Russia’s war on Ukraine has made cyber disruption part of everyday life. China has turned supply chains into data pipelines. At Thursday’s hearing with five cybersecurity capacities, MEPs asked whether Europe can still shape its digital fate — before its enemies do.
Europe’s lawmakers often summon experts, draft barely inteligible communiqués and file them away. As the European Parliament’s Committee on Security and Defence (SEDE) joined forces with the Committee on Industry, Research and Energy (ITRE) for a hearing on Cyber-defence and cybersecurity on 29 January, the feeling was different.
No one talked about hypothetical threats. Every witness pointed to hardware already working on Europe’s roads, grids and clouds. And each of them was well aware of the adversaries in Moscow and Beijing who probe those systems daily.
Steering data like wheels
Several core messages stood out. Civil and military spheres now overlap so completely that any resilience plan must cover both. And Europe already has institutions—ENISA, CERT-EU, the new Cybersecurity Competence Centre—but lacks the habit of using them in concert. The results are not encouraging. MEP Jens Geier (S&D/DEU) captured the mood with a scary example. German offshore wind farms, he said, “can actually be switched off from abroad”.
“Intelligent cars are already here on our roads in Europe… basically smartphones on wheels, packed with high-resolution cameras, radars, positioning systems and connected to the internet,” said Paulina Uznanska, deputy head of the China Department at Poland’s Centre for Eastern Studies. “An intelligent car can be an EV, a hybrid or even a combustion vehicle; what matters is the digital layer.”
You might be interested
Speaking through a videolink because sickness prevented her from participating in person, she said Chinese brands hold “over six per cent of the EU market,” and Beijing sees their data as “a strategic opportunity”. “Data gathered by these vehicles is very useful for making the BeiDou satellite navigation system more precise, and that very system is used by the People’s Liberation Army,” she warned.
China is stricter
China knows how hazardous such data can be when collected by outsiders. “The Standardisation Administration of China has explicitly warned that widespread use of foreign-made vehicles creates national-security risks,” Ms Uznanska noted. “Tesla cars faced informal limits near government buildings or high-level events attended by Xi Jinping; access was granted only after the company passed China’s data-security tests.”
The EU sets the strategy… but implementation must come at all levels: national, defence, industry, education. Everyone should play his or her own role. — Luca Tagliaretti, executive director at European Cybersecurity Competence Centre
“When it comes to intelligent cars, China regulates far more strictly than we do; in the EU, exposure is moving faster than regulation,” she cautioned. Her prescription: “Member states should act now at national level to protect critical infrastructure and military facilities… intelligent vehicles must be explicitly included in the revision of the EU Cybersecurity Act… we should move quickly to EU-wide rules.” Such rules, she argued, could become “a very potent non-tariff barrier and catalyse a booming, safe EU-based industry for automotive software and sensors.”
Budgets and breaches
“We have a European cybersecurity demand problem—we know it, we want it, but we are not ready to pay for it,” said Iva Tasheva, chief information-security officer for two Belgian firms. ENISA data show “the supply of managed security services has doubled versus demand, budgets are shrinking, and the European cybersecurity market is actually contracting.”
Energy firms illustrate the gap: “Energy companies spend around six million euros a year on cyber—about the same cost as one average breach. One incident wipes out the entire annual budget,” Ms Tasheva added.
The board member of Women4Cyber Belgium blamed cumbersome procurement. “Different procurement requirements create artificial barriers to trade; they cost time, money and ultimately our industry.” Digital Europe grants are “still very administrative-driven, not agile… cover only 50 % of allowed expenses… and often force you to publish as open source.” Europe is “investing millions, yet losing trillions. That curve, of course, is going to bring down everyone,” Ms Tasheva said.
Hybrid foes, hybrid fixes
“Europe is no longer facing isolated cyber incidents; we are facing systematic hybrid operations—cyber-attacks against critical infrastructure combined with disinformation campaigns and political pressure,” warned Ferdinand Gehringer, security and defence director at FTI Consulting.
“The problem is not that the EU lacks tools—the problem is that we still use them separately.” He wants cybersecurity treated “as a system, not a collection of instruments,” with an aim to “raise the costs of attacks, limit systemic damage, ensure rapid recovery and preserve Europe’s freedom of action in crisis.”
We have a European cybersecurity demand problem. We know it, we want it, but we are not ready to pay for it. — Iva Tasheva, CoCyber ambassador
His model rests on three pillars. “First, a whole-of-society approach—more than 70 % of critical infrastructure is privately operated.” Second, “civil-military convergence with clear legal separation; cooperation must become a routine default.” Third, “co-operation-based innovation: security policy and industry policy must be deliberately linked.” Supply-chain numbers underline the need: “We have around 70 % U.S. cloud providers in the European Union… just 15 % belong to EU providers.” Governments, the former scholar with the Konrad Adenauer Stiftung argued, should become anchor customers for European clouds.
War-tested testimony
“Russia is simply trying to eliminate Ukraine’s nation, using all possible means, including cyber aggression,” said Nataliya Tkachuk, head of cybersecurity at Ukraine’s National Security and Defence Council. “Cyber war against Ukraine started… with the BlackEnergy virus attack on Ukrainian power plants in December 2015—300,000 households were left without electricity.” Ukraine now fields “a really effective and even proactive cybersecurity and cyber-defence system,” thanks to “all our capacities from private sector, from our cyber volunteers.” Last year it faced “more than 6,000 cyber attacks from the Russian Federation”.
Danger has spilled westward. “One month ago, in December 2025, Russia conducted a cyber-attack of destructive character against the Polish energy sector; if it had been successful more than 500,000 EU citizens would have been without electricity.” Thus “any European country is fair play for Russian cyber aggression.” Ukraine does not rely solely on defence: “We have the right for self-defence and we are hacking back—and we are doing this very successfully.” She offered co-operation: “Probably it’s time to integrate Ukraine into the European cyber-defence framework.”
MEP Wouter Beke (EPP/BEL) asked whether Europe needs offensive cyber tools. Ms Tkachuk’s answer was clear: “It is simply impossible without offensive capabilities.” Legal authority is missing. “Only two NATO countries actually use their offensive cyber capabilities—I’m talking about the United States and probably Great Britain—and that’s all.” Russia, China and North Korea “don’t care about international humanitarian law… Offensive capacity is a necessary part of [deterrence].”
Money and manpower
“Critical infrastructure are becoming now a tool of geopolitical influence, and our first line of defence, our cyber soldiers, are the operators of that infrastructure,” said Luca Tagliaretti, executive director of the EU Cybersecurity Competence Centre. He cited recent breaches: “Ireland 2021—data loss of 42 hospitals… UK 2025—attacks on government departments and the Electoral Commission… France 2024—data loss of more than 33 million citizens.”
His centre has “invested around 600 million euros so far—40 % went to SMEs—supporting around 200 projects and 1,500 companies. We target one billion euros and 300 projects by the end of next year.” Three cross-border hubs are out to tender; grants back “regional cable labs” and “a platform for testing post-quantum cryptography”. Yet, he conceded, “Is this enough? Well, it is not. We need to improve funds for fundamental research, strengthen public-private partnerships and have a common agenda with the defence sector.” Dual-use prototypes must grow: “We expect in 2026 to make this an important part of our budget.”
EU-wide rules could become a very potent non-tariff barrier and catalyse a booming, safe EU-based industry for automotive software and sensors. — Paulina Uznanska, deputy head of the China Department at Poland’s Centre for Eastern Studies
MEP Mārtiņš Staķis (Greens-EFA/LAT) demanded to know who should act. Mr Tagliaretti replied: “The EU sets the strategy… but implementation must come at all levels: national, defence, industry, education. Everyone should play his or her own role.” Strategy and co-ordination live in Brussels; execution lives everywhere else.
‘Can we afford it?‘
Speakers outlined clear tasks. Plug the Chinese-car loophole before market share becomes political leverage. Make governments the first big customers for European cloud services. Create a legal framework for EU-level offensive cyber operations. Force EU and national agencies to share real-time data.
Ms Uznanska’s closing warning applies across the board. Every extra Chinese vehicle on European roads raises the political cost of action. Regulation will never catch up unless it moves faster than the technologies it tries to tame. The hearing supplied a blueprint, of sorts. The question, as Ms Tasheva put it, “Can we afford to go on like that?”
