Who Watches the Watchmen? The Council of Europe Breach and the Grey Zones of the EU Cyber Perimeter

In June 2026 the ShinyHunters group claimed an attack on the Council of Europe: according to the attackers themselves, over 429,000 documents and 297 GB of data — payroll, personnel files, CVs, tax, banking and medical records — were exfiltrated by exploiting an Oracle PeopleSoft zero-day. But the most interesting detail is not the size of the haul: it is that this target falls into a grey zone of European cyber governance.
What Happened
The PeopleSoft vulnerability and campaign are established fact; the Council of Europe's specific involvement, by contrast, remains an attacker claim not confirmed by the victim. CVE-2026-35273 is an unauthenticated remote code execution flaw in Oracle PeopleSoft (Environment Management component, CVSS 9.8): Oracle issued an out-of-band advisory on 10 June 2026, a sign it was already being exploited as a zero-day. Google Threat Intelligence Group / Mandiant attributes the campaign to the cluster it tracks as UNC6240 (ShinyHunters), with activity observed between 27 May and 9 June and over 100 notified organisations — around 68% of them universities.
The Council of Europe, by contrast, is in claims territory. The group asserts — in statements to The Register and posted on its own leak site — that it exfiltrated 297 GB and 429,000 files: payroll for over 10,000 employees (2011-2026), more than 14,000 CVs, tax, banking and medical records. The Council of Europe has only stated that it is "investigating the matter and assessing the situation". The figures should therefore be treated as alleged.
But even setting the numbers aside, the case is instructive for a reason that has little to do with the size of the theft: it exposes a crack in European cyber governance.
The Name Trap
Let's clear up a common misunderstanding. The Council of Europe is not an institution of the European Union. It is an autonomous international organisation based in Strasbourg, with 46 member states, founded in 1949, guardian of the European Convention on Human Rights. It must not be confused with the Council of the European Union or the European Council, which are EU bodies.
It sounds like pedantry. It isn't: which "club" an organisation belongs to determines which safety net covers it.
The Three Perimeters — and Where the Council of Europe Falls
Europe has built two distinct regulatory perimeters for cybersecurity:
- NIS2 (Directive EU 2022/2555) — covers essential and important entities in the Member States: energy, transport, health, finance, public administration, digital infrastructure. It is the perimeter of national companies and administrations.
- Regulation (EU, Euratom) 2023/2841 — in force since 7 January 2024, the equivalent of NIS2 for the institutions, bodies, offices and agencies of the Union (EUIBA): Commission, European Parliament, Council of the EU, agencies. It strengthened CERT-EU and created the Interinstitutional Cybersecurity Board (IICB) that oversees its implementation.
CERT-EU is precisely the body that comes to mind when asking "but who watches over the security of the European institutions?". The answer, however, only applies to the EUIBAs. The Council of Europe falls into neither perimeter:
- it does not fall within the ordinary NIS2 perimeter, being an autonomous international organisation — neither a national entity designated by a Member State nor a Union entity;
- it is not covered by Reg. 2023/2841 or CERT-EU (not an EU institution);
- it provides for its own security, outside the Union's cyber safety net.
In other words: CERT-EU and the IICB have no ordinary supervisory mandate over the Council of Europe — their perimeter covers Union entities. Forms of cooperation remain possible, but not automatic coverage as for the EUIBAs. A pan-European organisation holding highly sensitive data of 46 states falls through the cracks of NIS2 and the EU-institutions regulation.
What NIS2 Would Say to Those Inside the Perimeter
Here lies the value of the case for companies and administrations that NIS2 very much does cover. The same attack — a zero-day on a third-party ERP/HR — projects four very concrete NIS2 obligations:
- Vulnerability handling — Art. 21(2)(e). The vector is a flaw in a third-party product. NIS2 mandates security in acquisition, development and maintenance, including vulnerability handling: whoever uses that software must have patch management that reacts in hours, and must be able to prove it.
- Supply-chain security — Art. 21(2)(d). A single vulnerability allegedly opened 100+ organisations. This is the supplier risk NIS2 requires you to govern and document.
- Detection and timing. Weeks pass between the start of exploitation and the attackers' threat to publish. NIS2 (Art. 21) requires monitoring, logging and incident handling: the weak point is not only the missing patch, but detection time.
- Reporting obligation — Art. 23. For affected entities, the chain to the CSIRT kicks in: early warning within 24 hours, notification within 72 hours, final report within one month — alongside GDPR obligations (Art. 33/34), here severe given the nature of the data.
The Lesson
For decision-makers: the regulatory perimeter does not coincide with the risk perimeter. There are organisations — and data — that remain outside NIS2 and the EU-institutions regulation while being first-rate targets. Knowing which "club" you are in, and which safety net applies, is the first act of governance.
For those inside NIS2: being subject to an obligation does not mean being secure. A patching policy in the drawer would not have stopped this attack. What is needed is continuous proof that controls are actually active — patches applied, monitoring working, supply chain mapped. That is the difference between documentary compliance and verified security.
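As an added, illustrative example (not from the original article, and not the code of any product mentioned on this page), the following Python turns the obligations listed under "What NIS2 Would Say" and the "continuous proof that controls are actually active" demanded in the lesson into checks over evidence: hours from advisory to patch per host (Art. 21(2)(e)), time between first exploitation and detection (Art. 21), and the Art. 23 reporting chain. The host names, patch log, detection and submission timestamps and the 24-hour patch SLA are constructed assumptions; only the advisory date and the 24h/72h/one-month windows come from the article, and "one month" is approximated here as 30 days.

```python
from datetime import datetime, timedelta, timezone

# Assumed internal patch SLA for an actively exploited zero-day (our assumption, not a NIS2 figure).
PATCH_SLA = timedelta(hours=24)

# Art. 23 reporting chain as stated in the article; "within one month" approximated as 30 days.
REPORTING_STAGES = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


def ts(s):
    """Parse an ISO-8601 timestamp (no offset) as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Advisory date is from the article (Oracle out-of-band advisory, 10 June 2026); time of day is constructed.
ADVISORY_PUBLISHED = ts("2026-06-10T00:00:00")

# Constructed patch log: one row per PeopleSoft host; None means still unpatched.
PATCH_LOG = [
    {"host": "hr-app-01", "patched_at": "2026-06-10T09:30:00"},
    {"host": "hr-app-02", "patched_at": "2026-06-12T14:00:00"},
    {"host": "hr-app-03", "patched_at": None},
]


def patch_evidence(log, advisory_time, sla=PATCH_SLA):
    """Art. 21(2)(e): hours from advisory to patch per host and whether the SLA held.

    Returns host -> (hours_to_patch or None if unpatched, within_sla)."""
    result = {}
    for row in log:
        if row["patched_at"] is None:
            result[row["host"]] = (None, False)
            continue
        delta = ts(row["patched_at"]) - advisory_time
        result[row["host"]] = (delta.total_seconds() / 3600, delta <= sla)
    return result


def dwell_hours(first_exploitation, detected_at):
    """Art. 21 detection: hours between first exploitation and detection."""
    return (ts(detected_at) - ts(first_exploitation)).total_seconds() / 3600


def reporting_status(detected_at, submitted, now):
    """Art. 23: classify each stage as on_time, late, pending (not yet due) or missing (overdue).

    submitted maps stage -> ISO timestamp of the report actually sent; absent = not sent."""
    base = ts(detected_at)
    now = ts(now)
    status = {}
    for stage, window in REPORTING_STAGES.items():
        deadline = base + window
        sent = submitted.get(stage)
        if sent is None:
            status[stage] = "pending" if now <= deadline else "missing"
        else:
            status[stage] = "on_time" if ts(sent) <= deadline else "late"
    return status


if __name__ == "__main__":
    for host, (hours, ok) in patch_evidence(PATCH_LOG, ADVISORY_PUBLISHED).items():
        print(host, "unpatched" if hours is None else f"{hours:.1f}h", "OK" if ok else "SLA BREACH")
    # Campaign start (27 May) is from the article; the detection timestamp is constructed.
    print("dwell hours:", dwell_hours("2026-05-27T00:00:00", "2026-06-12T10:00:00"))
    print(reporting_status(
        "2026-06-12T10:00:00",
        {"early_warning": "2026-06-13T08:00:00", "notification": "2026-06-15T12:00:00"},
        now="2026-06-20T00:00:00",
    ))
```

Run against a real change-management export and a CSIRT submission log, the same three functions produce the per-host and per-stage evidence an auditor would ask for, rather than a policy document asserting that patching "reacts in hours".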
You're Inside the NIS2 Perimeter — but Do Your Controls Actually Hold?
Tomato Blue maps your NIS2 obligations and Tomato Red continuously verifies their real implementation: vulnerability handling, supply chain, detection. From policy to evidence.
Talk to us →
Sources
- Google Threat Intelligence Group / Mandiant — ShinyHunters targets education sector with Oracle PeopleSoft exploit (UNC6240 attribution, CVE-2026-35273, 27 May–9 Jun campaign)
- Oracle — Security Alert CVE-2026-35273 (out-of-band advisory, 10 June 2026)
- The Register — Council of Europe hacked in ShinyHunters' PeopleSoft heist (15 June 2026) — direct statements from the Council of Europe and the group; figures claimed, not confirmed by the victim
- SecurityWeek — Google confirms exploitation of Oracle PeopleSoft zero-day by ShinyHunters
- BleepingComputer — Council of Europe investigates ShinyHunters data breach claims
- Regulation (EU, Euratom) 2023/2841 — EUR-Lex (cybersecurity of EU institutions, CERT-EU, IICB)
- Directive (EU) 2022/2555 (NIS2) — EUR-Lex (Arts. 21, 23)
- CERT-EU — Cybersecurity Service for the Union institutions, bodies, offices and agencies