Cybersecurity in the context of geopolitical changes: From protecting critical infrastructure to tool dependencies
From the perspective of a security analyst, whether cyber or otherwise, the year 2026 began with a bang. The US military's seizure of Venezuelan President Nicolás Maduro shook the world and raised many questions and several causes for concern. It is now confirmed that the US interprets international law in its own way to protect its interests. The possible use of previously unknown cyber capabilities by the US means that this kidnapping case is forcing operators of critical infrastructure in other countries to examine their own resilience.
Other geopolitical events – some on the radar for years, some only briefly in the news – should also be seen as warning signs for European critical infrastructure (KRITIS). These include attacks from abroad against power supplies, increased Chinese activity against Taiwan and its semiconductor production, and US sanctions against international organizations such as the International Criminal Court.
Critical infrastructure in the crosshairs of state and non-state threat actors
On the night of January 2-3, 2026, it was particularly dark in Caracas. President Donald Trump describes the ability to cause a large-scale power outage as "a certain capability that we [the US] have." US forces were able to operate under cover of darkness because the capital's power supply, a critical infrastructure anywhere in the world, was allegedly disrupted by a cyberattack.
But on the other side of the Atlantic, residents of southwest Berlin also had to do without electricity. It was not a cyberattack, but an arson attack that caused a widespread power outage and demonstrated how unprepared European authorities and operators of critical infrastructure are for a state of emergency. Shortly after the incident was resolved, the German Association of Energy and Water Industries (BDEW) issued a position paper and ten points on the protection of critical infrastructure. Some of these points directly concern those responsible for IT GRC and cybersecurity in companies. For example, the BDEW calls for a reassessment and adjustment of transparency requirements to make it more difficult for potential attackers to find IT security-related information openly on the internet and use it for attacks. At the same time, data protection barriers to the monitoring of critical infrastructure should be reduced in order to deter physical attackers, avert damage, and support investigations with evidence in the event of an emergency.
KRITIS is in the crosshairs of a wide range of threat actors, and IT security must deal with this threat situation. Hardening network edge devices, the Internet of Things (IoT), and OT devices should be a top priority. In production environments (OT) in particular, devices and machines that no longer receive updates but are essential for production can often be found. These must be secured at all costs. The IT supply chain has increasingly become the focus of attackers in recent months and should be subject to greater monitoring by service providers.
Technological dependencies and the search for European sovereignty
The already frosty relations between the International Criminal Court in The Hague and the US were further strained in 2025. The US is not a signatory to the Rome Statute and does not recognize the authority of the court. When the court's chief prosecutor, Karim Khan, launched an investigation into the Israeli prime minister and a panel of judges issued an arrest warrant for him, the US government imposed sanctions on Khan and several judges. US companies were no longer allowed to provide services to the individuals concerned. This also affected access to Microsoft accounts. Without further ado, Microsoft Outlook had to be replaced by Proton Mail from Switzerland. US sanctions against European individuals, companies, or entire states could therefore have serious consequences that can only be countered with sovereign European products and services.
The penetration of the European market with Microsoft products and services can probably be seen as the most serious vendor lock-in. However, dependencies on other technologies should not be underestimated either. These include 5G infrastructure from China, some of which is provided by Huawei and ZTE, but also Taiwanese semiconductors, which are used in many components, including in the core telecommunications network. A Chinese war of aggression against Taiwan would have an impact on both the security of our 5G infrastructure – assuming NATO countries would stand by Taiwan – and the stable supply of semiconductors from TSMC and others. Here, too, Europe can only prevent a worst-case scenario by developing and disseminating independent production chains and IT services.
The responsibility for this lies not only with politicians, who must of course create the framework conditions for the EEA as a business location, but also with end users, who must themselves generate demand for IT solutions produced and operated in Europe. France has just taken a significant step in this direction and is planning to migrate government users from Microsoft Teams to the sovereign solution Visio. The state government of Schleswig-Holstein can also be seen as a pioneer with its separation from Microsoft Office and the planned replacement of Windows.
Taiwan expects a Chinese invasion in 2027. The Trump administration will still be in office then. So the second-best time to work on European sovereignty would be today.
Author: Tobias Philipsen