On 16 March 2026, the European Council adopted restrictive measures against Chinese and Iranian companies under the EU’s horizontal cyber sanctions regime. This was the sixth time the EU made use of its cyber sanctions regime since the establishment of such a framework to ‘deter and respond to cyber attacks that constitute an external threat to the EU or its Member sStates’ back in 2019. But more than raising the number of individuals and entities listed in the cyber sanctions regime to 19 and 7 respectively, this round was notable as it was the first time that Chinese companies operating as part of the state-linked offensive cyber ecosystem were named as well as the first time that an Iranian entity, Emennet Pasargad was designated under the regime.
The announcement comes at a time of shaky transatlantic relations, a renewed assessment across Europe on the need to fend for itself, and a pressure to invest more in defence. More importantly, it comes at a time where Europe is warming up to the idea of offensive cyber and strengthening its cyber deterrence. At this year’s Munich Security Conference, European Commission’s Vice President Henna Virkkunen was clear that ‘it’s not enough that we are just defending… We also have to have offensive capacity’. The 2025 White Paper for European Defence had already noted that ‘there is a need to develop together with Member States a voluntary support scheme for offensive cyber capabilities as credible deterrence’. Several Member States are building statutory mandates for offensive operations and the direction of political intent is pointing towards that.
However, political appetite does not constitute strategy. While cyber capabilities to conduct and sustain cyber campaigns might be attractive in writing, we need to have a clear sense of the pros and cons of the current public nod towards offensive cyber in Europe in order to avoid it becoming a shiny new silver bullet. The point here is not a concern with some European states saying they will develop–or make more visible–offensive cyber capabilities, but whether Europe’s deterrence posture is best served by a collective push towards such operations and campaigns or by a collective push towards complementarity. This commentary argues for the latter. Even though it seems there is a political momentum (at least in discourse) for more offensive leaning capabilities, states should play with their strengths and understand what they each can bring to the table in making it harder for adversaries to operate rather than pursuing the lure of offensive cyber as the latest ‘shiny’ deterrence object on the table.
Appetite and Drivers
The current enthusiasm for offensive cyber in Europe does not emerge in a vacuum and there are at least three dynamics underpinning it. First, the growing transatlantic uncertainty is the background against which Europe and its Member States have been rethinking interdependencies in areas such as national defence and security. While not exclusive to cyber, such dynamics do play a part in European rethinking not only in terms of defence spending linked to enhancing offensive capabilities but of what are the sharpest tools in the deterrence toolbox to impose costs and/or disrupt, slow or degrade malicious cyber activity. This also plays out in a background against which the Defense Secretary Pete Hegseth reportedly ordered US Cyber Command to stand down from planning offensive cyber operations against Russia in February 2025. Even though this move might be reflective of this administration’s foreign policy, it landed quite poorly in Europe – in a context where NATO’s Secretary General, Mark Rutte, stated that ‘Russia will remain the most significant and direct threat to our security’.
Second, and paradoxically so – but such is the state of politics at present – despite the transatlantic challenges, Europe and Allies still carefully observe US posture in this area. US military operations such as Operation Absolute Resolve to remove President Maduro from Caracas or the early days of Operation Epic Fury against Iran have modelled more public communications concerning the use of cyber capabilities in a crisis and conflict. Even though public avowal of cyber operations has been overall scarce, the current Trump administration has been approaching this differently albeit with some degree of secrecy. Moreover, such public communication gives European states food for thought on how to balance secrecy and public communications to signal the strategic relevance of cyber capabilities in contexts ranging from competition, crisis and conflict.
Third, national appetite from some European states have already been translating into action, be it narratively, institutionally and/or politically. Some states are building explicit statutory mandates for offensive cyber — the Netherlands published a Defence Cyber Strategy in 2025 that moved from reactive to proactive operations, Germany is drafting legislation to allow its foreign intelligence services to conduct cyber operations abroad and Latvia is also warming up to cyber operations as a deterrent.
Offensive Cyber is Not a Silver Bullet
However, one thing is saying and the other is doing. Some European states have been taking steps to adjust their domestic governance to enable offensive cyber capabilities to be deployed – but that is not the case for all EU Member States. There are considerable challenges and consequences to a collective expectation of offensive cyber in Europe (if it grows) – all of which need to be considered in order to ensure that collective deterrence can be enabled rather than hindered by a valid yet more-complex-than-it-seems appetite.
The first point to consider is European states might have different perceptions of threats and expectations regarding the urgency with which these should be dealt with. It is understandable, given proximity and history of cyber attacks, that countries in Eastern Europe are more directly and pressingly concerned with Russian state-sponsored cyber campaigns. Meanwhile, tackling Chinese cyber threats is often politically more contentious. Spain has consistently raised eyebrows after having awarded Huawei with a 12 million euros contract to manage the storage of judicial wiretaps, despite the European Union considering the company a high-risk supplier and, most recently moving forward with the proposal of a new Cybersecurity Act to create a legal pathway to remove them from critical sectors.
The second challenge in making offensive cyber a silver bullet to enable the next phase of European cyber deterrence is that it fails to acknowledge the varying levels of maturity and capacity across Europe. Developing and sustaining offensive cyber capabilities requires not only technical talent but also persistent access, intelligence infrastructure, targeting expertise, and the institutional arrangements to coordinate across agencies. These are capabilities that even well-resourced states struggle to scale. The spectrum of capacity across Europe is wide – from smaller states with limited resources to middle powers like Czechia that have developed considerable capabilities but still operate at a different scale from France, the Netherlands or Germany.
This matters because offensive capability without commensurate investment in defence and resilience creates a deterrence posture that is structurally brittle.It does not matter if a state has offensive cyber capabilities if its resilience and investment in defence are not strong enough to withstand the consequences of their use. Across the Atlantic, the United States is bold in publicly promoting cyber capabilities as part of its national power but at the same time diminishing investments in CISA and other critical parts of the infrastructure that enable protection and resilience. Europe should take note of this experience.The temptation to invest in the topic du jour, the ‘offensive’, at the expense of the unglamorous work of resilience is a failing deterrence strategy. European states pursuing offensive mandates without raising the bar of their own domestic cyber resilience risk that structural brittleness.
Building a Structure of Complementarity and Coordination across the Europe
But not all is lost. Credible, consistent and sharper deterrence tools are indeed needed. The strength of Europe lies in how well it leverages complementarity not leveling the playing field.
What does this mean in practice?
First, The EU’s cyber diplomacy toolbox and the subsequent cyber sanctions regime needs to be more purposefully leveraged. This round was notable as it illustrates both ambition and limitations. Ambition as it was the first time Chinese companies operating as part of the state-linked offensive cyber ecosystem were targeted — Integrity Technology Group (tied to Flax Typhoon) and Anxun Information Technology (i-SOON) — as well as the first time an Iranian entity was designated under such regime. But frequency of sanctions does not necessarily change behaviour on its own and the timeline of cyber sanctions reveal some limitations. The EU's designation of Integrity Technology Group came roughly fourteen months after US OFAC sanctioned the company and eighteen months after the initial Five Eyes advisory. What is more, in the seven years since the EU has adopted the cyber sanctions regime, it has only managed to use it five times.
The question is not whether the EU should impose costs – it should – but whether a fourteen-month lag is consistent with a deterrence logic, or whether it serves a different function: building coalition legitimacy, achieving political consensus among twenty-seven Member States, or simply reflecting the bureaucratic tempo of multilateral action. It may be both. But in a context where adversaries do not need to coordinate among twenty-seven Member States before acting, when sanctions do come through they should arrive within a shorter temporal alignment of successive, compounding campaigns.
Second, building the base for intelligence partnerships beyond the Five-Eyes. The Netherlands has reportedly indicated an interest to push towards an European equivalent of the Five Eyes intellignece partnership. Rather than seeing this as mutually exclusive, the context of growing reluctance between some European states in engaging with the US also creates an opportunity for new alliances and collaborations–and that is the case of the Dutch proposal which would look at other states such as the UK, Poland, France, Germany and Nordic countries. This is critical and could be an opportunity to start setting the trust and foundation needed to further enhance joint attributions and counter-cyber operations at a new level of visibility. Meanwhile, not all coordination among European states needs to go through the EU – and could be further enhanced by intra-European coalitions – as we have seen with the back-and-forth between European Commission President Ursula von der Leyen and High Representative Kaja Kallas over the establishment of an internal cell to collect intelligence across Europe to support responses to hybrid activities from Russia.
Third, European states need to identify their complementarities and use existing platforms to coordinate action rather than race for a level playing field. Not all states across Europe have offensive cyber capabilities and that does not make them weaker or less capable. The UK, France, Netherlands and others might be best positioned to contribute to the sharper end of the spectrum of deterrence: cost imposition through punishment. However, there is a range of well-equipped states that have increasingly become more comfortable with joining or leading public attributions, conducting incident response, publishing technical advisories or hardening the security of their critical infrastructures. The risk at present for government representatives in Europe is that of seeing offensive cyber as a silver bullet and legitimising a focus on imposing costs when some states have not yet raised the bar of their own domestic cyber resilience.
The more productive framing is one of complementarity in which a small number of capable states develop and employ offensive tools, while the broader European architecture – sanctions, attribution, intelligence-sharing, crisis management, and diplomatic cost imposition – is strengthened in ways that every Member State can contribute to. However, this requires a crucial exercise from capitals across Europe: to understand what tools they are more comfortable with (i.e. attributions, economic measures, diplomatic measures, among others) and how they can support a sustained approach. That sustained approach requires coordination.
Fourth, EU and NATO complementarity has long been a challenging and sensitive area - as some states are more inclined to one over the other. The EU's cyber diplomacy toolbox and NATO's cyber defence posture operate in overlapping but distinct registers. The EU can impose economic costs – asset freezes, travel bans, market-access restrictions – and could do more. NATO's Sovereign Cyber Effects Provided Voluntarily by Allies framework and among other elements (NATO Integrated Cyber Defence Centre, 2021 Comprehensive Cyber Defence Policy) and its classified equivalent of the cyber diplomacy toolbox for the Alliance offers a coordination mechanism on cyber deterrence. Complementarity between the two institutional architectures remains more aspirational than operational, and the division of labour on attribution, cost imposition and defensive response is still largely ad hoc.
