Over the last decade, European cyber policy has successfully matured from a technical niche into a pillar of strategic security. While the European Union has built a sophisticated architecture of resilience through regulatory frameworks like NIS2 and DORA, a critical gap remains in its ability to deter state-linked adversaries.
Current strategy assumes that reducing vulnerability will automatically decrease malicious activity; however, sophisticated state actors often tolerate higher costs if their strategic gains remain high.
In the latest policy brief, GLOBSEC GeoTech Center policy brief, Beyond Resilience: Power, Coercion, and Credibility in European Cyber Strategy, Alexandr Burilkov, argues Europe must convert its dispersed toolkit—including sanctions, regulatory powers, and diplomatic instruments—into a predictable, credible, and cumulative pattern of consequences. Credibility in the cyber domain is not just about possessing capability, but about the consistent and intelligible signaling that these capabilities will be used.
Policy Takeaways
1. Strategic Reorientation
- Integrate Deterrence Theory: Future EU policy should move away from “deterrence-light” postures by explicitly anchoring resilience as a baseline and cost-imposition as a secondary, active pillar.
- Shift from Tools to Doctrine: The priority is not creating new instruments, but developing a clearer doctrine on how to sequence, signal, and repeat the use of existing ones to shape adversary expectations.
2. Operational & Alliance Coherence
- Strengthen EU-NATO Alignment: To prevent adversaries from exploiting the “seams” between civilian and military responses, there must be habitual consultation, shared attribution frameworks, and aligned signaling practices.
- Improve Response Timelines: The signaling value of a response is tied to its speed. The EU must streamline coordination between the Commission, the EEAS, and member states to ensure sanctions and attributions are not “procedurally delayed”.
3. Public-Private Integration
- Formalize Industry Relations: Since the private sector owns and monitors the majority of critical digital infrastructure, they must be integrated into response planning before a crisis occurs through standing consultation formats and secure coordination channels.
- Telemetry Integration: Rapidly integrate private-sector visibility and forensic data into public decision-making to close the gap between incident detection and political response.
4. Political Unity
- Member State Dialogue: Establish structured dialogues regarding proportionality and escalation management to ensure a unified front, as adversaries will look to exploit any fragility in collective consensus.
- Leverage Economic Power: Use the scale of the single market and trade policy as cross-domain levers to impose material costs on malicious actors.