Europe Fails to Protect its Critical Infrastructure
I. What Is Critical Infrastructure?
Critical infrastructure means systems and assets whose disruption or destruction would have a severe impact on public health, national security, or the ability of armed forces to operate. When it fails, people die or armies cannot move.
The universally recognized sectors are: energy generation and transmission, drinking water and wastewater, rail and strategic transport, telecommunications, the financial payment system, hospitals and emergency services, and military logistics. The threshold for “critical” is existential function, not convenience.
By that definition, this essay documents a failure of European governance that is both ongoing and largely undiscussed.
II. The Baseline: Europe Is Already Failing Itself
Energy: Spain and Portugal Go Dark
On April 28, 2025, the entire Iberian Peninsula lost power simultaneously. Sixty million people in Spain and Portugal were without electricity for up to twelve hours. The cause was a cascade failure: two solar generation losses in southwestern Spain triggered a voltage surge the grid could not absorb, which disconnected Spain from the European network, and the whole system collapsed within seconds. Recovery required a black start from zero, initially supported by 900 MW from Morocco via submarine cable and 2 GW from France.
The cause was a grid architecture decision. Spain’s grid operators had left insufficient conventional generation online to provide voltage stability. The bulk of Spain’s solar and wind capacity runs on grid-following inverters, which require a stable voltage and frequency reference to operate: they consume stability rather than provide it. Grid-forming inverters can replicate the stabilizing behavior of conventional generation, but Spain did not mandate them, and the installed base is dominated by the cheaper grid-following variety. Spain also operates as an “energy island” with only 3.4% interconnection to the rest of Europe, well below the EU target of 10-15%, and had just 25 MW of installed battery storage against a 500 MW target.
The technology to make high-penetration renewables grid-stable exists. Mandating grid-forming capability has been standard practice in other jurisdictions for nearly a decade. Spain chose not to.
Baltic Sea Cables
Between November 2024 and January 2025, seven submarine cables were damaged in the Baltic Sea. On Christmas Day 2024, the Estlink-2 electricity cable connecting Finland and Estonia failed along with multiple telecommunications cables in the same maritime area, caused by a single tanker linked to sanctions-evading networks. Estlink-2 remained out of service for seven months at repair costs of roughly 70 million euros. A single ship passage severed critical energy and communications links between two NATO members for half a year.
Heat Deaths
Heat-related mortality in Europe is among the highest in the developed world. Between 2022 and 2024, over 181,000 people died from heat-related causes across 32 European countries, roughly 110 per million per year. The best comparable US estimate (Lee and Dessler, GeoHealth 2023) puts the American figure at around 33 per million. Air conditioning is nearly absent across northern and central Europe, and governments have actively reinforced that situation on energy grounds. Europe has known about this mortality pattern since the 2003 heatwave. Most member states still have no maximum indoor temperature standard for rental properties. Finland and Sweden are partial exceptions: both set upper temperature thresholds above which tenants can seek rent reductions, but neither obliges landlords to actually install cooling.
The scale of heat mortality under a multi-week grid failure is addressed in Section V.
Germany: A Special Case
Germany deserves separate treatment. With the largest economy in Europe, its infrastructure failures are a political and organizational problem accumulated over decades of deliberate underinvestment under the debt brake (Schuldenbremse), not a resource constraint. Deutsche Bahn alone carries an estimated maintenance backlog of 45 to 50 billion euros.
On the evening of June 23, 2026, all trains in Germany halted simultaneously. The cause: a failure in GSM-R, the digital radio system used for communication between train drivers and control centers. Without GSM-R, no train can move safely. A worker swapping out a component during routine maintenance brought down the entire network. Germany’s national rail, the logistics backbone that Bundeswehr planning depends on for moving armored vehicles to the eastern flank, has a single communications system with no redundancy and no failover.
On January 3, 2026, a far-left activist group set fire to a cable bridge over the Teltow Canal in Berlin’s Lichterfelde district, damaging several high-voltage cables. The result: 40,000 households and 2,000 businesses lost power for four days, the longest blackout in Berlin since 1945. Five hospitals switched to backup generators. An 83-year-old woman died. S-Bahn service was suspended across multiple lines. The repair took four days because multiple cable systems with incompatible designs had to be joined, a task that normally takes weeks.
A maintenance swap halts national rail. One arson attack blacks out the capital for four days. Germany recorded 6,300 heat deaths in the summer of 2024 alone. None of these events involved a foreign adversary, a coordinated attack, or extreme weather. Germany is a NATO member with explicit obligations to serve as the primary logistics corridor for eastern flank reinforcement. Its critical infrastructure cannot currently fulfill that role.
The Pattern
European infrastructure was designed for maximum efficiency under conditions of permanent peace, integrated supply chains, and zero adversarial pressure. Every system was optimized to reduce cost under normal conditions. Redundancy was treated as waste.
III. The Threat Environment Has Changed
Everything documented above happened without meaningful external pressure. The adversarial layer sits on top of an already fragile system.
Russia’s Proof of Concept
Russia has spent years systematically targeting Ukrainian power generation as a strategic weapon. The pattern is documented and deliberate: coordinated missile and drone strikes timed to maximize grid stress, targeting transformer substations that take months to replace, hitting the same infrastructure repeatedly to exhaust repair capacity. Ukraine has survived partly through extraordinary resilience and adaptation, and partly because Russia’s precision strike capacity has limits.
Grid attacks work. The limiting factor is precision and scale.
Volt Typhoon: Already Inside
In May 2023, Microsoft publicly attributed a Chinese state-sponsored intrusion campaign to a group designated Volt Typhoon, linked to the People’s Liberation Army. A joint advisory from the FBI, CISA, and NSA in January 2024 stated that Volt Typhoon had been present in some US critical infrastructure systems for at least five years before discovery.
Volt Typhoon’s goal is pre-positioning, not data theft. They use “living off the land” techniques: no custom malware, no anomalous traffic patterns, only legitimate system tools and valid credentials. They are forensically nearly invisible. Per US government characterization, the purpose is wartime activation, most likely timed to a Taiwan conflict scenario. Confirmed target sectors include energy, water, communications, and ports.
Several EU member state CERTs and ENISA have issued non-public advisories on similar tactics in European infrastructure. The European public record is thin because governments prefer not to confirm the extent of their own compromise.
Pre-positioning is already underway. The switches are in place. Conflict activates what is already there. The Stuxnet model, years of covert preparation culminating in a deniable precision strike, is a peacetime operation. The Volt Typhoon model is a wartime switch: silent presence, years of patience, activation on command.
Baltic Cable Cutting as Doctrine
Seven cables in two months, executed by vessels linked to Russian-adjacent networks, with zero meaningful response from European governments or NATO, establishes a precedent: European undersea infrastructure is a free-fire zone for grey-zone operations. The cost to the attacker is negligible. The cost to Europe is seven months of degraded energy and communications links between NATO members. That ratio will not discourage further operations.
IV. Novel Attack Vectors Europe Has Not Accounted For
The Inverter and AC Vector
Huawei and Sungrow together hold majority market share in European residential and commercial solar inverters. Sungrow alone has tens of gigawatts installed across Europe. By default, these devices communicate continuously with cloud servers operated by their Chinese manufacturers. The vendor retains remote access as a designed feature.
These inverters can be remotely curtailed, meaning their power output can be reduced to zero on command. Chinese-manufactured air conditioning units, increasingly prevalent across Europe as temperatures rise, can be remotely commanded to maximum load. The combination: curtail solar output across tens of gigawatts simultaneously while spiking demand via coordinated AC activation. The event would be attributed to a software fault; there is no intrusion forensics to follow.
The Physics
European grid frequency is maintained at 50 Hz. Stability requires continuous real-time balance between generation and load. The Spain event demonstrated that a generation shortfall of a few gigawatts, occurring within seconds, cascades faster than any human or automated response can compensate: automatic protection systems disconnect generation to prevent equipment damage, which amplifies the imbalance, which triggers further disconnections.
The inverter and AC attack only needs to push frequency outside the recovery envelope, not take out every device. With tens of gigawatts of remotely controllable inverters installed across European grids, that threshold is already reachable. Spain’s grid-following inverter monoculture, which consumes frequency stability rather than providing it, means the grid becomes less able to absorb the shock precisely as the shock is applied.
EU climate targets require continued solar deployment. Every additional gigawatt of Chinese inverter capacity expands this exposure.
V. What Happens When the Grid Goes Down
The Spain outage lasted hours and was described as a serious crisis. Below is an estimate of what a multi-week grid failure looks like across a densely populated European country under conflict conditions, where rapid repair is not possible.
| Timeframe | What happens |
|---|---|
| 0 to 24 hours | Hospitals on generator fuel (typically 24 to 72 hour supply). Traffic systems fail. Communications degrade as cell towers exhaust battery backup. |
| 1 to 3 days | Smaller hospital generators run out. ICU patients, ventilator-dependent people, and dialysis patients begin dying. Water treatment plants lose pump capacity; clean water fails in urban centers. |
| 3 to 7 days | No clean water at scale. Heating and cooling loss becomes acute. Food cold chain fails. Supermarket supply chains halt. |
| 2 to 4 weeks | Mass mortality. Conservative estimates for a multi-week full blackout in a dense European country range from tens to hundreds of thousands of deaths, concentrated among the elderly, infants, and chronically ill. |
| 6 weeks and beyond | Even after power returns, supply chains and logistics networks require weeks to months to restart. |
The 2003 European heatwave killed approximately 70,000 people with fully functioning infrastructure and hospitals. A winter blackout of two to three weeks, under conflict conditions where hospital resupply is disrupted, would likely exceed that substantially.
Military Functionality
Bases have generators and fuel reserves, typically seven to thirty days depending on country. The binding constraint is what happens outside the base.
European military logistics doctrine has relied heavily on civilian rail for heavy equipment movement since the Cold War. The Bundeswehr explicitly plans to use Deutsche Bahn for moving armored vehicles to the eastern flank. As of June 23, 2026, a routine maintenance component swap halted all German rail simultaneously. Rail signaling systems are almost entirely grid-dependent. Catenary power is grid-dependent. A multi-week grid failure means no rail, which means no heavy logistics, at exactly the moment it is needed.
Fuel supply chains collapse within days. Refineries, pumping stations, and distribution infrastructure all require grid power. A military trying to mobilize by road without fuel distribution, with degraded communications, while simultaneously managing a civilian humanitarian crisis, is not a credible conventional deterrent.
Command and control systems are partially hardened, but they depend on civilian fiber and telecommunications backbone for most operational communication. That backbone fails without power.
VI. The AI Capability Gap
Physical and architectural vulnerabilities are one problem. There is a separate dimension receiving almost no attention in European policy: the frontier AI capability gap and what it means for the offense-defense balance in cyberspace.
Friction Is the Security Model
Security in digital systems runs on friction: the cost and skill required to find and exploit vulnerabilities exceeds what most attackers can bring to bear. Nation-state actors and professional red teams have always been capable of finding complex zero-days; the friction model holds against everyone below that threshold.
Frontier coding models collapse that threshold. A motivated mid-tier actor with access to a Fable-class model can build and deploy working exploits that previously required a dedicated security research team and months of work. The skill floor drops; the pool of capable attackers expands; cost per attack falls. Even for well-resourced state actors, lower cost means higher volume and broader simultaneous target coverage.
The Current Capability Map
The United States has Fable-class models. Claude Fable 5 scores 80.3% on SWE-bench Pro, currently the least-contaminated major coding benchmark, versus roughly 55 to 60% for the best Chinese models. The US government’s decision to suspend Fable’s export access in June 2026 is an acknowledgment, however clumsily executed, that these models constitute a strategic capability with direct national security implications.
China is not there yet; based on the trajectory of model development over the past eighteen months, parity is plausible within eight to twelve months. That estimate is speculative; the direction is not.
Europe has Mistral. Mistral Medium 3.5 scores 77.6% on SWE-bench Verified, placing it at approximately rank 22 globally, roughly 11 percentage points below Claude Opus 4.8, the current best publicly available US model. On coding ability, agentic behavior, and tool use, European models are not in the same tier as the US frontier.
The standard defense of Mistral in European policy circles is that it performs consistently across European languages. This is true. It is also a vanity metric. Multilingual parity on a model uncompetitive on any dimension relevant to strategic autonomy, economic productivity, or cyber defense is not an achievement worth citing in a security context. Being equally behind state-of-the-art in twenty languages is not a geopolitical asset.
What This Means for Cyberspace
The offense-defense balance in cyberspace already favors offense. Attackers need one path in; defenders need to close all of them. AI makes that gap worse: automated vulnerability discovery, exploit generation, and coordinated attack scaling all benefit offense more than defense.
Europe enters this environment with no frontier model capability, demonstrably fragile critical infrastructure, and pre-positioned adversary access already in place. The AI capability gap removes the last layer of friction keeping the problem manageable.
Building a Fable-equivalent domestically in any relevant timeframe is not realistic: the compute infrastructure, the talent concentration, and the capital are all absent. Europe faces a binary choice: negotiate deep access to US frontier AI as a formal strategic dependency, or accept permanent second-tier status in the capability that increasingly determines both economic and military outcomes. Neither option is good, and the first is largely theoretical. A US administration that suspended Fable export access within weeks of its release and has shown little appetite for deepening European security dependencies is unlikely to share frontier AI capability on terms that serve European strategic autonomy. That leaves the second option as the realistic baseline. There is no clear path out of this in any near-term timeframe. Pretending Mistral closes the gap is not a plan; it is an excuse to avoid confronting how bad the situation actually is.
VII. What Needs to Happen
The technology to fix most of what is documented here exists. The obstacle is political will and fiscal priority. The following is what would need to happen for European critical infrastructure to plausibly hold up under adversarial pressure.
Grid Hardening and Decentralization
The grid is too fragile and too centralized. The Spain event, the Berlin arson blackout, and the Estlink cable failure all demonstrate that single points of failure exist at every level of the energy system. The investment agenda requires: redundant transmission routing, distributed generation and storage so that no single failure propagates across the whole system, and accelerated interconnection between member states to the EU’s own stated 15% target, which most members have not met.
Decentralization also addresses the inverter attack vector directly: a grid with distributed storage and microgrids capable of island operation cannot be frequency-shocked the same way a tightly coupled centralized grid can.
Deutsche Bahn’s 45 to 50 billion euro maintenance backlog is a direct military logistics liability. Germany’s Schuldenbremse makes this investment politically impossible under the current fiscal framework. That framework needs to change. Critical infrastructure investment is defense spending.
Hardware Stack Control
The problem with Chinese hardware in European grid infrastructure is the software stack and cloud connectivity, not the hardware itself. The policy requirement: any grid-connected device must be capable of operating entirely behind a European-controlled network boundary, against local servers, with no mandatory communication to manufacturer cloud infrastructure. For grid-scale equipment, the requirement should extend to a full European software stack.
The requirement is that hardware serve European operational requirements. Devices that cannot meet this requirement should not be permitted to connect to European grid infrastructure.
All new solar inverter installations should additionally be required to use grid-forming rather than grid-following architecture. Australia and the UK have already moved on this. The Spain event documented the cost of not doing so.
Offensive Cyber Deterrence
Europe has almost no offensive cyber capability and treats the subject as politically taboo. Deterrence requires a credible retaliation threat. Attacking European infrastructure currently carries essentially no cost for adversaries. The Baltic cable cutting continues precisely because there is no credible response framework, legal, military, or diplomatic. This requires open political discussion and willingness to develop and acknowledge offensive capability. The alternative is a standing invitation.
Unified Crisis Authority
ENISA is a compliance body. It has no operational authority during a cross-border infrastructure crisis. When multiple grids fail simultaneously during conflict, there is no EU-level authority with the mandate or capability to coordinate response. This is a governance gap requiring political agreement between member states reluctant to cede sovereignty. The reluctance is understandable. The cost of the alternative is documented in Sections II through V of this essay.
NATO mobilization plans need to be explicitly stress-tested against degraded or absent civilian grid scenarios. The current planning assumption that civilian infrastructure functions is incompatible with the threat environment described in Section III.
Physical Infrastructure Protection
A legal and military framework for responding to grey-zone infrastructure attacks needs to exist. Physical monitoring of critical undersea infrastructure, redundant cable routing, and clear escalation doctrine for vessels engaged in suspected infrastructure targeting are all achievable. None of them currently exist in operational form. The Baltic incidents established that the cost of attacking European infrastructure is low and the cost to Europe is high. That ratio needs to be reversed.
AI Capability
Europe cannot close the frontier model gap domestically in any timeframe relevant to the near-term threat environment. Structured access to US frontier AI is the obvious alternative, but that path requires a US administration willing to treat European cyber capability as a shared strategic interest. The current one has shown no such inclination. The honest policy position is that Europe is behind, the gap is widening, and there is no obvious way out. Pointing to Mistral’s multilingual consistency scores is not a policy response.
VIII. Conclusion: The Window Is Closing
Everything documented in this essay happened in peacetime, without a meaningful external stressor. The infrastructure is already failing on its own.
On top of that, adversaries have demonstrated systematic grid targeting works as a weapon, pre-positioned access is already in place, and the AI capability gap is collapsing the friction that previously kept sophisticated attacks expensive. The actors threatening European infrastructure are ahead on all three counts, or will be soon.
The inverter and AC vector described in Section IV grows larger every year alongside European green energy deployment and needs only a command to a server that already exists.
Europe has no resilience margin left to absorb any of this. The window for building that margin before it is needed is measurable in months, not years. Infrastructure investment in a crisis is reactive, expensive, and largely too late. Once a conflict begins, procurement slows, political consensus fractures, and the mistakes that could have been fixed years earlier cannot be fixed under fire.
The question is whether Europe’s political institutions can act at the speed the situation requires. The evidence so far is not encouraging.