At least 11 undersea cable sabotage incidents hit the Baltic Sea between October 2023 and December 2025. What followed tells you something about how the West responds to hybrid warfare: NATO launched Baltic Sentry in January 2025, the EU published its Cable Security Action Plan a month later, and the US passed the Strategic Subsea Cables Act in early 2026. Three distinct frameworks. Three different sets of authorities. Three different assumptions about what cable protection actually requires. Each one was a response to a vulnerability that neither military nor legal frameworks were designed to address. None of them has yet demonstrated it can stop the attacks.
The cables themselves carry more than 95% of intercontinental data traffic and somewhere around $10 trillion in daily financial transactions. Getting the protection architecture wrong risks splitting the global internet into national-security silos — the stakes that make the full scope of the undersea infrastructure challenge one of the defining strategic questions of the decade. This article walks through each layer of the strategic problem, from what Baltic Sentry actually deploys to which surveillance technology makes sense for the budget available.
What is NATO’s Baltic Sentry operation and what assets does it deploy?
NATO launched Baltic Sentry on 14 January 2025 as an enhanced Vigilance Activity tasked with protecting undersea cables and pipelines in the Baltic Sea. It deploys frigates from Standing NATO Maritime Group 1, maritime patrol aircraft including P-8 Poseidons and Atlantique 2s, and over 20 uncrewed surface vessels for persistent surface monitoring. The operational concept is straightforward: visible patrols raise the risk calculus for anyone thinking about dragging an anchor across a cable corridor.
The launch came out of the Helsinki Summit of Baltic Sea allies, convened after Estlink-2 and Balticconnector made the sabotage campaign a strategic priority. Command runs through Allied Maritime Command at Northwood and Commander Task Force Baltic at Rostock, with Mainsail AI providing a common operating picture that fuses satellite imagery, sonar data, and operator-reported anomalies. The headline number is the response time: cut from 17 hours to roughly one hour through direct information sharing between NATO and cable operators.
Beneath the surface, Task Force X, NATO Allied Command Transformation’s experimental unit, put drones in the water within six weeks of the summit tender call, testing uncrewed underwater vehicles and AI-driven sensor fusion for seabed surveillance. Phase 2, signed by eight Baltic Sea states plus France, the Netherlands, and the US, transitioned from experimental fleets to nationally owned capabilities. Alongside this, the UK-led Joint Expeditionary Force activated Nordic Warden, an AI-based ship-tracking system subsequently handed over to NATO, which compiles a register of shadow fleet vessels and fuses intelligence across the Nordic and Baltic area.
Then there is Gotland Sentry, Sweden’s unilateral cable-protection patrol around Gotland, operating alongside both NATO and EU frameworks as a national initiative filling gaps that institutional coordination has not closed. The Finnish Border Guard launched a maritime surveillance centre in January 2026 specifically for cable monitoring.
The limitation is the one you would expect: Baltic Sentry is an operation, not a permanent architecture. It depends on rotating member-state contributions. When national navies face competing demands, the continuity risk is real.
NATO’s Baltic Sentry vs. the EU’s Cable Security Action Plan — how do their approaches and authorities differ?
That institutional impermanence is not unique to NATO. It mirrors a broader fragmentation in how the West organises cable protection: NATO and the EU bring complementary tools to the problem, but they operate on different timelines, with different member-state compositions and different legal authorities. Their coordination in practice remains untested.
On the NATO side: military presence, operational deterrence, and the Article 5 framework, though cable sabotage has never been treated as an armed attack. The Maritime Centre for the Security of Critical Undersea Infrastructure at Northwood coordinates expertise across ten participating nations. Mainsail AI does the anomaly detection. Twelve boardings under national authorities occurred in Baltic Sentry’s first year.
On the EU side: the Cable Security Action Plan, launched February 2025 with approximately €1 billion, operates through civilian institutions. It covers prevention, detection, response, recovery, and deterrence through vulnerability assessments, repair-capacity coordination, and sanctions on shadow fleet operators. The Connecting Europe Facility allocated €327 million for new cable infrastructure. A proposed Cable Vessels Reserve aims to address the repair bottleneck: fewer than 75 cable ships operate worldwide, and the median repair time sits at about 40 days globally. The NIS2 and CER Directives now require cable operators to report security incidents.
The US parallel is the Strategic Subsea Cables Act of 2026, which mandates interagency coordination, sanctions against individuals who damage cables, and threat-information sharing with private operators. It is a regulatory response, not a military one.
The difference is one of authority: NATO can deter but not regulate. The EU can coordinate and sanction but cannot patrol. Do these frameworks add up to coherent defence, or do the gaps at the seams, different decision-making timelines, different member-state compositions (the EU includes non-NATO members; NATO includes non-EU members like the US and UK) create vulnerabilities that attackers are already working through? The evidence does not yet support a clear answer.
Military deterrence vs. legal accountability as responses to cable sabotage — which approach has more evidence of effectiveness?
Neither approach has demonstrated it works. The structural difference, though, matters: military deterrence operates proactively, while legal accountability only engages after the damage is done. If you are deciding where to put resources, that distinction is worth your attention.
The deterrence evidence is thin. A NATO official noted “zero incidents of malicious damage” between January 2025 and the Fitburg case in December 2025, and the one measurable improvement is the response-time reduction from 17 hours to one. But the seven-incident window from November 2024 to January 2025 coincided with Baltic Sentry’s initial deployment, and whether faster response deters attackers or simply shifts their tactics remains unproven. The Fitburg incident on 31 December 2025 demonstrated that attackers adapted rather than stopped.
The legal evidence is worse. Zero convictions worldwide for undersea cable sabotage. The Fitburg investigation took 19 months to reach a referral stage. In one closely watched example, the Eagle S case, where Finnish prosecutors charged the captain and two crew over the December 2024 Estlink-2 incident, was dismissed by a Helsinki court in October 2025 on jurisdictional grounds: the court found it lacked authority to prosecute acts by a foreign-flagged vessel in international waters. Finland was left paying the defendants’ legal expenses.
UNCLOS Articles 113 to 115 make cable disruption a punishable offence if done “wilfully or through culpable negligence,” but the convention does not specify penalties, and flag-state jurisdiction protections create the enforcement gap that hybrid warfare works through. The UN General Assembly Resolution 78/69 from December 2023 recognised the problem but carries no binding force.
Then there is the resilience dilemma: measures that make infrastructure more resilient, route bifurcation, rapid repair, redundancy, can paradoxically make sabotage harder to prosecute because they reduce the observable disruption. If a cut cable causes no consumer-visible outage, the political will to pursue a prosecution that requires 19 months and faces jurisdictional hurdles may simply evaporate. The law governing peacetime navigation was not designed to deter state-directed sabotage conducted through deniable commercial proxies.
Securitisation and route bifurcation vs. cooperative interconnection — which approach better preserves long-term cable resilience?
If neither deterrence nor law reliably stops the attacks, the next question is architectural: do you harden the cables or keep them open? This is a central strategic question in undersea cable governance, because the answer determines whether cables remain global commons or become Balkanised national-security assets. The economic stakes of getting it wrong reach billions per day in disruption costs.
The securitisation argument is that threats require hardening: route bifurcation to avoid chokepoints like the Danish Straits and the Gulf of Finland, sovereign cable ownership, trusted-vendor requirements, cable route secrecy, and exclusion of adversarial states from cable consortia. Google and Meta’s Echo and Apricot cable systems were explicitly designed to avoid landfall in China and routing through the South China Sea. The Quad Partnership for Cable Connectivity and Japan’s economic security agenda both reflect this logic.
The cooperative interconnection argument points out that cables have historically functioned because they are neutral, commercial, and universally accessible. The International Cable Protection Committee articulates best practices but has no enforcement authority. UNCLOS provides the multilateral governance framework. Open consortia and shared ownership created the dense redundancy that makes the system resilient.
The concept of weaponised interdependence, developed by Henry Farrell and Abraham Newman, explains the dilemma: the networks that create global economic interdependence can be exploited by states controlling critical nodes. But disconnection may create greater vulnerability than interconnection. As one analysis puts it, “fragmentation will not only create new vulnerabilities but also undermine the resilience that has made cables largely secure in the first place.”
Then there is the hyperscaler dimension. Google, Meta, Microsoft, and Amazon now control roughly 90% of transatlantic cable capacity, up from 10% in 2014. Traditional European operators represent about 2% of total transatlantic capacity. This private concentration introduces a sovereignty concern that securitisation logic amplifies. If the cables are privately owned, and the owners are American tech companies, who decides whether a route is secure?
The route-diversification criteria are practical: geographic chokepoint avoidance, landing-station diversity, coastal-state risk profiles, and repair-fleet access. But the strategic choice underneath them, security through fragmentation or resilience through interconnection, remains unresolved.
Distributed Acoustic Sensing vs. uncrewed underwater vehicle patrols vs. satellite-based vessel tracking — which offers the most cost-effective cable protection?
No single technology wins across all threat models. The architecture that works is layered, and the real question — explored across the technology enabling seabed awareness — is what mix delivers the best detection-to-intervention chain for the budget you have to spend.
Distributed Acoustic Sensing turns existing fibre-optic cables into continuous acoustic sensors. In the Baltic context, Finnish telecom Elisa successfully tested DAS in the Gulf of Finland, detecting exceptional seabed vibrations and building an automated alerting service. A 100-kilometre cable effectively becomes 10,000 virtual sensors, polling at least 1,000 times per second. The marginal cost is low because you are using fibre you already own. The limitation is coverage: DAS only senses near the cable, not the seabed between routes.
UUVs provide mobile investigation and the possibility of interdiction. Task Force X tests them from the NATO Research Vessel Alliance. In July 2025, the Alliance detected the acoustic signature of a ship’s anchor hitting the seabed, with data fused through Mainsail. But UUVs have high capital costs and endurance measured in hours to days. They cannot provide the persistent coverage that cables need.
Satellite tracking combines AIS, synthetic aperture radar, and optical imagery for wide-area coverage at moderate cost. Nordic Warden and Mainsail AI fuse satellite data with other sources to flag suspicious vessel behaviour. The problem: AIS can be spoofed or deliberately disabled, and satellite revisit times are measured in hours, not minutes. Satellites can identify vessel behaviour but cannot confirm seabed activity.
If you are allocating a cable-protection budget across these three technologies, four criteria matter, but they are not equally weighted. For the Baltic, with its shallow waters and dense shipping traffic, detection-to-intervention latency and false-positive rate matter more than cost-per-kilometre or scalability. A false positive that sends a frigate chasing a fishing trawler costs real money and erodes political support for the mission. For Indo-Pacific coverage, the ranking flips: scalability and cost-per-kilometre dominate because the area is an order of magnitude larger and the cable routes are fewer and more concentrated.
The threat model determines which technology you prioritise: DAS excels against anchor-drag attacks with their distinctive acoustic signature at known cable locations. Satellite tracking excels against dark ships loitering in cable corridors. UUVs are the only option for investigating what the other layers detect. Routinely putting frigates and destroyers on cable patrol is not sustainable. The layered architecture you want has satellite tracking providing wide-area cuing, DAS providing persistent cable-proximate confirmation, and UUVs handling mobile investigation. Your budget question is what ratio of each layer.
Baltic Sentry demonstrates that undersea cable protection sits at the intersection of institutional, doctrinal, architectural, and technological choices where no single framework prevails. The institutional landscape is fragmented and coordination untested. Neither military deterrence nor legal accountability has a convincing evidence base. The securitisation-versus-interconnection debate has structural stakes for the global internet itself. And the surveillance technology mix is not just an engineering decision: it reflects deeper disagreements about what the internet’s physical backbone should be.
The open question is the one every framework described here was built to handle, and none is ready for: what happens when a sabotage incident is clearly attributable to a state actor but falls below the Article 5 threshold, and the legal framework has no jurisdiction to prosecute? Each path involves trade-offs that cascade through the system, a dynamic we trace across the broader strategic landscape of undersea infrastructure protection. The value lies in understanding what is lost with each choice.
Frequently Asked Questions
Who is behind the undersea cable sabotage in the Baltic Sea?
No state has claimed responsibility, and formal attribution remains elusive. Western intelligence agencies point to Russia as the most likely actor, citing the pattern of incidents coinciding with broader hybrid warfare campaigns, the involvement of vessels from Russia’s shadow fleet, and the strategic logic of testing NATO’s response to grey-zone provocations. However, maritime evidence in international waters is fragmentary, and the legal standards for state responsibility are difficult to meet without a smoking gun.
How long does it take to repair a damaged undersea cable?
Typically two to four weeks from the moment a fault is detected. The bottleneck is rarely the repair itself but the availability of specialist cable repair vessels, of which fewer than 60 operate worldwide. After a remotely operated vehicle locates the break, the vessel must lift the cable, splice in a replacement section, and lower it back to the seabed, all while contending with Baltic Sea weather that can delay operations by days.
Why can’t undersea cables simply be buried to protect them from sabotage?
Burial is standard practice in shallow waters, up to roughly 1,500 metres, to protect cables from fishing trawlers and anchors, but it does not prevent sabotage. A determined ship dragging an anchor across a known cable corridor can still snag and sever a buried cable. In deeper water, burial is technically infeasible. The Baltic Sea’s average depth of 55 metres means most cables remain within reach of surface-deployed equipment, burial or not.
How much does Baltic Sentry cost, and who pays for it?
NATO does not publish a consolidated Baltic Sentry budget because the operation draws on member-state-contributed assets rather than a dedicated funding line. Each contributing nation bears the cost of its own frigates, aircraft, and uncrewed systems. Operating a single frigate costs several hundred thousand euros per patrol day. The EU’s parallel Cable Security Action Plan has allocated approximately €1 billion for undersea infrastructure resilience through 2027, split between member-state contributions and Connecting Europe Facility funds.
Has NATO ever considered invoking Article 5 for a cable sabotage incident?
Article 5 has been formally discussed but never invoked for undersea cable sabotage. The legal threshold for an “armed attack” is deliberately high, and grey-zone operations like cable cutting are designed to fall below it. NATO allies have instead opted for calibrated responses: enhanced surveillance through Baltic Sentry, diplomatic démarches, and sanctions against shadow fleet operators. Invoking Article 5 would require consensus among all 32 allies and a level of attribution that no incident has yet achieved.
What is a shadow fleet, and how does it make cable sabotage difficult to stop?
A shadow fleet is a network of commercially registered vessels operating with opaque ownership structures, often carrying sanctioned cargo or performing tasks for states seeking plausible deniability. In the Baltic context, these vessels are typically older tankers with unclear insurance and flag-state arrangements. Their ambiguous status frustrates both interdiction and prosecution, because it is unclear whether they are commercial or military, and which state has jurisdiction over a ship flagged in one country, owned through shell companies in another, and crewed by nationals of a third.
Are cable operators legally required to report damage or suspicious activity near their infrastructure?
The EU’s NIS2 and CER Directives, both in effect from late 2024, now require critical infrastructure operators including cable companies to report security incidents and maintain risk-management frameworks. Outside the EU, however, reporting obligations remain patchwork. The UNCLOS framework, which governs most international cable corridors, imposes no mandatory reporting requirement for damage, and many operators historically preferred to handle incidents quietly to avoid alarming commercial clients or triggering insurance complications.
What happens to internet connectivity if multiple Baltic Sea cables are cut at the same time?
A single cable cut rarely causes consumer-visible disruption because traffic reroutes automatically through redundant paths. A coordinated multi-cable attack, however, could saturate remaining capacity and degrade service across Northern Europe, manifesting as slower speeds, increased latency, and dropped connections rather than total blackout. Financial markets would feel the impact most acutely: settlement systems and trading platforms rely on the lowest-latency routes, and rerouting through longer paths adds milliseconds that matter for automated trading.
How do navies and cable operators actually share threat intelligence in real time?
Under Baltic Sentry, NATO’s Mainsail AI platform ingests commercial AIS data, satellite imagery, and operator-reported anomalies into a common operating picture accessible to both naval commanders and participating cable operators. The practical breakthrough was cutting the detection-to-response window from 17 hours to approximately one hour, achieved not by new surveillance capability but by eliminating the institutional delay between a cable operator noticing something unusual and a naval asset being in position to investigate.
Is the Indo-Pacific region facing similar undersea cable threats?
Yes, and the stakes are arguably higher. The Indo-Pacific carries a larger share of global data traffic with fewer redundant routes and more geographic chokepoints, including the Strait of Malacca, the Luzon Strait, and the South China Sea. China’s extensive survey vessel activity near cable corridors, combined with its control over key landing stations, has prompted Japan, Australia, and Quad partners to accelerate cable protection efforts, though no Indo-Pacific equivalent of Baltic Sentry yet exists at comparable scale.
Can AI accurately distinguish between accidental cable damage and deliberate sabotage?
Not yet, and this is one of the hardest problems in cable surveillance. Anchor drags from a fishing vessel that has lost power produce nearly identical acoustic signatures to anchor drags from a vessel deliberately loitering over a cable corridor. AI systems like Nordic Warden and Mainsail AI can flag suspicious patterns, such as AIS transponders switched off near cable routes or vessels deviating from commercial shipping lanes, but the final determination of intent still requires human assessment of context, vessel history, ownership, and geopolitical circumstances.
