Article page checkbox is not checked in page info.
EU response to hybrid threats
EU response to hybrid threats
Linda Tóthová with Darius Engel, Members' Research Service
Summary
Hybrid threats against the EU have increased significantly in both frequency and sophistication, creating complex challenges for European security, democratic institutions and societal resilience. Malicious state and non-state actors combine political, economic, cyber, information and military tools to exploit vulnerabilities, undermine public trust and destabilise societies, while remaining below the threshold of armed conflict.
The EU and its Member States have gradually transformed their understanding of hybrid threats into concrete policies, operational capabilities and coordinated response mechanisms. The EU approach combines preventive, protective and reactive measures, including intelligence cooperation, protection of critical infrastructure, sanctions regimes, resilience building and strategic communication. Recent incidents involving cyber-attacks, disinformation campaigns and EU airspace violations have further accelerated the development of EU-level instruments designed to detect, deter and respond to these malign activities. As security challenges increasingly overlap across civilian and military domains, the EU and the North Atlantic Treaty Organization (NATO) aim to ensure complementarity between the EU's regulatory and civilian tools and NATO's defence and military capabilities through improving coordination and enhancing situational awareness.
The European Parliament emphasises that hybrid threats, mainly from Russia, China and Belarus, represent an escalating security challenge for the EU, and calls for a comprehensive EU response, stronger EU–NATO coordination, enhanced resilience and civil preparedness, targeted countermeasures, and closer cooperation with partner countries.
Defining hybrid threats
A hybrid threat is a phenomenon resulting from convergence of multiple elements and domains, creating complex and multidimensional risks aimed at undermining a target through means that typically remain below the threshold of armed conflict. In recent years, systemic vulnerabilities in democratic states have drawn attention, as they are increasingly targeted and exploited by hostile actors and regimes.
The concept of hybrid threats gained particular prominence following Russia's 2014 illegal annexation of Crimea, during which Russia combined the deployment of 'little green men' with other non-conventional tactics. Prior to this, particularly in Europe, the concept remained largely confined to academic and strategic debate. The publication of key strategic documents in the 2010s and early 2020s, however, led the EU to develop operational capabilities and dedicated policy instruments. Russia's 2022 invasion of Ukraine further demonstrated that covert operations and conventional military force can be combined within a broader strategy, reinforcing hybrid threats as one of the central features of Euro–Atlantic security policy.
In 2021, the European Commission and the Hybrid Centre of Excellence for Countering Hybrid Threats (Hybrid CoE, see section on EU–NATO cooperation below) developed a conceptual model for analysing hybrid threats to improve early detection and strengthen resilience. The model is structured around four analytical pillars: actors and objectives, referring to state or non-state actors seeking to influence, undermine or harm targeted systems; domains, meaning the environments targeted; tools, regarding the means used; and phases, describing the escalation continuum. The model distinguishes 13 interconnected domains of activity, namely infrastructure, cyber, space, economy, military, culture, society, public administration, legal, intelligence, diplomacy, political and information (see Figure 1). A key feature of the model is its dynamic escalation logic, whereby hybrid actions can evolve or occasionally de-escalate along a spectrum ranging from preparatory influence operations and sustained destabilisation to overt coercion.
Hybrid threat and hybrid warfare
The terms hybrid threats and hybrid warfare are broadly related, yet differ in scope and intensity, particularly in the degree of organisation, escalation and use of force. Hybrid threats describe coordinated but dispersed hostile actions below armed conflict threshold, while hybrid warfare typically involves both conventional military and sustained non-military campaigns involving irregular methods, characteristic of open or near-open hostilities. Most analysts use the terms interchangeably as an umbrella concept to describe ongoing or potential hostile actions, where perpetrators operate in the 'grey zone', and make use of plausible deniability and the increasingly asymmetric nature of modern conflicts.
Hybrid threat landscape in the EU
Since 2014, in particular, the EU has faced hybrid threats targeting its democratic institutions, critical infrastructure and societal cohesion. Russian hybrid attacks in Europe quadrupled between 2022 and 2023, and tripled again between 2023 and 2024. European countries providing sustained political, financial or military support to Ukraine have been particularly exposed. Rather than isolated incidents, these hybrid activities have been described as a pattern of coercive probing designed to test how quickly European actors 'detect and react' to threats, how they employ defences, and how coordinated responses prove under pressure. The following non-exhaustive examples illustrate some of the most significant recent incidents.
Cyber domain
The cyber domain remains a significant theatre of malign activity. Hybrid threat actors use disruptive, espionage and influence-oriented operations to target government networks, critical services and strategic industries while maintaining plausible deniability. These activities frequently seek not only operational disruption but also an erosion of public trust in institutions and crisis-management capacities. Cyber tools are relatively low-cost, scalable and difficult to attribute. Offensive cyber and electronic warfare activities, including GPS jamming, can also be conducted from a state's own territory, third countries or distributed virtual networks, further complicating attribution. Cyber operations increasingly intersect with wider hybrid campaigns targeting the EU. However, not all cyber-attacks form part of hybrid campaigns and, conversely, not all hybrid activities include a cyber component, underscoring that 'hybrid is always a combination of tools but not all combinations are hybrid'.
In July 2022, Iran-linked cyber actors carried out a destructive cyber-attack against Albanian government websites, prompting an EU statement of solidarity and an offer of assistance. In November 2022, the European Parliament's website faced a sophisticated cyber-attack shortly after declaring Russia a state sponsor of terrorism. In March 2023, the French National Assembly's website was disrupted by a distributed denial-of-service (DDoS) attack, in which a target service is deliberately overwhelmed with large volumes of traffic, making it unavailable to legitimate users. The pro-Russian group NoName057 claimed responsibility for the attack, linking it to France's support for Ukraine. According to the European Union Agency for Cybersecurity (ENISA), cyber incidents recorded from July 2024 through June 2025 primarily affected public administration, transport, digital infrastructure and services, and finance and manufacturing, with essential entities accounting for over half of all recorded cases. State-aligned activities against Member States have continued steadily, with cyber-espionage mainly targeting public administration. 'Hacktivism' accounted for the largest share of incidents, driven largely by low-impact DDoS campaigns against public institutions.
Infrastructure domain
Hybrid actors target critical infrastructure through combined cyber and physical means to damage assets, raise operating costs or restrict access to essential resources. The President of the European Commission, Ursula von der Leyen, described critical infrastructure as 'the new frontier of warfare'. Since 2022, interference with Global Navigation Satellite Systems (GNSS) has increased, mainly disrupting aviation and maritime activity. On the day of Russia's invasion of Ukraine, a cyber-attack on the KA-SAT satellite network caused widespread outages across Europe, and was formally attributed to Russia by the EU Member States in May 2022.
Physical sabotage has likewise intensified, particularly against critical undersea infrastructure. Submarine cables – critical for global communications and carrying around 99 % of global data traffic – remain highly vulnerable to both accidental and deliberate disruption, including from anchors and ship activity. 'Shadow fleet' vessels are suspected to facilitate sabotage operations under civilian cover, with some also capable of seabed monitoring and often sailing under flags of convenience. In October 2023, the Balticconnector gas pipeline and several telecommunications cables in the Baltic Sea were damaged. In 2024, it was reported that Cook Islands-flagged tanker Eagle S severed the Estlink 2 cable between Finland and Estonia. That same year, undersea cables between Lithuania and Sweden and between Finland and Germany were disrupted as well.
A series of arson and rail-related attacks have also been reported across Europe. Overall, 152 kinetic incidents attributable to Russia were identified between January 2022 and February 2026. Incidents publicly linked to Russian actors in the years 2024 to 2025 – including an arson attack on an IKEA store in Vilnius, a fire at a Warsaw shopping centre, sabotage of a Polish railway line, and multiple cases involving self-igniting parcels – illustrate a broader pattern of hybrid activity aimed at testing resilience, straining security systems, imposing economic costs, and fostering insecurity across European societies.
Military/defence domain
Compromising a country's military and defence capabilities can be an effective means of exerting influence, applying pressure, or preparing ground for future malign operations. Such activities can also force a response from the targeted state, leading to increased defence expenditure and resource depletion, thereby generating indirect economic pressure. In this way, the threat actor may induce escalation by provoking reaction. A prominent line of effort concerns recent coercive activity in the air and border domains. Since 2022, Member States have recorded missile and drone incursions, repeated airspace violations by Russian military aircraft, and pressure-testing of allied response systems. Examples include a brief entry of a Russian cruise missile into Polish airspace in March 2024, drone incursions into several Member States' airspaces that disrupted civil aviation and prompted NATO's Article 4 consultations, and a Russian MiG-31 fighter jet intrusion into Estonian airspace in September 2025. Most recently, in May 2026, a Russian drone crashed in eastern Romania, fuelling discussions on how to further support the Eastern Flank security. Belarus-linked balloon incursions into Poland and Lithuania have similarly been framed as part of a broader hybrid pressure campaign.
Information domain
The information domain is a further vector of hybrid threats. The fourth European External Action Service (EEAS) report on foreign information manipulation and interference threats (FIMI), published in March 2026, identifies Russia (29 %) and China (6 %) as leading actors conducting coordinated campaigns to distort public debate, undermine trust, and influence democratic processes, while also noting a significant rise in AI-enabled techniques and procedures. Although often perceived as primarily virtual, FIMI is strongly rooted in the physical world through its links to real events, including elections. Major events targeted include the Paris 2024 Olympic and Paralympic Games, the 2024 Romanian presidential elections, and the Moldovan 2024‑2025 electoral cycles. Social media platforms remain the primary dissemination channels, increasingly supported by bot networks, impersonation of trusted media outlets and AI-generated deepfakes. Campaigns such as Ghostwriter and Doppelgänger, widely linked to Russian and Belarusian influence networks, demonstrate how cyber intrusion and disinformation are often mutually reinforcing, combining account compromise, fabricated content and cloned media brands to erode support for Ukraine and weaken confidence in public institutions.
Source: G. Giannopoulos, H. Smith and M. Theocharidou, The landscape of hybrid threats: A conceptual model, European Commission Joint Research Centre (JRC) and Hybrid CoE, 2021; graphic by Samy Chahri, EPRS, 2026.
EU hybrid threat response architecture
The EU has evolved from a primarily resilience-oriented framework to a multidimensional system combining regulatory instruments, intelligence and situational awareness capacities, strategic communication, and increasingly operational response mechanisms. The 2024 Draghi report noted that 'Europe now faces conventional warfare on its Eastern border and hybrid warfare everywhere', while the 2024 Niinistö report conceptualised the EU approach around 'deterrence by denial' (reducing vulnerabilities and strengthening resilience) and 'deterrence by punishment' (imposing costs on perpetrators). Hybrid CoE's recommendations to counter hybrid threats focus on a 'whole-of-government' approach bringing together a broad set of capabilities and institutional perspectives; caution against creating 'mutual dependencies to sustain peace' with large hostile actors; and raise awareness that emphasis on resilience and escalation avoidance may be exploited, calling instead for a balance between resilience building and an 'imposition of costs and the denial of benefits' to threat actors.
Strategic and institutional framework
The foundations of the EU approach were established by the 2016 joint communication by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy/Vice-President of the Commission(HR/VP) on a Joint Framework on countering hybrid threats, which introduced 22 operational measures. Among the most significant was the establishment of the Hybrid Fusion Cell (HFC) within the EEAS's EU Intelligence and Situation Centre. Supported by the Single Intelligence Analysis Capacity (SIAC), the HFC integrates classified and open-source information from Member States and EU institutions to provide early warning and hybrid threat assessments. Other measures included a hybrid risk survey to identify Member State vulnerabilities, proactive strategic communication, diversification of energy sources, resilience of space infrastructure, and capacity building in partner countries. The 2018 joint communication further institutionalised the EU's cross-sectoral approach.
The 2022 Strategic Compass marked a shift towards a more operational posture by calling for a comprehensive EU hybrid toolbox, rapid response capacities, stronger cyber defence and enhanced intelligence sharing. The June 2022 Council conclusions operationalised the hybrid toolbox, linking it to existing instruments, such as the cyber diplomacy toolbox and the integrated political crisis response arrangements; at the same time, they marked a transition from an ad-hoc reaction to coordinated responses to sustained hybrid campaigns (see Figure 2). In May 2024, ahead of the European Parliament elections, the Council adopted conclusions on safeguarding electoral processes, calling for intensified efforts to detect and respond to foreign influence attempts. The same month, the Council approved a practical framework for deploying Hybrid Rapid Response Teams. The most recent (March 2026) Council conclusions on advancing the EU's capacity to counter hybrid threats reaffirmed the EU's intention to use 'all available tools' to prevent, deter and respond to hybrid campaigns, and invited the HR/VP and the Commission to present an actor-specific strategic approach based on intelligence assessments.
Additional strategic guidance comes from broader security and defence initiatives integrating hybrid preparedness. The White Paper for European Defence – Readiness 2030 highlights military mobility, infrastructure and border protection, defence industrial readiness, and resilience against cyber and hybrid attacks. The 2025 preparedness union strategy promotes an 'all-hazard', 'whole-of-society' and 'whole-of-government' approach to crisis preparedness, crisis planning, infrastructure protection, supply chain security and societal continuity during crises. Similarly, the internal security strategy identifies hybrid threats, sabotage and threats to critical infrastructure as key security challenges, recommending stronger intelligence sharing through the SIAC, enhanced law enforcement cooperation, and improved border management.
Cyber resilience and response
A central component of the EU's resilience architecture is based on regulatory and legislative instruments, with the cyber ecosystem representing one of its most advanced areas. The Directive on measures for a high common level of cybersecurity across the Union ('NIS2 Directive'), revising the NIS Directive, significantly expands cybersecurity obligations for critical and essential entities across sectors including energy, transport, health and digital infrastructure, introducing stricter risk management, incident reporting and supply chain security. The Critical Entities Resilience Directive ('CER Directive') complements the NIS2 by strengthening physical resilience requirements for critical infrastructure operators, while the Cyber Resilience Act introduces cybersecurity-by-design obligations for digital products and connected devices. The EU cyber blueprint clarifies roles and coordination among Member States and EU actors during large-scale incidents, drawing on ENISA's analytical and support functions, the CSIRTs Network for operational coordination, and EU CyCLONe for crisis-level incident management.
The EU's 'deterrence by denial', namely reducing vulnerabilities and increasing systemic resilience, is complemented by a growing set of diplomatic instruments. The cyber diplomacy toolbox, adopted in 2017, provides a framework for coordinated responses to malicious cyber activities, while the horizontal cyber sanctions regime (2019) enables restrictive measures against individuals and entities responsible for significant cyber-attacks. As of June 2026, the regime covers 19 individuals and seven entities linked primarily to Russian and Chinese cyber operations.
Information space
The EU has developed a framework against FIMI, disinformation and election interference combining analytical, regulatory and communication tools. The EEAS East StratCom Task Force and its flagship project, EUvsDisinfo, are central to identifying and exposing pro-Kremlin disinformation narratives. They maintain a comprehensive database of disinformation cases, and have debunked over 19 700 entries by mid-2026. Additional regional StratCom Task Forces were established for the Western Balkans, the Middle East and North Africa (MENA) region and sub-Saharan Africa, extending EU monitoring and communication capacities across several regions. The regulatory framework includes the Digital Services Act, which introduces systemic risk mitigation and transparency obligations for very large online platforms, including requirements relating to disinformation and algorithmic accountability, and the European Media Freedom Act. These are complemented by the European Democracy Shield initiative and related European Centre for Democratic Resilience, focused on strengthening information integrity and resilience against foreign interference and election manipulation, including the use of AI-generated content under the wider EU AI regulatory framework. In parallel, the work of the European Digital Media Observatory and its regional hubs aids with fact-checking while also covering several partner countries; the Rapid Alert System (RAS) supports Member State coordination on counter-disinformation response; and the FIMI Information Sharing and Analysis Centre serves to enhance information sharing and cooperation between stakeholders, including civil society.
Critical infrastructure protection
The protection of digital, physical and orbital infrastructure is a core pillar of EU resilience. Alongside the CER Directive, the NIS2 Directive strengthens cybersecurity and risk management requirements for critical entities. In the space domain, the EU Space Programme Regulation and the EU space strategy for security and defence enhance the protection of satellite and orbital assets, increasingly seen as strategic vulnerabilities. At sea, following repeated subsea cable incidents, the Commission adopted the 2025 action plan on cable security to improve monitoring, repair capacity and resilience of submarine infrastructure. In the air domain, EU efforts are embedded in the wider defence-readiness agenda, with the aforementioned White Paper for European Defence/Readiness 2030, the defence readiness roadmap 2030 and the action plan on drone and counter-drone security. Together, they support flagship initiatives such as the European Drone Wall and Eastern Flank Watch, aimed at improving detection, deterrence, and response to aerial threats and hybrid activities while strengthening readiness and capability development. These efforts are reinforced through the permanent structured cooperation (PESCO), which develops capabilities relevant to 'grey-zone' threats, such as the Integrated Multi-Layer Air and Missile Defence System (IMLAMD) against threats posed by low-cost unmanned aerial vehicles, as well as the Cyber Rapid Response Teams and Mutual Assistance in Cyber Security (CRRT).
Diplomatic and restrictive measures
The EU also increasingly relies on diplomatic and coercive instruments for deterrence and response, reflecting a growing emphasis on 'deterrence by punishment' by imposing political and economic costs, reinforcing collective action, and signalling EU unity. In October 2024, the EU introduced a dedicated sanctions regime targeting Russia's destabilising activities against the Union, including sabotage, cyber operations, election interference, attacks against critical infrastructure and the instrumentalisation of migration. The restrictive measures apply to 79 individuals and 20 entities. In response to Belarusian hybrid campaign against the EU, the Council widened the scope of sanctions against Belarus in light of the instrumentalisation of migrants (November 2021) and of airspace violations in Lithuania and other hybrid activities (December 2025).
The EU also uses public attribution through statements by the Council and the HR/VP to identify perpetrators, condemn hostile activities, and demonstrate solidarity with Member States or partner countries. Examples include the July 2025 condemnation of Russia's persistent hybrid campaign, the May 2025 statement expressing solidarity with Czechia, and the July 2021 declaration calling for due diligence regarding malicious cyber activities originating from China's territory.
Source: Compiled by the authors; graphic by Samy Chahri, EPRS, 2026.
Cooperation with partners
Finally, the EU response to hybrid threats is closely linked to cooperation with international partners and organisations. Beyond NATO, the EU engages with the United Nations and G7 on information exchange, situational awareness and promotion of normative frameworks, while cooperation with the African Union and the Association of Southeast Asian Nations (ASEAN) supports cyber capacity building and resilience. In addition, the EU's security and defence partnerships provide bilateral frameworks with like-minded countries covering, to varying degrees, cybersecurity, hybrid threats, infrastructure resilience, maritime security, counter-terrorism and FIMI. In the defence domain, common security and defence policy (CSDP) missions and operations increasingly integrate hybrid-related tasks, as illustrated by the EU Partnership Mission in Moldova, reflecting a shift towards more operational counter-hybrid engagement. The EU also supports other exposed partners, particularly Ukraine and the Western Balkans, through strategic communication, cyber assistance and resilience building.
EU–NATO cooperation
While NATO's 2010 Strategic Concept addressed hybrid threats only indirectly, through references to cyber-attacks, terrorism and electronic warfare, the 2022 Strategic Concept identified hybrid threats – including cyber-attacks, disinformation, economic coercion, instrumentalised migration and manipulation of energy supplies – as a challenge to Allied security. At the 2014 Wales Summit, leaders agreed that cyber-attacks may trigger Article 5 of the North Atlantic Treaty, and since 2016 have recognised that certain hybrid activities may also reach the level of armed attack. In 2025, NATO established the position of Special Coordinator for Hybrid Threats as a high-level focal point for the Alliance's efforts to counter hybrid threats.
The cooperation between the EU and NATO builds on the joint declarations of 2016, 2018 and 2023, which identify hybrid threats as a shared priority and emphasise practical cooperation and information exchange. The 2023 joint declaration, in particular, commits to strengthening cooperation across infrastructure resilience, emerging technologies, and fight against FIMI. Furthermore, 20 of the present 74 joint proposals focus on cooperation in countering hybrid threats. The 10th progress report highlights deepened structured dialogue on resilience and cybersecurity, enhanced staff-to-staff coordination, and improved coherence between EU and NATO's response teams. The report also notes that lessons on resilience and baseline preparedness have informed the EU preparedness union strategy, supporting the idea that EU–NATO collaboration on countering hybrid threats 'should not only take place in the final phases of escalation but also during the priming phases'. In the information domain, the EU's RAS complements NATO's Rapid Response Group. With regard to resilience, an EU–NATO Task Force on resilience of critical infrastructure was established in January 2023, issuing its final report in June 2023 with recommendations on energy security, transport, digital infrastructure and space.
Cooperation also extends to public statements, through which the Council of the EU and the North Atlantic Council (NAC) – NATO's highest political decision-making body – coordinate attribution and expression of solidarity to demonstrate unity and amplify political messaging. Examples include the May 2024 statement on cyber-attacks targeting Germany and Czechia, and the September 2022 solidarity statement on Albania. The EU and NATO have also supported specialised institutions, most notably the Helsinki-based Hybrid CoE, established in 2017, which focuses on research, training, policy coordination and civil-military cooperation. Exercises also form part NATO's counter-hybrid efforts, including EU–NATO Parallel and Coordinated Exercises such as the EU Integrated Resolve 2024 and the NATO Crisis Management Exercise 2025, both of which have featured relevant hybrid scenarios.
EU and NATO's rapid response teams
Both the EU and NATO can deploy expert teams to assist in responding to hybrid campaigns while maintaining primary responsibility at the national level. NATO's Counter Hybrid Support Teams, established in 2018, may be deployed to allied states at their request, and with the NAC's approval, to provide tailored assistance against hybrid activities. Past deployments include Montenegro (2019) and Lithuania (2021). Similarly, the EU's Hybrid Rapid Response Teams (HRRT), created in 2024 as part of the EU hybrid toolbox, provide short-term tailored assistance to Member States, CSDP missions, or partner countries. Deployment is coordinated through the Commission, the EEAS and relevant Council structures. The first countries to benefit from the HRRT support were Moldova (2025) and Armenia (2026). In parallel, the EU's Cyber Rapid Response Teams, established under PESCO in 2018, bring together national experts from participating states to provide operational cyber assistance, including technical and mitigation support during large-scale cyber incidents. Past deployments have included Lithuania (2020), Moldova (2024) and the EU Training Mission in Mozambique (2023).
Effectiveness of the EU's response to hybrid threats
Experts generally agree that the EU has significantly expanded its toolbox against hybrid threats; nevertheless, they question whether current measures are sufficient to deter increasingly sophisticated campaigns. At the analytical level, Hybrid CoE's model does not fully account for multiple actors operating simultaneously across different domains towards a common objective, nor for the cascading effects through which actions in one domain can generate vulnerabilities in others. This may lead to an under-estimation of the complexity and cumulative impact of these campaigns.
At the operational level, a recent European Council on Foreign Relations (ECFR) analysis commends the EU for having acknowledged that 'purely defensive approaches have failed to curb' hybrid activity, and suggests a more proactive strategy centred on defending against attacks, disrupting hostile networks, and imposing costs on perpetrators. Recommendations include consolidating the institutional landscape, particularly for countering FIMI; strengthening cooperation with Ukraine on drone-related capabilities and lessons learnt; and developing the capacity to conduct proportionate cyber and other asymmetric responses against hostile actors. Similarly, EU Institute for Security Studies (EUISS) analysts argue that the EU should adopt a more assertive approach towards hybrid attacks by combining stronger infrastructure protection and early-warning systems with measures capable of imposing costs on perpetrators via attribution, sanctions and other tangible measures. A separate EUISS assessment stresses that the effectiveness of the EU's broader hybrid threat response depends on maintaining credible deterrence against Russia by denying leverage over European societies and infrastructure, punishing hostile actions, and managing escalation risks.
For the ECFR, Gustav Gressel notes that fragmented intelligence structures and uneven Member State capacities hinder preparedness. He recommends expanding Europol's role in counter-intelligence, increasing joint investment in offensive cyber capabilities through PESCO, and improving 'cyber hygiene' standards across governments and societies. From a cyber perspective, the Center for Strategic and International Studies, a United States (US) policy research organisation, contends that the EU's emphasis on norms, resilience and interdependence has not substantially constrained Russian hybrid activity, while continued reliance on US cyber capabilities creates vulnerabilities for both EU and NATO deterrence should US support diminish. According to an EUISS brief examining EU–NATO cooperation, the EU should focus its efforts on areas where it can generate the greatest added value, including societal resilience, preparedness, military mobility, and strengthening of CSDP missions. Looking ahead, experts emphasise the importance of deeper engagement with neighbourhood partners to improve interoperability, trusted information exchange, and collective crisis management.
European Parliament position
The European Parliament has repeatedly highlighted hybrid threats as a key part of the EU threat landscape, and established special committees on the European Democracy Shield (EUDS) and on foreign interference in EU democratic processes, including disinformation (INGE and ING2).
In its January 2026 resolutions on the implementation of the CSDP and CFSP, Parliament stressed that hybrid activities extend beyond cyber and information operations, highlighting the increasing use of hybrid instruments by Russia, China, and Belarus, including cyber-attacks, unmanned aerial vehicle (UAV) and balloon incursions, sabotage, military provocations, smuggling operations, and the instrumentalisation of migration. Parliament particularly highlighted Russia's hostile activities, calling for an EU action plan to counter Russian hybrid warfare across all domains; stronger EU–NATO cooperation; enhanced resilience and civil preparedness; lessons learnt from Ukraine on countering Russia's information operations; and greater support for CSDP missions. In June 2026, Parliament condemned Russia's provocative actions on the eastern flank, recommended integrating counter-unmanned aircraft systems (C-UAS) into joint training and EU civil protection planning, and called for a horizontal EU sanctions framework for hybrid threats.
In February 2026, Parliament adopted a resolution on the EU strategic defence and security partnerships, underlining their importance in responding to security challenges, including cyber and hybrid threats. In December 2025, Parliament denounced Belarusian hybrid attacks in Lithuania, and urged a review of existing strategic and operational frameworks for countering hybrid threats to enhance deterrence, preparedness and rapid response capabilities. In October 2025, following Russia's airspace violations, Parliament condemned Russia's actions as escalatory, and supported a coordinated and proportionate EU response, including measures against airborne threats. It called for sanctions against Russia's shadow fleet due to its possible involvement in critical infrastructure attacks, and stressed that Russia's sabotage and hybrid activities 'amount to state-sponsored terrorism, even if they fall under the threshold of armed attack'. Moreover, Parliament condemned GNSS/GPS jamming in the Baltic and Black Sea regions, and called for reinforced protection of the EU's eastern border, while welcoming initiatives such as European Drone Wall and Eastern Flank Watch. In September 2025, Parliament warned of intensified efforts to destabilise Moldova and undermine its democratic reforms and EU integration, calling for increased support, including for the EU Partnership Mission.
Main references
- European Commission and HR/VP, joint communication on a Joint Framework on countering hybrid threats: a European Union response, 2016.
- Giannopoulos, G., Smith, H. and Theocharidou, M., The landscape of hybrid threats: A conceptual model, European Commission Joint Research Centre (JRC) and Hybrid CoE, 2021.
Classification
Policy areas: Foreign Affairs | Security and Defence
Committees: Foreign Affairs (AFET), Security and Defence (SEDE)
Statement on the use of AI
Any AI-generated content in this text has been reviewed by the authors. ChatGPT@EC was used to improve the readability of the text.
Disclaimer
This document is prepared for, and addressed to, the Members and staff of the European Parliament as background material to assist them in their parliamentary work. The content of the document is the sole responsibility of its author(s) and any opinions expressed herein should not be taken to represent an official position of the Parliament.
Copyright
© European Union.
The reuse of this document is authorised under a Creative Commons Attribution 4.0 International (CC-BY 4.0) licence.
https://creativecommons.org/licenses/by/4.0/deed.en
To use or reproduce elements that are not owned by the European Union, permission may need to be sought directly from the respective rightsholders.