Romania Pays the Cyber Price for Backing Ukraine. Where is the EU?


OPINION – When ransomware groups hit Romania’s national water agency, its largest coal-fired power producer and oil pipeline operator all in recent months, it would have been easy to file each incident under “criminal nuisance” and move on. But the ransomware gangs targeting the national critical infrastructure, including groups like Qilin and Gentlemen, are not merely profit-driven criminals operating in a vacuum. They are key vectors of Russian hybrid warfare in Europe.

In a recent interview with Recorded Media, Romania’s top cybersecurity official Dan Cimpean highlights that these frequent cyber-attacks are not merely operations performed by non-state actors seeking financial gain. These attacks, Cimpean argues, are systematic and geopolitically timed, often coinciding with Romanian political decisions tied to support for Ukraine. As observed in the Kremlin-sponsored interference campaign targeting Romania’s presidential elections in 2024, Russia is “trying to destabilize our social, political, and economic life”.


Romania, which has NATO’s largest land border with Ukraine, is not an outlier. Polish energy infrastructure was recently hit by Moscow-linked actors. Moldovan parliamentary elections in 2025 were accompanied by cyber and disinformation operations amplified by artificial intelligence. Dutch intelligence has warned that Russian cyberattacks, sabotage, and covert influence campaigns across Europe are intensifying. The pattern is clear and so is the trajectory: fearing military loss in Ukraine, Russia attempts to destabilize Kyiv’s most supportive European partners. What is less clear is why the European Union is not acting to raise the costs of these cyberattacks, especially since EU leaders like Emmanuel Macron and Friedrich Merz claimed earlier at the Munich Security Conference that they must take action to become geopolitically robust given the U.S.’s ambiguity towards European engagement, coupled with Russia’s growing assertiveness.

The European Union does, in fact, possess a meaningful tool that could be deployed in cases like Romania’s: its cyber sanctions framework, established in 2019 under the Cyber Diplomacy Toolbox. This instrument has been used sparingly to designate individuals and entities responsible for significant cyberattacks. In the 7 years since it was established, only 17 individuals and 4 entities have been sanctioned under this cyber sanctions framework, despite the increasing number of offensive cyber operations in Europe, which is in the range of thousands. Given the scale and frequency of Russian-aligned cyber operations across the continent, the EU’s restraint is not strategic patience - it is negligence and an invitation for Russian-connected ransomware groups to continue offensive operations targeting European energy, telecommunications, and water infrastructure.

The EU deploying cyber sanctions more aggressively would carry more than the symbolic value of a more strategically autonomous Europe. Sanctions create costs for the adversary. They are designed to disrupt financial flows to ransomware operators who depend on the international banking infrastructure, cryptocurrency exchanges with European exposure, and front companies operating in permissive jurisdictions. Designating ransomware groups like Qilin, Gentlemen, and their known affiliates, along with the broader ecosystem of bulletproof hosting providers, money launderers, and initial access brokers that sustain them, would not outright eliminate ransomware overnight. It would, however, raise the cost to ransomware groups doing business with Russia and, at the same time, send an unambiguous political signal that the EU is treating cyber operations targeting critical infrastructure as acts of aggression, not just cybercrime.

The EU must pursue these sanctions not in isolation, but as part of a broader attribution effort including member states and candidate countries. Attribution is often a hard political choice rather than a technical operation, and Russia is actively exploiting the EU’s difficulty in making hard political decisions. The evidentiary threshold for sanctions does not require the certainty of a criminal conviction. The standard is reasonable grounds, and between national cyber agencies, Europol, ENISA, and intelligence-sharing partnerships, Europe has more than enough to build credible designation cases. Formats like the recently launched trilateral cyber alliance between Romania, Moldova, and Ukraine could be used not only for sharing threat intelligence and aligning standards for cyber hygiene, but also for crystallizing broader continental support for the EU cyber sanctions framework.

But even stronger political will may not be enough without a structural reform of the EU cyber sanctions regime. Under the current legal framework, decisions on cyber sanctions designations require unanimity in the EU Council, implying that a single member state can veto a cyber designation, however well-evidenced. This is not a theoretical problem; it’s an operational gap that Russia understands and exploits through sympathetic EU governments, like Hungary and Slovakia. Through the advocacy of states that are on the front line of exposure to Russian hybrid warfare, the EU must pursue qualified majority voting for cyber designations.

The argument that foreign and security policy must remain unanimously agreed is understandable in contexts where member state interests genuinely diverge. Protecting European critical infrastructure from a hostile state’s hybrid operations is not one of these contexts - it should be common ground. Moving towards qualified majority voting for cyber sanctions would also help speed the pace of these decisions. The EU sanctioned people for the NotPetya campaign three years after the attack, and for the Bundestag hack five years after it occurred. This delay severely dilutes the impact of the sanctions and signals Europe's weakness.

The European Union must also look inward, at the corporate negligence that makes these cyberattacks against vital infrastructure so effective. The jarring truth is that the Russian-sponsored ransomware campaigns targeting critical infrastructure succeed not primarily because of sophisticated Russian offensive capabilities, but because of poor cyber hygiene. Unpatched systems, poor identity management practices, weak network segmentation and insufficient red teaming create the perfect storm in which these ransomware gangs operate to weaken European economies. European critical infrastructure sites are not breached because operators like Qilin are sophisticated, but because the bar is low enough to clear. The EU’s NIS2 Directive, which came into force in 2023, was supposed to change this status quo. It expanded the scope of critical sectors subject to mandatory cybersecurity standards and tightened reporting obligations and management-level accountability. Member states, however, have been very slow to transpose NIS2 into national law and even slower to enforce it meaningfully.

The EU must advance toward a model where entities in critical sectors that suffer a significant breach face real regulatory scrutiny as a reasonable standard. Companies that cannot demonstrate minimum cyber hygiene should face graduated financial penalties and those responsible for critical systems, whether power grids, water utilities, or pipeline operators, should face enhanced obligations and more aggressive oversight.

The moment to act is not after the next power outage, the next hospital system locked down or the next election disruption. Romania’s top cybersecurity official has warned that even if the guns in Ukraine fall silent, Russia will continue to operate in cyberspace, and the European Union must be prepared to act. Preparation does not imply reinventing the wheel, but actively using the tools already on the shelf, such as the underutilized European cyber sanctions regime for whose activation Romania needed to advocate.

The legal framework exists and the dots of Russian hybrid warfare can be connected for the political establishment to deliberate and act. Europe's continued inaction against Russian-connected offensive cyber operations targeting critical infrastructure carries real costs - ones that undermine the ideal of a geopolitically robust EU and push European elites further from their stated objective of making the continent more economically competitive.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
