Cyber Security

On strengthening cyber offensive capabilities, EU member states cannot wait after Brussels

Published

4 days ago

May 9, 2025

European cyber defences are weak and vulnerable. In this age of geopolitical tensions, our continent’s computer systems are sitting ducks for hackers and hostile nations. We must protect ourselves better, writes Antonia-Laura Pup.

While the bloc made progress in strengthening some cyber defence infrastructure, including through its recent Cyber Resilience Act, the EU continues to lag behind Russia, China, and the United States in developing robust offensive cyber capabilities. This is an easy problem to fix. It just means loosening the rules so that EU member states can work together more easily. Europe needs interoperability and more joint exercises between countries which already possess this capability and have a shared threat assessment.

The nature of the cyber conflict makes the distinction between peacetime and wartime obsolete. State actors with opaque strategic agendas like Russia and China, as well as non-state actors like criminal groups and hacktivists may challenge critical infrastructure, collect valuable intelligence, and launch disruptive attacks while remaining below the threshold of armed conflict. That means Europe must judge its response carefully.

Prior to the presidential vote in 2024, 85,000 cyber attacks hit Romania’s election systems. This prompted the Romanian intelligence community to publicly affirm national election websites were published on Russian cyber crime platforms hours before citizens went to the polls. In 2024, Chinese hackers linked with national intelligence agency MSS targeted anti-China European lawmakers through cyberattacks to gather sensitive data.

In the grey zone of the cyber domain, the defensive and passive posture the EU has adopted is insufficient. Without robust cyber capabilities, the EU cannot threaten retaliation, which is an essential component of deterrence and a key element for the bloc’s credibility in its attempt to become more relevant militarily.

The European Commission recognised this urgency in its White Paper for European Defence, published in March 2025, which injected some much-needed pragmatism into the EU cyber domain. “Both defensive and offensive cyber capabilities are needed to ensure the protection and freedom of manoeuvre in cyberspace,” it said.

European security, however, cannot wait for the development of new support schemes or common cyber offensive capability across the bloc. The issue is more fundamental. There is even a lack of common understanding of what constitutes a cyber risk. For Hungary, which has developed a significant digital transformation partnership with Huawei, it is much less likely that their political leaders would agree China is a cyber risk.

Similarly, the Slovak government, led by Russia-sympathiser Fico, could prove an obstacle to EU efforts to conduct offensive operations against Moscow. These two countries alone could easily veto an initiative for developing a joint cyber offensive capability as part of the European Common Security and Defence Policy, which needs unanimity for its policy decisions. Without a shared perspective on what a security threat is, attempting EU-wide efforts for joint offensive capabilities in cyber would become a hollow project before it even starts.

There is no time to waste with this politicking. Member states should not wait for an EU-wide joint offensive capability in cyber. They should start now, through more voluntary joint exercises among European allies and more interoperability, including EU candidate states with experience in conducting offensive cyber operations, like Ukraine.

For instance, they could look into PESCO (Permanent Structured Cooperation). Established in December 2017 at the EU level, it is a framework which allows willing and able EU members to work more closely in security and defence, without requiring unanimous agreement from other member states. As a voluntary platform, it allows member states to develop common defence capabilities, invest in joint projects, and enhance operational readiness by working more closely together.

Cyber initiatives are already underway under PESCO.The Cyber Rapid Response Teams (CRRT) became the first such project to reach full operational capability in May 2021. This project pools 8-12 cybersecurity professionals from the six participating EU countries (Croatia, Estonia, Lithuania, the Netherlands, Poland, and Romania) to provide assistance in the event of cyber incidents around EU members, institutions, and partner countries. EU candidate countries with experience in fighting cyber operations could also join and expand this PESCO project. This wider alliance can then expand their focus to include joint offensive cyber exercises.

PESCO is ripe for expansion. Member states should consider broadening it by allowing EU accession countries to pool in, but also by extending the scope of its cyber focus to include offensive capabilities and joint cyber offensive exercises.

Interoperability must also be a priority. In this case, Information Sharing and Analysis Centres (ISAC) are intended to foster collaboration between cybersecurity communities in different economic sectors. Developing ISACs for cyber offensive capabilities would allow for multi-stakeholder consultations and identifying the support businesses need, including by reducing red tape for start-ups which may want to be involved in developing offensive cyber capabilities for the EU.

The EU must bolster its cyber offensive capabilities in a more agile way, through more joint exercises, more interoperability through information sharing, and less red tape for economic actors who want to shoulder this effort. However, waiting for political consensus and shared maturity to emerge at the bloc-level is counter-productive and would leave the European Union even further behind state actors which are already using the cyber offensive with great skill. With pragmatism, the EU needs to go further in developing its offensive cyber capacity, even if only by bringing together those who are already raring to go.

Antonia-Laura Pup is a policy fellow with Young Voices Europe. She is a Fulbright Student in Security Studies at Georgetown University, where she is researching China’s influence in the Black Sea region. Originally from Romania, she formerly advised the chairman of the Defence Committee in the Romanian parliament. She also formerly worked at the OECD and European Parliament.

Share this article: