Mobile security is not a defence sector concern that occasionally spills over into other industries. It is a universal exposure that manifests differently depending on what your organization does, what data it handles, and who wants access to it. The sectors that have historically invested least in mobile security are often the ones that carry the most sensitive information on the most poorly controlled devices.
The five attack vectors described in the previous article apply across all industries. What differs is the consequence of a successful compromise, the regulatory framework governing the response, and the specific threat actors with a reason to care about your data.

Government and public sector
Civil servants across Dutch ministries regularly send work-related messages via WhatsApp; this is not a secret. It is formally prohibited in several departments and practically unenforceable in most. The gap between policy and reality is not a cultural failure; it is an architecture failure. When there is no approved, usable alternative, people use what works.
The consequence is that sensitive government communications routinely transit infrastructure operated under US jurisdiction, are stored on servers outside Dutch or EU legal reach, and are accessible to Meta under US law. The Dutch State Secretary acknowledged in March 2026 that reliance on WhatsApp is a risk. The European Commission launched antitrust proceedings against Meta and WhatsApp in April 2026. France, Germany, and Belgium have already deployed government-contracted alternatives. The Netherlands is actively testing options.
NIS2, transposed into Dutch law in October 2024, brings eighteen critical sectors into mandatory compliance scope, including communication tools. For government organizations, the combination of a formal WhatsApp ban, active NIS2 audit requirements, and the absence of a deployed alternative creates a compliance gap that is now measurable and board-level.
Healthcare
Of all critical infrastructure categories, healthcare is the most targeted sector for combined ransomware and data theft attacks, according to FBI data covering 2024. The average cost of a data breach in healthcare reached $9.8 million in 2024, growing at twice the rate of other industries according to ScienceSoft's sector analysis. Email phishing is the leading entry point, responsible for 63% of all access point breaches in the sector.
Mobile devices are central to this exposure. Clinical staff use smartphones to coordinate patient care, access records, and communicate between departments. The same device that receives a phishing message in the morning is used to access patient data in the afternoon. Without endpoint protection deployed on mobile devices, there is no mechanism to intercept the attack before it succeeds.
The consequences in healthcare extend beyond data loss. When systems are taken offline by ransomware, care delivery is disrupted. In 2024, 58% of computers within targeted healthcare organizations were impacted by attacks. The capacity of a hospital to function as a hospital is directly affected by the security architecture of its mobile endpoints.
Defence and critical infrastructure
Defence staff use private phones for operational communication, not because they want to but because there is no approved alternative. The grey zone between classified communication tools and consumer messaging apps is wide, and most operational activity happens inside it.
The Salt Typhoon campaign confirmed in late 2024 that telecom infrastructure itself is an attack surface. China breached lawful intercept systems in more than 80 countries, with the Netherlands confirmed as affected. When the underlying network is compromised, application-layer encryption on a consumer messaging app provides limited protection.
For critical infrastructure operators, NIS2 has brought crisis communication channels explicitly into audit scope. Contractors and field engineers sharing operational data via WhatsApp groups are now a compliance issue as well as a security one. The organizations most likely to fail an NIS2 audit in this area are not the ones that ignored security entirely. They are the ones that addressed IT security thoroughly and left mobile as an afterthought.
Legal services and journalism
Lawyers carry a legal duty to protect client confidentiality. Journalists have a professional and, in some jurisdictions, legal obligation to protect sources. Both groups rely overwhelmingly on mobile devices for communication, and both are documented targets of sophisticated surveillance.
Pegasus has been confirmed on the devices of lawyers, journalists, and politicians across Europe. The attacks required no action from the target, the devices were running current software, and the compromise was complete before the user was aware anything had happened.
Client confidentiality obligations are structurally incompatible with communication platforms that process data under US jurisdiction. The legal exposure this creates, for the lawyer and for the client, is not theoretical. It is a function of where the data goes and who can access it under what legal framework.
The conclusion
Every sector described above has a different threat profile, different regulatory requirements, and different consequences for a successful compromise. What they share is this: mobile devices are carrying organizational risk that most security architectures were not designed to address, and the gap between current posture and adequate posture is widening.
The organizations that close that gap first will not just be more secure. Under NIS2, they will also be demonstrably compliant. The ones that do not will be carrying both exposures simultaneously.