In the spring of 2024, Czech and German police arrested suspects in what security officials widely assessed as a Russia-linked network of arson and sabotage spanning at least six EU member states. The operatives were recruited online, paid in cryptocurrency, and tasked with firebombing warehouses and surveilling military logistics. Few had intelligence training. All were disposable—designed to be caught without connecting the chain to Moscow in a courtroom.
The arrests made headlines for a day. The EU has a hybrid sanctions regime and a hybrid toolbox on paper, but neither produced a coordinated attribution or visible consequences in this case. The operatives were charged under national criminal codes in separate jurisdictions. The campaign did not stop. Through 2025 and into 2026, European security services have continued to report sabotage attempts, cyber intrusions, and covert operations linked to hostile states.
This pattern—provocation, ambiguity, fragmented response, inadequate consequences—is Europe’s defining security vulnerability in 2026. The problem is not recognition but governance: attribution takes too long, prosecution fractures across 27 legal systems, and consequences arrive too late to deter. Hybrid aggression is a law enforcement and resilience problem first—police, prosecutors, and regulators—and only occasionally a defense one.
A coordinated campaign meets a fragmented response.
Hostile actors, primarily Russia, according to multiple European intelligence assessments, are waging a sustained below-threshold campaign: infrastructure sabotage, weaponization of migration, cyber intrusions, GPS jamming, and persistent information manipulation designed to erode institutional trust.
The logic is deliberate. Each act sits below the threshold that would trigger NATO’s Article 5, with deniability built in. Adversaries treat this as a single integrated effort. Europe responds incident by incident, country by country.
Information manipulation compounds every other vector. Disinformation surges timed to elections or crises are integral to the hybrid campaign, conditioning societies for the next provocation. The EEAS tracks foreign information interference with growing sophistication, but rapid public communication—stating what happened, who is responsible, and what follows—remains too slow. Every day of official silence is a day adversaries set the terms.
Submarine cables are not just critical infrastructure. They are Single Market infrastructure. Over 95 percent of intercontinental data travels through them, and the digital backbone of European finance and cloud services depends on them. A severed cable in the Baltic cascades across borders: payment systems, cloud services, and energy trading.
The EU’s Action Plan on Cable Security acknowledged this vulnerability, but without binding obligations and pre-contracted repair capacity, it remains aspiration, not policy. Recent Baltic incidents showed what rehearsed national protocols can achieve—no union-wide equivalent exists.
The tools exist—execution doesn’t.
Brussels is not starting from zero. The EU hybrid threats framework includes the Hybrid Fusion Cell, the Hybrid Toolbox, a dedicated sanctions regime, and Council–Commission–EEAS coordination. Joint Investigation Teams via Eurojust and the Integrated Political Crisis Response arrangement offer cross-border pathways and have produced individual prosecutions.
But these successes remain tactical and inconsistent, not strategically deterrent at the EU level. The Hybrid Centre of Excellence produces serious analytical work. NATO has sharpened its hybrid posture, and EU–NATO cooperation has had a formal basis since 2016.
The gap is not in documents. It is in execution—speed, integration, and the political will to impose costs. When arson is linked to a foreign intelligence service, which prosecutor acts across borders? When attribution is ready, who decides to go public? Today, the answers depend on which member state is affected and whether consensus holds on a given Tuesday. That is not a system. It is improvisation.
Three operational upgrades could change this before the next incident.
First, a standing hybrid incident cell. Not another consultative body, but an operational unit linking the EEAS Hybrid Fusion Cell, Europol, Eurojust, and the EU Intelligence and Situation Centre, with a direct line to NATO. It activates within hours to coordinate intelligence-sharing, forensic support, and public communication.
Second, an EU attribution playbook with a rapid communication protocol. Pre-agreed evidentiary standards, communication templates, and a political track allow the High Representative to issue a preliminary statement within 48 hours. Fill the narrative vacuum before adversaries do.
Third, mandatory resilience baselines for critical infrastructure operators. The cable action plan must become binding: continuous monitoring, redundancy obligations, pre-contracted repair vessels, and mandatory incident reporting. Maritime surveillance cooperation should become routine, not exceptional.
Underpinning all three is a credible deterrence ladder. A pre-agreed menu of consequences scaling with severity and pattern of behavior: from criminal prosecution and persona non grata declarations, through targeted sanctions and asset freezes, to sector-specific economic measures and enhanced maritime protection. Not automatic but predictable enough that adversaries calculate costs before acting, and transparent enough that European publics see their governments responding, not absorbing.
Hybrid threats are ultimately an attack on the compact between citizens and the state: we will protect you, and we will hold aggressors accountable. Every unanswered sabotage plot, every slow-walked attribution erodes that compact—and with it, the democratic legitimacy on which European security rests. Europe does not need to escalate. It needs to respond credibly, lawfully, and fast. The adversaries waging this campaign below the threshold are betting that democracies are too fragmented and too cautious to act. It is time to prove them wrong.
