Brussels Airport, along with other major airports across Europe, was targeted in a cyberattack over the weekend, with the effects still being felt several days later.
The cyberattack on Collins Aerospace, the external provider of check-in and boarding systems, disrupted check-in and baggage systems at hubs including Brussels, Dublin, London and Berlin.
Thousands of passengers (including some EU leaders travelling to the UN General Assembly in New York) were left stranded with cancelled or delayed flights.
Travel disruption is expected to continue today. "We expect that approximately one in ten flights will be cancelled on Wednesday," Ihsane Chioua Lekhli, spokesperson for Brussels Airport, confirmed to The Brussels Times. "The impact will be similar to what it was on Tuesday, when 9% of departing flights were cancelled."
Manual check-ins at Brussels Airport on Tuesday 23 September 2025. Credit: Belga/Arthur Gekiere
AI cyberattack?
The European Union Agency for Cybersecurity (ENISA) on Monday confirmed that the attack involved ransomware, which involves blocking systems by encrypting their content. The hackers typically demand a ransom to release the systems.
It is still unclear who is behind the cyberattack.
"We are aware of the ongoing disruption of airports' operations, which were caused by a third-party cyber incident," an ENISA spokesperson told The Brussels Times.
At the moment, the ENISA cybersecurity agency cannot share further information regarding the cyberattack, the spokesperson stated. "There is an ongoing investigation, and the relevant authorities will communicate further updates if deemed necessary."
According to the cybersecurity agency's Emerging Threats 2030 report, the 'Supply Chain Compromise of Software Dependencies' remains a key emerging threat.
"This is considered an after-effect of the expanding integration of third-party suppliers and partners in the supply chain, leading to new vulnerabilities and opportunities for attacks," the report states.
People waiting at the check-in of Brussels Airport on Saturday 20 September 2025 in Brussels. Credit: Belga/Joris Smets
According to AI expert Christian Perry, the CEO of Undetectable AI, the hackers likely used AI to penetrate the airport system’s security. "In this sort of attack, AI can do the heavy lifting that used to take hackers weeks."
AI can scan for weaknesses across huge systems in minutes. "Once it finds a way in, it can copy normal user behaviour so it does not raise any alarms," Perry said in a statement. "That is why this airport attack is so concerning. It shows how quickly the rules of cybersecurity are changing."
While the impact for travellers – queues, cancellations, and missed connections – is immediate, Perry stressed that the bigger concern could be what comes next. "Unfortunately, this probably won’t be the last time we see something like this."
And airports are not the only places at risk; the same methods could be used against other parts of daily life, such as (public) transport networks, hospitals, banks and even emergency services.
As attackers get more advanced, Perry feels that organisations need to wake up to the fact that traditional security is not enough anymore. "Just like we scan luggage for hidden threats, we now need systems that scan for hidden AI activity. Without that, we are always going to be one step behind."
Defending against attacks
But it is not all doom and gloom: AI could also help defend against the attacks it enables. "It can be trained to spot unusual patterns, pick up threats faster than any human team, and shut down attacks before they spiral," says Perry.
At the European level, the ENISA cybersecurity agency actively aims to contribute to "cooperative preparedness" among Member States by facilitating common and effective situational awareness.
The CSIRTs Network (composed of EU Member States' national appointed incident responders) and CyCLONe members (national authorities of Member States in charge of cyber crisis management) are also engaged in active information exchange on the matter, with ENISA supporting as their secretariat.
Manual check-ins at Brussels Airport on Tuesday 23 September 2025. Credit: Belga/Arthur Gekiere
Additionally, the EU's 'NIS2' Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU, including transport.
The directive addresses security of supply chains and supplier relationships by requiring individual companies to address potential cybersecurity risks in their supply chains and supplier relationships. "Member States are encouraged to identify ways and share good practices on managing supply chain risks, especially on software dependencies."
The ENISA Threat Landscape report found that abuse of cyber dependencies has also intensified, as shown by "compromises in open-source repositories, malicious browser extensions and breaches of service providers," which amplifies the risk throughout interconnected digital ecosystems.
Advice from Brussels Airport
With the consequences of the attack still being felt, Brussels Airport advises passengers to check the status of their flight before leaving for the airport and to arrive on time: two hours before departure for a flight within the Schengen zone, and three hours for non-Schengen destinations.
Over the weekend, the number of cancellations and delays was significant at Brussels Airport. On Saturday, 25 of the 234 scheduled departures and 13 arrivals were cancelled. On Sunday, 50 of the 257 departures and 35 arrivals were cancelled.
While the attack continued to disrupt flights on Monday and Tuesday, the impact was significantly reduced and the vast majority of flights operated as planned thanks to alternative check-in options.
In the meantime, Brussels Airlines, the largest airline at Brussels Airport, has been asking passengers to check in online as much as possible. TUI fly, meanwhile, has been using its own check-in system since Tuesday afternoon.
Passenger rights: refunds and assistance
Consumer protection organisation Testachats has reminded travellers that passengers whose flights are cancelled due to the cyberattack are entitled to a free alternative solution or a full refund of their ticket.
However, airlines are not obliged to pay financial compensation, as the cancellations are considered the result of force majeure.
Passengers whose flights are delayed are entitled to assistance from their airline, such as the provision of refreshments. If an overnight stay is required, the airline must cover hotel accommodation costs.
