"Hybrid threat" has moved from think-tank language to a board-level concern. The conflicts in Ukraine and the Middle East have shown that cyber operations, influence and pressure below the threshold of open war now travel alongside conventional force — and that European organisations, far from the front line, feel the spillover. This article draws the practical lessons for a business that is not a government but shares the same digital terrain.
At a glance
- The shift: cyber operations, influence and disruption used as instruments below the threshold of war.
- The exposure: European organisations feel spillover through shared infrastructure, suppliers and identity.
- The response: identity, tested continuity and actionable intelligence — the substance behind NIS2 and DORA.
What we mean by a hybrid threat
A hybrid threat combines conventional and unconventional means — cyber, disinformation, economic and physical pressure — to achieve an aim without triggering a formal state of war. For a business the relevant point is not attribution but effect: the same techniques used against states are reused, commoditised and pointed at ordinary organisations.
Ukraine: the most visible laboratory of modern digital conflict
Ukraine has become the clearest case study in cyber-enabled conflict: attacks on critical infrastructure, wiper malware, and operations timed to physical events. The techniques do not stay contained — tooling and tradecraft leak into the wider criminal ecosystem, which is how a conflict far away becomes a threat to a European manufacturer or supplier.
Iran and the Middle East: operations, influence and pressure below the threshold
The Middle East shows the other face of hybrid activity: cyber operations blended with influence campaigns and pressure calibrated to stay under the threshold of open conflict. For European organisations the lesson is that motivation is no longer only financial; disruption and signalling are objectives in their own right.
Europe in a less stable environment
The result is a more unstable backdrop in which critical infrastructure, supply chains and identity are all in scope. European organisations do not need to be targets of a state to be affected — shared cloud, shared suppliers and shared software mean the blast radius reaches far beyond the intended victim.
What a European organisation should take from this
The lessons converge on a handful of priorities, none of them exotic:
- Identity is the new perimeter. Phishing-resistant MFA and control of privileged and cloud/M365 access matter more than another edge box.
- Vulnerability management beyond scanning. Prioritise by real exploitation and exposure — see prioritising real risk.
- The supply chain is part of the risk field. Third-party risk is now front-line, not paperwork.
- Continuity must be tested, not just documented. Rehearsed business continuity is what separates a bad day from a crisis.
- The SOC must look beyond technical alerts. A managed SOC should read context, not just fire alerts.
- Threat intelligence must be actionable. Intelligence only helps if it changes what you defend and detect.
NIS2, DORA, ENS and ISO 27001: not bureaucracy, but a resilience structure
Read in this light, the frameworks stop looking like paperwork. NIS2, DORA, Spain's ENS and ISO 27001 describe exactly the resilience a hybrid environment demands: risk management, tested continuity, supplier control and incident readiness. They are a structure for surviving pressure, not a box to tick.
Where to start
Without launching an endless programme, the useful first moves are to get honest visibility of exposure through an attack-surface review and security audit; to harden identity and re-prioritise vulnerabilities by real risk; and to rehearse continuity and incident response rather than assume they work. That is resilience you can evidence — and the honest answer to whether your organisation could withstand real hybrid pressure. To work through it, get in touch.