The European Union should develop offensive cyber capabilities to strengthen its defences, the bloc’s technology chief has stated, marking a significant shift towards proactive cyber operations. Henna Virkkunen, European Commissioner for Technology Sovereignty, Security and Democracy, told Politico that purely defensive measures are insufficient. “It’s not enough that we are just defending… We also have to have offensive capacity,” she said on the sidelines of the Munich Security Conference.
This stance aligns with a broader NATO-driven military buildup among European members, many of whom cite Russian aggression as justification for pledging to spend 2% of GDP on defence, with discussions now moving towards a 5% target. Moscow has consistently dismissed allegations of imminent aggression as “nonsense” and baseless fearmongering. Separately, the EU has repeatedly raised cybersecurity concerns about Chinese technology, claiming suppliers could be used for espionage—a charge Beijing rejects as “naked protectionism.”
Virkkunen’s comments follow the European Commission’s cybersecurity proposal last month, which aims to phase out high-risk foreign technology from critical supply chains. She emphasized the goal of reducing dependency on non-EU tech to build a sovereign European cyber industry. “We don’t want to have risky dependencies in any critical fields,” she noted.
The push for offensive options is gaining traction among several EU states. Germany and Latvia have publicly supported the concept, and NATO’s European members have reportedly considered offensive cyber actions against Russia. The alliance is also establishing a new integrated cyber defence centre in Belgium, set to become operational by 2028.
This strategic reorientation occurs against a backdrop of mutual accusations. NATO members accuse Russia of hacking government servers, jamming aviation GPS signals, and airspace violations—allegations Moscow denies, framing Western sanctions and support for Ukraine as “hybrid aggression.” Russian Foreign Minister Sergey Lavrov stated last week that Moscow has “no reason” to attack the EU or NATO unless provoked.
The escalation in cyber conflict is evident. According to RED Security, cyberattacks against Russian targets jumped 46% last year. Notable incidents included the July hacking of Aeroflot’s database by pro-Ukraine groups.
The EU’s consideration of offensive cyber tools signifies a major evolution in its security posture, moving from a traditionally defensive regulatory role towards active deterrence. This approach is likely to intensify geopolitical tensions, particularly with Russia and China, while raising complex legal and ethical questions about the use of state-sponsored cyber operations. The development of such capabilities will depend on further consensus among member states and the establishment of clear operational frameworks.
