The numbers are impressive. EU member states are on track to spend €381 billion on defence in 2025, up 63% from five years earlier. The Security Action for Europe (SAFE) instrument is unlocking €150 billion in loans for joint procurement. NATO allies agreed in The Hague to push defence spending to 5% of GDP by 2035. Europe, it seems, has finally woken up.
But here's the uncomfortable question that keeps getting buried under the procurement announcements and industrial strategy papers: What good is an €800 billion defence surge if the threats are already inside the house?
The Gap Between Tanks and Terminals
The Centre for European Policy Studies (CEPS) has been sounding this alarm with increasing urgency. In their 2026-27 research priorities, the Brussels-based think tank frames the challenge bluntly: For as long as Donald Trump occupies the White House, the US will remain self-interested, unpredictable and, at times, openly hostile. The EU can no longer assume automatic alignment with Washington.
That's the external picture. But the internal picture is arguably more pressing – and far less resourced.
Consider what's actually happening on European soil right now. According to analysis from the International Centre for Counter-Terrorism and GLOBSEC, there have been more than 150 suspected Russia-linked hybrid incidents across the EU and NATO member states since 2025. In Germany alone, 321 suspected incidents have been recorded, including drone intrusions and disinformation campaigns targeting critical infrastructure. The data shows a fourfold increase in sabotage and vandalism operations compared to the previous year.
This isn't theoretical. On 30 January 2026, the European Commission's own central mobile infrastructure was hit by a cyberattack, potentially compromising staff names and mobile numbers. The Commission contained the incident within nine hours – but the fact that it happened at all illustrates the vulnerability.
The ProtectEU Strategy: Better Late Than Necessary
To its credit, the EU has not been entirely asleep. The ProtectEU strategy, launched in April 2025, represents the most comprehensive internal security framework the EU has ever produced. It takes a whole-of-society approach to security, involving citizens, businesses, researchers, and civil society. It calls for mainstreaming security across all EU legislation and proposes doubling Europol's staff.
The strategy explicitly acknowledges what many policymakers have been reluctant to say out loud: The lines between hybrid threats and open warfare are blurred. Russia has been waging an online and offline hybrid campaign against the EU and its partners, to disrupt and undermine societal cohesion and democratic processes.
But here's where implementation reality collides with strategic ambition.
The Cybersecurity Package: Necessary but Not Sufficient
On 20 January 2026, the European Commission proposed a comprehensive new cybersecurity package aimed at strengthening the EU's resilience. The package includes revisions to the Cybersecurity Act, amendments to the NIS2 Directive (the EU's framework for cybersecurity across critical sectors), and updates to the European Cybersecurity Certification Framework (ECCF).
The key elements are sensible: reinforcing ENISA (the European Union Agency for Cybersecurity), establishing a horizontal framework for trusted ICT supply chain security, introducing mandatory ransomware reporting, and streamlining certification processes. The amendments aim to ease compliance burdens for approximately 28,700 companies, including over 6,000 SMEs.
But the World Economic Forum's Global Cybersecurity Outlook 2026 offers a sobering reality check: 94% of survey respondents identify AI as the most significant driver of change in cybersecurity in the year ahead. The percentage of organizations assessing the security of AI tools before deployment has nearly doubled from 37% in 2025 to 64% in 2026 – but that still leaves more than a third of organizations deploying AI without proper security assessment.
The Hybrid Threat Reality
The Robert Schuman Foundation's analysis identifies a critical blind spot in European strategic thinking: The phenomenon is still rarely addressed from the perspective of internal security policy. The concept of hybrid threats, which originated in defence and foreign policy circles, has forcefully found its way into European internal security policy and had not yet been fully assimilated into the internal sphere.
This matters because the response mechanisms are different. External defence involves procurement, industrial capacity, and military readiness. Internal security involves law enforcement cooperation, intelligence sharing, critical infrastructure protection, and – crucially – the resilience of democratic institutions themselves.
The Council's January 2026 sanctions against six Russian individuals involved in Foreign Information Manipulation and Interference (FIMI) represent a step forward. But as the European Council on Foreign Relations argues, Europe's response has been largely defensive and reactive. The remedies proposed tend to be tame and uncontroversial: more cyber-defence, fact-checking and digital literacy, and strengthening institutions.
The Implementation Gap
Here's where the operational reality gets uncomfortable. The European Commission's General Report for 2025 acknowledges that further work will continue in areas including effective measures to return those with no legal right to stay in the EU, continuous adaptation to the evolving security landscape, and accelerating the implementation of the digitalisation framework to prevent security risks.
That language – "further work will continue" – is the bureaucratic equivalent of "we're not there yet."
The Centre for European Reform's March 2026 analysis on building public support for defence spending identifies a fundamental tension: Europe faces a triple threat: Russia's imperialist ambitions in Europe, China's economic coercion, and US withdrawal from its commitments on European security. But the challenge is that many European countries have high levels of public debt or large government deficits. To make room for defence spending, countries will either need to cut public spending elsewhere or raise taxes, neither of which will be popular among voters.
The risk? When public services have been reduced in the past, it has led to increased support for far-right or populist parties. These parties seek to weaken, rather than strengthen, Europe's security, and accelerate democratic backsliding.
What Actually Needs to Happen
The gap between strategy documents and operational reality is where most security initiatives go to die. For teams actually implementing internal security measures – whether in public sector organizations, critical infrastructure operators, or technology providers – the following questions need clear answers:
Who owns the response when a hybrid attack hits? The current architecture involves ENISA, national CSIRTs (Computer Security Incident Response Teams), Europol, and various national agencies. The coordination mechanisms exist on paper. Whether they work at speed under pressure is another matter.
What's the "good enough" threshold for critical infrastructure protection? The NIS2 Directive establishes requirements, but compliance timelines and enforcement mechanisms vary significantly across member states. Organizations need clarity on what adequate protection actually looks like.
How does the supply chain security framework translate to procurement decisions? The revised Cybersecurity Act introduces provisions to potentially recall and phase out products already deployed in EU infrastructure if suppliers are later deemed high-risk. That's a significant operational risk for organizations that have already made procurement decisions.
Where does AI security fit? The cybersecurity package addresses AI tangentially, but the speed of AI deployment is outpacing the regulatory framework. Organizations deploying AI systems in critical contexts need guidance that doesn't yet exist in binding form.
The Uncomfortable Truth
Europe's defence awakening is real and necessary. The shift in US attitude – with Pentagon officials now explicitly supporting European allies growing their defense industrial base – creates both opportunity and obligation. The €800 billion mobilization is happening.
But security doesn't begin at the border. It begins with the systems that keep hospitals running, the networks that enable democratic participation, the infrastructure that powers daily life, and the information environment that shapes public understanding.
The hybrid threats targeting Europe right now don't require tanks to counter. They require operational resilience, rapid response capabilities, and – perhaps most importantly – the institutional capacity to act faster than the threat evolves.
The strategy documents are in place. The question is whether implementation can keep pace with the threat. Based on current evidence, that's not a bet anyone should feel comfortable making.
The intersection of defence, internal security, and technological resilience is exactly the kind of challenge that requires more than policy papers. It requires practitioners, policymakers, and technologists in the same room, working through the operational details. That conversation is happening at Human x AI Europe in Vienna on May 19 – where Europe's answer to these questions is being built, one implementation at a time.
Frequently Asked Questions
Q: What is the ProtectEU strategy and when was it launched?
A: ProtectEU is the European Union's comprehensive internal security strategy, launched on 1 April 2025. It takes a "whole-of-society approach" to security, involving citizens, businesses, researchers, and civil society, and aims to mainstream security considerations across all EU legislation while strengthening cooperation between Member States and EU agencies.
Q: How much is the EU spending on defence under the ReArm Europe Plan?
A: The ReArm Europe Plan aims to mobilize over €800 billion in defence spending, including €150 billion through the Security Action for Europe (SAFE) loan instrument for joint defence procurement. EU member states were forecast to spend €381 billion on defence in 2025, representing a 63% increase from five years earlier.
Q: What are the main hybrid threats facing Europe in 2026?
A: According to ICCT and GLOBSEC analysis, Europe faces over 150 suspected Russia-linked hybrid incidents, including drone intrusions, infrastructure sabotage, cyberattacks, and large-scale disinformation campaigns. Germany alone recorded 321 suspected incidents, with sabotage and vandalism operations increasing fourfold compared to the previous year.
Q: What does the revised EU Cybersecurity Act 2026 require?
A: The revised Cybersecurity Act, proposed in January 2026, introduces a horizontal framework for trusted ICT supply chain security, mandatory ransomware reporting to national authorities, enhanced ENISA operational capabilities, and streamlined certification processes. It aims to ease compliance burdens for approximately 28,700 companies while strengthening critical infrastructure protection.
Q: How does NIS2 relate to internal security?
A: The NIS2 Directive establishes cybersecurity requirements across 18 critical sectors in the EU, including energy, healthcare, transport, and digital infrastructure. It requires essential and important entities to implement risk management measures, report incidents, and maintain supply chain security. Member States must fully implement NIS2 as part of the broader ProtectEU framework.
Q: What is the NATO defence spending target for 2035?
A: NATO allies agreed at The Hague summit in 2025 to increase defence spending to 5% of GDP by 2035, including 3.5% of GDP on "core defence." Some leaders, including Danish Prime Minister Mette Frederiksen, have argued that reaching 3.5% by 2035 may be too late and the target should be achieved by 2030.