
When ticketing systems went down at one of Europe’s largest rail operators earlier this year, millions of passengers found themselves staring at error screens. Trains kept running—the operational technology was unaffected—but for hours the digital plumbing that lets people pay, plan and board became unavailable. A few weeks later, a regional rehabilitation clinic in northern Germany lost access to its IT systems entirely, forcing it to revert to paper records and divert patients elsewhere. In Ireland, anyone who lived through the HSE ransomware attack of 2021 will recognise the second story immediately.

These are different incidents in different sectors, with different attackers and different mechanisms. What they share is a pattern that has become the defining feature of cyberattacks in 2025 and 2026: the attacker’s goal is no longer to steal information. It’s to disrupt operations.

For organisations approaching NIS2 obligations, ISO 27001 certification, or simply trying to build a defensible security posture, that shift is the single most important thing to understand. The controls that protect data confidentiality—encryption, classification, access management—still matter. But they’re no longer where most of the modern threat is being expressed.

Two cases, one pattern

The Deutsche Bahn incident is straightforward in technical terms: a distributed denial of service attack overwhelmed ticketing and information systems. There was no breach, no data theft, no ransomware. Just unavailability—and that was enough to disrupt millions of journeys and dominate national news cycles for a working day.

What makes the attack notable isn’t its technical sophistication. DDoS attacks are well understood, and broadly mitigatable with the right architecture and provider relationships. What’s notable is the target selection. The attacker chose a system whose disruption would maximise public visibility and operational pain, without needing to bypass particularly hard defences. They didn’t need to get inside the network. They just needed to make the outside unreachable.

This is the modern attack calculus in miniature. Hardened internal systems stay hardened. But the attack surface that matters has expanded beyond data systems to include any service whose unavailability creates real-world consequences.

The BDH-Klinik incident is a different shape but the same logic. A ransomware-style IT outage forced the clinic to revert to manual operations and divert patients to other facilities. The immediate impact wasn’t data exposure—it was the inability to function as a healthcare provider. Patient care continued, but at a significantly reduced level and at considerable operational cost.

Healthcare ransomware has been a recurring theme for half a decade. What’s changed is the operational depth of the disruption. Modern hospital IT environments are no longer document repositories with clinical applications bolted on—they’re operational systems on which the practice of medicine depends, end to end. Prescription, scheduling, imaging, lab results, patient records, theatre logistics. Take them away and the hospital cannot deliver care in anything like its current form.

For an Irish audience this story has a familiar shape. The 2021 ransomware attack on the Health Service Executive remains one of the most consequential cyber incidents in the country’s history—weeks of operational disruption across the entire national health system, an estimated cost north of €100 million, and a fundamental rethink of how Irish public sector cybersecurity is governed. Five years on, the HSE attack is still the single most cited example in any serious conversation about Irish cyber resilience—and rightly so. It demonstrated, painfully, what the German incidents are demonstrating again: in systems that have become genuinely digital, “reverting to paper” is not a backup plan. The digital dependency is the plan.

What’s changed in the threat landscape

Three things have shifted meaningfully in the threat landscape over the past two years.

First, the target is operations, not data. Attackers have learned that data theft is a slow monetisation path with diminishing returns: stolen credentials and personal information are abundant and cheap on dark markets, and the price has been falling for years. Operational disruption, by contrast, monetises immediately—via ransom payment, regulatory pressure, or in the case of nation-state actors, political and reputational impact. The technical playbook (initial access, lateral movement, privilege escalation, persistence) is much the same as it has been. The endpoint of the attack is what’s changed.

Second, the attack chain is faster. Incidents that used to take months from initial access to actual impact now resolve in days or hours. Industry reports through 2025 consistently show median dwell times shrinking from weeks to days. Ransomware actors are deploying faster after first access, and double-extortion patterns mean the defender’s window to detect, contain, and respond has compressed dramatically.

Third, the systemic attack surface is bigger. As organisations digitalise core operations—and concentrate them on a shrinking set of platform providers—the dependency graph has consolidated. The MOVEit incidents of 2023 made this visible at industrial scale: a vulnerability in one file transfer product cascaded into operational and data exposures across hundreds of downstream organisations. The same logic applies to identity providers, cloud platforms, payment processors, and SaaS-delivered business systems. Few organisations are solely responsible for their own resilience any more. The chain is only as strong as its weakest shared link—and most organisations cannot articulate that chain accurately when asked.

What the Irish numbers tell us

The Data Protection Commission’s 2024 annual report, published in June 2025, gives us hard Irish numbers to put against this broader narrative.

In 2024, the DPC received 7,781 valid personal data breach notifications—an 11% year-on-year increase, and the latest in a steady upward trajectory since GDPR enforcement began. ePrivacy breach notifications nearly tripled compared to the prior year. The DPC issued €652 million in administrative fines across eleven finalised inquiries, including a €310 million decision against LinkedIn for unlawful behavioural analysis and €251 million across two December decisions against Meta. Over 11,000 new cases were opened by individuals.

Three things stand out in those numbers.

Volume keeps rising. Notification volumes have grown consistently year on year. This isn’t necessarily because organisations are getting worse at security—it’s that they’re getting more rigorous at noticing and reporting incidents that would once have been handled quietly. The implication is that breach response capability is now a load-bearing organisational discipline, not an occasional one. Every organisation in scope of GDPR needs to be confident that its 72-hour breach notification process actually works when needed.

The dominant cause is mundane. Around half of all 2024 breaches notified to the DPC were caused by correspondence being sent to the wrong recipient—an email or letter going to the wrong address. This is the most banal possible breach vector, and it dwarfs every other category. For the typical Irish organisation, the highest-volume risk isn’t a sophisticated attacker—it’s a stressed employee in finance, HR, or legal hitting “send” too quickly. The controls that matter here are mundane too: data loss prevention rules on outbound mail, mandatory delays on sensitive correspondence, training cadence, and the design of the systems people use.
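As an added illustration (not code from the original article), the following Python sketch models the two outbound-mail controls named above: a DLP check that blocks a likely mistyped recipient domain and a mandatory hold on sensitive correspondence leaving the organisation. The domains, sensitivity markers and thresholds are assumptions for the example.

```python
import re

# Constructed policy values: the domains, markers and thresholds are assumptions for this example.
INTERNAL_DOMAINS = {"example-clinic.ie"}
PARTNER_DOMAINS = {"hse.ie"}
SENSITIVE = re.compile(r"\b(PPSN|medical record|diagnosis|payroll|salary)\b", re.I)
SENSITIVE_EXT = (".xlsx", ".csv", ".pdf")
BULK_THRESHOLD = 5     # more visible recipients than this on sensitive mail gets held
HOLD_MINUTES = 10      # mandatory delay during which the sender can recall the message

def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()

def _edit_distance(a, b):
    """Levenshtein distance; a small distance between distinct domains suggests a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _lookalike(domain):
    """Return the internal or partner domain this one closely resembles, if any."""
    for known in INTERNAL_DOMAINS | PARTNER_DOMAINS:
        if 0 < _edit_distance(domain, known) <= 2:
            return known
    return None

def check_outbound(recipients, subject, body, attachments=()):
    """Return (action, reasons) where action is 'send', 'hold' or 'block'."""
    reasons = []
    sensitive = bool(SENSITIVE.search(subject + " " + body)) or any(
        a.lower().endswith(SENSITIVE_EXT) for a in attachments)
    external = [r for r in recipients if _domain(r) not in INTERNAL_DOMAINS]
    # Rule 1: a mistyped domain resembling a known one is the classic wrong-recipient breach; block it.
    for r in external:
        known = _lookalike(_domain(r))
        if known:
            reasons.append(f"{r} resembles {known}: possible mistyped address")
    if reasons:
        return "block", reasons
    # Rule 2: sensitive content leaving the organisation is held for the mandatory delay.
    if sensitive and external:
        reasons.append(f"sensitive content to external {', '.join(external)}; held {HOLD_MINUTES} min")
    # Rule 3: sensitive mail to many visible recipients is held so the sender can confirm Bcc.
    if sensitive and len(recipients) > BULK_THRESHOLD:
        reasons.append("sensitive bulk send with visible recipients; confirm Bcc was intended")
    return ("hold" if reasons else "send"), reasons
```

The edit-distance threshold deliberately errs toward false positives; in a real mail gateway it would be tuned against the organisation's actual correspondent list.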

The high-impact category is different. While volume is dominated by human error, business impact is increasingly dominated by the operational attacks described above. The DPC’s largest 2024 enforcement decisions concerned systemic data processing rather than discrete incidents, but the operational ransomware patterns affecting healthcare and infrastructure remain the most consequential category when measured by business cost, reputational damage, and downtime.

The practical implication for prioritisation is significant: a serious security programme needs to address both ends of this distribution. The high-volume mundane breaches are largely a control-and-training problem; the high-impact operational attacks are a resilience problem. The same programme has to manage both, and the controls don’t substitute for one another.

The real lesson: prevention is necessary, not sufficient

The dominant compliance narrative of the past decade has been prevention: implement the right controls, block the right things, stay out of the headlines. This is still important, and well-implemented preventive controls do meaningfully reduce the number of successful attacks. But it’s no longer the whole story.

The cases above illustrate something that NIS2 captures explicitly in regulation: the obligation is not just to prevent incidents, but to continue operating through them, and to recover quickly when they happen anyway. Article 21 of NIS2 lists business continuity and crisis management as a mandatory risk-management measure on the same footing as access control and cryptography. ISO 22301 and ISO 27001 both treat operational resilience as a core management discipline rather than an afterthought.

In practice, the difference looks like this. A prevention mindset asks “how do we stop attackers getting in?” A resilience mindset adds “and what do we do if they do?” Both questions need credible answers. The second one is where most organisations are weakest—and where regulators, insurers, customers, and boards are starting to look hardest.

What good resilience actually looks like

Resilience isn’t a single control. It’s a set of architectural and organisational properties that together make recovery and continued operation possible under attack conditions. The components every in-scope organisation should be examining are familiar to anyone who has worked in business continuity, but they take on new urgency in the current threat environment.

Tested recovery, not theoretical recovery

Backups that have not been restored in anger are not backups. Disaster recovery plans that have not been exercised are not plans. The HSE response in 2021 was substantially shaped by the gap between documented recovery procedures and the reality of executing them under pressure. A meaningful number of organisations still consider an annual tabletop reading exercise to be “DR testing”—it isn’t. Full or near-full recovery exercises, with realistic time pressure and incomplete information, should be the norm for anything in scope of NIS2 or providing a critical business service.

Manual fallback for critical processes

Where digital systems support life-safety or revenue-critical processes, there should be a defensible manual path—even a degraded one—that staff have actually practised. This is uncomfortable to admit in a digital transformation programme but it’s increasingly unavoidable in regulated sectors. The hospitals and rail operators making the news this year all had a moment where someone had to ask, “can we still run this without IT?” In most cases the answer was “yes, but badly”. Knowing in advance how badly, and how to mitigate it, is part of resilience.

Identity recovery as a primary concern

When ransomware encrypts authentication systems, restoring identity becomes the binding constraint on everything else. You can have intact backups, but if you can’t authenticate the people who need to restore them, you cannot recover. Out-of-band identity recovery procedures—including how to re-establish privileged access from a clean state in a compromised environment—are now a basic resilience requirement, not an exotic one.

Supply chain visibility

Knowing which third parties your operations depend on, what would happen if each failed, and what your contractual recourse would be is foundational to NIS2 supply chain obligations. Most organisations cannot articulate this with any precision today. Building it out is unglamorous work, but it’s also one of the highest-leverage exercises a security or operations function can run.

Crisis communications

The reputational and operational impact of incidents is often determined more by how the organisation communicates during them than by the technical facts. Pre-defined communication templates, decision authorities, and stakeholder lists are cheap to build in peacetime and expensive to invent at 3am during a live incident. The organisations that come through cyber incidents with their reputations intact almost always have these prepared.

Tabletop discipline

Regular exercises that put leadership through realistic scenarios—including scenarios where preventive controls have already failed—surface gaps that documentation alone never reveals. We see significant value in quarterly tabletop exercises for organisations of any meaningful size, and the cost is modest relative to the operational insight they produce. Every serious NIS2-scope organisation should be conducting these.

Insurance as a backstop, not a strategy

Cyber insurance has matured significantly and is genuinely useful, but as carriers tighten exclusions and conditions, organisations relying on insurance as their primary recovery mechanism are increasingly exposed. Insurance complements resilience; it doesn’t replace it. The questions insurers are now asking during underwriting—about controls, testing, supply chain, and incident response—are themselves a reasonable proxy for the resilience capability a regulator will eventually expect.

What this means for NIS2-in-scope organisations

If you’re approaching NIS2 obligations in Ireland, the practical implication of all this is straightforward: the directive is going to be enforced in a threat environment that has materially changed since the obligations were drafted. Your readiness needs to reflect that.

Article 21’s risk-management measures are framed in technology-neutral terms. That’s a feature, not a bug—it means a well-designed resilience programme can be defended even as attack techniques evolve. But it also means competent authorities will increasingly look for evidence that operational measures function under stress, not just that they’re documented.

Three things matter for in-scope organisations right now.

An honest scope assessment. Many Irish organisations are still uncertain whether they’re in scope for NIS2 at all. The 18 sectors and the size thresholds are clear on paper but require careful interpretation in real businesses—particularly where group structures, shared services, or critical-supplier relationships are involved. Getting this wrong in either direction creates problems: false confidence on one side, unnecessary cost on the other.

Resilience-first gap analysis. A gap analysis against Article 21 needs to test whether the operational measures (business continuity, incident response, supply chain controls) actually function—not just whether they’re written down. The bias should be toward tested capability over policy compliance. Many organisations entering audit cycles still discover that their documented plans collapse the first time they’re seriously exercised.

Board-level engagement. NIS2’s management accountability provisions—including potential personal liability and temporary prohibitions on managerial functions—create a board-level imperative that didn’t exist under the original NIS Directive. Cybersecurity discussions at executive level need to mature from “are we compliant?” to “are we ready?”. The two are not the same.

Closing thoughts

The incidents that have defined the past few years aren’t going to be the last. The attacks on rail networks and clinical settings making headlines through 2025 and 2026 are not exotic outliers—they’re representative of a broad pattern affecting organisations of all sizes, sectors, and geographies. Irish organisations operating under NIS2 obligations will encounter their own equivalents, whether as direct targets or as collateral damage from supplier and platform compromises.

The good news is that the security and resilience capabilities required to weather these incidents are well understood, broadly implementable, and increasingly demanded by regulators, customers, insurers, and boards. None of this is novel. What’s changed is the urgency of moving from documented programmes to demonstrably effective ones—and the cost, both regulatory and operational, of failing to make that move.

For organisations early in this journey, the practical starting point is an honest assessment of where prevention stops and resilience begins—and the willingness to invest in the second category at least as seriously as the first.
