Safeguarding society’s digital backbone: Why critical infrastructure is a matter of national security

As Europe faces a rapidly evolving cyber threat landscape, the systems that keep societies running have become prime targets. Safeguarding critical infrastructure is now essential to maintaining national security.

Europe’s threat landscape has shifted.

Today’s attackers rarely target the most fortified systems first. Instead, they exploit the weakest links – often found in critical infrastructure. As energy grids, water systems, logistics networks, and healthcare services become increasingly digitized and interconnected, they are also more exposed.

Cyberattacks on critical infrastructure are increasing across Europe, particularly in energy, healthcare, transport and other essential services.

The EU Agency for Cybersecurity (ENISA) reports a sharp rise in cyber incidents targeting critical infrastructure operators, with availability disrupting attacks and ransomware among the top threats affecting essential services across the EU¹. A 2025 European cybersecurity assessment shows that reported security incidents across the EU rose by 18% in a single year, with healthcare, energy and transport identified as the most heavily impacted sectors, and an overall 69% increase in critical infrastructure incidents since 2020². Together, these government level findings confirm that the risks are both real and accelerating.

Operators of critical infrastructure are increasingly on the front line. Building cyber resilience therefore requires more than technical controls; it requires clear governance based on the strategic importance of these systems to societal stability and national security. Decisive action is needed across regulation, leadership, and collaboration.

A global threat, affecting Nordic security

Recent incidents underline that the Nordic region is not immune. In September 2025, pro-Russian hacktivists launched coordinated DDoS campaigns against Finnish government websites and political parties³.

In Denmark in 2023, cyber criminals launched a simultaneous attack on 22 energy companies in Denmark, compromising large parts of the country’s energy infrastructure. The attack – the country’s largest ever cyber incident – appears to have been carried out by hackers linked to Russian intelligence⁴.

Just a year later, the Tureby-Alkestrup Waterworks were targeted by attackers who manipulated water pressure, causing pipes to burst and leaving hundreds of homes without water. Danish intelligence later confirmed the attack was part of a broader campaign targeting European essential services⁵.

In Norway, a cyber-attack in April 2025 compromised the control systems of the Risevatnet dam in Bremanger, Western Norway. Hackers exploited a weak password to access the dam’s remote-control interface and opened a water discharge valve to full capacity for four hours, releasing hundreds of liters of water per second. Norway’s Police Security Service (PST) publicly attributed the attack to pro-Russian cyber actors. "The purpose of this type of action is to contribute to influence, as well as create fear or unrest in the country's population, said PST chief Beate Gangås⁶.

These are not isolated incidents. According to DNV Cyber’s How Cyber Resilient is Norway report, 66% of critical infrastructure professionals in Norway say they have seen an increase in cyberattacks over the past few years. Fifty nine percent say their industry is dealing with constant low-level attacks on their systems from foreign states.

Exploiting supply chain vulnerabilities

Critical infrastructure organizations are not the only targets. Attackers increasingly exploit complex supply chains, including vendors and third-party service providers with network access. In Sweden, a data breach at IT provider Miljödata in August 2025 led to system outage across around 200 municipalities, exposing employee data and highlighting how a single supplier can become a systemic risk.

Our research finds that Norwegian critical infrastructure executives have far less confidence in the resilience of their suppliers – both their immediate suppliers and subsequent tiers – than their own organization. Only 40% are confident in their immediate supply chain and only 38% are confident in the lower-tier operators (e.g. fourth and fifth parties). The supply chain can be the soft underbelly providing attackers with alternative pathways into critical infrastructure.

A Nordic perspective on infrastructure vulnerability

Finland’s comprehensive security model makes vital societal functions a shared responsibility across government, industry and civil society. Applied to cyber, this approach explicitly recognises critical infrastructure operators as part of national resilience. Elements of Finland’s approach have now been adopted into EU level strategies⁴.

Across the Nordic region, military cybersecurity capabilities are generally strong. Water utilities, healthcare systems, and local logistics hubs vary widely in cyber maturity. This decentralization creates blind spots that adversaries actively exploit. Similar patterns exist across other Nordic countries, where critical systems are often managed by a mix of public and private actors with differing capabilities and responsibilities.

What needs to change

Cyber resilience must start with clear recognition of what is critical and governance must reflect importance to society and national security. Nordic countries need decisive action across regulation, leadership, and collaboration.

Strengthening resilience through regulation and innovation

The European and international cybersecurity regulatory landscape has undergone rapid transformation to strengthen resilience in the face of sophisticated cyber threats. EU frameworks such as the NIS2 and the Cyber Resilience Act (CRA) provide a foundation for improving cybersecurity across sectors, but compliance alone is not sufficient. Resilience must be strengthened through risk management: investments in advanced threat detection, regular security testing, and incident response plans must go beyond compliance and be exercised, not merely documented.

The role of leadership in cyber preparedness

Leadership is central to preparedness. CIOs and senior executives must treat cybersecurity as a strategic, board level risk, translating technical vulnerabilities into operational and societal consequences. In the public sector, resilience depends on effective coordination across ministries, agencies, and municipalities, supported by sustained political commitment and cross border cooperation.

Building trust in the digital ecosystem

Trust is the cornerstone of any digital society. As critical infrastructure becomes more interconnected, the need for trusted relationships between suppliers, operators, and regulators becomes a prerequisite for resilience. This includes robust threat-intelligence sharing, harmonizing standards, and ensuring that cybersecurity requirements are embedded into procurement processes and supplier governance.

Nordic countries can lead the way by establishing regional platforms for collaboration, bringing together public and private stakeholders to exchange insights and coordinate responses. An example of this is the Nordic Cyber Healthcare Forum, comprising healthcare leaders, CISOs, risk managers, regulators, and technology experts with a shared focus on strengthening cyber resilience.

These platforms show how practical cooperation can reduce fragmentation and improve collective response to cyber threats, while also serving as a model for others.

Investing in resilience

Securing critical infrastructure requires sustained investment. For operators of critical infrastructure, this means recognizing their role in national security. Visibility into supply chains, proactive threat detection, and coordinated incident response must become standard practice. Investing in resilience today is the only way to avoid disruption tomorrow.

This shift is also reflected at the alliance level. At the July 2024 NATO Summit, Allies agreed to establish a new Integrated Cyber Defence Centre at SHAPE in Mons, Belgium. One year later, at the June 2025 summit in The Hague, NATO member states committed to raising defence spending to 5% of GDP, explicitly recognizing cybersecurity and critical infrastructure protection as integral to collective defence.

DNV welcomes initiatives that strengthen cybersecurity investment and awareness. Protecting critical infrastructure is ultimately about protecting society itself. As cyber-attacks grow in volume and sophistication, decisive action and effective collaboration between governments, operators and industries are no longer optional, they are essential to national security.

Sources: