European cybersecurity strategy has never been busier. The European Union has produced the NIS2 Directive, the Cyber Resilience Act, an expanded ENISA, a cyber sanctions regime, and a diplomatic toolbox for responding to malicious cyber operations. Member states have published national cybersecurity strategies, stood up cyber commands, and pledged billions in investment.
None of this answers a basic question: what does winning look like?
Activity isn’t strategy
Strategy connects means to ends. It explains how the things you do produce the political outcomes you want. Europe has accumulated impressive cyber means: agencies, frameworks, regulations, capabilities. But it has not articulated what political outcome all this machinery serves.
This is not a trivial omission. Without a theory of victory, you cannot make trade-offs. You cannot decide whether to prioritize resilience or deterrence, offense or defense, sovereignty or interdependence. You simply do everything, hope something works, and call the activity “strategy.”
The result is a continent that generates cyber policy at remarkable volume while struggling to explain what success would look like if it arrived.
Contradictory logics
Europe’s cyber efforts contain at least four implicit theories of victory, and they do not sit comfortably together.
The resilience camp believes victory means absorbing attacks and recovering quickly. Invest in defenses, harden critical infrastructure, build redundancy. If adversaries cannot cause lasting damage, they lose.
The deterrence camp believes victory means changing adversary behavior through punishment. Attribute attacks, impose sanctions, signal consequences. If adversaries fear costs, they stop.
The norms camp believes victory means building international consensus on acceptable behavior. Support UN processes, promote the Paris Call, develop shared rules. If everyone agrees on red lines, violations become costly.
The sovereignty camp believes victory means reducing dependence on non-European technology. Build European cloud infrastructure, invest in domestic champions, limit foreign vendors in critical systems. If Europe controls its own stack, adversaries lose leverage.
Each logic has merit. The problem is that pursuing all four simultaneously creates contradictions.
Resilience requires accepting that attacks will happen and optimizing for recovery. Deterrence requires believing you can prevent attacks through credible threats. These are different strategic postures with different investment priorities.
Sovereignty demands reducing dependence on American technology. But Europe’s most capable cyber defenders, and much of its threat intelligence, come from American companies. Strategic autonomy and operational effectiveness pull in opposite directions.
Nobody has reconciled these tensions. Instead, European policy documents gesture at all four logics while committing to none.
Measuring nothing
Here is a simple test for whether you have a theory of victory: can you describe what a good year looks like?
If Europe had a successful 2025 in cybersecurity, how would anyone know? Fewer reported incidents? That could mean better defense or worse detection. More attributions? That could mean more attacks or more willingness to call them out. Faster recovery from ransomware? More prosecutions? Higher compliance with NIS2?
The absence of clear success criteria reveals the absence of strategic clarity. Europe tracks inputs (budgets allocated, directives transposed, agencies staffed) because it cannot define outputs.
This is not a measurement problem. It is a conceptual problem. You cannot measure progress toward a destination you have not identified.
Resilience as abdication
When strategists do not know how to win, they default to survival. Resilience has become Europe’s answer to nearly every cyber question. How should we respond to ransomware? Build resilience. State-sponsored espionage? Resilience. Critical infrastructure threats? Resilience.
Resilience is valuable. It is not a theory of victory. It is what you pursue when you have given up on shaping adversary behavior and accepted that attacks are a permanent condition to be managed rather than a problem to be solved.
A continent that defines success as “absorbing punishment well” has made a significant strategic choice, whether it admits it or not. It has decided that the offensive advantage in cyberspace is insurmountable, that deterrence does not work, and that the best achievable outcome is limiting damage.
Perhaps this is correct. But Europe has not made this argument explicitly. Resilience has become the default not through strategic deliberation but through the absence of it.
Means without ends
European cybersecurity strategy discourse focuses relentlessly on means: capabilities, agencies, budgets, frameworks, regulations, coordination mechanisms. The assumption seems to be that accumulating enough means will eventually produce desired ends.
This inverts how strategy works. Strategy starts with the political outcome you want and works backward to the means required. Europe has done the opposite. It has built means and hoped ends would emerge.
The Cyber Resilience Act will improve product security. NIS2 will raise baseline defenses across critical sectors. These are genuine accomplishments. But accomplishments toward what?
If the goal is making Europe a harder target, these measures help. If the goal is deterring adversaries from attacking in the first place, they are insufficient. If the goal is shaping international norms, they are largely irrelevant. The value of any policy depends on the theory of victory it serves.
What clarity requires
Developing a genuine European cyber strategy would require uncomfortable conversations.
It would require admitting that resilience, deterrence, norms, and sovereignty sometimes conflict, and choosing priorities when they do.
It would require defining what success looks like in terms that can actually be measured, even if the metrics are imperfect.
It would require acknowledging that cyber strategy is not a technical problem but a political one, implicating questions about European autonomy, transatlantic relationships, and acceptable risk.
It would require stating, plainly, what outcome Europe seeks and how its actions are supposed to produce it.
Until Europe has this conversation, it will continue generating cyber policy without cyber strategy. The activity will look impressive. The results will remain unclear.