Digital resilience of local and regional public authorities

In the spring of 2007, Estonia’s public services were under cyber-attack for three weeks. This event is likely to have alerted several EU national governments to the vulnerability of their internet-based services. The ‘spring’ of digital resilience for public authorities began when it became evident that there was a need to associate digitalisation with information security. Nowadays, this need in the public sector is even more urgent and driven by increased digitalisation, growing interconnection and the mounting occurrence of cyber-attacks.

EU legislation has been an important lever of change in public administrations, for example with the GDPR. In future years, it will continue to play this key role. The Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) and the Interoperable Europe Act are examples of legislation that will drive change in the digital resilience of public administrations.

This study is a pioneer in the investigation of the state of play of digital resilience of local and regional authorities (LRAs) across the EU. A primary drawback was the lack of a definition, in the literature, of the public sector’s digital resilience. Bearing in mind that European LRAs provide a large variety of eGovernment services and that some LRAs are also responsible for services of general and/or of economic interest, the digital resilience of public authorities certainly encompasses the capacity to cope with threats affecting the provision of public services and the integrity of data. Thus, ‘digital resilience’ goes beyond the protection of ICT assets. It implies prevention and preparedness measures. If in place, it also ensures timely response to and recovery from incidents.
