Estonia’s approach to cybersecurity is shaped by direct experience.
The 2007 cyberattacks on Estonian government, banking, and media websites — widely attributed to Russian actors — were among the first large-scale, politically motivated cyber operations against a nation-state.
That event catalyzed not just Estonia’s own cyber posture but much of NATO’s institutional thinking about cyber defense.
Nearly two decades later, Estonia is again at the forefront, this time pushing the conversation beyond defense toward offensive capability.
At the Munich Cyber Security Conference in February 2026, Estonia’s foreign intelligence service (EFIS) chief, Kaupo Rosin, made one of the most explicit calls yet for European offensive cyber capabilities.
“My call to the European industry is not only to think about cyber defense technology, but start to think about cyber offensive solutions too. The tools currently available to the services are mostly non-European solutions.”
This wasn’t just rhetoric.
This is a significant statement for several reasons.
– First, it acknowledges that European intelligence services are already conducting or planning operations that require offensive tools.
– Second, it reveals a strategic vulnerability: dependency on non-European suppliers for these capabilities.
– Third, it frames the problem as both an industrial and a security challenge, calling for investment and coordination rather than simply more procurement.
In November 2025, NATO’s CCDCOE in Tallinn ran the Crossed Swords exercise, which explicitly trained in full-spectrum offensive cyber operations.
CCDCOE director Tõnis Saar said: “In cyberspace, we need to adopt a wartime mentality, including strong offensive cyber capabilities.”
That language of “wartime mentality” reflects Estonia’s assessment of the current threat environment. It is not a hypothetical framing.
Estonia’s intelligence services have been tracking the escalation of Russian hybrid operations since well before the full-scale invasion of Ukraine in 2022, and the country has consistently warned that the threat extends beyond Ukraine to the broader Euro-Atlantic space.
Estonia’s argument isn’t that every European country should become a cyber power on its own.
It’s that Europe collectively needs the industrial base, legal frameworks, and partnerships to support offensive cyber capabilities, and that dependence on non-European tools is a strategic risk.
