Why Cybersecurity in Education Can’t Wait for NIS2
Schools and universities across Europe are dealing with a wave of cyberattacks that classrooms and campuses were never built to withstand. In early 2025, hackers used stolen credentials and a VPN without two-factor authentication to roam Eindhoven University of Technology’s networks undetected for five days. Classes were cancelled for an entire week. The incident is part of a broader pattern: education has become a high-value target, and the regulatory response is finally catching up. The question is no longer whether your institution will be tested, but whether it will be ready when it happens.
Education Has Become a Top Target for Cybercriminals
Educational institutions hold an unusual combination of assets: tens of thousands of personal records, valuable research data, financial systems, and access credentials that move freely between students, staff, and outside partners. That density of sensitive information, paired with a traditionally open IT culture, is exactly what attackers want.
Across the EU, ransomware groups have targeted universities, vocational schools, and even primary schools. Dutch institutions are no exception. Maastricht University paid roughly €197,000 in ransom after a 2019 attack, and TU/e was the most recent high-profile case. Smaller schools rarely make the news but face the same threats with a fraction of the security budget.
The damage is rarely contained to IT: cancelled classes, exposed student data, halted research, and the slow process of rebuilding trust with parents, students, and partners. By the time systems are restored, the financial and reputational cost has already been paid.
NIS2 Draws a Line, But Not Around Every Institution
The European NIS2 directive obliges large parts of the public and private sector to demonstrably improve their cybersecurity. Higher education is included via the research sector, so most universities and many universities of applied sciences fall under it. Primary, secondary, and vocational schools usually do not, although national governments can still designate them as critical entities.
If you want to know exactly where your institution stands, Guardey published a detailed NIS2 education guide that breaks down the thresholds, obligations, and grey areas. It explains how mixed organisations and supply chain ties can quietly pull non-listed schools into scope as well.
But here is the thing about NIS2: even if your institution is not formally in scope, the threats it responds to apply to you all the same. Falling outside the directive does not mean falling outside the attackers’ targeting lists.
Why Security Awareness Is the Hardest Part
Most successful attacks on education do not break encryption. They walk through the front door using a phishing email, a reused password, or a missing two-factor prompt. The TU/e incident started with stolen credentials. The Maastricht ransomware began with a phishing message that an employee clicked.
Technical controls help, but they only work when the people behind them know what they are doing. A VPN protects connections; it does not stop someone from handing over their login over the phone. Multi-factor authentication blocks credential theft; it does not help if staff approve push notifications without checking whether the request is actually their own.
That is why security awareness training belongs at the centre of every education cybersecurity programme, not in an annual compliance slide deck. Recognising phishing, handling data safely, and knowing what to do when something looks wrong are skills that have to be practised. NIS2 explicitly requires this for institutions in scope. Every other school should do it anyway.
Building Digital Resilience in Schools and Universities
A solid baseline for any educational institution looks broadly the same: multi-factor authentication on every account that touches student or staff data; encrypted connections for staff and researchers working remotely or from public networks, where a VPN such as GOOSE VPN can secure traffic against interception; and a documented incident response plan so a ransomware alert at 3am does not paralyse the IT team.
Supplier security is the often-overlooked piece. Schools rely heavily on student information systems, learning platforms, and cloud storage providers. When one of those vendors is breached, your institution inherits the consequences. Reviewing contracts and security commitments from suppliers is part of a serious cybersecurity programme, regardless of whether NIS2 requires it.
None of this is exotic. Most of it is what well-run organisations in other sectors have been doing for years. The difference is that education is now expected to operate at the same security maturity, often with the added complexity of open academic environments and tight budgets.
Whether your institution falls under NIS2 or not, the direction of travel is the same. Attackers see schools and universities as soft targets with high-value data. Regulators are tightening the rules around how that data is protected, and insurers will follow. The institutions that invest now in awareness, controls, and culture will not just be compliant when their turn comes. They will be the ones that are not in the news.