The cyber attack on Collins Aerospace in September 2025 paralysed operations at several major European airports because a central IT service provider failed. While major hubs were plunged into chaos, Münster/Osnabrück Airport (FMO) demonstrated impressive resilience through proactive measures and technological self-sufficiency. This analysis examines the incident in light of the upcoming German NIS2 legislation and shows how the obligations for risk assessment and management liability enshrined therein should prevent such system failures in the future.
Introduction
In September 2025, the European aviation industry witnessed a cyberattack that demonstrated the systemic vulnerability of modern, networked infrastructures. The target was not a single airport, but the IT service provider Collins Aerospace, whose failure triggered a cascade of operational disruptions at key transport hubs - while passengers at other airports were unaware of the incident. This incident can therefore serve as a case study for the impact of the forthcoming transposition of the NIS2 Directive into German law.
This article analyses the incident by first describing the differing effects and reactions at the affected airports. It then examines the specific provisions of the German NIS2 Implementation Bill (NIS2UmsuCG-E) and its core, the draft BSI Act (BSIG-E), to show how the new regulatory requirements would have significantly influenced the outcome of such an incident.
The incident: a stress test for operational resilience in aviation
On 19 and 20 September 2025, a confirmed ransomware attack compromised the check-in software "MUSE" from the provider Collins Aerospace, causing widespread operational disruption. MUSE stands for "Multi-User System Environment" and is a so-called "Common Use" platform. Such systems, standardised as Common Use Passenger Processing Systems (CUPPS), allow multiple airlines to use the same physical infrastructure at an airport, such as check-in counters, departure gates and self-service kiosks. Instead of each airline maintaining its own dedicated counters, resources can be allocated dynamically according to demand. The application can run on the airport's servers or in the cloud. While the latter solution facilitates scaling, it can become a fundamental vulnerability, as may be the case here.
In any case, the effects at the airports concerned differed significantly and painted a clear picture of the various degrees of preparation and technological dependency.
At the international hubs of Berlin (BER), Brussels (BRU) and London Heathrow (LHR), the failure of the centralised external system led to an almost complete collapse of passenger handling. The operators were forced to switch to manual processes with paper lists, which could not cope with the volume of passengers. The result was massive delays - 90% of flights at Heathrow were affected the following Sunday - and a high number of flight cancellations. The preventive reduction of flight capacities in Brussels by 50% for the following day indicates the lack of a functioning and tested emergency concept.
This contrasted with the situation at Münster/Osnabrück Airport (FMO) and the other airports in North Rhine-Westphalia (NRW). After becoming aware of the disruption, FMO's IT management decided to proactively disconnect its own systems from the external platform. Check-in operations were seamlessly switched to self-sufficient, internal server systems, so that flight operations could continue without any significant restrictions for passengers. This approach was no coincidence, but the result of a strategic focus on technological independence, underpinned by the operation of an in-house, KRITIS-capable data centre.
Assessment based on the NIS2 Implementation Act: Regulatory requirements as a blueprint for resilience
If the German NIS2UmsuCG had already been in force at the time of the attack, the operators would have been obliged as "particularly important facilities" to take measures that would have prevented a scenario like the one at the major hubs. The Münster/Osnabrück case serves as a positive example of how the principles of the new regulation are already being put into practice.
- Risk management and supply chain security: According to Section 30 (2) No. 4 of the draft BSI Act (BSIG-E), operators must ensure the security of their supply chains. This would have required a mandatory risk analysis of the dependency on Collins Aerospace. Identifying the MUSE system as a critical "single point of failure" (SPOF) would have been mandatory. An operator would have had to demonstrate what measures had been taken to minimise the risk - for example through contractually agreed security standards or, as in the case of FMO, by maintaining a redundant, self-sufficient system. Blindly relying on the availability of a single external provider would be a clear breach of duty under the new legal situation.
- Crisis management and maintenance of operations: Section 30 (2) No. 3 BSIG-E explicitly requires concepts for "maintenance of operations, such as backup management and recovery after an emergency, and crisis management". The procedure at the large airports, which was based on reactive improvisation with inadequate manual processes, clearly contradicts this provision. The example of FMO, on the other hand, demonstrates ideal crisis management: the rapid separation of the compromised system and - presumably - the activation of a prepared, functional backup system is exactly what the legislator intended with this paragraph.
- Responsibility and liability of the management: The decisive lever of the new law is Section 38 BSIG-E, which makes the management personally liable. They are not only responsible for approving the risk management measures, but also for actively monitoring them and are personally liable in the event of breaches of duty. This regulation would have ensured that the strategic decision to rely on external service providers was taken at the highest level and that the associated risk was appropriately assessed and minimised. A decision based purely on cost efficiency without adequate risk management would hardly be tenable under this regulation.
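The supply chain risk analysis and the "single point of failure" identification demanded by Section 30 (2) No. 4 BSIG-E, and the backup and recovery concept demanded by No. 3, can be made concrete with a small dependency model. The following Python script is an added example, not code from the article, from FMO, or from Collins Aerospace: it models a check-in capability as an OR-of-AND dependency graph (a service is up if all members of any one alternative are up), finds every component whose sole failure takes check-in down, and replays the two scenarios described above, a provider compromise and a deliberate disconnection of the external platform. All component names (`muse_cloud`, `local_cupps`, `onsite_datacentre`, `wan_link`) and both topologies are constructed assumptions for illustration; the approach generalises to any service map an operator maintains.

```python
from typing import Dict, List, Set

# Constructed dependency model (illustrative, not from the article).
# Each service maps to a list of alternative dependency sets: the service
# is available if ALL members of ANY one alternative are available.
# Names that are not keys are leaves (external providers, hardware)
# with no further dependencies of their own.
DependencyModel = Dict[str, List[Set[str]]]

# Hypothetical major hub: check-in depends solely on the provider-hosted platform.
HUB_MODEL: DependencyModel = {
    "check_in": [{"muse_cloud"}],
    "muse_cloud": [{"collins_aerospace", "wan_link"}],
}

# Hypothetical FMO-style setup: the same external platform, plus an
# independent on-site CUPPS instance in the airport's own data centre.
FMO_MODEL: DependencyModel = {
    "check_in": [{"muse_cloud"}, {"local_cupps"}],
    "muse_cloud": [{"collins_aerospace", "wan_link"}],
    "local_cupps": [{"onsite_datacentre"}],
}


def available(model: DependencyModel, node: str, failed: Set[str],
              _path: Set[str] = frozenset()) -> bool:
    """True if `node` still works given the set of failed components."""
    if node in failed:
        return False
    if node in _path:  # cyclic model: a node cannot depend on itself
        return False
    options = model.get(node, [set()])  # a leaf has one empty alternative
    return any(
        all(available(model, dep, failed, _path | {node}) for dep in option)
        for option in options
    )


def all_components(model: DependencyModel) -> Set[str]:
    """Every name that appears in the model, keys and dependencies alike."""
    names = set(model)
    for options in model.values():
        for option in options:
            names |= option
    return names


def find_spofs(model: DependencyModel, target: str) -> Set[str]:
    """Components whose single failure, on its own, makes `target` unavailable."""
    if not available(model, target, set()):
        return set()  # target is already down; SPOF analysis is meaningless
    return {
        component
        for component in all_components(model) - {target}
        if not available(model, target, {component})
    }


def simulate(model: DependencyModel, failed: Set[str]) -> Dict[str, bool]:
    """Availability of every component after the given components fail."""
    return {c: available(model, c, failed) for c in sorted(all_components(model))}


if __name__ == "__main__":
    for name, model in (("hub", HUB_MODEL), ("fmo", FMO_MODEL)):
        print(f"{name}: SPOFs for check_in -> {sorted(find_spofs(model, 'check_in'))}")
        # Scenario 1: the external provider is compromised.
        print(f"{name}: provider compromised -> check_in up: "
              f"{simulate(model, {'collins_aerospace'})['check_in']}")
        # Scenario 2: the operator proactively disconnects the external platform.
        print(f"{name}: platform disconnected -> check_in up: "
              f"{simulate(model, {'muse_cloud'})['check_in']}")
```

In the hub model every node on the single path to the provider is reported as a SPOF, which is the finding a Section 30 (2) No. 4 risk analysis would have to document and mitigate; the FMO-style model reports none, and check-in survives both the provider compromise and the deliberate disconnection because the second alternative never touches the external platform. Running the same analysis with the on-site data centre also failed shows the limits of the redundancy, which is exactly the kind of residual risk the management would have to accept knowingly under Section 38 BSIG-E.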