Nordic-Baltic security in a sea of allies: Sweden’s role in countering hybrid threats in the Baltic Sea region

Sweden and Finland’s accession to NATO in 2024 has completed the Alliance’s northern arc, effectively transforming the Baltic Sea into what is often described as an “allied lake.” Yet the geostrategic gains of the Alliance have not eliminated the region’s exposure to sub-threshold aggression, especially against critical infrastructure in the energy, data, communications, and transportation sectors. As Russia continues to probe NATO’s resolve with hostile actions calibrated to stay below the threshold of armed conflict, the core challenge for Sweden—as a Baltic littoral state and a NATO member—and for the Alliance more broadly is to extend deterrence and defense to the sub-threshold domain. Failing to close this gap risks signaling political hesitation to Russia, which, in turn, might increase the likelihood that hybrid pressure escalates into a conventional conflict.

Geostrategic shift after recent NATO enlargement

Sweden and Finland’s accession to NATO closed the long-standing strategic gap in the Baltic Sea region. With nearly the entire northern coastline—from Norway to the Baltic states—now within NATO’s defense perimeter, only Russia’s Gulf of Finland coastline and the Kaliningrad exclave remain outside of the Alliance’s territory. This shift significantly strengthens NATO’s ability to reinforce the Baltic states and secure vital lines of communication in the entire region. Central to this new posture is Sweden’s Gotland island, whose location at the geographic center of the Baltic Sea gives NATO a decisive position from which to influence regional air and maritime movement and to counter Russia’s anti-access/area denial (A2/AD) capabilities, preventing the eastern Baltic from being sealed off militarily.

These strategic gains extend westward to the Danish Straits, the critical maritime chokepoints linking the Baltic and North Seas. With Sweden’s accession, NATO now controls both sides of these passages, enhancing the Alliance’s freedom of maneuver and safeguarding naval reinforcement routes. This consolidated control simultaneously restricts the operational flexibility of Russia’s Baltic Fleet, reinforcing NATO’s dominance across the broader Baltic maritime space.

Sub-threshold aggression in the Baltic Sea region

These geostrategic shifts in the Nordic-Baltic security map favor NATO and were met with an asymmetric response from Russia. Hesitant to use conventional military power against the enlarged Alliance, yet willing to test NATO’s readiness and political cohesion, Russia adapted to operate within the “allied lake” by employing covert hybrid tactics that exploit sub-threshold seams in NATO’s deterrence and defense posture. Russia’s goal is to relativize and downplay the Alliance’s strategic advantage in the Baltic Sea region. Russia bets that its strategy of persistent sub-threshold pressure can convince the Nordic-Baltic societies that NATO is weak, unready, and unwilling to defend its member states, while signaling that Russia can retain the initiative within the so-called “NATO lake.”

Russia’s hybrid toolkit includes, but is not limited to, sabotage against undersea energy, data, and telecommunications cables; recurrent airspace violations using military jets, drones, and meteorological balloons; and massive disruptions to civilian aviation through Global Positioning System (GPS) jamming and spoofing. Russia’s hybrid attacks are designed to exploit the characteristics of the Baltic Sea and its surroundings as a densely networked area, with vital infrastructure such as pipelines, cables, liquified natural gas terminals, ports, and airports connecting the littoral states to form an integrated energy, communications, transportation, and trade hub.

As the sub-threshold contest formally unfolds in a peacetime setting where traditional military superiority offers limited deterrent value, NATO’s geostrategic advantages resulting from the recent enlargement do not seamlessly translate into operational leverage against Russia’s hybrid strategy in the Baltic Sea region.

The Alliance has recognized the problem and has taken steps to improve information sharing, coordination, and situational awareness. This is demonstrated by the recent launch of the Baltic Sentry maritime and Eastern Sentry multi-domain activities, the creation of a Critical Undersea Infrastructure Network, and the establishment of a Maritime Centre for the Security of Critical Undersea Infrastructure within NATO’s Maritime Command in Northwood, United Kingdom. Despite progress, NATO still lacks a comprehensive sub-threshold deterrence and defense architecture that would enable swift responses to hybrid attacks and also serve to deter future disruptions.

Challenges with sub-threshold aggression

Sub-threshold attacks are designed to blur the lines between peacetime incidents and deliberate hostile actions, complicating the ability of NATO and littoral states to calibrate their responses. It is a combination of structural, legal, political, and technical constraints that create the gray zones that Russia exploits.

Sabotage of critical infrastructure in the Baltic Sea almost always occurs in environments where determining responsibility is slow, uncertain, and highly contestable. Underwater pipelines and data cables lie in complex maritime traffic zones where accidental damage can look nearly identical to deliberate interference, making attribution analysis lengthy and often inconclusive. Russia also relies on commercial vessels and proxy actors—mainly from its shadow fleet—to launch hybrid operations, as seen recently in sabotage incidents against undersea energy infrastructure, and as suspected in some cases of drone sightings near European airports.

The timing, political context, and type of attacks clearly point to Russia as the mastermind behind them. But because Moscow deliberately sustains this activity below the threshold of open conflict, allies lack the definitive evidence and legal grounding required for a conventional collective response. This creates a cycle of operational hesitation in which Western governments know who is responsible but cannot act decisively without risking escalation, undermining international law, or generating political divisions among NATO capitals. This ambiguity is precisely what Russia seeks to exploit.

Much of the critical infrastructure that has been targeted by sabotage includes undersea pipelines and cables that lie in international waters or exclusive economic zones (EEZ), where states have limited enforcement authority and ambiguous rights to interdict suspicious vessels. Russia conducts hybrid attacks through civilian-flagged or dual-use vessels, exploiting legal regimes that protect freedom of navigation under the United Nations Convention on the Law of the Sea (UNCLOS) and constrain states from boarding or detaining ships without incontrovertible evidence. Despite these legal constraints, Finland has set a significant precedent by boarding the Cook Islands-flagged tanker Eagle S, which had damaged the Estlink 2 power cable connecting Estonia and Finland. Although this did not directly target Russia as the mastermind behind the attack, it at least had ramifications for the proxies executing its plans.

Furthermore, there is an acute issue with multi-actor and inter-agency coordination, which is crucial for countering hybrid threats. In addition to running through several EEZs and international waters, resulting in a single hybrid attack affecting several countries, critical infrastructure is often civilian and privately owned, further expanding the number of actors to consult in the event of an attack. As armed forces, coast guards, intelligence agencies, and private operators act under different mandates, gaps emerge in who can respond, when, and under what legal justification.

Finally, there is a significant technological challenge. Russia’s war of aggression against Ukraine has accelerated its ability to combine inexpensive technologies—unmanned systems, electronic warfare tools, and simple disruptive devices—with covert tactics to generate asymmetric, high-cost effects for Baltic Sea littoral states. Europe is developing cost-effective countermeasures, but these capabilities still lack scale and, more importantly, the defense-industrial and governmental alignment needed to drive rapid operational innovation. Only by testing new technologies early and repeatedly in realistic operating environments can innovators adapt to a fast-evolving threat landscape and stay ahead of Russian tactics rather than merely reacting to them. At the same time, European critical infrastructure often relies on bespoke, complex systems that are difficult to repair quickly and frequently lack redundancy or standardized backup capabilities, making them especially vulnerable to sabotage.

Sweden’s edge in countering hybrid threats

As NATO adapts to this nontraditional security environment, Sweden offers several unique advantages that position it at the center of the Alliance’s hybrid deterrence and defense architecture. While Sweden’s geography provides strategic depth and operational access to allied armed forces that would greatly benefit the Alliance in wartime, it is Sweden’s institutional, societal, and technological foundations that give it leverage in shaping an effective allied response to hybrid threats evolving in the gray zone between war and peace.

First, Sweden’s deeply institutionalized model of civil-military integration, underpinned by its Total Defence concept, offers NATO a framework for improving cross-sectoral, multi-actor coordination in response to hybrid threats. Through this concept, Sweden integrates its armed forces, government agencies, civilian infrastructure operators, municipalities, private companies, and the population into a single national preparedness system. This is precisely the type of model NATO now needs for the sub-threshold domain, in which deterrence hinges on multi-actor inputs for better situational awareness and cross-domain coordination on responses.

Second, Sweden’s advanced, technologically sophisticated armed forces are well designed to operate effectively in environments most prone to hybrid pressure. The Swedish Navy’s shallow-water expertise and underwater domain awareness platforms are uniquely adapted to the Baltic Sea’s complex environment, making Sweden one of NATO’s most capable members for monitoring seabed infrastructure and detecting anomalous maritime activity. Similarly, the Swedish Air Force—with its advanced Gripen fleet, dispersed basing model, surveillance systems, and deep interoperability with other Nordic nations—provides NATO with a regionally integrated situational awareness model that can identify anomalies early and shorten the decision window for response.

Beyond operational capabilities, Sweden’s well-established defense industry and research ecosystem have the potential to give the Alliance a technological advantage in sub-threshold competition. From innovations in integrated surveillance systems to advanced unmanned platforms and cutting-edge electronic warfare solutions, Sweden brings industrial depth and innovation capacity that can directly support NATO’s emerging initiatives on seabed security, autonomous systems, and contested electromagnetic environments.

Third, Sweden’s regional integration with other Nordic and Baltic states creates a multiplier effect for sub-threshold deterrence and defense. Sweden participates in the Nordic Defense Cooperation (NORDEFCO) format, the Joint Expeditionary Force (JEF), the Nordic-Baltic Eight (NB8) group, and numerous trilateral and bilateral arrangements with Finland, Norway, Denmark, and the Baltic states. These formats enable intelligence sharing, coordinated crisis procedure, surveillance, and cross-border military support. The combined effect of these formats is a resilient, interoperable, and politically agile security ecosystem in which hybrid aggression against one state is more likely to be detected, shared, interpreted correctly, and met with a coordinated response.

Finally, Sweden’s political credibility and strategic culture give it influence within NATO’s internal debates on how to deter hybrid threats effectively. Sweden has long prioritized resilience, whole-of-society readiness, and the defense of critical infrastructure as core pillars of national security. As NATO strives to articulate clearer thresholds for hybrid aggression and to improve coordination between civilian and military domains, Sweden can help the Alliance integrate resilience, societal endurance, infrastructure protection, and rapid attribution mechanisms into its broader deterrence and defense model.

Steps forward for Sweden and NATO

As hybrid aggression becomes an increasingly central feature of Russia’s strategy in the Baltic Sea region, Sweden and NATO must adopt a forward-leaning posture that closes the current gaps between NATO’s geostrategic advantages and its sub-threshold operational vulnerabilities. In this area, Sweden and NATO should pursue a dual-track approach: strengthening the capacity to respond rapidly and effectively to hybrid attacks when they occur, while building a credible, Alliance-wide deterrent that raises the political and operational costs of sub-threshold aggression before it occurs. The following recommendations outline priorities for Sweden and NATO as they consolidate an effective hybrid deterrence and defense architecture in the Baltic Sea region.

I. Measures to strengthen the responses to hybrid attacks

1. Increase pressure on Russia’s shadow fleet.
   
   Sweden should work with the European Union (EU) and regional groups to expand the list of sanctioned shadow fleet vessels, blocking their access to services and ports. Sweden, along with other Baltic littoral states, should argue that vessels that are improperly insured or flying under false flags do not have the right of free navigation under UNCLOS. Such vessels can be denied passage near critical infrastructure sites and can be boarded for inspections.
   
2. Create a Nordic-Baltic interagency hybrid-attribution cell.
   
   Sweden could lead efforts to fuse intelligence, maritime surveillance, cyber forensics, and private-sector reporting on suspicious activities close to critical infrastructure sites. The goal is to shorten the time between an incident and a coordinated response. This cell should promote a more flexible interpretation of attribution: when identifying the ultimate chain of command behind an attack is impossible within relevant timelines, NATO and the EU should adopt the principle that proxies can be targeted with diplomatic, legal, or economic consequences. This would help erode the network of intermediaries willing to take risks on behalf of state actors.
   
3. Apply Ukraine’s lessons on operational innovation.
   
   Russia’s war of aggression against Ukraine shows that rapid integration of new technologies can shift an adversary’s cost-benefit calculus. Sweden and NATO should establish mechanisms, such as testing corridors along the Baltic littoral, to accelerate the deployment of unmanned systems, counter-UAS (unmanned aerial system) solutions, distributed sensors, and electronic warfare tools. The keys are modularity, adaptability, and cost-effectiveness, rather than high-end technological excellence.
   
4. Enhance redundancy and standardization of critical infrastructure.
   
   Sweden should advocate within the EU for standardized infrastructure, backup systems, and repair capabilities. Europe’s infrastructure is interconnected but technologically fragmented. The EU should establish a standing capability to conduct urgent repairs after sabotage against critical infrastructure. This would shorten response time, reducing Russia’s ability to generate lasting effects through low-cost attacks. Harmonizing standards and repair protocols could significantly reduce downtime and prevent Russia from exploiting single points of failure.
   
5. Expand joint situational awareness and incident response exercises.
   
   Sweden can lead recurring exercises focused on hybrid scenarios such as cable failures, GPS interference, and anomalous vessel activity. Regular rehearsals of multi-agency cooperation improve legal coherence, decision speed, and interagency coordination.

II. Measures to strengthen deterrence against further sub-threshold aggression

1. Operationalize NATO’s 1.5-percent resilience spending pillar.
   
   NATO should operationalize the new 1.5-percent resilience spending pillar, agreed to during the 2025 The Hague NATO Summit, to build a durable Alliance-wide architecture for sub-threshold defense. NATO should define which projects qualify, how performance should be measured, and which outcomes at the regional and Alliance levels are required for sub-threshold deterrence and defense architecture to merge into the broader NATO defense and capability planning process.
   
2. Support innovation among Baltic-littoral defense tech companies.
   
   Regional companies understand the operational environment better than global contractors. Sweden and NATO should streamline procurement processes and enable rapid field testing, replicating successful Ukrainian models. This would keep NATO ahead of Russian adaptation cycles.
   
3. Impose coordinated consequences on hybrid proxies.
   
   Deterrence in the gray zone requires clear, predictable penalties. NATO members should agree that hybrid attacks—whether carried out by Russian state vessels, intelligence operators, or commercial proxies—will trigger coordinated diplomatic expulsions, maritime inspections, targeted sanctions, or legal action against the companies enabling malign activity.
   
4. Clarify NATO’s hybrid thresholds.
   
   Sweden should advocate for clearer definitions of hostile hybrid acts requiring collective action. Thresholds should consider intent, pattern, and cumulative destabilization, rather than rigid criteria that Russia could exploit.
   
5. Deepen integration with Nordic-Baltic frameworks.
   
   Integration with Nordic and Baltic response frameworks should be deepened. Sweden should leverage NORDEFCO, JEF, and NB8 to build habitual coordination on detection, strategic communications, and consequence management. More coherent regional messaging and synchronized decision-making will increase the credibility of deterrence and limit Russia’s opportunities to isolate or pressure individual states.

Toward a Nordic-Baltic sub-threshold deterrence architecture

The strategic task now facing Sweden and NATO is to convert geostrategic advantage in the Baltic Sea region into operational resilience in the sub-threshold domain. Hybrid threats will remain Russia’s preferred tool in the region for as long as they continue to produce political hesitation and asymmetric effects. Sweden’s accession to NATO offers an opportunity to close this gap by strengthening rapid-response mechanisms and shaping a credible, collective deterrence framework for the sub-threshold domain. By driving operational innovation, improving attribution processes, hardening critical infrastructure, and enabling coordinated regional action, Sweden can help ensure that hybrid aggression in the Baltic Sea produces not operational indecision, but strategic backlash.

Justina Budginaite-Froehly is a nonresident senior fellow with the Atlantic Council’s Europe Center and Transatlantic Security Initiative within the Scowcroft Center for Strategy and Security. Her professional focus is on security and defense-related issues, including defense industrial developments, military mobility, and energy security in Europe.

This issue brief was made possible by support from the Swedish Ministry of Foreign Affairs. The Atlantic Council maintains a strict intellectual independence policy for all its projects and publications. The Council requires all donors to agree to the Council maintaining independent control of the content and conclusions of any products resulting from sponsored projects.

Report Jan 2, 2026

The evolution of Latvia’s defense and security policy in resilience building

By Armands Astukevičs and Elīna Vrobļevska

Latvia has embraced a broader concept of national resilience encompassing not only military strength but also the resilience of its society, the continuity of government and essential services during crises, the protection of critical infrastructure, and the cultivation of psychological defense among its populace.

Defense Policy Europe & Eurasia

Issue Brief Nov 26, 2025

How the Baltic Sea nations have tackled suspicious cable cuts

By Elisabeth Braw

Two places in the world’s oceans see a lot of suspicious maritime behavior: the Baltic Sea, and the waters around Taiwan. Elisabeth Braw reports from the NATO task force charged with protecting the undersea cables and pipelines essential to daily life in Europe, with lessons for Baltic states and Taiwan, too.

Europe & Eurasia Maritime Security

Dispatches Jan 22, 2026

The US is taking action against Russia’s shadow fleet. In the Baltic Sea, Europe should follow suit.

By Justina Budginaite-Froehly

European nations should force Russia’s shadow fleet out of the Baltic Sea and help to reshape the maritime legal order.

Maritime Security Northern Europe

The Transatlantic Security Initiative aims to reinforce the strong and resilient transatlantic relationship that is prepared to deter and defend, succeed in strategic competition, and harness emerging capabilities to address future threats and opportunities.

Learn more

Image: by Tom Fisk