EU Airports Disrupted by MUSE Outage

On 19 September, Collins Aerospace’s MUSE platform, used by airlines to share check-in desks, kiosks and boarding gates, experienced a cyber-related disruption. While ENISA has confirmed ransomware was involved, no technical details or confirmed attribution have been released.

Flights were delayed, some cancelled, and passengers at Heathrow, Brussels, Berlin and many other major European airports queued for hours as staff reverted to manual boarding passes. These fallback processes kept planes moving, but at significant cost to efficiency and trust.

Single Vendor Dependency

The reliance on MUSE highlights the risks of single vendor dependency. Consolidating operations into one system brought efficiency, but it also created a single point of failure. When MUSE went down, there was no immediate substitute, and disruption spread quickly across multiple airports.

NIS2 and Why it Matters

The EU’s NIS2 Directive was introduced to address scenarios where digital failures or attacks cause widespread operational disruption. It requires critical entities, including transport operators, to implement:

  • Robust risk management across their IT and supply chains.
  • Business continuity and disaster recovery strategies that go beyond paper-based backups.
  • Incident reporting when disruptions significantly impact operations.

Critically, NIS2 places accountability on boards and senior executives. Under NIS2, outages like MUSE would likely be scrutinised as potential failures of resilience planning, carrying regulatory and financial consequences if gaps were found.

Key Priorities

This incident highlights three urgent priorities:

  1. Audit Dependencies – organisations need a clear map of where operations hinge on single providers. Hidden dependencies are often the source of the biggest disruptions.
  2. Security by Design – resilience should be built into systems from the outset. Fallback cannot rely on improvised manual workarounds. Organisations need architectures that maintain operations even if a primary vendor fails.
  3. Evidence Resilience – under NIS2, it is not enough to claim resilience. Boards must be able to prove it through documented processes, real redundancy and tested protocols.

Key Takeaways

The MUSE outage showed how quickly disruption spreads when critical services depend on a single provider.

While aviation felt the impact this time, the principle applies far more widely. Organisations in every sector are being asked by regulators, partners and their own boards to demonstrate that continuity is not left to chance.

The takeaway is that resilience must be owned at the organisational level. Relying entirely on a vendor to guarantee continuity is no longer enough.

Securing the Data Itself

Modern ransomware often turns outages into data breaches. If data theft were to be confirmed, the consequences would extend far beyond delays.

Binarii Labs addresses this risk by securing unstructured data at the source where every file is encrypted, fragmented and distributed so no attacker can ever access it in full. Even if systems are breached, the data remains protected, continuity is preserved, and organisations can meet the resilience and accountability that NIS2 now demands.