Hamburg Cyber Conference Tackles Russian Atta
Germany hosts a key cybersecurity conference amid rising threats.
Model Diplomat8 min readEurope

Hamburg's Cyber Conference Meets a Europe Under Russian Fire
Germany convenes the Shaping Cybersecurity Conference 2026 as Russia-linked cyber and sabotage operations against EU critical infrastructure hit a post-Cold-War high — and Europe's response remains fragmented.
When Germany's Federal Foreign Office, the Institute for Peace Research and Security Policy at Hamburg (IFSH) and ESMT's Deep Institute open the Shaping Cybersecurity Conference 2026 in Hamburg and Berlin on July 9–10, the ambient noise around them is louder than the agenda. Russia-linked operators breached a Norwegian dam in April 2025, torched a Warsaw–Lublin rail viaduct on the Ukraine supply line on November 16, 2025, and, according to
The Economist, knocked out 30 Polish energy facilities on December 29 as temperatures plunged. The thesis of this conference — that Europe still lacks a joint attribution and response mechanism worthy of the threat — is now the operational fact of European security, and the EU's new Cyber Solidarity Act is being stress-tested in Ukraine before Brussels has agreed how to use it at home.
The event runs under Chatham House Rule, but the political message is not confidential. Berlin is using an academic conference to advance a policy shift it cannot yet push through the EU as a package: faster joint attribution, an "active cyber defence" doctrine, and a hard link between civilian cyber resilience and NATO's Article 5 threshold.
The threat picture Berlin is briefing against
The numbers are unusually specific for a policy field that hides behind classification. In his June 2025 keynote at the previous edition, Minister of State Florian Hahn told delegates that cyberattacks on German companies, state institutions and infrastructure rose by more than 55% in the first months of 2025 versus 2024. The European Parliamentary Research Service, in its January 2026
Cybersecurity Act Revision briefing, puts the 2024 EU-wide increase in cyberattacks at 150%.
The European Repository of Cyber Incidents (EuRepoC), the German-Estonian consortium funded in part by the Federal Foreign Office, logged 179 politically-relevant operations against EU targets in 2025 — fewer than the 211 in 2024, but affecting more organisations (388 versus 357). Its authors, led by SWP's Annegret Bendiek, read that as consolidation, not de-escalation: single operations now cascade through supply chains and managed service providers. Germany was the single most targeted member state with 17 tracked incidents, ahead of France, Italy and Poland.
The composition of the threat matters more than the count. EuRepoC found disruptive elements in 69% of operations attributed to Russian origin, up from 55% a year earlier — a 14-point jump that Norway's PST security service chief Beate Gangaas, speaking in August 2025, said was visible in the field. The April 2025 intrusion by Z-Pentest at the Lake Risevatnet dam — where a valve was held open for hours — is the case Norwegian officials cite privately as the near-miss that could have crossed a red line.
Why this conference, this year
The Federal Foreign Office is not neutral ground. It is the lead ministry in Germany's cyber-attribution procedure, and — under Foreign Minister Johann Wadephul in the new CDU-SPD coalition — has secured a coalition commitment to build "active cyber defence" capacity, including a possible constitutional amendment first floated by his predecessor Annalena Baerbock at the first NATO Cyber Defence Conference in Berlin.
Two developments frame the July 9–10 agenda more precisely than any conference blurb.
First, the EU Cyber Solidarity Act — Regulation (EU) 2025/38 — entered into force on February 4, 2025 and, per
EUR-Lex, required ENISA to publish interoperability guidelines for cross-border cyber hubs by February 5, 2026. Those hubs, the EU Cybersecurity Reserve, and the European Cybersecurity Incident Review Mechanism are the operational scaffolding Berlin wants to weaponise. On June 15, 2026, the Council took the first live test:
Implementing Decision (EU) 2026/1354 authorised deployment of the Reserve to Ukraine, invoking the Cyber Solidarity Act's third-country provisions and citing Russia's targeting of the KA-SAT network and Ukrainian rail as justification. Kyiv, in other words, is now the pilot programme for Europe's own crisis mechanism.
Second, the Commission's January 20, 2026 Cybersecurity Act 2 (CSA2) proposal reopens ENISA's mandate and — for the first time — creates a horizontal framework for non-technical supply-chain risk, aimed squarely at foreign-controlled vendors subject to extraterritorial law. Rapporteur Marketa Gregorova (Greens/EFA, Czechia) is expected to steer the file through the Industry, Research and Energy committee this autumn. Whatever consensus emerges in Hamburg will feed the Council position.
The attribution problem the Germans are trying to fix
Attribution is the pivot. In its September 2024 Joint Cybersecurity Advisory with the FBI, CISA and NSA, Germany's BfV publicly identified GRU Unit 29155 — the same team linked to the 2018 Salisbury Novichok attack — as running a cyber unit targeting NATO and EU critical infrastructure since 2020. Estonia followed with its own attribution of the 2020 compromise of three ministries. Yet, as EuRepoC noted in its 2025 balance, only one 2025 incident — the intrusion at the Czech Foreign Ministry — triggered a joint EU-level political response, alongside earlier attributions of German and Czech incidents in 2024 and the UK's April 2025 sanctions on GRU actors. "Even if the statement can be understood as an attempt to present a united European front," Bendiek and co-authors write, "it reveals more fragmentation than cooperation."
The Cyber Intelligence Institute's Prof. Dennis-Kenji Kipker, who will chair a July 10 roundtable in Berlin, has spent the past year arguing that Europe's cyber defence has structural gaps — most visibly the absence of a common attribution standard and a slow-moving certification framework under the existing Cybersecurity Act. That framework's stalled uptake is the specific problem CSA2 tries to solve.
Berlin is also exporting the model outward. Hahn's June 2025 speech confirmed the launch of a "Cyber Diplomacy Network for the Western Balkans" — Germany treats Serbia, Montenegro, North Macedonia and their neighbours as a Russian cyber frontline. The Ninth Tallinn Mechanism meeting statement, issued jointly with allies, extends the same logic to civilian cyber capacity-building in Ukraine.
The proxies problem — and why NATO's Article 5 threshold is quietly moving
The most consequential shift in 2025 was not a new tool but a new adversary structure. SWP's Jakob Bund argues in Hand and Glove that the boundary between Russian state cyber operations and "hacktivist" or criminal groups has collapsed. Operation Eastwood, coordinated by Europol and Eurojust between 14 and 17 July 2025 across 11 European countries and the US, dismantled parts of the NoName057(16) DDoSia infrastructure and produced arrests in France and Spain — the first serious dent in a group European agencies now treat as a state proxy.
The physical side of the same campaign is more dangerous. On November 16, 2025, Polish PM Donald Tusk called the Warsaw–Lublin rail explosion "an unprecedented act of sabotage"; two Ukrainian suspects believed hired by Russian services escaped to Belarus. In January 2026,
Lithuanian prosecutors charged a multinational group with GRU-directed arson against a supplier of radio scanners to Ukraine's army. BBC reporting confirmed the July 2024 DHL parcel plot — devices ignited at Leipzig and Birmingham as a Russian test run for cargo flights to North America — with 22 people in custody in Lithuania and Poland by early 2026.
That escalation is doing to European policy what years of white papers could not. As analyst Ulrike Franke told NPR in February 2026, a fatal railway derailment linked to Russia "may be entering Article 5 territory." Bundeswehr Inspector-General Carsten Breuer's line, cited by
Konrad-Adenauer-Stiftung, is now standard doctrine in Berlin: "Hybrid attacks on us in Germany are reality, every day."
What the conference will actually decide — and what it won't
Nothing binding. But three things are being socialised in Hamburg this week that will shape EU cyber policy through 2027.
First, faster joint attribution. Berlin wants EU and NATO frameworks to replicate the German inter-ministerial procedure Hahn described in 2025 — with the goal of naming a state operator within days, not months, and coupling attribution to Cyber Diplomacy Toolbox sanctions and to the EU Cybersecurity Reserve's 48-hour response requirement under Article 19 of Regulation 2025/38.
Second, active defence with legal cover. The coalition agreement commits to a Germany-wide architecture combining the BSI, Bundeswehr, federal and state police, and private CERTs. The unresolved question — whether German constitutional law permits "hack-back" — will not be settled at IFSH, but the political ground is being prepared.
Third, decoupling critical ICT supply chains. CSA2's non-technical risk framework is the vehicle; the target, per the European Parliament's January 22, 2026 resolution, is "foreign-controlled vendors" in 5G and 6G — code, in practice, for Chinese equipment and, increasingly, for US managed-services providers exposed to extraterritorial demands.
What it will not resolve: the growing transatlantic gap. Singapore's RSIS this year characterised the 2026 US National Cyber Strategy as "aggressive and isolationist," authorising responses beyond the cyber realm and drawing private firms into offensive operations. That posture is orthogonal to the German-EU model of coalition attribution, judicial process and civilian resilience. Hamburg's agenda quietly assumes Europe will have to run its cyber policy without confident US alignment for the first time in two decades.
Diplomat View
The conference is not the story. The story is that the July 9–10 gathering is the last major public forum before the EU Council formalises its position on CSA2 in the autumn — and Berlin is using it to lock in a specific answer to a question Europe has ducked since ViaSat in February 2022: what counts as a cyber attack worth a collective response. The evidence points one way. Russian doctrine has moved from espionage to disruption; the operator base has moved from GRU officers to hybrid proxies; and the target set has moved from ministries to dams, rails and DHL warehouses. Without a joint attribution standard carrying automatic legal consequences, Europe's Cyber Solidarity Act remains what it is today: a Ukraine subsidy programme with an EU letterhead. Two developments would change that forecast: a Council-level joint attribution to a specific 2026 incident before December, and the CSA2 non-technical risk framework surviving ITRE without being gutted by member-state carve-outs. If either fails, the next serious sabotage incident on NATO soil will be met with national, not European, retaliation — and the Article 5 debate moves from the conference circuit to the North Atlantic Council chamber.
What to watch next
- July 10, 2026 — Kipker's Berlin roundtable on structural deficits in Europe's cyber defence closes the conference; the public read-out on joint attribution mechanics is the first signal of whether Berlin's consensus-building worked.
- Autumn 2026 — Council general approach on the
Cybersecurity Act 2 and NIS2 amendments; the fate of the non-technical supply-chain framework decides whether Chinese and US vendor risk is treated as equivalent.
- February 5, 2027 — Commission's mandated report to Parliament and Council on Cyber Solidarity Act implementation; the first data on whether the EU Cybersecurity Reserve moved beyond Ukraine.
- Ongoing — Any Russia-attributed incident on NATO territory causing civilian casualties. As NPR's sources conceded, that is the moment the Article 5 threshold stops being an academic conference topic.
Discover more

US Politics
SNAP Food Assistance Faces Legal Challenges
In 2026, SNAP faces stricter eligibility rules and mounting legal challenges, threatening food assistance for the millions of Americans who rely on the program.

Global Politics
Xi Jinping Calls China-Russia Ties 'Precious'
Xi Jinping's description of China-Russia ties as 'precious' reflects a strategic imbalance, with Beijing dictating terms in the partnership.
India
Rajnath Singh's Durga Squad for 2026 Polls
Rajnath Singh's Durga Squad promised women's safety in Bengal but has since disappeared from the agenda, revealing BJP's true priorities.

Global
US Reinstates Iran Blockade, Splits Hormuz
US reinstates naval blockade of Iran on July 14, ending 26-day ceasefire. Strait of Hormuz splits into competing toll lanes as traffic collapses to 23 ships daily. 60-day war-powers clock ticks toward Congress.