Listen to the article
By Andre Pienaar
For the first time, cyberattacks rank as the most serious security risk across the G7. Russia is blending cyber and kinetic operations against European energy grids. The Munich Security Report 2026 maps a threat landscape in which the line between cybersecurity and energy security has effectively ceased to exist.
The prominence that this year’s annual Munich Security Report gives to cybersecurity and energy security in its analysis is striking.
According to the Munich Security Index 2026, the polling instrument embedded within the Munich Security Conference’s flagship annual report, cyberattacks by nation state adversaries are now ranked as the single most serious national security risk across the aggregate G7 ranking.
This is the first time in the index’s five-year history that a technology-related threat has occupied the top position, and it did not arrive there by a narrow margin. Across the G7, cyber risk has climbed three ranking positions since 2021, while environmental risks have steadily fallen. Disinformation campaigns from enemies, the information warfare sibling of cyber operations, have surged even more dramatically, rising nine positions to rank fourth. Together, they represent a tectonic shift in how democracies understand the national security threats they face. The battlespace that matters most, in the collective judgement of G7 citizens, is now digital.
The numbers behind the alarm
The country-level data in the Munich Security Index warrants close examination. Germany records the highest cyber risk score of any country surveyed, at 75 out of 100, with 73 per cent of respondents considering cyberattacks an imminent threat and a striking 39 per cent feeling their country is unprepared to deal with them. That combination, the highest perceived threat paired with the highest perceived vulnerability in the G7, is unusual in the index and constitutes the clearest signal for cybersecurity investment anywhere in the Western alliance.
The United Kingdom follows closely, with a cyber risk score of 74 and a five-point increase from 2024, the sharpest upward movement on this risk among the G7. Seventy-one per cent of British respondents consider the threat imminent. France records 66, Italy 65 and Japan 64. In Japan, cyberattacks are the only risk perceived as more serious than last year, with every other risk in the index declining. The Japanese public, it appears, sees its country’s digital exposure as a singular and growing vulnerability in an otherwise stabilising threat landscape.
For the BRICS countries, Brazil, India, China and South Africa, the picture is different in emphasis but not in direction. Environmental risks retain the top positions in the BRICS aggregate, as they have since 2021. But cyberattacks have risen to seventh place, and disinformation has climbed to eleventh. The convergence is clear. Cyber threats are ascending globally, but the alarm is loudest in precisely those nations whose critical infrastructure is most deeply digitised and whose adversaries have the most sophisticated offensive capabilities.
“Russia has brought war back to Europe. And we must be prepared for the scale of war our grandparents or great-grandparents endured.”
Mark Rutte, NATO Secretary General, December 2025
The grid as grey zone
The 2026 Munich Security Report provides the analytical context that transforms these polling numbers from abstract risk perceptions into an operational threat assessment. The report’s chapter on European security, authored by Nicole Koenig, documents a sharp escalation in Russia’s hybrid warfare campaign across Europe throughout 2025. The term hybrid has been used loosely in strategic discourse for over a decade, but the report describes something specific and qualitatively new. This is the deliberate blending of cyber and kinetic operations against energy infrastructure, designed to blur the boundary between war and peace.
Russia, the report states, is “increasingly blending cyber and kinetic tactics in its suspected surveillance, sabotage operations, and attacks on energy grids.” This is not a forecast or a warning about future capabilities. It is a description of operations underway. The accompanying data shows a dramatic rise in suspected Russian hybrid incidents across EU and NATO countries between 2022 and 2025, encompassing sabotage, arson, vandalism, cyberattacks, drone overflights, espionage, and a particularly distinctive category, “bloody and flammable parcels”, that speaks to the deliberately provocative and psychologically calibrated nature of these operations.
The autumn of 2025 saw a particularly sharp escalation. In September alone, approximately 20 Russian drones intruded into Polish airspace, while three Russian MiG-31 fighter jets violated Estonian airspace for twelve minutes, prompting both governments to invoke Article 4 consultations under the North Atlantic Treaty, which provides for allied consultations when a member perceives a threat to its territorial integrity or security. These incidents were not isolated provocations. Analysts cited in the report view them as deliberate efforts by Moscow to probe Europe’s defences, sow division, intimidate publics, and weaken support for Ukraine by diverting attention towards domestic security.
The critical word in the report’s formulation is grids. Energy grids are not merely a target among many in Russia’s hybrid campaign. They are the target that connects the cyber domain to the physical domain, that translates a digital intrusion into a consequence, lights going out, heating systems failing, hospital equipment shutting down, industrial processes halting. An attack on an energy grid is simultaneously a cyberattack, an act of economic warfare, a psychological operation, and, depending on its scale and consequences, a potential trigger for Article 5 deliberations. It is the point at which the neat analytical distinction between cybersecurity and energy security collapses entirely.
A pincer on European energy
Russia’s hybrid operations against energy delivery systems do not exist in isolation. The Munich Security Report documents a second pressure vector that compounds the threat. This is China’s deployment of sweeping critical mineral export controls. Beijing’s curbs on critical minerals, the report notes, “have not just hit the US but countries in all parts of the world”, disrupting global markets including “Europe’s automotive and defence sectors”.
The significance of this convergence, Russian attacks on energy delivery infrastructure from one direction, Chinese chokepoints on energy transition supply chains from another, cannot be overstated. European energy security is being squeezed from both ends simultaneously. The systems that deliver energy today are under kinetic and cyber assault. The supply chains needed to build the energy systems of tomorrow are being weaponised by a rival power.
Europe’s cyber dependency trap
Perhaps the most strategically consequential finding in the Munich Security Report is one that receives less attention than the headline geopolitical analysis but carries greater operational weight for the defence and cybersecurity sectors. The report identifies the specific capability domains where Europe remains “critically dependent on the US”: air and missile defence, drones, strategic transport, intelligence, and explicitly cyber capabilities.
This dependency has deepened precisely as the threat has intensified. Between 2022 and 2024, US systems accounted for approximately 51 per cent of equipment spending by European NATO members, up from roughly 28 per cent between 2019 and 2021. European governments continue to miss their own target, agreed in 2007, of spending 35 per cent of procurement budgets jointly. The result is a continent that is spending vastly more on defence, while simultaneously becoming more dependent on the USA.
In the cyber domain, this dependency creates a specific and acute vulnerability. The report calls on European governments to “strengthen civil preparedness and develop coordinated measures to detect, counter, and proactively deter Russia’s intensifying hybrid campaign.” The verb sequence is revealing: detect, counter, deter. These are the core functions of a mature cyber defence posture, and the report is effectively acknowledging that Europe does not yet possess them at the level required to operate independently of American support.
Washington’s approach to European security has become, in the report’s assessment, “increasingly conditional”, with the Trump administration tying access to the US security umbrella to alignment with its economic interests. The July 2025 EU-US trade deal is widely interpreted as a concession made to maintain the security guarantee.
The six-month clock
Embedded within the report’s discussion of Russian military capabilities is a data point that should concentrate minds across European capitals. Intelligence agencies, the report states, estimate that Russia could reconstitute its forces for a “regional war” in the Baltic Sea area within two years of a potential ceasefire in Ukraine, and for a “local” operation against a single neighbour within six months.
The six-month timeline is the one that matters most for the cyber and energy security discussion. A localised Russian operation against a Baltic or Nordic state would almost certainly be preceded and accompanied by intensified cyber operations against that nation’s energy infrastructure, communications networks, and government systems. The hybrid operations documented in the report, the drone overflights, the airspace violations, the sabotage incidents, the attacks on energy grids, are not random provocations. They are rehearsals. They are the reconnaissance phase of a campaign whose operational phase could begin within months of a ceasefire.
For nations on the frontline, Finland, Estonia, Latvia, Lithuania, Poland and Sweden, this timeline demands a fundamentally different posture towards cybersecurity and critical infrastructure protection. It is no longer a matter of building resilience over a decade-long planning horizon. It is a matter of hardening systems against an adversary that is actively probing defences, mapping vulnerabilities, and testing response times. The energy grid, in this context, is not merely critical infrastructure to be protected. It is the primary terrain on which the next phase of hybrid conflict will be fought.
The defence spending paradox
European NATO members have increased defence budgets by approximately 41 per cent between 2021 and 2025. All allies are estimated to have met the two per cent GDP spending target in 2025. NATO leaders have agreed to a far more ambitious five per cent target, comprising 3.5 per cent on regular defence and 1.5 per cent on security-related measures, to be reached by 2035. Russia, for its part, is spending approximately eight per cent of GDP on security and defence, sustaining an expanded war economy now entering its fifth year.
These numbers represent a generational shift in European defence investment. But the report identifies a structural contradiction at the heart of this spending surge that is particularly relevant to the cybersecurity and energy security sectors. Rising defence budgets are fuelling what the report calls “a new wave of industrial nationalism that risks deepening fragmentation, inflating costs, and eroding fragile public support”. Procurement remains largely national, joint targets are persistently missed, and the default option for many governments is to assemble US-designed systems on European soil rather than develop genuinely indigenous alternatives.
In the cybersecurity domain, this pattern creates a specific opportunity. Unlike major weapons platforms, fighter jets, missile systems and armoured vehicles, where European industrial capacity genuinely lags and where interoperability with US systems is a legitimate requirement, cybersecurity is a domain where European and allied firms can compete on capability, where sovereignty requirements create natural demand for non-US solutions, and where the speed of innovation favours agile providers over incumbent defence primes. The report’s identification of cyber capabilities as a domain where Europe is “critically dependent” on the US is, simultaneously, a description of a strategic vulnerability and a map of a market opportunity.
“We have a simple choice, either money today, or blood tomorrow. I’m not talking about Ukraine; I’m talking about Europe.”
Donald Tusk, Polish Prime Minister, December 2025
The convergence thesis
The Munich Security Report 2026 does not set out to make a case for the convergence of cybersecurity and energy security. Its purpose is broader, a comprehensive assessment of the state of the international order. But read carefully, the evidence it assembles makes that case more powerfully than any purpose-built analysis could.
Consider the cumulative picture. Cyberattacks are now the number one risk in the G7, recognised as such by the populations whose infrastructure is under attack. Russia is conducting blended cyber-kinetic operations against European energy grids as part of an intensifying hybrid warfare campaign. China is weaponising the critical mineral supply chains upon which the energy transition depends. European defence spending is surging, but the continent remains critically dependent on the US for cyber capabilities. Intelligence agencies estimate that Russia could launch a localised operation against a single European neighbour within six months of a ceasefire. And the energy grid, the point where digital vulnerability translates into physical consequence, sits at the intersection of all these pressures.
The line between cybersecurity and energy security has not merely blurred. For the nations on Europe’s eastern and northern flanks, it has ceased to exist. Protecting the grid is a cyber mission. Defending against cyberattack is an energy security imperative. The institutional, industrial, and investment frameworks that persist in treating these as separate domains are operating on assumptions that the threat environment has already invalidated.
The report’s authors conclude their European chapter with a call for the continent to move “far more decisively to become a genuine security provider”. They specifically call for “rapid agreement on shared capability priorities” in areas including cyber, and for governments to “strengthen civil preparedness and develop coordinated measures to detect, counter, and proactively deter” the hybrid campaign. This is the right diagnosis. But it will remain merely a diagnosis unless it is accompanied by investment at scale, at speed, and in the integrated fashion that the threat demands to build collective defence.
The energy grid is the battlefield. Cyber is a weapon as part of hybrid warfare. And the clock is running to build collective defence.
Andre Pienaar is the CEO and Founder of C5 Capital, a specialist investment firm focused on energy security, headquartered in Washington DC, with offices in London and Vienna.
The Munich Security Report 2026, “Under Destruction”, was published by the Munich Security Conference in February 2026. The full report is available at securityconference.org.
