For most of its history, the EU approached cybersecurity as a regulatory and defensive challenge. NIS2, the Cyber Resilience Act, baseline hygiene.
That era is shifting.
At the Munich Cyber Security Conference in February 2026, the EU’s Executive Vice President for Tech Sovereignty Henna Virkkunen said it plainly: “It’s not enough that we are just defending… We also have to have offensive capacity.”
Why now?
The timing is not accidental.
The Munich Security Index 2026 ranked cyberattacks as the top perceived risk among G7 countries, ahead of economic crisis and conventional military threats.
Across Europe, the threat environment has changed in ways that defensive frameworks alone cannot address:
Russia’s hybrid campaigns, blending cyberattacks, sabotage, disinformation, and political interference, have escalated steadily since 2023.
China, meanwhile, has focused on pre-positioning and espionage across European networks. The pattern is quieter, more patient, aimed at mapping European systems and harvesting sensitive information relevant to NATO and EU decision-making.
The cumulative effect is a security environment in which adversaries operate continuously below the threshold of armed conflict, probing and degrading systems while avoiding triggers for a conventional military response.
As NATO Deputy Secretary General Radmila Shekerinska framed it: “This is dangerous, and this is the world we live in.”
The Deterrence Gap:
The core argument for offensive cyber capabilities is rooted in deterrence theory.
If adversaries face no meaningful consequences for their operations, the incentive structure favors continued and escalating attacks.
Shekerinska stated that NATO’s objective should be “to take action and to be able to strike back,” with the goal of changing adversaries’ risk calculus “to make it more expensive, to make it riskier for them to act.”
The logic: Resilience without deterrence becomes endurance.
What Comes Next?
The EU does not have a unified offensive cyber command, and its member states retain sovereign authority over their intelligence and military cyber operations.
But the institutional signals from Munich 2026 point toward a shift in how the EU frames the problem.
Cybersecurity is no longer viewed as a regulatory or defensive issue.
It is now being discussed as part of an offensive posture aimed at achieving strategic deterrence by proactive actions when necessary.
