A hybrid threat is the possibility of coordinated hostile conduct by a state actor, non-state actor, or actor operating domestically or transnationally, characterised by the integrated use of multiple instruments of coercion or destabilisation, including cyber operations, information manipulation, economic pressure, legal or regulatory interference, and actions in the physical domain, directed at undermining countries, organizations, and the constitutional order. External origin is characteristic but not constitutive. The definitional core lies in the multi-vector, strategically unified nature of the hostile activity.
EU and NATO practice overwhelmingly conceptualises hybrid threats as foreign (external to the state or the Union). The strategic documents, operational playbooks, and institutional mechanisms are oriented toward foreign state actors, state proxies, and transnational non-state actors.
This focus is largely justified. However, this doctrinal emphasis does not convert externality into a necessary legal prerequisite. Threats emerging from actors located within the jurisdiction but operating under foreign direction, in coordination with foreign interests, or simply out of ideology, fall fully within the hybrid threat definition.
Internal actors can constitute hybrid threats if their conduct meets the structural criteria. Hybrid threats are defined by strategic intent, coordination across multiple instruments or domains, and the aim of disrupting or subverting essential functions or societal stability. An actor located inside the jurisdiction may satisfy all three criteria.
In legal and strategic practice, a threat is not defined through a fixed, closed list of elements. It is a flexible and open textured concept, covering:
1. Capability,
2. Intent,
3. Credible possibility of hostile action,
4. The hostile action itself.
A hybrid risk is a category of internally assessed exposure within an entity’s legal and governance framework, arising when multi-vector hostile activity interacts with the entity’s vulnerabilities and regulatory obligations, creating the potential for concurrent adverse effects across multiple domains, including legal, operational, financial, reputational, and compliance, that may impede the achievement of statutory, supervisory, or corporate objectives. Its legal significance is derived from duties of care, diligence, and risk-based compliance imposed on the entity by sectoral legislation, regulatory authorities, and internal governance standards.
The terms hybrid threats and hybrid risks belong to distinct conceptual orders within legal analysis, regulatory doctrine, and risk governance methodology. Although they arise from the same empirical phenomena, they must not be confused.
A hybrid threat is a capability attributable to hostile actors. A hybrid risk refers to the assessment of potential adverse effects within the risk and compliance architecture of an entity or system. This distinction is necessary to preserve analytical clarity and to ensure coherent regulatory interpretation.
The term risk belongs to the lexicon of governance, compliance, and regulatory doctrine. It describes the uncertainty affecting the objectives of an entity. Risk classification depends on an entity’s statutory obligations, operational mission, regulatory environment, and corporate objectives.
A threat concerns the adversary, its intentions, capabilities, and actions. A risk concerns the entity, the potential deviation from legally mandated or self-defined objectives.
Hybrid threats and hybrid risks are not synonymous and should not be treated as interchangeable, although some laws and policies do treat them as such.
Maintaining the distinction is important for legal clarity. It ensures that the adversary’s coordinated hostile conduct is assessed within the frameworks designed for national and supranational security, and that an entity’s exposure to the consequences of such conduct is assessed within the frameworks designed for risk management, compliance, and supervisory review.
The evolution of hybrid threats.
The earliest uses of the term hybrid threat emerged within the military, where it described threats that combined conventional military operations with irregular tactics. At this stage, the concept had a kinetic orientation, reflecting concerns that hostile actors might combine traditional combat with asymmetric methods such as guerrilla operations or terrorism.
The doctrinal focus remained tied to the law of armed conflict and the definition of armed attack. The legal focus was on the threshold question of when a state could invoke self-defence, and on the permissibility of countermeasures.
As developments in cyber operations, disinformation, and economic instrumentalisation expanded the adversarial toolbox, the term hybrid threat moved beyond the battlefield. It began to mean the coordinated use by hostile actors of diverse non-kinetic instruments designed to remain below the threshold of armed conflict, but capable of producing strategic effects.
This shift broadened the applicable legal framework. Hybrid activity increasingly intersected with areas such as public international law governing interference in internal affairs and human rights. The evolution of hybrid threats was a structural change in the way harm could be inflicted, because of the erosion of the distinction between military conflict and peacetime coercion.
With the expansion of the threat landscape, supranational entities adopted the hybrid threat as an organising category for corporate governance. Security and defence doctrines began to describe hybrid threats as coordinated, multi-dimensional hostile activities aimed at destabilising democratic institutions, critical infrastructures, supply chains and societal trust. The legal significance of this reframing lies in the integration of hybrid threats into policy areas that fall squarely within cybersecurity, data protection, financial regulation, energy security, transport security, and the resilience of essential and critical entities. Hybrid threats were no longer viewed exclusively as matters of foreign and defence policy, and became legally relevant to the construction of both regulatory frameworks.
This broadened legal understanding reflects the realisation that complex societies present multiple interdependent vulnerabilities. Hybrid methods exploit precisely these complex interdependencies. Cyber operations can undermine financial stability. Disinformation can erode electoral integrity. Legal harassment or regulatory manipulation can weaken market confidence. Supply chain coercion can compromise essential services. The hybrid threat matured into a concept describing deliberate exploitation of systemic vulnerabilities through coordinated hostile activity. Legally, this made hybrid threats relevant to foreign interference law, criminal law, cybersecurity obligations, regulatory governance, sanctions regimes, and civil liability.
The evolution of hybrid threats produced a corresponding evolution in the legal obligations. If hybrid threats exploit structural vulnerabilities, then countries and organizations are expected to adopt frameworks that ensure resilience across interconnected domains. This expectation has been embedded in multiple laws and regulations requiring countries to establish national cybersecurity strategies, national competent authorities, coordinated disclosure frameworks, crisis management arrangements, and enhanced cross-border information sharing mechanisms. The evolution of hybrid threats has reshaped the allocation of responsibility between countries and organizations.
An important step in the evolution came with the recognition that private entities play a structural role in resilience. As hybrid threats often target network and information systems operated by private actors, as well as data, financial services and digital platforms, the legal framework began to impose risk-based obligations on private operators. These obligations were not conceptualised as responses to a specific threat actor, but as requirements to manage the risks arising from a hybrid threat environment. The evolution of the hybrid threat transformed corporate governance and compliance expectations.
The evolution of hybrid threats has also required a reconceptualisation of resilience as a legal principle. Resilience moved from a policy objective to a legal requirement embedded in legislation governing critical infrastructure, cybersecurity, data protection, financial stability and essential services. The hybrid threat environment became a driver for the codification of resilience obligations, shifting states and regulators from reactive to anticipatory corporate governance. The threat landscape’s evolution produced a legally significant evolution in risk interpretation, requiring organisations to model scenarios that deliberately combine multiple hostile vectors in a coordinated manner.
Why is a drone incident at an airport or rail facility a hybrid threat?
It begins with a drone that crosses into the controlled airspace of an airport, or the secured perimeter of a railway hub. A single cheap object becomes an expensive multi-domain disturbance.
The drone’s entry into restricted space triggers the legal requirements that apply when there is danger to human life. Aircraft must hold, divert, or ground. Trains may stop, slow, or be rerouted. The carefully orchestrated choreography of transport collapses into emergency protocols.
Then, cybersecurity steps in. Every drone is treated as a potential vector for digital intrusion, a reconnaissance platform scanning communication frequencies, a device capable of intercepting or jamming signals. Cybersecurity legislation becomes relevant, because in a hybrid incident the physical intruder may be the first layer of a deeper multi-domain attack.
Critical infrastructure law creates obligations. Airports and railway hubs are designated as essential nodes whose disruption has material consequences across borders and economies. A drone, by its mere presence, threatens continuity of service. This instantly transforms the incident into a matter of national and supranational concern. Critical entity obligations surface, incident reporting thresholds activate, and all stakeholders, including supervisory authorities, contractual counterparties, and citizens, expect rapid, documented, risk-based responses.
Criminal law must be considered too. The drone’s origin, operator and intent are unknown. The ambiguity itself is a legal problem, because attribution is uncertain. Law enforcement must treat the drone as a potential instrument of sabotage, surveillance, or terrorism.
The cascade then moves into the economic domain. A suspended runway or halted rail corridor creates immediate financial losses. There are grounded aircraft, stranded passengers, delayed freight, contractual breaches, compensatory duties, insurance exposure. An operational pause becomes an economic shock.
The reputational domain follows. Public confidence in the safety of national infrastructure is fragile. The image of a drone moving unchallenged above an airport or rail line becomes a symbol of vulnerability. Boards of directors and senior management are questioned for perceived failures in surveillance, detection, preparedness and resilience.
Regulatory interdependence is the next problem. One drone activates aviation law, rail law, cybersecurity law, critical-infrastructure regulation, data protection obligations, insurance frameworks and criminal statutes simultaneously. No single function can contain the event. No single legal regime can define it.
The incident is a hybrid risk because a simple, cheap drone simultaneously challenges several legal orders, stresses multiple regulatory obligations, and exposes structural vulnerabilities that transcend disciplines.