
Perhaps the most significant element of the new law is the personal liability it places on management. Senior executives will be held accountable for actively monitoring and ensuring that risk management measures are in place. This provision would have forced a strategic, top-level assessment of the risks associated with outsourcing critical services, moving the conversation beyond mere cost efficiency.
The Collins Aerospace attack is a clear warning that without a legislative push, the next digital disruption could be far more devastating.

