Opinion | Act now to protect ourselves from tomorrow’s cyber threats

by SPAC Alliance | March 2026 | News, Press Publications

“It only happens to others” is a thought that often crosses the human mind. And for good reason: it stems from a protective mechanism operating at the neuronal level. What becomes problematic is when this reflex is transposed to cybersecurity. Many organizations do not seem to feel concerned by cyber risks, as if their size or sector of activity made them unattractive targets for hackers. Yet studies clearly show that all types of organizations, private and public alike, can fall victim to an attack.

Opinion piece written by Mickaël Wajnglas, Secretary General of SPAC Alliance (Smart Physical Access Control), an organization that federates European stakeholders around technological sovereignty and the standardization of security frameworks.

In the current context, a simple antivirus is no longer sufficient. And trivial passwords, such as those used by the Louvre Museum, should no longer exist. At a time when the average cost of a data breach amounts to millions of euros, and as Europe continues to strengthen cybersecurity regulation, what are we waiting for to implement highly secure systems within our public institutions?

AI is giving rise to new forms of attack

In 2025, 86% of organizations reported having experienced operational disruptions affecting sales, services, or production following a cyberattack. Public institutions are no exception: phishing, ransomware, and denial-of-service attacks remain among the most widespread forms of cyber aggression. These techniques have been made accessible to both expert and amateur cybercriminals thanks to malicious artificial intelligence tools available on the darknet. Today, one in six breaches involves AI. AI-generated phishing campaigns achieve click-through rates 4.5 times higher than traditional attacks and can be up to 50 times more profitable.

Beyond audio and video deepfakes, which are hyper-realistic manipulations, AI has also led to another phenomenon: vishing, or voice phishing. Using AI-enhanced voice cloning tools, cybercriminals call their victims while imitating the voice of a professional or personal contact. This technique has increased by 442% in just six months. Finally, AI also enables the creation of polymorphic malware capable of changing form with each execution or infection, thereby bypassing traditional antivirus solutions.

A seven-figure bill

No sector, private or public, is spared from cyber threats. France Travail, Mango, Kering, the French Shooting Federation, Clarins, and Asahi, all victims of cyberattacks in recent months, illustrate the diversity of affected organizations.

On average, data breaches result in a financial cost of 4.44 million dollars. Jaguar Land Rover provides a recent example: following a cyberattack in August, the company was forced to take its IT systems offline while resolving the intrusion, paralyzing production at several of its London plants. The cost of the incident to the British economy is estimated at 1.9 billion pounds sterling, a staggering figure. Beyond the direct financial damage suffered by Jaguar Land Rover, the cash flow of thousands of suppliers working with the brand was impacted. It is a textbook example of the domino effect of a cyberattack. Within local authorities, cyberattacks can have significant consequences for citizens, paralyzing public services such as drinking water services or identity card applications, and compromising personal data.

NIS2 and CRA, better to prevent than to endure

The European Union is currently developing regulations aimed at harmonizing and strengthening the security of European stakeholders. Among them are the Cyber Resilience Act and the NIS2 Directive, currently being transposed into French law, which incorporates the notion of physical security, essential for protection against physical intrusions and hybrid attacks, and will significantly impact local authorities. As these regulations will soon become applicable across national and European territory, companies and public administrations must anticipate them now.

Adopting new technologies and security processes takes time and entails significant costs: between 100,000 and 200,000 euros for so-called important entities, and between 450,000 and 880,000 euros for so-called essential entities, according to the French Court of Auditors. This is a necessary investment when one considers the average cost of an attack: 466,000 euros for an SME, 13 million euros for a mid-sized company, and 165 million euros for a large enterprise. Spreading these investments over time helps reduce the operational burden on teams and better absorb the financial effort.

Some stakeholders, such as the Île-de-France Region, did not wait for the transposition of the NIS2 Directive to begin assessing the cyber risk management practices of their suppliers. By adopting this preventive measure, the region limits the risk of data leaks originating from all stakeholders, including clients, suppliers, employees, and partners. Compliance thus becomes a mark of trust and a genuine strategic asset.

By anticipating and complying with upcoming European regulations, organizations and institutions build a solid security foundation for their infrastructures, enabling them to more effectively combat today’s threats and those of tomorrow, whether driven by AI or quantum technologies.