Hybrid threats in the EU: conceptual foundations and a new institutional moment

Renan Bendel Vaughan (master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder – UMINHO/BIM/2026/40)

Setting the scene: a political moment and a legal gap

The concept of hybrid threats has become one of the most frequently invoked analytical categories in contemporary European security discourse. Since its consolidation in the institutional vocabulary of the EU following the Joint Framework of 2016,[1] the expression has migrated progressively from the strategic-military domain to the field of Union law, informing legislative instruments on cybersecurity, the resilience of critical infrastructures and the protection of democratic institutions. However, its legal operability remains uncertain: the concept is invoked with increasing frequency in soft-law instruments and policy frameworks, without this invocation being accompanied by a legal definition sufficiently precise to underpin the normative requirements placed upon it.

The Conclusions of the Council of the EU of 16 March 2026 on advancing the European Union’s capacity to counter hybrid threats constitute the most recent institutional moment in this evolving framework.[2] The Council of the EU condemned the persistent hybrid threats from state and non-state actors aimed at compromising the security and stability of the Union and its Member States, specifically identifying the sabotage of critical infrastructures, malicious cyber activities, foreign information manipulation and interference (FIMI), election interference, and the instrumentalisation of migration. It called for the full implementation of the NIS2 and CER Directives, highlighted the importance of the Cyber Blueprint as a mechanism of collective response, and drew attention to the malicious use of emerging technologies, including AI and quantum technologies.

This text takes the Conclusions of March 2026 as its point of departure to offer a legally sound conceptual framing for examining what hybrid threats are and why their precise definition is relevant to the Union’s constitutional law (which a political instrument tends not to provide). The central argument is that, in the absence of an operative legal definition, the Union’s response to hybrid threats will remain structurally fragmented, constitutionally blind, politically ambiguous, and normatively insufficient.

The genealogy of a contested concept

The expression hybrid warfare emerged in Anglo-American strategic-military scholarship to describe the combination, by state and non-state actors, of conventional, unconventional, irregular, terrorist and criminal means in the same theatre of operations.[3] James Mattis and Frank Hoffman describe this combination as a “menu” of combat methods, from which the opponent chooses and creatively combines conventional techniques, insurgency, terrorism and cyber operations, precisely to avoid Western dominance in conventional warfare.[4] The notion originally designated a convergence of modes of armed violence, which demanded of opposing forces an equally multidimensional preparedness.

Since 2014, with the Russian aggression against Ukraine, the concept has been progressively displaced from a strictly military sphere to a broader one, in which what is at stake is the combination of military and non-military, kinetic and non-kinetic instruments in pursuit of strategic objectives while maintaining ambiguity as to the threshold between peace and war. Bettina Renz demonstrates how the literature began to mobilise the concept not only to designate the intervention in Crimea and the Donbas, but also to qualify disinformation campaigns, electoral interference and energy pressure.[5] Nonetheless, this semantic extension generated criticism regarding the concept’s over-broad scope: in this regard, Damien Van Puyvelde warns that “in practice, any threat can be hybrid as long as it is not limited to a single form and dimension of warfare”, thereby rendering the concept devoid of analytical and legal value.[6]

To address this criticism, part of the international relations scholarship proposes distinguishing between hybrid warfare, in a stricter sense, which includes military components, and hybrid interference, a concept that encompasses, in particular, the coordinated and frequently covert use of non-military means to exploit structural vulnerabilities of liberal democracies. Mikael Wigell conceptualised hybrid interference as “the synchronized use of multiple non-military means of interference tailored to heighten divisions within target societies”, defining it as a wedge-driving strategy grounded in the combined use of clandestine diplomacy, geoeconomics and disinformation.[7] This approach has the advantage of situating the phenomenon at the strategic level, allowing one to understand that the central objective is not military victory, but the erosion of internal cohesion and of the target’s capacity for a concerted response.

The Conclusions of the Council of the EU of 16 March 2026 clearly operate in this second register. By enumerating FIMI, electoral interference and the instrumentalisation of migration alongside sabotage and cyber activities, the Council of the EU confirms that the Union is working with a broad, multipronged approach that encompasses the full spectrum from covert sub-threshold activities to near-kinetic attacks on critical infrastructures.[8] The legal consequence of this breadth is immediate: it means that no single legal instrument can cover the full range of hybrid threats, and that the Union’s response is structurally fragmented across internal market law, the Area of Freedom, Security and Justice (AFSJ), and the Common Foreign and Security Policy (CFSP), including the Common Security and Defence Policy (CSDP). Precisely for this reason, a legally operative definition is a prerequisite for regulatory effectiveness, and not just an academic exercise.

Towards a legally operative definition

The policy definition of hybrid threats produced by the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) and the European Commission’s Joint Research Centre constitutes an indispensable analytical starting point. According to this conceptual framework, hybrid threats are understood as coordinated campaigns, conducted primarily by authoritarian states, which mobilise multiple instruments (cyber, informational, economic and legal) to exploit the systemic vulnerabilities of democratic societies, whilst remaining below the threshold of armed conflict.[9] This definition accurately captures the strategic logic of the phenomenon: the deliberate combination of distinct means aimed at eroding the target’s internal cohesion, without resorting to the use of force in the classical sense.

However, this policy-oriented definition is insufficient for legal purposes. A concept that aims to function as legally operational must be capable of bearing the normative weight of specific legal consequences, ranging from State liability for failures in the protection of digital justice to the conditions under which cooperation mechanisms may be suspended or reconfigured, including the delimitation of the Union’s competences in relation to the Member States’ national security prerogatives. Aurel Sari accurately summarises the strategic dimension that a purely policy definition tends to neglect: “from a hybrid threat perspective, the law is best understood as an instrument and as a domain of strategic competition. State and non-state actors routinely employ law to pursue their strategic interests”.[10] If the law itself is simultaneously an instrument and a domain of strategic competition, then a definition of hybrid threats that does not incorporate this dimension is, by definition, legally incomplete.

For the purposes of this text, a legally oriented operational definition is proposed. Hybrid threats, in a legally relevant sense, are understood as the coordinated set of hostile activities, conducted predominantly by states or by actors sponsored by them, that combine primarily non-kinetic means, namely cyberattacks, clandestine digital surveillance operations, disinformation campaigns, and the strategic instrumentalisation of legal or economic instruments, with the objective of exploiting structural vulnerabilities of the democracies of the European Union. These activities are maintained, as a rule, below the threshold of the use of force in the classical sense and of easy attribution, but have the potential to compromise fundamental rights, the Rule of law, and the preconditions of mutual trust between Member States.[11]

This delimitation is deliberately more restrictive than the broad political-strategic concept of “hybrid threats” used, for example, in the Commission’s communications and in the frameworks of the Hybrid CoE. This restrictiveness is not a limitation, but a methodological necessity. The determining criterion is not the nature of the instrument used, but rather (i) the target, namely the structural vulnerabilities of the Union’s democracies, and (ii) the effect, namely the erosion of the constitutional preconditions of the Union’s legal order. Purely military actions are excluded, and the economic or lawfare vectors are only relevant when functionally linked to the disruption of democratic institutions or the erosion of the Rule of law.[12] This choice is simultaneously methodological and juridical-political; restricting the concept to its analytical core is also a normative statement aimed at safeguarding the sphere of fundamental rights and preventing the hyper-securitisation of the democratic space, a risk that Barry Buzan, Ole Wæver, and Jaap de Wilde identify as inherent to the performative act of designating a phenomenon as a security threat.[13]

The three families of conduct and Union law

The operational definition proposed in the section above carries immediate legal implications for how Union law relates to hybrid threats. To flesh out this argument, it is useful to distribute the forms of conduct identified in the Conclusions of the Council of the EU of March 2026 into three analytical categories, corresponding to the main sources of hybrid pressure on the Union’s democratic systems.

The first family covers cyberattacks and the sabotage of critical infrastructures. The Council Conclusions call for the full implementation of the NIS2 and CER Directives as a priority response to this vector.[14] At the legal level, these instruments operate in the register of the internal market (adopted on the basis of Article 114 TFEU) and establish obligations of resilience and notification for essential and important entities. The constitutional problem that the Conclusions do not address arises when a cyberattack on critical infrastructures is attributed to a third State and produces effects equivalent to the use of force: the applicable legal framework then shifts to the domain of the CFSP, which is subject to unanimity in the Council of the EU and excluded, in principle, from the jurisdiction of the CJEU by virtue of Article 275 TFEU. The Union thus finds itself facing a structural constitutional asymmetry: it responds technically through internal market instruments but is politically paralysed when the attribution of the threat requires a collective response in the domain of the CFSP.[15]

The second family encompasses FIMI and interference in electoral processes. The Council of the EU identifies this vector as a priority and reiterates its commitment to the reinforcement of media literacy and to the fast-alert mechanisms.[16] At the legal level, the Union’s response to this vector is distributed between the Digital Services Act (DSA), which addresses disinformation only indirectly through the notion of systemic risks, and the CFSP sanctions regime, which permits restrictive measures against actors responsible for disinformation campaigns but remains dependent on national attribution assessments and on unanimity in the Council.[17] The existing regulatory framework is therefore reactive and fragmented: there is no legal basis in primary EU law that would allow for an integrated and preventive response to hybrid interference in the European democratic space as such.

The third family encompasses the strategic use of the law and of economic instruments, which the literature designates as lawfare, and the instrumentalisation of migration as a pressure vector. What these actions have in common is that they exploit the Union’s own regulatory and institutional structures as vehicles for destabilisation, using the instruments of the Rule of law against the very Rule of law. Luigi Lonardo observes that “the EU seems, overall, legally well-equipped to counter the threats” in the sectoral field, but recognises that “a single piece of legislation is neither feasible nor, probably, desirable” to cover the hybrid phenomenon in its entirety.[18] This observation confirms the central argument of this text: that the Union’s response to hybrid threats is technically reasonable at the level of the sectoral instruments, but lacks a horizontal juridical-constitutional framing capable of articulating these instruments in a coherent logic of protection of the values of Article 2 TEU.

The institutional moment and what remains to be done by the law

The Conclusions of the Council of the EU of 16 March 2026 represent a significant political commitment. The Council condemned the threats, identified their vectors, called for the implementation of sectoral instruments and recognised the need to reinforce the collective capacity of the Union to face hybrid threats. This commitment must not be underestimated; in a context of growing pressure on European democracies, consistently documented in the reports of the European Parliament and in the assessments of the Hybrid CoE, the political affirmation that hybrid threats constitute a strategic priority of the Union has a value of its own.[19]

But a political commitment is not (and should not be) normatively sufficient. An analysis of these three families of conduct reveals that the Union’s response to hybrid threats suffers from a structural fragmentation that cannot be resolved by simply accumulating sectoral instruments: the asymmetry between the internal market framework and that of the CFSP, the reliance on national assessments of attribution, the requirement for unanimity in the Council of the EU for collective responses, and the absence of a horizontal legal basis in primary law for an integrated response to the hybrid phenomenon as such. As Sari warns, “navigating the legal threat landscape demands a strategic approach, one that recognizes the systematic nature of the threat, matches the level of effort expended by hostile powers and accepts the need to compete more effectively in the legal domain”.[20] The Union has its tools; what is lacking is a juridical-constitutional framework that brings them together.

This gap has a precise constitutional dimension: Article 2 TEU enunciates the Rule of law, democracy, and fundamental rights as founding values of the Union. Hybrid threats, in their diversity of vectors and in their logic of sub-threshold erosion, target precisely these values: they do not confront them frontally, but they undermine the conditions that make them possible. A Union that responds to these threats only at the sectoral level, without articulating this response with the constitutional framework of Article 2 TEU, runs the risk of protecting the infrastructure without protecting the values that the infrastructure serves. The institutional moment opened by the Conclusions of March 2026 is, therefore, also a moment for the law: the task of legal scholarship is to translate political commitment into constitutional clarity, and it is to this task that the present text seeks to contribute.


[1] European Commission and High Representative of the Union for Foreign Affairs and Security Policy, Joint Communication to the European Parliament and the Council: joint framework on countering hybrid threats — A European Union response, JOIN(2016) 18 final, April 6, 2016, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A52016JC0018.

[2] Council of the European Union, Council conclusions on advancing the EU’s capacity to counter hybrid threats, March 16, 2026, https://data.consilium.europa.eu/doc/document/ST-7349-2026-INIT/en/pdf.

[3] Frank G. Hoffman, Conflict in the 21st century: the rise of hybrid wars (Arlington, VA: Potomac Institute for Policy Studies, 2007), 14–28.

[4] James N. Mattis and Frank Hoffman, “Future warfare: the rise of hybrid wars,” Proceedings 131, no. 11 (2005), https://www.usni.org/magazines/proceedings/2005/november/future-warfare-rise-hybrid-wars.

[5] Bettina Renz, “Russia and hybrid warfare,” Contemporary Politics 22, no. 3 (2016): 283–300, https://doi.org/10.1080/13569775.2016.1201316.

[6] Damien Van Puyvelde, “Hybrid war — does it even exist?,” NATO Review, 2015.

[7] Mikael Wigell, “Hybrid interference as a wedge strategy: a theory of external interference in liberal democracy,” International Affairs 95, no. 2 (2019): 262–263.

[8] Council of the European Union, Council conclusions on advancing the EU’s capacity to counter hybrid threats.

[9] P. Cullen, et al., The landscape of hybrid threats: a conceptual model (public version), ed. G. Giannopoulos, H. Smith and M. Theocharidou, EUR 30585 EN (Luxembourg: Publications Office of the European Union, 2021), 18–35, https://publications.jrc.ec.europa.eu/repository/handle/JRC123305.

[10] Aurel Sari, Hybrid threats and the law: building legal resilience, Hybrid CoE Research Report 3 (Helsinki: European Centre of Excellence for Countering Hybrid Threats, 2021), 7–8, https://www.hybridcoe.fi/wp-content/uploads/2021/10/20211104_Hybrid_CoE_Research_Report_3_Hybrid_threats_and_the_law_WEB.pdf.

[11] Sari, Hybrid threats and the law, 12–22; P. Cullen, et al., The landscape of hybrid threats, 18–35.

[12] P. Cullen, et al., The landscape of hybrid threats, 26–35; Sari, Hybrid threats and the law, 18–26.

[13] Luigi Lonardo, “EU law against hybrid threats: a first assessment,” European Papers 6, no. 2 (2021): 1092–1095, doi: 10.15166/2499-8249/514; Barry Buzan, Ole Wæver, and Jaap de Wilde, Security: a new framework for analysis (Boulder, CO: Lynne Rienner, 1998), 24.

[14] Council of the European Union, Council conclusions on advancing the EU’s capacity to counter hybrid threats, March 16, 2026.

[15] Sari, Hybrid threats and the law, 34–39; Lonardo, “EU law against hybrid threats,” 1086–1088.

[16] Council of the European Union, Council conclusions on advancing the EU’s capacity to counter hybrid threats.

[17] Council of the European Union, Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, OJ L 129I, May 17, 2019; Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, OJ L 129I, May 17, 2019, https://eur-lex.europa.eu/eli/dec/2019/797/oj/eng.

[18] Lonardo, “EU law against hybrid threats,” 1093.

[19] European Commission, 2025 Rule of Law Report: Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, COM(2025) 900 final (Brussels: European Commission, 2025), https://commission.europa.eu/strategy-and-policy/policies/justice-and-fundamental-rights/upholding-rule-law/rule-law/annual-rule-law-cycle/2025-rule-law-report_en; European Centre of Excellence for Countering Hybrid Threats, Hybrid threats as a concept, https://www.hybridcoe.fi/hybrid-threats-as-a-phenomenon/.

[20] Sari, Hybrid threats and the law, 35.


Picture credit: by Tima Miroshnichenko on pexels.com.
