'Some states are building explicit statutory mandates for offensive cyber — the Netherlands published a Defence Cyber Strategy in 2025 that moved from reactive to proactive operations, Germany is drafting legislation to allow its foreign intelligence services to conduct cyber operations abroad and Latvia is also warming up to cyber operations as a deterrent.
'The first point to consider is European states might have different perceptions of threats and expectations regarding the urgency with which these should be dealt with.
'Across the Atlantic, the United States is bold in publicly promoting cyber capabilities as part of its national power but at the same time diminishing investments in CISA and other critical parts of the infrastructure that enable protection and resilience. Europe should take note of this experience.
'The EU's designation of Integrity Technology Group came roughly fourteen months after US OFAC sanctioned the company and eighteen months after the initial Five Eyes advisory. What is more, in the seven years since the EU has adopted the cyber sanctions regime, it has only managed to use it five times.
'The disagreement between von der Leyen and Kallas over establishing an internal intelligence cell to counter Russian hybrid activities is a reminder that EU-level consensus on sensitive capabilities is not guaranteed — and that coalitions of willing states may need to move ahead of it.
'The more productive framing is one of complementarity in which a small number of capable states develop and employ offensive tools, while the broader European architecture – sanctions, attribution, intelligence-sharing, crisis management, and diplomatic cost imposition – is strengthened in ways that every Member State can contribute to. However, this requires ... sustained approach requires coordination'.
https://eucyberdirect.eu/blog/the-risk-of-making-offensive-cyber-the-new-shiny-silver-bullet
