Source: European Parliament
Question for written answer E-001401/2025
to the Commission
Rule 144
Christine Anderson (ESN)
In December 2020, the European Medicines Agency (EMA) was the target of a cyberattack in which internal emails and confidential documents relating to COVID-19 vaccine evaluations were stolen, allegedly altered, and selectively leaked. The EMA has since confirmed that the perpetrators:
– manipulated emails and other documents, including through altered titles, selective aggregation, and out-of-context presentation;
– did so explicitly in a way ‘which could undermine trust in vaccines’[1];
– released content during a critical phase of public debate and political pressure around vaccine approvals.
Despite this, the EMA and the Commission have not disclosed the specific alterations made or provided any analysis of the potential impact on public perception, citing the risk of spreading misinformation. Meanwhile, credible sources have pointed to foreign state actors as likely culprits, yet the EU has not publicly attributed responsibility.
In this context, can the Commission clarify:
1. Why has no public review been conducted of the manipulated content, given its relevance to vaccine trust and democratic accountability?
2. Has the Commission deliberately withheld attribution of the attack for diplomatic or political reasons?
3. Does the Commission consider it acceptable that no factual account of the alleged document manipulation has been made public to date?
Submitted: 7.4.2025
[1] https://www.ema.europa.eu/en/news/cyberattack-ema-update-5