February 13, 2026 12:36 pm CET
By Antoaneta Roussi
“We also have to have offensive capacity,” says Commissioner Henna Virkkunen.
Europe must be able to strike back in cyberspace, as the strategy to deter adversaries is no longer enough, the EU executive's tech and security chief told POLITICO.
“It’s not enough that we are just defending ... We also have to have offensive capacity,” the European Commission's Executive Vice President Henna Virkkunen said in an interview on the sidelines of the Munich Security Conference on Friday.
For years, European capitals have held back from stating publicly that they support offensive cyber operations — known as "hacking back" — because of fears that such operations could trigger retaliation and escalation from countries like Russia, China and others.
But the tide is turning, as EU states including Germany, Latvia and others warm to the idea of conducting offensive cyber operations. The European Commission also mentioned the need for both defensive and offensive cyber capabilities in its defense white paper in December.
Virkkunen said the Commission is also identifying critical areas and industries where Europe wants more control over its data. It is part of a broader push to reduce dependence on foreign technology and build a homegrown tech and cyber industry in Europe.
“We don’t want to have risky dependencies in any critical fields,” she said. “That doesn’t mean we plan to do everything on our own. When we don’t have certain capacities ourselves, we are very willing to work with like-minded partners to build resilient supply chains.”
politico.eu
January 28, 2026 4:16 pm CET
By Sam Clark
Europe is investing heavily in security but not enough in cyber, bloc’s cyber agency chief says.
BRUSSELS — The European Union urgently needs to rethink its cyber defenses as it faces an unprecedented volume and pace of attacks, the head of the bloc's cyber agency told POLITICO.
“We are losing this game,” said Juhan Lepassaar, the executive director of the EU's Agency for Cybersecurity (ENISA). “We are not catching up, we're losing this game, and we're losing massively.”
Europe has been pummeled with damaging cyberattacks in recent years, which have shut down major airports, disrupted elections and crippled hospitals. Just in the past week, cyber experts pinned an attempted attack on Poland’s power grid on Russia, and the president of Germany's Bundesbank said in an interview that the central bank faced over 5,000 cyberattacks every minute.
The cyber threats come as Europe deals with war on its eastern border, China's growing power over the global technology market and an increasingly unfriendly United States. In the past year, European countries have pledged to boost defense spending and the EU has shaped many of its policies around security and self-reliance.
Investing in security services but not in cybersecurity creates a “loophole,” Lepassaar warned.
The agency chief's warnings come one week after the European Commission presented a proposal to overhaul its Cybersecurity Act legislation. The bill would allow the EU's cyber agency, based in Athens, to expand its personnel by 118 full-time staff and to spend more on operational costs. The agency now has approximately 150 staff.
But Lepassaar lamented that wasn't nearly enough. He drew a comparison to EU police agency Europol and EU border agency Frontex, which have more than 1,400 and more than 2,500 staff respectively, with more resources on the way.
“We just don't need an upgrade. We need a rethink,” he said. “Doubling the capacity is the absolute minimum.”
The European Union has fallen short in cyber investment for years and it needs to build an entire new EU-level cyber infrastructure, the agency chief said.
Europe needs to 'step up'
When Lepassaar took charge of the agency in 2019, Europe was in a “totally different environment,” he said.
In 2019, approximately 17,000 software flaws were added to a global database logging such vulnerabilities; in 2025, more than 41,000 were added, he said. And in 2019, it took hackers approximately two months on average to use those flaws in an attack, but it now takes only one day on average, he said, citing industry and government data.
The cybersecurity industry has warned it now takes hackers far less time to exploit glitches, in part because of AI.
Just as Europe has pledged to take greater responsibility for its physical security, it must do the same in cyberspace, said Lepassaar — an Estonian who previously headed the office of European Commissioner for Digital Affairs Andrus Ansip.
In areas such as cataloging and managing cyber vulnerabilities — an obscure but critical area of cybersecurity — the only organizations systematically working on the problem have long been U.S.-based, Lepassaar said. “We all reap the benefits for free … it's needed that we now step up and take our fair share of this.”
MITRE, a U.S.-based nonprofit group, manages a global database of cyber flaws on which the entire industry relies. It nearly lost funding last year before being bailed out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
European startups and small businesses benefit from a system whose security is “backed up only by MITRE and CISA,” Lepassaar said.
ENISA has started operating a database of cyber flaws — though this was planned before MITRE nearly lost its funding — and recently took on a key technical role that further embeds it at the core of global cybersecurity infrastructure.
“It's part of our obligation as Europe to take our fair share from this,” Lepassaar said.