House Rules. The European Commission writes the data protection rulebook. Three days ago, someone walked out with 350GB of its data.
On 24 March 2026, the European Commission detected a cyberattack against its cloud infrastructure. Three days passed before it told anyone.
The Commission confirmed the breach publicly on 27 March. The attacker had accessed at least one Amazon Web Services account used to host Europa.eu -- the platform serving the Commission, the European Parliament, the Council of the European Union, and other EU bodies.
The attacker claims to have taken more than 350GB of data. Multiple databases. Employee information. Screenshots provided as proof of access to an internal email server. They say they will not seek ransom. They say they will publish the data later.
AWS was clear about its position. Its services operated as designed. The failure was in the Commission’s account configuration, not the infrastructure beneath it.
This is called the shared responsibility model.
What the shared responsibility model actually means
Cloud providers secure the hardware, the facilities, and the underlying platform. The customer secures everything they put on it. Access controls, authentication, permissions, account hygiene. That is the customer’s job.
When an attacker walks into an AWS account and extracts 350GB across multiple databases, the shared responsibility model places the failure squarely with the account holder. AWS did not get hacked. The Commission’s use of AWS did.
This is not a criticism of cloud infrastructure in principle. It is a description of how the accountability is structured, and who carries it when something goes wrong.
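The "account hygiene" half of that model is checkable. As an added illustration (not code from the post or from AWS), the function below reads an IAM credential report in the column layout returned by `aws iam get-credential-report` and flags the customer-side failures the model assigns to the account holder: root with active access keys, principals without MFA, and keys older than an assumed 90-day rotation policy. The sample report is constructed; the account id and user names are placeholders.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`.
# Only the columns this check reads are included; the real report has more.
SAMPLE_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,true,2025-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2026-02-01T09:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,true,2024-06-15T09:00:00+00:00,true,2023-11-01T09:00:00+00:00
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a value from the post


def audit_credential_report(report_csv, now=None, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) tuples for account-hygiene problems in the report."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"  # how the report names the root principal
        if row["mfa_active"] != "true":
            findings.append((user, "mfa_disabled"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root should have no long-lived keys at all.
                findings.append((user, f"root_access_key_{slot}_active"))
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access_key_{slot}_stale"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Against a live account, decode the `Content` field of the real report (it is base64) and pass the resulting CSV text to the same function.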
Why this institution in particular
The European Commission is the body that drafts and enforces the General Data Protection Regulation. It is the institution that has issued enforcement actions, levied fines, and published guidance on how organisations across Europe should handle personal data and manage security risks.
Article 32 of the GDPR requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Commission is not exempt from its own regulation.
The breach follows a separate incident disclosed earlier in 2026, in which attackers accessed the Commission’s mobile device management environment via Ivanti vulnerabilities. Two significant incidents in three months.
The parallel that matters
Three days before the Commission confirmed this breach, I wrote about HMRC awarding a £472.8 million, decade-long contract to AWS with a single bidder and no visible exit strategy.
The argument in that piece was about jurisdiction and lock-in. AWS is a US company. Data hosted on AWS infrastructure, wherever it sits geographically, is held by an entity subject to US law -- including the CLOUD Act and FISA Section 702. That legal exposure applies whether the account is configured well or badly.
The Commission’s breach adds a second dimension. Cloud dependency is not only a jurisdictional question. It is an operational security question. The organisation responsible for European data protection law lost control of a cloud account containing hundreds of gigabytes of institutional data.
The irony is not that it happened. Breaches happen. The irony is the gap between the standards the Commission expects of others and the controls it maintained over its own environment.
What should follow
The Commission has said its internal systems were not affected and that it is notifying affected EU institutions. An investigation is ongoing.
If the stolen data includes personal data relating to identifiable individuals -- Commission employees, contractors, citizens who interacted with Europa.eu -- then GDPR notification obligations apply. The Commission would be both the supervisory authority and the data controller with a notifiable breach.
Whether a DPIA was completed before this infrastructure was deployed on AWS, what that assessment concluded about the risks, and whether it was reviewed after the first breach this year are questions worth asking. Under GDPR Article 35, DPIAs for high-risk processing are not optional.
The receipts, as ever, are the point.
Primary sources: European Commission press notice IP_26_748, 27 March 2026. BleepingComputer, 27 March 2026. TechCrunch, 27 March 2026.
-- Alan