Awake But Groggy: Europe’s Shadow Warfare Guardians

The EU is doing well in some areas but as attacks rise, much more continent-wide cooperation is needed.

Prime Minister Tusk confirmed the incident on Warsaw–Lublin railway line was an act of sabotage. Source: Donald Tusk / X/ Press materials

The purpose of shadow warfare attacks on European countries by Russia and its proxies is multifaceted: to test the vulnerability of critical infrastructure, to destabilize societies and governments, and to provoke reactions that undermine national and European unity and institutions, including the free press and open public debate.  

The scale of disruption caused by attacks ranges from small to very significant, and now spans all of Europe — from the hacktivist attack on the Millenium Bank in Portugal (2022) to the disruption of undersea cables in the Baltic Sea (2023-2024), and — possibly as a result of state action  — the huge £1.9bn ($2.5bn) September’s cyber-attack on Jaguar Land Rover, said to be Britain’s worst-ever. 

So, how is the European Union (EU) responding to the threat?  

As Mark Leonard of the European Council of Foreign Relations has aptly put it, the world has entered the Age of Unpeace. Peacetime assumptions no longer hold, especially for the systems that support everyday life, such as electric grids and water supply systems. For Europe, the illusion of security crumbled the day Russia began its full-scale invasion of Ukraine. While Europe is no longer living in denial of this new reality, it is still figuring out its response to it. 

So far, the EU’s record in terms of actual European policy response to hybrid threats is uneven. 

Cybersecurity: Probably the most positive example is the EU cybersecurity policy, with strong standards set by the NIS2 Directive and additional, though optional, measures in the Cyber Solidarity Act. The bloc has an agency to oversee this, ENISA, but even here, it is not always easy for it to reconcile prompt action at the EU level with the national sovereignty of member states. It is likewise difficult to exercise a technical mandate in a very rapidly evolving political landscape. However, ENISA and a number of national cybersecurity agencies are developing well and keeping abreast of the many threats. 

Sabotage: Once a feature of wartime, sabotage is now a regular feature of the continent’s new everyday reality. That was brought home again on November 15 when unknown saboteurs attacked a train line in Poland. The incident followed numerous hostile attacks this year, many attributed to Russia. In this area, the EU also has policies to protect itself, notably the Critical Entities Directive, but member states have not yet fully adopted it.  

It’s also the case that most work is done by national bodies such as security agencies, which cooperate and coordinate at times, but make most decisions on their own or in coordination with national decision-makers. The Commission is now working to establish its own in-house intelligence cell, it is reported, to complement the work of the existing Intelligence and Situation Centre within the European External Action Service. This is the area where getting a full picture of what is happening in real time at the European level is difficult. 

The Ninisto Report, presented in 2024 by the former Finnish President Saule Ninisto and containing many useful recommendations on EU security policy, advocated a European anti-sabotage network to support member states in preventing and responding to sabotage, building on existing EU-level cooperation like the Critical Entities Resilience Group and the Hybrid Fusion Cell. Such a network has not yet been established. 

Cognitive warfare and election interference: This is conceptualized in EU policy as fighting foreign information manipulation and influence, or FIMI.  

This area also has some emerging European architecture, but it is less comprehensive. Response mechanisms are slower and wholly dependent on political decisions. Much like cyber incident response, the framework includes rapid alerts during significant disinformation campaigns, but activation requires individual assessment by member states or EU institutions rather than automatic triggers. This is too slow for today’s threat environment. 

The European Commission’s new initiative, the European Democracy Shield, proposes “a new European Centre for Democratic Resilience to bring together EU and member states’ expertise and resources to increase our collective capacity to anticipate, detect and respond to threats and build democratic resilience.” According to the Commission, the center’s aim will be “to improve situational awareness and the capacity to anticipate and detect threats, develop a robust and coordinated early warning system and support rapid response capacity”.   

This is a welcome development, but so far, there is no ambition to widen the mandate to include other threats beyond the information domain (that is, FIMI and election interference). In other words, if and when it is establishe,d the center will likely improve coordination and response in the domain of information threats, but this structure will continue to be separated from the units dealing with cyber threats and sabotage.  

While the Hybrid Fusion Cell, an entity within the European External Action Service, may sound like it is dedicated to collecting data about attacks in various key domains, this does not happen in real time, and does not imply a data-driven operational response. As one expert puts it: “Member states like to be in the driving seat.”  

The fact that some EU countries have shown themselves, time and again, to be less than trustworthy when it comes to putting EU interests ahead of short-term gains from cooperation with Russia does not contribute to an atmosphere of trust and sharing. 

Such “siloed” European and national responses to shadow war threats have been confirmed in interviews this author has conducted with a number of experts across Europe. The reason is predictable – protecting institutional and national turf, and the absence of a political mandate (primarily from member states) for daily operational coordination to be carried out at the European level.  

In many cases, if a cyber-attack on a critical infrastructure company is combined with a FIMI campaign against the same company on social media, these two levels of attack will be addressed by different entities at the national and European levels. 

Our enemies, however, are unencumbered by national borders.  

This should change. Europe must have a more comprehensive common security policy and better-organized operational defenses to counter shadow warfare. Strengthened data sharing and operational coordination can be agreed between discrete groups of member states (possibly including non-EU European countries, like Norway and the UK, which face the same attacks).  

Such an opt-in/opt-out approach may be inevitable since any such proposal is sure to be used as a bogeyman by nationalist-populist leaders in some EU governments.  

But those member states that have considerable resources in relevant areas, and those that have very high stakes in not losing the hybrid war to Russia, can and should work together. As events are making clear, the first shots in the shadow war have already been fired. 

By Marija Golubeva. Marija Golubeva is a Distinguished Fellow with the Democratic Resilience Program at the Center for European Policy Analysis (CEPA.) She was a Member of the Latvian Parliament (2018-2022) and was Minister of the Interior from 2021-2022. She is the founder of crisis exercise startup Meleys and a Henrik Enderlein Fellow at the Centre for International Security, Hertie School (Berlin).  Article first time published on CEPA web page. Prepared for publication by volunteers from the Res Publica - The Center for Civil Resistance.