Joshua Kroeker is the CEO and founder of Reaktion Group. He advises governments and firms on geopolitics and military risk, as well as energy and business in Eastern Europe and Eurasia.
Celine Emma La Cour is Principal Strategist at Reaktion Group, where she specializes in drone warfare, economic security, and geopolitical risk.
The views and opinions expressed in this column are solely those of the author and do not necessarily reflect the official policy or position of AeroTime.
The war in Ukraine is increasingly spilling into Europe in the form of sabotage and drone incidents. Governmental actors as well as private operators of critical infrastructure need to implement resilience measures – and they need to do it fast.
Recent weeks have seen repeated drone-related security incidents across Northern Europe. On May 20, 2026, Lithuanian authorities suspended flights and rail traffic in Vilnius following a drone incursion that triggered emergency alerts and NATO air policing measures. Days earlier, Finland temporarily halted operations at Helsinki Airport following suspected drone activity. Earlier in May, two drones entering Latvian airspace from Russia crashed near an oil storage facility in Rēzekne, damaging several empty oil tanks and triggering a political crisis that resulted in the resignation of the Latvian Defense Minister.
While the incidents caused only limited physical damage, they demonstrated how relatively small and inexpensive drones can generate disproportionate operational, political, and psychological effects when operating near critical infrastructure and civilian transport networks. National-level airspace protection may ultimately depend on political decisions and national capabilities, but private operators can do a great deal to improve early detection, incident response, and coordination with authorities.
The Sub-Threshold Warfare Tracker by the Sahaidachnyi Security Center indicates 22 sabotage attempts against critical infrastructure and 12 sabotage attempts against other economic and industrial targets since the start of the war in Ukraine in 2022 until April 2026.
While drones are not yet the main observed attack vector against civilian critical entities, drones are highly present in the surrounding hybrid-threat ecosystem. In addition to sabotage attempts, the tracker shows 46 airspace violations by drones during the same period, that is, excluding the incidents mentioned above.
What unites these incidents is not the attack method, but rather the target logic. They involve sectors where the attacker can trigger political crises, public alerts, and cross-border and cross-sector cascading effects. Those are exactly the conditions in which drones are attractive because they are cheap, flexible, deniable, and easy to layer onto another attack path.
Target tiers in Europe
Drone use is still maturing inside the broader concept of hybrid warfere where preferred civilian target sectors are already visible in sabotage and cyber data. Analysing the ‘Sub-Threshold Warfare Tracker’ more closely, we find that transport (air, rail, maritime and road transport included) emerges as the most attacked sector, accounting for roughly one-third of incidents where critical infrastructure was targeted. The data shows sabotage or cyberattacks on airports, seaports and terminals, fuel tankers and shipyards, as well as rail lines and road freight. Short-term outages in transport networks can have outsized economic and societal impact, making them lucrative targets.
Energy, including electricity, gas and oil, and digital infrastructure, including telecoms, data centers and networks, attract steady sabotage attempts and cyber-attacks. Targets include undersea cables, telecom hubs, data servers, power grids, wind and solar farms, pipelines, and nuclear and hydro plants. These are critical nodes whose compromise causes systemic effects.
For critical entities, drones are not a separate threat category but a rapidly evolving multiplier of threats that already exist.
Likely targets are not limited to large national operators or prime infrastructure assets. Smaller logistics providers, warehouse operators, and mid-sized utilities providers may in some cases be even more vulnerable due to limited security resources. In 2024, incendiary devices hidden in parcels disrupted DHL and DPD logistics hubs in the UK, Germany, and Poland, while Romania’s pipeline operator CONPET was reportedly targeted by a pro-Russian cyberattack.
Drones can serve multiple roles here: conducting surveillance and reconnaissance ahead of a sabotage attack, creating distractions to divert security personnel or overload response systems, probing or disrupting sensors and communications systems, generating psychological pressure, or even delivering explosives. As drones become cheaper, more autonomous, and more resistant to electronic interference, they increasingly allow both state and non-state actors to project disruptive capability deep into civilian environments at relatively low cost.
Europe’s resilience gap
Europe has acknowledged the threat, but it has yet to fully operationalize the response. The EU’s Critical Entities Resilience (CER) Directive requires Member States to designate critical entities across 11 sectors by July 17, 2026, after which these entities are given 9-10 months to assess and mitigate relevant risks. For many of these entities, this will include the risk of drone incidents. However, significant gaps remain between designation and actual resilience.
The first major gap is the gap between compliance and capability. Across Europe, many operators are conducting risk assessments and resilience planning on paper. These are necessary steps, but they are not enough. In practice, many critical entities still lack deployed detection systems, tested response protocols, trained personnel, and clear operational procedures for drone-related incidents. A rapidly evolving drone threat environment cannot be addressed through static paperwork. Lessons from Ukraine consistently show that resilience depends on operational adaptation, continuous testing, and the ability to integrate intelligence into real-time decision-making. The organizations best prepared for drone threats are those capable of identifying, assessing, and responding to incidents under realistic conditions. Compliance alone does not create operational continuity under rapidly evolving threats.
Civilian infrastructure in a low-intensity battlespace
The second major gap is the civil-military adaptation gap. Europe is still treating many drone threats as primarily military problems, even as they increasingly target civilian infrastructure and commercial operators. The war in Ukraine has demonstrated the importance of concepts such as layered air surveillance, rapid command-and-control (C2), electronic warfare awareness, distributed detection, and continuous operator training. Yet many of these concepts have not meaningfully transitioned into the civilian domain. Airports, ports, logistics hubs, telecom operators, energy infrastructure, and industrial facilities are now exposed to threat environments that increasingly resemble low-intensity battlespace conditions, but without the organizational structures, technical systems, or trained personnel designed to operate within them. Europe, therefore, faces a growing need to adapt military lessons, technologies, and operational thinking into scalable civilian resilience frameworks suited to legally constrained and commercially sensitive environments. Allow us to recall that even a careless drone pilot can shut down an airport, with similar cascading effects to those of a threat actor’s actions.
Recent incidents across Scandinavia in 2025 underline the complexity of the threat. In 2025, drone incursions near airports in Denmark and Sweden triggered operational restrictions and airspace responses, while repeated drone sightings near Equinor’s offshore oil and gas platforms in Norway led authorities to heighten security measures. In such situations, distinguishing between malicious intent, irresponsible drone activity, or navigational disruption often matters less in the moment than the operational consequences themselves.
The third gap is coordination. Drone incidents rarely fall neatly within a single authority structure. They unfold in the grey zone between civilian security, law enforcement, aviation authorities, military responsibility, intelligence services, and privately owned infrastructure. Yet coordination mechanisms between those actors remain fragmented across much of Europe. A private operator may detect suspicious drone activity without clarity on escalation procedures or access to national threat intelligence. Equally, state authorities often lack operational visibility into what private infrastructure operators are observing on the ground. This creates delays in detection, reporting, attribution, and response in the early stages where rapid coordination matters most. Ukraine’s experience demonstrates that resilience depends not only on sensors and interceptors but also on integrated ecosystems in which operators, authorities, and security actors share information and operate through common response frameworks.
Europe is still in the early stages of adapting to the drone threat in the civilian domain, but the direction of travel is clear. For example, Germany announced a major new public-private initiative between Rheinmetall and Deutsche Telekom to develop a nationwide “drone defense shield” aimed at protecting German cities and critical infrastructure from hostile drones and sabotage operations. The initiative came after a sharp rise in suspicious drone activity across Germany in 2025 and 2026. Still, it remains to be seen how this announcement translates into practical resilience, and how fast that happens.
Resilience must move from paper to practice
The challenge for Europe now is operationalizing the response. And again, Ukraine has the answer. It involves layered detection, rapid information sharing, trained personnel, realistic exercises, and close integration between civilian operators, security services, and military structures. Not all critical entities have to buy expensive counter-UAS gear to be prepared – but some might have to. For others it will be enough to make comprehensive risk assessments and improve organizational response mechanisms.
Compliance frameworks and strategic documents matter, but resilience is ultimately measured in response times, trained staff, tested procedures, and the ability to adapt faster than the threat evolves.
Founder & CEO, Reaktion Group