Europe is under attack. At least virtually. According to an analysis by Microsoft Russian cyberattacks against NATO countries surged by 25 per cent in a year. Among these are many EU-countries. Around five per cent of all Russian cyberattacks worldwide were directed at Belgium alone. At the same time, the EU faces another challenge: reducing its reliance on non-European digital infrastructure and becoming more digitally independent. Taken together, this leads to a simple question: are these cyberattacks just separate incidents, or are they part of a larger geopolitical plan? To answer that, we need to understand why Russia uses cyber operations in the first place.
Keir Giles – Chatham House
“Cyberwar is never separate from information war”: Russia expert Keir Giles on how Moscow uses cyberattacks as a weapon in its hybrid warfare strategy
These incidents raise a crucial question: are these cyberattacks isolated disruptions, or part of a broader geopolitical strategy? To answer that, we need to understand why Russia uses cyber operations in the first place.
For Moscow, cyberattacks are not isolated technical incidents. They are part of a broader strategic mindset known as information confrontation. According to Russia expert Keir Giles, cyber operations must be understood as one element within a wider spectrum of tools that also includes disinformation, propaganda and psychological pressure. “Cyberwarfare is never separate from information war,” he explains. The goal is not only to disrupt systems, but to influence societies, undermine trust and weaken opponents over time.
“It is clear that it’s a constant battle, an arms race between attackers and defenders”
Rather than aiming for one decisive digital blow, Russia applies what Giles describes as continuous cyber pressure. European institutions, governments and companies are constantly probed for vulnerabilities. Some attacks succeed, others fail, but the cumulative effect is what matters. “It’s clear that it is a constant battle, an arms race between attackers and defenders,” Giles says. This permanent pressure forces defenders to stay alert at all times, while attackers only need to succeed once.
The grey zone and plausible deniability
A defining feature of Russia’s cyber strategy is the deliberate blurring of lines between state actors and criminal groups. Many cyberattacks cannot be clearly traced back to the Kremlin, even when they align closely with Russian strategic interests. Giles notes that Russia benefits from a permissive environment in which criminal hackers operate with relative freedom as long as their targets are abroad. Individuals often move between state agencies and criminal networks, creating a grey zone that offers Moscow plausible deniability.
This complicates Europe’s response. Without clear attribution, political and legal countermeasures become harder to justify. At the same time, the damage is real: disrupted services, leaked data and shaken public confidence. Cyberattacks therefore function as a low-cost, low-risk way for Russia to project power and test European resilience without crossing the threshold of open conflict.
Yet cyber operations are only effective because of what they target: complex, interconnected digital systems that modern societies rely on every day. To understand why these attacks are so difficult to prevent and why defending against them is inherently harder than launching them, we need to look at how cyberattacks actually work.
Dennis-Kenji Kipker – Professor IT Security Law (University of Bremen)
“Weakening societies without triggering war”
Cyberattacks today are rarely standalone digital incidents. They are increasingly part of a broader strategy known as hybrid or grey-zone warfare, where cyber operations, physical disruption, and psychological pressure are combined to weaken societies without triggering open conflict. According to cybersecurity expert Professor Dennis-Kenji Kipker (University of Bremen), this form of warfare has already become a daily reality in Europe. “Hybrid warfare is no longer an abstract concept”, he claims.
Recent drone incidents over European airports and military bases illustrate how this strategy works in practice. Drones have been spotted repeatedly across several countries, including Germany, Denmark, Belgium, and Sweden. While each incident on its own may seem limited, their coordination and repetition are what make them alarming. Kipker explains that these actions are treated by authorities as hybrid threats because they are designed to test responses and create instability rather than cause immediate destruction: “Their coordination and repetition across several countries point to a deliberate attempt to destabilize the infrastructure and to test the reaction of NATO and the European Union,” he says.
Ambiguity and attribution
What makes such incidents especially effective is their ambiguity. No Western government has publicly released definitive proof of Russian involvement, yet suspicion among intelligence and political leaders remains high. The targeting of airports, energy hubs, and military sites fits a familiar pattern. Kipker notes that the timing of these incidents often coincides with political flashpoints, such as debates over frozen Russian assets. While the Kremlin denies responsibility, “the pattern speaks for itself,” he argues.
At the heart of these tactics is the grey-zone approach: weakening societies without crossing the legal threshold of armed conflict. Hybrid threats combine drones, cyberattacks, and disinformation to generate fear, confusion, and uncertainty. “They aim to weaken societies without triggering war,” Kipker explains. Because these actions remain legally ambiguous, attribution is difficult and political responses are often slow or cautious. This grey area is precisely what makes such attacks so powerful.
Cyberattacks on critical infrastructure follow the same logic. Modern aviation systems, for example, depend on complex networks of interconnected technologies and external service providers. This interconnectedness creates efficiency, but it also increases exposure. A single breach can ripple across borders. The ransomware attack on Collins Aerospace’s MUSE system, which disrupted automated check-in, boarding, and baggage drop services at major European airports, made this vulnerability painfully visible. As Kipker puts it: “The biggest threat isn’t the drone itself, it’s the reveal of our vulnerability.”
Europe is still playing a little bit of a catch-up
Dennis-Kenji Kipker
From prevention to resilience
Defending against these attacks is fundamentally harder than carrying them out. Drones are cheap, accessible, and easy to deploy, while effective defenses are expensive, complex, and require coordination across countries and institutions. In cyber conflict, attackers only need to succeed once; defenders must succeed every time. This imbalance gives hybrid actors a structural advantage. Kipker is blunt about Europe’s current position: “Not really,” he says when asked whether Europe is prepared. While initiatives such as the EU’s Cyber Resilience Act and proposals for a European “Drone Wall” show progress, he believes Europe is still “playing a little bit of catch-up” and remains “too naive.”
For Kipker, the solution lies in a strategic shift. For years, cybersecurity policy has focused primarily on prevention, stopping attacks before they happen. But in a world of constant hybrid pressure, that mindset is no longer sufficient. “We must move from prevention to resilience,” he argues. This means enforcing tougher security standards, isolating critical systems, reducing dependency on vulnerable external vendors, and running realistic crisis exercises that assume systems will fail at some point.
Why people still matter
Resilience also has a human dimension. Technology alone cannot guarantee security or stability. Even in an era of artificial intelligence, drones, and automated systems, Kipker insists that people remain central. On the military side, he argues that modern warfare requires what he calls “centaur warfighters”: soldiers who combine human judgment with technological precision. “Technology is only there to augment human intelligence, not to replace it,” he says. Ultimately, “control and stability still come from people.”
Hybrid warfare, whether through cyberattacks or drone incidents, is not primarily about destruction. It is about exposure: revealing weaknesses, testing responses, and slowly eroding confidence in institutions and infrastructure.
As Kipker’s analysis makes clear, the real danger lies not in any single attack, but in what repeated low-level disruptions reveal: how fragile modern, interconnected societies are — and how urgently they need to adapt.
However, it is important to note that the European Union has already introduced several various policies and measures to strengthen cyber resilience. One of the most relevant is ENISA, the EU Agency for Cybersecurity. Founded in 2004, ENISA’s mission is to help achieve a high common level of cybersecurity across Europe. The agency does not defend networks or respond to attacks itself. Instead, its core tasks are to support cooperation between member states and to provide technical advice and assistance. ENISA also organises EU-wide cyber crisis exercises such as Cyber Europe, where experts from public and private sectors and EU institutions simulate major cyber incidents to test, share, and improve crisis management. In addition, ENISA supports the implementation of EU cybersecurity policies and contributes to the development of new ones.
Are SMEs the way to digital autonomy?
But there is also a more fundamental European weakness: dependency. While the European Union has strengthened its cybersecurity rules and coordination in recent years, much of the digital infrastructure on which public services and companies rely remains controlled by non-European actors.
Justin Nogarede – Senior Policy Analyst (Friedrich-Ebert-Stiftung)
Justin Nogarede, Senior Policy Analyst at the Friedrich-Ebert-Stiftung In Brussels, argues that this dependency limits Europe’s room for manoeuvre long before any cyberattack takes place. “Public services across the EU use basically cloud infrastructure from the US: Microsoft, Amazon, Google,” he says. This reliance, he stresses, goes beyond technical convenience. “You don’t just rent a computer; you outsource responsibility. That dependence is unsustainable“, he says.
Sovereignty vs autonomy
This is where digital sovereignty comes into play. According to the World Economic Forum this refers to the ability to have control over your own digital destiny – the data, hardware and software that you rely on and create. However Nogarede is sceptical of definitions that equate sovereignty with full control. “Realistically you cannot have digital sovereignty in a digital Europe, if sovereignty means full control over your technological infrastructure,” he says. Instead, he prefers to speak of autonomy. “We need to be more autonomous. Now we really are not.” According to Nogarede this is becoming especially important because of the Trump re-election and his very overt hostility towards Europe“.
Why Europe struggles to build its own datastack
However when it comes to being more autonomous Europe faces a lot of obstacles. “The EU was not set up to do industrial policy“, says Nogarede. “It‘s lacking trust and a long-term horizon”to invest together in a European technological platform”. In addition he mentions the missing expertise and attractive salaries in the U.S.
Public procurement as leverage
As part of the solution Nogarede finds it necessary to favor strategic industries in Europe over those in other jurisdictions, when it comes to public procurement. Even though this can be defined as protectionism, he argues that the international context has changed and other nations like the U.S. and China do the same thing. “You have to make sure at least parts of public funds for digitalization, go to European suppliers“, he says.
One example for these suppliers can be Small and Medium-sized Enterprises (SMEs). But what does SME stand for?
Tech SMEs are smaller commercial technology companies that build essential digital tools, such as cloud and collaboration platforms. They play a vital role in Europe’s emerging tech industry. Even so, these companies often remain overlooked, while roughly 80% of digital technologies are still imported. That gap is exactly what the European DIGITAL SME Alliance was created to address.
SMEs are often talked about as part of the solution, but for Sebastiano Toffaletti they are the starting point. As CEO of the European DIGITAL SME Alliance, he represents tens of thousands of smaller tech companies across Europe. His role is to bring their voice to the EU policymaking and ensure that “Europe’s digital future is built with SMEs, not around them.”
“Tech SMEs must take the lead in boosting Europe’s tech capacity and strategic independence.”
Henna Virkkunen
EU Tech President Henna Virkkunen agrees with him on that. At the annual DIGITAL SME event, she emphasised that ‘tech SMEs must take the lead in boosting Europe’s tech capacity and strategic independence.’ Put differently, Europe’s digital sovereignty will depend on commercial tech companies taking the lead. In the United States, this model is actively backed by government policy, with major players such as Amazon, Microsoft and Google dominating the cloud infrastructure, but “Europe must strengthen its own digital capabilities now,” Toffaletti says.
Not everyone in the European Parliament supports that strategy. Belgian MEP Marc Botenga warns that replacing US dominance with a European version of Big Tech would miss the point entirely. “We don’t want an EU Amazon,” he says , especially not one that could“play with the private data of your citizens.” That is why Botenga argues for a fundamentally different path: public digital infrastructure. In his view, only a “public, open, transparent” system can guarantee democratic oversight and real sovereignty.
Watch: Full interview with Botenga.
“Digital sovereignty is not a ‘nice to have’, but the foundation of future security. Because in the end, that is where the wars of the future will be fought.“
Marc Botenga
When asked how high digital sovereignty really sits on the EU-agenda, Botenga doesn’t sound positive. Europe should have acted years ago. Even proposals such as a EuroStack, he adds, remain largely theoretical and are not taken seriously enough by either the Commission or Parliament. The result is money spent without clear priorities. For Botenga, that pattern is dangerous. Digital sovereignty is not a “nice to have,” but the foundation of future security. Because “in the end, that is where the wars of the future will be fought.”
