Europe’s critical services are under pressure. Some of it is visible, like drones over airfields. Some is quieter, like the 6,000 hostile attempts per hour against Danish water systems.
Neither is random. Both are part of a growing pattern of hybrid activity that probes the gaps between physical and digital defences.
In May 2023, 22 Danish energy companies were compromised in a coordinated cyberattack. The sector’s response involved isolating systems and rerouting operations. It was a serious reminder that one missed login can have national consequences.
Now, Denmark’s water utilities are asking for a national plan after reporting constant digital pressure and near-daily hybrid attacks. DR News
The threat is not limited to Denmark. It is a Europe-wide trend and a sign that essential systems are being tested through the people, tools, and accounts that power daily operations.
From airspace to tap water: one pattern, two headlines
Denmark’s water sector says it faces daily hybrid attacks and is asking for a clear, coordinated plan because water is “our most critical resource.” That is not an isolated warning. It is the same pressure we saw when drones disrupted airspace and triggered ministerial responses across the region. Both stories are signals of a steady campaign that probes for small gaps before something larger follows.
Sources: DR on daily hybrid attacks against water utilities; FT on Danish drone incidents and government response.
FT: https://www.ft.com/content/4c03d08e-4a05-4d98-8d09-2927c74a211a
Hybrid attacks begin with people
These campaigns do not always start with critical systems. They start with everyday access. A shared password for a supplier portal. A contractor login to a telemetry dashboard. A reused credential on a forgotten SaaS tool.
Each of these can be the first step toward control. And each of them often sits outside Single Sign On, beyond the view of central IT.
This is what makes access the real frontline. The same tactics that test runways also test your identity perimeter. And without complete visibility, attackers find space to move.
Why access security is the frontline
Perimeter tools are necessary, yet modern estates span hundreds of cloud services and supplier portals where central identity does not always reach. Single Sign On improves experience and policy enforcement, but it does not cover every service and can become a single point of failure when used alone. The edge is where attackers start.
The fastest way to strengthen cyber resilience is to close the gaps in identity and access:
- Enforce unique, high-strength passwords on all accounts, not just the major ones
- Apply multi factor authentication everywhere, even on non-SSO logins
- Give administrators a full access inventory, so they can revoke rights in seconds, not days
- Use encrypted, zero knowledge vaults that ensure only the user can see their credentials
These are the foundations of access control that work. And they are directly aligned with NIS2, the EU directive that puts identity security and access traceability at the heart of cyber strategy.
NIS2 puts resilience, identity and access under the spotlight
NIS2 is Europe’s shift from compliance by checkbox to resilience by design. It expands who is in scope and elevates identity and access from an IT detail to a board-level obligation because a single access lapse can ripple into society through outages, safety issues and loss of trust.
What NIS2 expects in practice:
- Clear management responsibility for cyber risk, access control and incident reporting
- Minimum measures that touch daily identity work, including multi factor, strong cryptography, asset and access inventories, vulnerability handling, staff training and continuity planning
- Real consequences for failure, with significant fines and explicit management accountability
For critical infrastructure, the message is unambiguous. Identity is now critical infrastructure in its own right.
References: NIS2 explainer and sector guidance; Eurelectric on systemic risk in the power sector.
What to prioritise next
If you lead or secure a critical organisation in Europe, start with access. Here is where to focus:
- Map all identities and shared accounts, across IT and business SaaS
- Extend protection beyond SSO with enterprise password management
- Automate 2FA wherever possible, especially on third-party and contractor tools
- Build auditable trails that support reporting, revocation and recovery
- Store credentials in encrypted vaults anchored to user devices, not infrastructure
Hybrid threats will not slow down. The Danish water story, the energy campaign in 2023 and the recent drone incidents are not separate threads. They are one pattern. Hybrid pressure is designed to be cheap, quiet and cumulative. It seeks out small gaps that lead to large consequences.
