Romania Pays the Cyber Price for Backing Ukraine. Where Is the EU?

Ransomware has become a preferred instrument in Russia’s hybrid warfare playbook, allowing hostile actors to strike at the heart of European societies without firing a single shot. Recent breaches of Romania’s water authority, a major coal‑fired power plant and a key oil‑pipeline operator illustrate how these groups time attacks to coincide with political decisions that support Kyiv. By disrupting essential services, they sow economic uncertainty and erode public confidence, reinforcing Moscow’s broader strategy of destabilizing its most vocal allies in the region.

The EU’s cyber‑sanctions framework, introduced in 2019, was designed to impose financial and reputational costs on actors who weaponize cyberspace. In practice, however, it has been applied sparingly—only 17 individuals and four entities have been listed in seven years—while thousands of offensive operations continue unabated. A key structural flaw is the unanimity rule in the Council, which enables any member state to veto a designation. This procedural hurdle has delayed responses to high‑profile incidents such as NotPetya and the Bundestag breach, diluting the deterrent effect and signaling a lack of collective resolve.

To restore credibility, the EU must overhaul its sanctioning process, moving to qualified‑majority voting and accelerating the designation pipeline. Coupling sanctions with rigorous enforcement of the NIS2 Directive would raise the baseline of cyber hygiene across critical sectors, closing the low‑security gaps that ransomware groups exploit. Regional cooperation—exemplified by the trilateral alliance of Romania, Moldova and Ukraine—can further streamline threat intelligence sharing and coordinate swift punitive actions. Together, a more decisive sanctions regime and stronger defensive standards can increase the cost of Russian‑linked cyber aggression, safeguarding Europe’s infrastructure and its economic competitiveness.