Key Takeaways
- The EU and its enlargement partners share a highly interconnected digital environment, making them vulnerable to the same state‑and non‑state cyber threats.
- Recent data show a sharp rise in cyber incidents – thousands of attacks per year targeting public administration, transport, and digital infrastructure, with a growing ideological motivation.
- Current pre‑accession policies focus on regulatory compliance (e.g., NIS2 transposition) but fall short on building operational resilience, information‑sharing, and crisis‑response capacities.
- Persistent shortages of skilled cybersecurity professionals, fragmented governance, and reliance on non‑European technology providers undermine collective defence.
- Strengthening resilience before accession requires political, societal, and industrial measures: clear mandates, interoperable procedures, expanded training and awareness, joint exercises, and efforts to reduce strategic dependencies on foreign ICT suppliers.
- Existing platforms such as the Western Balkans Cyber Capacity Centre (WB3C), the EU‑Ukraine Cyber Dialogue, and the EU Cybersecurity Reserve offer models for deeper cooperation that should be scaled and institutionalised.
Shared Threat Landscape Across the EU and Its Neighbourhood
The EU’s enlargement partners are increasingly woven into the same digital fabric as Member States through cross‑border infrastructure, shared service providers, and common information spaces. This interdependence means that a cyber operation aimed at one country can quickly spill over to others, as illustrated by the Russian Viasat attack on the KA‑SAT satellite network, which disrupted Ukrainian communications while also affecting broadband users across Europe. State actors such as China, Russia, Iran, and North Korea, alongside various non‑state groups, employ sophisticated campaigns—including Volt Typhoon, NotPetya, Homeland Justice, WannaCry, and Andariel—to target government services, critical infrastructure, electoral processes, supply chains, and the broader information environment. The result is a systemic threat capable of undermining essential services, eroding democratic legitimacy, and destabilising societies.
Statistical Overview of Recent Cyber Incidents
Data from the EU Cybersecurity Agency (ENISA) reveal the scale and intensity of the challenge. Between July 2024 and June 2025, ENISA logged 4,875 cybersecurity incidents, with a noticeable rise in the use of artificial intelligence for malicious purposes and an uptick in attacks on strategic points of digital supply chains. Public administration alone accounted for more than one‑third of these incidents, while transport, digital infrastructure, and services remained high‑value targets. Ideologically motivated operations dominated the landscape, comprising roughly 80 % of reported attacks, far outpacing financially driven (13 %) and cyber‑espionage (7 %) motives. In the enlargement neighbourhood, Ukraine experienced over 5,900 cyberattacks in 2025—a 37 % increase from 2023—averaging about 16 per day. Moldova faced more than 1,000 attacks in the first half of 2025, many linked to Russian‑affiliated groups. Electoral processes proved especially vulnerable: large‑scale DDoS spikes surrounded the 2024 presidential and 2025 parliamentary elections, with the 2025 vote generating over 16 million malicious connection attempts against electoral and government systems, prompting the temporary blocking of 4,000 websites.
Limitations of a Compliance‑Driven Pre‑Accession Approach
The EU’s current enlargement strategy treats cybersecurity largely as a matter of regulatory alignment—encouraging partners to transpose instruments such as the NIS2 Directive, the 5G Toolbox, and broader digital policy frameworks. While compliance is a necessary foundation, it does not guarantee operational preparedness. The gradual, stepwise nature of accession struggles to keep pace with a fast‑moving, transnational threat landscape. Even among Member States, implementation of frameworks like NIS2 remains uneven, and the same tools often prove difficult to apply operationally in enlargement contexts where institutional capacities differ. Consequently, cooperation stays fragmented and reactive, limiting the ability to mount a collective defence when crises erupt.
Resource Gaps and Institutional Fragmentation
A critical bottleneck is the chronic shortage of skilled cybersecurity personnel. More than half of European organisations (52 %) report difficulties retaining qualified professionals, a deficit that weakens governmental defence capabilities and hampers the growth of domestic expertise and open‑source solutions. This skills gap is mirrored in enlargement partners, where limited training pipelines and brain‑drain exacerbate the problem. Beyond human resources, institutional fragmentation complicates coordination. Multiple EU instruments, overlapping mandates, and unclear lines of responsibility slow decision‑making during crises. While initiatives such as ENISA’s European Cybersecurity Skills Framework aim to harmonise competences, access to advanced operational structures remains restricted for partners; for example, the EU CSIRTs network is legally confined to Member States under the NIS framework, preventing enlargement countries from participating directly in real‑time information‑sharing and joint incident response.
Strategic Dependencies and the Need for Digital Sovereignty
The enlargement process incentivises rapid digitalisation, yet many partners continue to rely on cheap, scalable solutions from dominant non‑European providers—principally US and Chinese cloud and ICT firms. This dependence mirrors a broader EU vulnerability: Amazon, Google, and Microsoft together control roughly 63 % of the regional cloud market. While the Commission’s 2026 cybersecurity package acknowledges the importance of securing ICT supply chains, addressing technological dependence requires broader industrial policy choices that promote diversification, strategic procurement, and home‑grown innovation. Aligning enlargement‑driven digitalisation with the EU’s sovereignty and strategic autonomy agenda is essential to avoid entrenching the very dependencies the Union seeks to reduce.
Pathways to Enhanced Resilience Before Accession
To transform shared vulnerabilities into collective strength, the EU and its enlargement partners must bolster political, societal, and industrial resilience.
Political Resilience: Swift, coordinated action under pressure hinges on clear institutional mandates, interoperable procedures, and trusted crisis‑management mechanisms. Strengthening cooperation between cybersecurity agencies at EU, Member State, and partner levels—supported by frameworks such as NIS2 and the 5G Toolbox—is vital. Where full participation in structures like the EU CSIRTs network is not yet feasible, alternative formats (e.g., liaison nodes, shared platforms) should be developed to enable real‑time interaction. Existing hubs such as the Western Balkans Cyber Capacity Centre (WB3C) can facilitate joint exercises, peer exchanges, and the harmonisation of practices, reducing fragmentation and fostering mutual learning.
Societal Resilience: Societies must be able to absorb and recover from cyber and hybrid shocks without major destabilisation. This calls for robust digital architectures protecting critical infrastructure and essential services, reinforced by regional incident‑response mechanisms and the sharing of operational experience. Elevating basic and advanced digital skills across populations is equally important: expanding cyber‑awareness campaigns, integrating practice‑oriented modules into university curricula, and forging stronger links between public institutions, academia, and the private sector can build a cyber‑savvy citizenry. Tools like ENISA’s Cybersecurity Skills Framework can standardise training, while large‑scale exercises—such as the eight conducted by Ukraine since 2023—provide hands‑on readiness that can be replicated regionally.
Industrial Resilience: Reducing reliance on external ICT providers requires a viable regional industrial base capable of designing, procuring, maintaining, and scaling trusted digital solutions. This entails diversifying supply chains, instituting strategic procurement policies that favour home‑grown or vetted vendors, and investing in skills, research, and innovation ecosystems. Platforms like the WB3C can evolve beyond training centres to become catalysts for regional industrial uptake, innovation hubs, and cross‑border cooperation projects. By expanding demand within a wider European digital space, local providers can achieve the scale needed to compete with dominant external actors, thereby enhancing both security and economic sovereignty.
Implementing these measures will shift the focus from mere formal alignment to tangible, operational resilience—ensuring that the EU’s neighbourhood becomes a stronger, more secure pillar of European security rather than a point of weakness.