Here Is Why EU Businesses Must Act Now
By Marcus Venn | Digital Rule Book | March 1, 2026
On the morning of February 28, 2026, as fighter jets and cruise missiles were striking Iranian military installations, something equally significant was happening in the invisible world of digital infrastructure. Iran went dark.
Not dark in the sense of power outages — though those happened too. Dark in the most modern, dangerous sense: its internet was effectively switched off. Independent internet monitor NetBlocks confirmed that national connectivity in Iran had dropped to just 4% of normal levels — the near-total digital blackout that security experts have long warned could accompany a major military conflict.
This is not just a story about Iran. It is the most significant digital law development of 2026, and it has direct, immediate consequences for every business operating under EU regulation. Here is what happened, why it matters for you, and what you should do right now.
What Actually Happened — The Digital Dimension of Operation Roaring Lion
While the military strikes of Operation Roaring Lion targeted IRGC command centres, nuclear infrastructure, and missile facilities across nine Iranian cities, a parallel operation was running simultaneously against Iran's digital nervous system. Western intelligence sources confirmed that the cyberattack was specifically designed to prevent Iran from coordinating counterattacks by destroying the IRGC's communications infrastructure.
The scale was unprecedented. Beyond the internet blackout, the attack targeted:
Iran's official state news agency IRNA — taken offline for an extended period
Tasnim News Agency, affiliated with the IRGC — severely disrupted and hacked, with subversive messages displayed against the Supreme Leader
Government satellite broadcasts — hacked since January 2026, with content calling for the regime's overthrow aired to millions of households
Local apps and government digital services in Tehran, Isfahan, and Shiraz — all reported failures
Iran's National Information Network — described by cybersecurity experts as fully disconnected even internally within Iran
The attack combined three distinct techniques: electronic warfare that disrupted navigation and communications systems, distributed denial-of-service (DDoS) attacks at massive scale, and deep intrusions into data systems. This was not a simple website takedown — this was the deliberate dismantling of a nation's digital infrastructure as a military objective.
Why This Is a European Business Story, Not Just a Middle East News Story
You might be wondering: an attack on Iran's infrastructure — why does that affect my business in Amsterdam, Berlin, or Warsaw? The answer lies in one word: retaliation.
Iran has maintained one of the world's most sophisticated state-sponsored cyber warfare programs for over a decade. Groups including APT33, APT34, and MuddyWater — all attributed to Iranian state actors — have previously targeted European energy companies, financial institutions, government systems, and critical infrastructure. These groups do not need Iranian internet access to operate. As Bloomberg reported this week, Iranian hackers continued cyberattacks against Israel even throughout the internet blackout by using Starlink terminals and other alternative connectivity methods.
The hacker group Handala, associated with Iranian operations, declared active cyber warfare against Western targets within hours of the strikes. When Iran feels its existence is threatened — which is precisely the current situation — its cyber doctrine shifts from espionage to active sabotage. The targets are not random. They are carefully selected to cause maximum economic and psychological damage to Western governments and businesses.
The EU Legal Framework That Applies Right Now: NIS2
The EU's Network and Information Security Directive 2 — NIS2 — is not a future plan. It became law in October 2024, and as of January 2026, the European Commission proposed further amendments to increase legal clarity. The directive creates binding obligations for businesses in 18 critical sectors, and this week's events trigger several of those obligations directly.
Here is what NIS2 requires, and when:
NIS2 applies to medium and large entities in critical sectors. But here is what many businesses do not realise: the definition of 'critical sectors' was dramatically expanded from the original NIS1 directive. It now includes cloud computing providers, online marketplaces, social platforms, postal services, food manufacturers, and chemical companies — not just traditional utilities.
Maximum fines for non-compliance: €10 million or 2% of global annual turnover, whichever is higher. Management bodies are personally accountable, with potential individual bans from leadership roles.
Five Practical Actions EU Businesses Should Take This Week
You do not need to be a cybersecurity expert to take meaningful protective action. These five steps are proportionate, achievable, and directly relevant to the current threat environment:
Action 1 — Audit your external attack surface today. Make a list of every internet-facing system your business uses: email, remote desktop access, VPN, cloud storage, customer databases. These are your highest-risk entry points for the type of attacks Iranian-linked groups typically deploy.
Action 2 — Enable multi-factor authentication everywhere. NIS2 explicitly requires MFA on internet-facing systems. If you have not done this yet, this week is the moment. Every major email provider and cloud platform offers free MFA — it takes minutes to enable and eliminates the most common attack vector.
Action 3 — Brief your team on phishing awareness. Iranian-linked cyber operations often begin with sophisticated phishing emails targeting employees. A single email to your team explaining the elevated threat level this week costs nothing and reduces your human vulnerability significantly.
Action 4 — Check your backup status. Ransomware — locking your systems until you pay — is a favoured tool of state-sponsored cyber actors during conflict escalation. If your last backup was more than 48 hours ago, run one today. Verify you can actually restore from it.
Action 5 — Know your reporting obligations. If your business is NIS2-regulated and you detect a significant incident, you have 24 hours to file an early warning with your national authority. Know which authority that is before an incident happens, not during one.
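Action 4's two checks (is the newest backup older than 48 hours, and can it actually be read back) can be automated. The sketch below is an added example, not part of the original article; it assumes backups are `.tar.gz` archives with a SHA-256 manifest written beside them at backup time, and all function names are hypothetical.

```python
import hashlib, json, tarfile, tempfile, time, zlib
from pathlib import Path
MAX_AGE_HOURS = 48  # threshold taken from Action 4

def make_backup(source_dir, backup_dir):
    """Archive source_dir and write a SHA-256 manifest beside the archive."""
    source_dir = Path(source_dir)
    archive = Path(backup_dir) / f"backup-{int(time.time())}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
            tar.add(path, arcname=rel)
    Path(f"{archive}.sha256.json").write_text(json.dumps(manifest))
    return archive

def newest_backup(backup_dir):
    archives = sorted(Path(backup_dir).glob("*.tar.gz"), key=lambda p: p.stat().st_mtime)
    return archives[-1] if archives else None

def is_stale(archive, now=None, max_age_hours=MAX_AGE_HOURS):
    """True if there is no backup or the newest one is older than the limit."""
    if archive is None:
        return True
    now = time.time() if now is None else now
    return now - archive.stat().st_mtime > max_age_hours * 3600

def verify_restore(archive):
    """Re-read every archived file and compare with the manifest; [] means OK."""
    manifest = json.loads(Path(f"{archive}.sha256.json").read_text())
    problems, seen = [], set()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    data = tar.extractfile(member).read()
                    seen.add(member.name)
                    if manifest.get(member.name) != hashlib.sha256(data).hexdigest():
                        problems.append(f"content mismatch: {member.name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    problems += [f"missing from archive: {n}" for n in manifest if n not in seen]
    return problems

if __name__ == "__main__":  # constructed demo on throwaway directories
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        Path(src, "orders.csv").write_text("id,total\n1,9.50\n")  # constructed data
        archive = make_backup(src, dst)
        print(is_stale(newest_backup(dst)), verify_restore(archive))
```

The manifest only proves the archive is complete and readable; keeping a copy of it on separate storage is what lets the same check detect a backup that was altered after it was written.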
The Bigger Picture: What This Means for EU Digital Law in 2026
The Iran conflict has done something that years of policy debate could not: it has made the abstract threat of cyber warfare entirely concrete and immediate for every European business leader. The EU's investment in NIS2, the Cyber Resilience Act, the Cyber Solidarity Act, and the EU Cyber Blueprint — all of this regulatory infrastructure suddenly looks less like bureaucratic overhead and more like the essential protective framework it was designed to be.
On January 20, 2026, just five weeks before the Iran strikes, the European Commission proposed targeted amendments to NIS2 specifically designed to ease compliance for smaller businesses. The timing is striking. EU regulators had already identified that the threat environment was escalating. What happened on February 28 confirmed their assessment beyond doubt.
For EU businesses, the lesson is stark: the digital and physical worlds are no longer separate threat environments. A military conflict ten time zones away can create a direct cybersecurity threat to your business within hours. The EU's regulatory framework exists precisely to ensure that European digital infrastructure — and the businesses that depend on it — can withstand that kind of shock.
Frequently Asked Questions
Q: Does NIS2 apply to my small business?
A: NIS2 primarily applies to medium and large entities (50+ employees, €10M+ turnover) in critical sectors. Micro and small enterprises have reduced obligations. However, the European Commission's January 2026 amendments specifically introduced new provisions to make compliance easier for small businesses while still bringing 28,700 additional companies into scope.
Q: What is a 'significant incident' under NIS2?
A: A significant incident is one that causes, or is capable of causing, severe operational disruption or financial loss to your organisation, or that affects other natural or legal persons by causing considerable material or non-material damage. If you are unsure, consult your national cybersecurity authority — they are required to provide guidance.
Q: Which national authority do I report to under NIS2?
A: Each EU member state has designated a national competent authority. In the Netherlands, this is NCSC (National Cyber Security Centre). In Germany, it is BSI. In France, ANSSI. A full list is available at enisa.europa.eu.
Q: What if Iran attacks our systems and we are not NIS2-regulated?
A: Even if NIS2 does not apply to your business, GDPR's security obligation under Article 32 requires 'appropriate technical and organisational measures' to protect personal data. A cyberattack that results in a data breach triggers a 72-hour reporting obligation to your data protection authority regardless of NIS2 status.
The Iran conflict has made cybersecurity a boardroom conversation in every European organisation this week. Use that moment of attention wisely. The EU regulatory framework provides a clear roadmap for what businesses must do. The threat environment provides the motivation. What is needed now is action.
Digital Rule Book will continue monitoring both the evolving conflict and the EU regulatory response. Check back for updates as the situation develops.

