When the Greek government unveiled its National Cybersecurity Strategy 2026–2030 last December, it presented the document as a milestone: a comprehensive roadmap for strengthening national cyber resilience in an era of escalating digital threats. In many respects, the strategy is a serious and thoughtful effort. It recognizes cybersecurity as a foundational pillar of economic stability, public trust, and state capacity. It aligns Greece with the European Union’s evolving regulatory architecture, particularly the NIS2 Directive. And it places welcome emphasis on skills, governance, and preparedness.
Yet for all its technical competence, the strategy suffers from a profound strategic weakness. It looks almost entirely inward — at precisely the moment when cybersecurity has become one of the most internationalized domains of power, conflict, and diplomacy.
This omission is not a minor oversight. It is a myopic choice that risks leaving Greece better administered, but not necessarily better protected.
A Strategy Built for Compliance, Not Power
At its core, the strategy is designed to consolidate domestic capacity. It focuses on workforce development, public-private coordination, institutional clarity, and awareness-raising. These are necessary foundations. Greece, like many European countries, faces chronic shortages of cybersecurity professionals, uneven preparedness across sectors, and fragmented governance. Addressing these gaps is long overdue.
The document is also carefully aligned with EU priorities. Compliance with European standards is treated not just as a legal obligation, but as a strategic anchor. In that sense, the strategy reads as a mature expression of Greece’s Europeanization in digital policy.
But compliance is not strategy. And cybersecurity, more than almost any other policy field, cannot be reduced to internal regulation.
The Missing International Dimension
What is striking about the National Cybersecurity Strategy 2026–2030 is how little it says about the world beyond Greece’s borders.
There is no substantive discussion of cyber diplomacy. No articulation of Greece’s role in shaping international norms of state behavior in cyberspace. No clear vision for bilateral or regional cyber partnerships. Intelligence sharing, joint incident response, collective deterrence, and cooperation with allies are mentioned, if at all, only in vague and procedural terms.
This is deeply problematic. Cyber threats are inherently transnational. Malicious infrastructure, supply-chain vulnerabilities, ransomware networks, and state-linked cyber operations do not stop at national borders. Defensive resilience at home is necessary — but without structured international cooperation, it is insufficient.
More concerning still, the strategy does not situate Greece within the intensifying geopolitical contest over cyberspace. Cybersecurity today is not just about protecting networks; it is about influence, norms, alliances, and power projection. Major actors — from the United States and China to Russia and Iran — treat cyberspace as a strategic domain. So do NATO and the EU. Greece’s strategy, by contrast, treats it largely as an administrative and technical challenge.
A Geopolitical Blind Spot
This inward focus is especially puzzling given Greece’s geopolitical position. Greece’s geographical position at the crossroads of Europe, Asia, and Africa places it at the center of a complex web of geopolitical friction, making its digital infrastructure a prime target for state-sponsored hybrid threats. As Athens solidifies its role as a regional energy and data hub—hosting critical subsea fiber-optic cables and energy interconnectors (such as the GREGY link with Egypt and the Great Sea Interconnector with Cyprus and Israel)—the “attack surface” for regional rivals and non-state actors has expanded significantly. These infrastructures are not just economic assets but strategic liabilities that are vulnerable to cyber-sabotage intended to destabilize the Eastern Mediterranean or disrupt EU energy security. Consequently, Greece’s cybersecurity strategy is increasingly intertwined with its defense policy; the country has recently deepened cooperation with allies like Israel to counter sophisticated “poly-crises,” which range from coordinated drone swarms to malware targeting critical maritime and banking systems.
In this environment, cybersecurity cannot be treated as a purely domestic or regulatory concern. Cyber operations are increasingly woven into regional power dynamics. They intersect with energy security in the Eastern Mediterranean, with the protection of subsea cables and pipelines, with the management of migration flows and border technologies, and with military deterrence in contested spaces. Cyber tools are now routinely used alongside disinformation, economic pressure, and conventional military signaling. This is not a future risk; it is the operating reality of Greece’s strategic environment.
Yet the National Cybersecurity Strategy 2026–2030 largely abstracts cyberspace from this geopolitical context. It describes threats in generic terms, without embedding them in the regional dynamics that shape Greece’s security. There is little acknowledgment that cyber vulnerabilities in ports, energy grids, or communications infrastructure are not just technical risks, but strategic liabilities in a region marked by rivalry and coercion.
This omission matters because Greece is already entangled in cyber geopolitics — whether it chooses to acknowledge it or not.
And yet, the national cybersecurity strategy fails to integrate these realities into a coherent vision. Cyber cooperation appears as a technical supplement rather than a strategic instrument. There is no articulation of how Greece intends to leverage alliances to enhance collective cyber deterrence, no framework for structured regional threat intelligence exchange, and no discussion of how cyber capabilities fit into Greece’s broader defense and foreign policy posture.
This is a strategic missed opportunity.
For middle powers like Greece, influence in cyberspace does not come from scale alone, but from positioning. Countries that shape norms, convene partners, and align cyber policy with diplomacy gain leverage disproportionate to their size. The absence of a clear international cyber strategy risks leaving Greece in a reactive posture — adapting to frameworks designed elsewhere, rather than helping shape them.
The consequences are tangible. Without a defined geopolitical cyber posture, Greece remains vulnerable to asymmetric pressure. Cyber operations targeting infrastructure, government services, or information systems can be used to test political resolve without triggering traditional defense mechanisms. In such cases, deterrence depends less on domestic resilience than on collective signaling and coordinated response — areas where the strategy remains silent.
Moreover, the lack of international vision weakens Greece’s voice in shaping the emerging global cyber order. Norms governing state behavior in cyberspace are still contested. Forums such as the United Nations, NATO, and regional coalitions are actively debating what constitutes responsible conduct, how attribution should work, and when cyber operations cross the threshold into conflict. A country without a clearly articulated position risks becoming a rule-taker in a domain where rules are still being written.
Cybersecurity strategies are no longer just about defending networks. They are about how states understand power, vulnerability, and interdependence in the digital age. By treating cybersecurity primarily as an internal governance challenge, Greece’s strategy underestimates the extent to which cyber policy is now inseparable from geopolitics.
For a country positioned at a strategic crossroads, this is not simply an analytical gap — it is a strategic blind spot.
Why This Matters
The consequences of this omission are not theoretical.
First, deterrence suffers. In cyberspace, deterrence is collective and depends on shared attribution, coordinated responses, and diplomatic signaling. A strategy that does not articulate how Greece contributes to — and benefits from — such frameworks leaves the country exposed.
Second, intelligence sharing remains ad hoc. Timely information about threats, vulnerabilities, and active campaigns is one of the most valuable assets in cyber defense. Without formalized international mechanisms, response times lengthen and damage increases.
Third, Greece forfeits influence. Global cyber norms are being negotiated now — in UN forums, regional groupings, and informal alliances. A country without a clear cyber diplomacy posture has little say in shaping the rules that will eventually constrain it.
A Strategy That Stops Short
None of this negates the value of the National Cybersecurity Strategy 2026–2030. It is a necessary document, and in many respects a solid one. But it stops short of confronting the reality that cybersecurity nowadays is not a domestic policy problem. It is a core element of foreign policy and national security.
For Greece, the challenge is not simply to harden systems and train professionals. It is to decide what role it wants to play in an increasingly contested digital world.
Cybersecurity strategies should not merely describe how states protect themselves. They should explain how states position themselves. On that question, Greece’s current strategy remains largely silent — and in cyberspace, silence is rarely neutral.
Konstantinos Komaitis is a resident senior fellow with the Atlantic Council’s Democracy + Tech Initiative at the Digital Forensic Research Lab (DFRLab). He leads the Council’s work on global digital governance and democracy and brings decades of experience in developing and analyzing internet policy to ensure an open, interoperable, and global internet.
