InfrastructureEU Unveils Secure Submarine Cable Infrastructure Strategy
The EU published a submarine cable security strategy in February 2024. They are concerned about dependencies and vulnerabilities in undersea data infrastructure. For anyone running global networks, this signals increased regulatory attention on cable route diversity and physical security.
Verified for technical accuracy — Kodi C.
On the European Commission and the High Representative published a Joint Communication setting out a European strategy for secure and resilient submarine cable infrastructure. The plan responds to heightened geopolitical tensions, sabotage incidents affecting undersea cables in the Baltic and North Seas, and the EU’s heavy reliance on third-country suppliers. It sets up a five-pillar agenda covering risk assessment, financing, industrial policy, crisis response, and international partnerships. The Commission will coordinate with Member States, the European External Action Service, and industry to deploy the strategy through 2024, with many measures dovetailing with the NIS2 Directive, the Critical Entities Resilience (CER) Directive, and the EU Cybersecurity Strategy.
The Joint Communication highlights that over 97% of EU international data traffic runs through submarine cables, yet European operators control less than 20% of the market. Recent attacks and disruptions underscore vulnerability to sabotage, espionage, and supply chain dependencies. The strategy proposes creating an EU Submarine Cable Security Toolbox by the end of 2024, developing an investment pipeline via the Global Gateway initiative, and mobilising blended finance—including the Connecting Europe Facility, InvestEU, and European Investment Bank instruments—to co-fund secure, redundant routes. It also calls for establishing a public-private coordination platform to share threat intelligence, incident data, and good practices.
Why it matters for governance teams
Telecom operators, cloud providers, hyperscalers, and critical infrastructure owners depend on submarine cables for connectivity. The new strategy signals that EU institutions expect forward-looking governance rather than ad hoc responses. Teams must align their security programs with the forthcoming toolbox, which will probably mirror the 5G Security Toolbox approach by specifying measures on supply chain vetting, physical security, redundancy, and monitoring. NIS2 already designates submarine cable operators and essential digital infrastructure providers as “essential entities,” subjecting them to risk management obligations, incident reporting within 24 hours, and potential supervisory actions.
The strategy also emphasizes diversification of suppliers and routes. Boards should evaluate concentration risk in their global connectivity portfolios, ensuring contracts address redundancy, maintenance access, and security standards. Procurement teams will need to assess vendor ownership structures, geopolitical exposure, and compliance with EU investment screening mechanisms. Failure to adapt could result in regulatory pressure, higher insurance premiums, or inability to qualify for EU funding streams.
Governance checkpoints
- Risk assessment alignment: Conduct full risk assessments of submarine cable dependencies, incorporating threat scenarios such as sabotage, anchor drag incidents, seismic events, and cyber-physical attacks. Map these assessments to NIS2 and CER requirements and ensure results feed into enterprise risk registers.
- Supply chain vetting: Implement due diligence for cable suppliers, marine maintenance providers, and landing station operators. Evaluate beneficial ownership, compliance with EU sanctions, cybersecurity certifications, and track record. Integrate security requirements into procurement contracts and service-level agreements.
- Redundancy planning: Develop connectivity diversification roadmaps—e.g., alternative cable routes, satellite backup, terrestrial cross-border links. Document recovery time objectives and capacity thresholds. Engage with EU funding instruments if pursuing co-financed projects.
- Incident response and crisis coordination: Update incident response plans to include coordination with national authorities, the European Union Agency for Cybersecurity (ENISA), and the future Cable Security Coordination Platform. Prepare to provide situational awareness during hybrid attacks using the EU Hybrid Rapid Response Teams.
- Monitoring and telemetry: Enhance monitoring of cable performance, landing station security, and vessel activity near infrastructure. Integrate data into security operations centers and share relevant alerts through information-sharing and analysis centers (ISACs).
Boards should receive periodic updates on submarine cable resilience metrics, such as number of routes meeting redundancy criteria, progress on supplier diversification, incident response readiness scores, and funding applications submitted.
How to implement this
Q1–Q2 2024: Launch cross-functional working groups including network engineering, security, legal, and public affairs. Map existing cable assets, landing stations, and maintenance agreements. Evaluate compliance gaps relative to NIS2 Articles 21–23 and CER obligations. Engage with national regulators to understand upcoming supervisory expectations.
Q3 2024: Prepare for the EU Submarine Cable Security Toolbox by drafting internal policies on supplier selection, security controls (for example, tamper detection, surveillance, physical access), and redundancy targets. Identify projects suitable for Global Gateway or Connecting Europe Facility funding and assemble feasibility studies.
Q4 2024: Implement updated incident response playbooks and conduct exercises simulating cable sabotage, including coordination with naval authorities and energy grid operators. Establish data-sharing agreements with threat intelligence providers and maritime situational awareness platforms.
2025 and beyond: Execute capital projects to add redundancy, upgrade landing stations, and deploy advanced monitoring (fiber sensing, AI-based anomaly detection). Integrate continuous improvement loops informed by EU toolbox guidance and regulatory audits. Report progress in sustainability and resilience disclosures to satisfy investor expectations.
International coordination
The strategy prioritizes collaboration with like-minded partners (G7, NATO, Quad) to align security standards, coordinate financing for global routes, and support developing countries in building resilient links. Companies operating transoceanic cables must harmonize EU requirements with U.S., UK, and Indo-Pacific regulations, ensuring consistent security baselines. Participation in multilateral projects may require additional due diligence, export control reviews, and transparency commitments.
The Commission will also assess whether to propose legislation creating a dedicated European fund or guarantee scheme for cable projects, complementing Global Gateway financing. Teams preparing investment proposals should assemble environmental and social impact assessments, procurement compliance plans, and cybersecurity strategies to satisfy due diligence. Early engagement with national promotional banks can accelerate co-financing approvals.
Member States should update national security reviews for landing stations and cable ownership. Operators should anticipate additional licensing conditions, such as requirements for EU-based network operations centers, mandatory security clearances for maintenance crews, and data localization for telemetry. Documenting compliance with these conditions will be critical when renewing licenses or bidding on new routes.
Risk watch
Monitor development of the EU Cable Security Toolbox and any accompanying delegated acts. Track Member State initiatives, such as national investment screening regimes or critical infrastructure laws, that may impose licensing or ownership restrictions on cable projects. Pay attention to insurance market shifts, as underwriters may adjust premiums based on adherence to the toolbox. Keep abreast of geopolitical tensions affecting key chokepoints (for example, North Sea, Mediterranean, Arctic routes) and integrate intelligence into risk assessments.
By embedding the EU’s submarine cable strategy into governance frameworks—covering risk management, procurement, incident response, and international cooperation—teams can strengthen resilience, qualify for funding, and assure regulators that Europe’s digital arteries remain secure.
Continue in the Infrastructure pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Infrastructure Resilience Guide
Coordinate capacity planning, supply chain, and reliability operations using DOE grid programmes, Uptime Institute benchmarks, and NERC reliability mandates covered here.
-
Edge Resilience Infrastructure Guide
Engineer resilient edge estates using ETSI MEC standards, DOE grid assessments, and GSMA availability benchmarks documented here.
-
Infrastructure Sustainability Reporting Guide
Produce audit-ready infrastructure sustainability disclosures aligned with CSRD, IFRS S2, and sector-specific benchmarks curated here.
Cited sources
- European Commission — Joint Communication on a European Strategy for Secure Submarine Cable Infrastructure (February 21, 2024) — digital-strategy.ec.europa.eu
- Joint Communication — Secure Submarine Cables (PDF) — commission.europa.eu
- ISO/IEC 27017:2015 — Cloud Service Security Controls — International Organization for Standardization
Comments
Community
We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.
No approved comments yet. Add the first perspective.