Disruption as Strategy: Europe’s Cyber Threat Landscape

by Richard Knowlton,

Chair, Richard Knowlton Associates Ltd

5 minute read

The National Cyber Security Centre (NCSC) is the UK government’s technical authority for cybersecurity, operating as part of GCHQ. Its role is not limited to incident response: it sets guidance, issues threat advisories, supports critical national infrastructure operators, and acts as the government’s principal voice on emerging cyber risks.

When the NCSC issues a public warning, it is usually because it judges that a pattern of activity has moved beyond isolated incidents and now poses a systemic risk to organisations or public services.

Its latest advisory warns UK organisations of sustained online disruption caused by pro-Russian hacktivist groups, primarily through distributed denial-of-service (DDoS) attacks. The NCSC is explicit that many of these attacks are technically unsophisticated, but it stresses that this does not make them insignificant. Their value to attackers lies in visibility and persistence: taking services offline, even temporarily, can disrupt daily operations, undermine public confidence, and force organisations into repeated crisis-management mode. The advisory therefore frames the issue not as a classic data-security problem, but as one of operational resilience and service continuity in a geopolitically charged environment.

Seen in that light, the UK government’s warning should not be read as a peculiarly British problem. On the contrary, when placed in a wider European context, it looks less like an outlier and more like one of the clearest public articulations of a threat that many EU member states are already experiencing, but not always describing in the same way.

The alert focuses on sustained denial-of-service activity by pro-Russian hacktivist collectives targeting public-facing services. The emphasis is deliberately sober: these attacks are often basic, but they are persistent, visible, and effective at eroding trust in public institutions. Crucially, the NCSC frames them as a resilience issue rather than a breach narrative, signalling that availability and continuity are now central elements of national cyber risk.

Do states in the EU see the same pattern?

In operational terms, yes—very clearly.

Across the EU, national CERTs and cybersecurity agencies have reported a marked increase in politically motivated DDoS campaigns since 2022, with a notable acceleration during 2024–2025. Targets are strikingly consistent: government portals, local authorities, transport operators, financial institutions, and media organisations. The same clusters of threat actors recur in open reporting, including groups such as NoName057(16), KillNet affiliates, and loosely coordinated Telegram-based collectives that mobilise supporters rapidly around geopolitical flashpoints.

Germany provides a useful comparator.

The Bundesamt für Sicherheit in der Informationstechnik (BSI) has repeatedly highlighted hacktivist DDoS activity in its annual threat assessments and situation reports, particularly against federal and Länder-level public services. However, BSI communications tend to embed this threat within broader technical reporting, rather than issuing sharply framed public warnings. The message to operators is clear; the message to the wider public is more restrained.

France shows a similar pattern.

The Agence nationale de la sécurité des systèmes d’information (ANSSI) has documented sustained disruptive activity against public administration and strategic sectors, especially during periods of diplomatic tension. Yet ANSSI’s public posture is characteristically understated, folding hacktivism into a wider narrative of sustained cyber pressure rather than isolating it as a headline risk.

This reflects a long-standing French preference for avoiding the amplification of adversary narratives through public alarm.

Northern European states are often closer to the UK position.

The Netherlands’ National Cyber Security Centre Netherlands and several Nordic authorities have been more explicit in acknowledging ideologically motivated disruption aimed at visibility rather than compromise. In these countries, such scenarios are increasingly built into national resilience planning and cross-sector exercises, and public messaging tends to emphasise societal preparedness and shared responsibility.

At the EU level.

ENISA reporting over successive threat-landscape cycles reinforces the same conclusion. Hacktivism has evolved from sporadic nuisance into a persistent component of hybrid pressure. ENISA’s language is careful and analytical, but its data shows the same rise in frequency, coordination, and targeting of essential services that the UK NCSC is now calling out more directly.

Why, then, do we not see a steady stream of NCSC-style warnings from every EU capital?

The answer is less about denial of the threat and more about political and strategic communication choices. Public cyber warnings sit at the intersection of cybersecurity, public confidence, and foreign policy. Some governments are reluctant to issue high-profile alerts that could be interpreted domestically as loss of control or internationally as escalation. Others are concerned about inadvertently amplifying the visibility of hacktivist groups whose primary objective is attention and symbolic impact.

There is also a structural dimension.

In several EU states, responsibility for cyber resilience is distributed across multiple ministries and agencies. This can slow or dilute public messaging even when technical assessments closely match those of the NCSC. The absence of a prominent warning should therefore not be misread as an absence of concern or preparation.

From an operational standpoint, the lived experience across the EU broadly matches what the UK is describing. Public-sector SOCs and network teams are dealing with repeated waves of denial-of-service activity that is cheap to launch, difficult to deter, and costly to manage over time. The impact is measured not in stolen data, but in degraded services, political scrutiny, and cumulative strain on operational teams.

For leadership teams, this convergence matters.

It means the UK advisory is best understood not as a uniquely British response, but as an early and unusually candid articulation of a European-wide reality. Availability is now a strategic asset, and disruption—however technically basic—has become a tool of geopolitical signalling.

The regulatory direction of travel reinforces this conclusion.

NIS2, the Critical Entities Resilience framework, and parallel national measures all push organisations toward demonstrable operational resilience rather than narrow technical compliance.

In that sense, the NCSC warning is less about threat novelty and more about governance maturity: an insistence that denial-of-service scenarios be treated as first-class risks, planned for, exercised, and owned at senior level.

In short, the experience of EU member states largely mirrors what the UK NCSC is describing, even if the tone of public communication varies. Some governments speak loudly, others quietly; few genuinely disagree on substance.

For organisations operating across borders, the implication is clear.

Disruption is a strategy in Europe’s cyber threat landscape.

If you are visible, public-facing, or systemically important in Europe, hacktivist-driven disruption is no longer an edge case. The only open question is whether you are managing it as an occasional technical nuisance—or preparing for it as a predictable feature of today’s geopolitical landscape.

Our corporate security consultancy Richard Knowlton Associates works closely with its subsidiary, the Cambridge Cyber ​​Centre to ensure an holistic approach to managing cyber risk in its wider geopolitical and economic context.

Both were founded with the mission of contributing to an informed, rigorous, and decision-oriented debate, helping public and private leaders understand security risk not as an isolated technical problem, but as a structural component of European resilience. Only by recognizing the systemic nature of the threat will it be possible to develop responses worthy of the complexity of our time.

We prepare our clients to make effective and timely decisions in cyber risk management and data protection. This is achieved through leadership development courses, mentoring, consulting, and research services.