Cybersecurity Guide
Protect your digital life with practical, EU-focused cybersecurity advice. From strong passwords to GDPR rights, learn how to stay safe online in Europe.
Password Security
Weak or reused passwords are the root cause of over 80% of data breaches. In the EU alone, cybercrime costs individuals and businesses an estimated 5.5 billion euros annually, and compromised credentials are the most common attack vector. Building strong password habits is the single most effective step you can take to protect your digital life.
Best Practices
- Use unique passwords for every account. If one service is breached, attackers will try those credentials on dozens of other services within minutes (credential stuffing).
- Make passwords at least 16 characters long. Modern password cracking hardware can brute-force 8-character passwords in hours. Length is the primary factor in password strength.
- Use passphrases instead of complex character substitutions. A passphrase like "correct-horse-battery-staple" is both stronger and more memorable than "P@ssw0rd!23".
- Never share passwords via email, messaging, or phone. No legitimate organisation will ever ask for your password. This is always a scam.
Password Managers
A password manager generates, stores, and auto-fills unique, strong passwords for every account. You only need to remember one master password. The EU's cybersecurity agency ENISA recommends using a password manager as a core security practice. Look for managers that offer end-to-end encryption, zero-knowledge architecture, and compliance with GDPR for data stored in the EU. Reputable options include open-source tools like Bitwarden and KeePassXC, as well as commercial products that store data on EU servers.
Quick Check
Visit haveibeenpwned.com to check whether your email address or phone number has appeared in known data breaches. This free service, recommended by many EU cybersecurity bodies, helps you identify which accounts need immediate password changes.
Breach Statistics
- 80% of breaches involve weak or stolen passwords
- 59% of people reuse passwords across accounts
- 11 billion credentials exposed in known breaches
- 4 hours to crack an 8-character password
Phishing & Social Engineering
Phishing attacks account for over 90% of successful cyberattacks in Europe. These scams trick you into revealing sensitive information by impersonating trusted entities — banks, government agencies, delivery companies, or colleagues.
How to Identify Phishing
Suspicious Sender Address
Check the actual email address, not just the display name. Attackers use domains like "paypa1.com" or "arnazon-security.com" that look similar to legitimate addresses at a glance.
Urgency and Threats
"Your account will be suspended in 24 hours" or "Immediate action required" — legitimate organisations rarely use panic-inducing language. This is a pressure tactic to make you act before thinking.
Suspicious Links
Hover over any link before clicking. The displayed text may say "www.yourbank.eu" but the actual URL points elsewhere entirely. On mobile, long-press links to preview their destination.
Unexpected Attachments
Never open attachments you were not expecting, especially .exe, .zip, .docm, or .xlsm files. Even PDFs can contain malicious content if they exploit reader vulnerabilities.
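The "Suspicious Sender Address" check above can be automated for a short list of domains you actually deal with. The following is an added example, not code from the guide; the trusted-domain list, the confusable-character table and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that merely resemble a trusted domain.

Added example for the "Suspicious Sender Address" advice above; it is not
code from the page. The trusted-domain list and sample addresses are
constructed for illustration.
"""
from difflib import SequenceMatcher

# Constructed list of domains the reader actually does business with.
TRUSTED = ["paypal.com", "amazon.com", "yourbank.eu"]

# Character swaps that are easy to miss at a glance ("rn" reads as "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def normalise(domain: str) -> str:
    """Map visually similar characters to one canonical form."""
    d = domain.lower().strip()
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def registrable(domain: str) -> str:
    """Keep the last two labels ('mail.paypal.com' -> 'paypal.com').

    Good enough for .com/.eu style names; a public-suffix list handles
    multi-part suffixes such as .co.uk properly.
    """
    return ".".join(domain.split(".")[-2:])


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an e-mail address."""
    base = registrable(address.rsplit("@", 1)[-1].lower())
    if base in TRUSTED:
        return "trusted"
    norm = normalise(base)
    for good in TRUSTED:
        good_norm = normalise(good)
        brand = good_norm.split(".")[0]
        # Same name after confusable swaps, or the brand buried in a
        # longer name ("amazon-security.com"), or a one-letter typo.
        if norm == good_norm or brand in norm:
            return "lookalike"
        if SequenceMatcher(None, norm, good_norm).ratio() >= 0.85:
            return "lookalike"
    return "unknown"
```

An address classed "lookalike" is the one to treat exactly as the Golden Rule says: do not follow its links, open the organisation's site directly instead.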
Real-World Phishing Examples
EU consumers frequently encounter these phishing scenarios:
- Fake delivery notifications: Emails or SMS claiming a parcel from DHL, DPD, or PostNL requires payment of a small customs fee. The link leads to a credential-harvesting page.
- Bank security alerts: Messages claiming suspicious activity on your account with a link to "verify your identity." Your bank will never send login links via email.
- Tax authority impersonation: Emails purporting to be from national tax offices offering refunds. Tax authorities communicate via official portals and registered post, not email links.
- Tech support scams: Pop-ups or phone calls claiming your computer is infected, directing you to install remote access software.
Golden Rule
When in doubt, never click the link in the message. Instead, open your browser and navigate directly to the organisation's official website. If the alert is real, you will see it when you log in through the legitimate portal.
GDPR & Your Rights
The General Data Protection Regulation (GDPR) gives EU residents the strongest data privacy rights in the world. Understanding and exercising these rights is a critical part of your digital safety.
Right of Access
You can request a copy of all personal data any organisation holds about you. They must respond within 30 days. This is known as a Subject Access Request (SAR).
Right to Erasure
Also called the "right to be forgotten." You can request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.
Right to Rectification
If an organisation holds inaccurate or incomplete data about you, you have the right to have it corrected. This includes outdated addresses, names, or any other personal information.
Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format and transfer it to another service provider. This promotes competition and user choice.
Right to Object
You can object to processing of your data for direct marketing purposes. This right is absolute — the organisation must stop processing immediately upon your objection.
Right to Breach Notification
If a data breach is likely to result in a high risk to your rights and freedoms, the organisation must notify you without undue delay, explaining what happened and what steps to take.
How to Exercise Your Rights
Send a written request (email is acceptable) to the organisation's Data Protection Officer (DPO). Their contact details must be published in the privacy policy. If the organisation does not comply within 30 days, file a complaint with your national Data Protection Authority — for example, CNIL in France, BfDI in Germany, or the DPC in Ireland. You can also lodge complaints at edpb.europa.eu.
VPN & Privacy Tools
A Virtual Private Network (VPN) encrypts your internet traffic and masks your IP address, protecting your data from surveillance and interception — especially on public networks. When choosing a VPN for use in Europe, consider the following:
- Choose providers headquartered in strong privacy jurisdictions (e.g., Switzerland, Iceland, or EU countries)
- Verify the provider has a genuine no-logs policy, ideally audited by an independent third party
- Look for WireGuard or OpenVPN protocols — avoid proprietary, unaudited protocols
- Ensure the VPN has EU-based servers for optimal performance and GDPR compliance
Beyond VPNs, enhance your privacy with browser extensions that block trackers (such as uBlock Origin), privacy-focused search engines like DuckDuckGo or Startpage (both EU-friendly), and encrypted email services like ProtonMail or Tutanota.
Two-Factor Authentication
Two-factor authentication (2FA) adds a second layer of security beyond your password. Even if your password is compromised, an attacker cannot access your account without the second factor. ENISA recommends enabling 2FA on all critical accounts.
Types of 2FA (Best to Least Secure)
Hardware Security Keys (FIDO2/WebAuthn)
Physical USB or NFC keys like YubiKey. Phishing-resistant and the most secure option available.
Authenticator Apps (TOTP)
Apps like Google Authenticator, Authy, or FreeOTP generate time-based codes locally on your device.
SMS-Based 2FA
Better than no 2FA, but vulnerable to SIM-swapping attacks. Use only when no other option is available.
Priority Accounts for 2FA
Enable 2FA on these accounts first: email (the master key to all other accounts), banking, social media, cloud storage, and your password manager. Most EU banks already enforce strong customer authentication under PSD2 regulations.
Safe Online Shopping
EU consumers enjoy some of the strongest online shopping protections in the world under the Consumer Rights Directive (2011/83/EU). However, knowing your rights and exercising caution is still essential, as fraudulent websites cost EU consumers hundreds of millions of euros annually.
Your EU Consumer Rights Online
- 14-day withdrawal right: You can return most online purchases within 14 days of delivery for a full refund, no reason required. The seller must refund within 14 days of receiving the returned goods.
- 2-year legal guarantee: All goods sold in the EU carry a minimum 2-year guarantee. If a product is faulty, the seller must repair, replace, or refund it.
- Transparent pricing: The total price, including all taxes and delivery charges, must be clearly displayed before you confirm the purchase.
- Chargeback protection: Under PSD2, your bank must refund unauthorised transactions. Credit card purchases offer additional Section 75-equivalent protections in many member states.
Spot a Fake Shop
- Prices too good to be true (70-90% off luxury goods)
- No physical address or phone number listed
- Poor grammar, stock photos, and copied content
- Only bank transfer or cryptocurrency accepted
- Domain registered very recently (check WHOIS)
- Missing or plagiarised privacy policy and terms
Children's Online Safety
Under GDPR Article 8, children under 16 (or 13 in some member states) require parental consent for data processing by online services. The EU is also advancing the Digital Services Act (DSA), which imposes stricter obligations on platforms to protect minors from harmful content.
- Set up age-appropriate parental controls on devices and platforms
- Teach children never to share personal information, location, or photos with strangers online
- Use family-safe DNS services that filter inappropriate content
- Maintain open dialogue about online experiences — make reporting easy and judgement-free
- Review app permissions and in-app purchases regularly
Report child exploitation material immediately at inhope.org, the international network of hotlines operating across EU member states.
Public WiFi Risks
Free public WiFi in cafes, airports, hotels, and trains is convenient but inherently risky. Attackers can create rogue hotspots with legitimate-sounding names ("Hotel_WiFi_Free") or intercept unencrypted traffic on genuine networks.
How to Stay Safe on Public WiFi
- Always use a VPN when connecting to public networks
- Verify the network name with staff before connecting
- Never access banking or enter passwords on public WiFi without a VPN
- Disable auto-connect and file sharing on your device
- Use your mobile data (tethering) for sensitive transactions when possible
WiFi Pineapple Attacks
Attackers use devices that automatically impersonate WiFi networks your phone has connected to before. Your phone connects automatically, routing all traffic through the attacker. Prevent this by removing saved networks you no longer use and disabling auto-join for public hotspots.