For two decades, subsea cables were the quiet plumbing of the internet — owned mostly by telcos and hyperscalers, repaired by a small global fleet of cable ships, and largely ignored by policymakers. That era is over. Following a string of damage incidents in the Baltic Sea — including the Estlink 2 power interconnector and the C-Lion 1 fibre cable between Finland and Germany — the European Commission and the High Representative issued a joint EU Cable Security Action Plan in early 2025. Implementation is now moving quickly, with a Cable Security Toolbox, deeper coordination with NATO's Baltic Sentry surveillance mission, and a forthcoming Cable Projects of European Interest (CPEI) list designed to prioritise resilient routes and EU-anchored repair capacity.
This is a serious response to a serious problem. But as Brussels moves from announcement to execution, the policy choices made over the next year will determine whether Europe ends up with a more resilient internet — or a more fragmented, slower-to-build one.
What the Action Plan actually does
The Action Plan, formally titled the Joint Communication on an EU Action Plan on Cable Security, organises EU policy along four tracks: prevention, detection, response, and deterrence. The Cable Security Toolbox bundles risk assessments, vendor screening, and incident-response protocols that Member States can adopt, drawing explicitly on the architecture of the 2020 5G Cybersecurity Toolbox. Joint surveillance with NATO leverages the alliance's Baltic Sentry patrols, launched in January 2025 after the Estlink 2 incident, which involves frigates, maritime patrol aircraft, and naval drones monitoring suspect vessel movements above critical cables.
The CPEI list, modelled on the Projects of Common Interest framework used in energy infrastructure, would let designated cable routes access streamlined permitting and EU financing — likely through the Connecting Europe Facility and the European Investment Bank. The Commission has also flagged repair-capacity gaps: the global cable-ship fleet numbers only around 60 vessels, most contracted to industry consortia, with few European-flagged ships available for emergency response in EU waters.
The threat is real — and so is the temptation to overreach
To be clear, the threat picture has changed. Authorities in Finland and Sweden have publicly investigated incidents involving vessels dragging anchors across cables, and Helsinki's seizure of the Eagle S tanker in late 2024 — reported by Reuters and others as part of a sanctioned "shadow fleet" — turned a previously academic debate about hybrid threats into a live enforcement question. Around 97-99% of intercontinental data traffic moves through subsea cables, according to long-standing figures cited by TeleGeography and the ITU, and Europe's energy interconnectors increasingly run alongside them.
The risk of overreach, however, is equally real. Three patterns warrant attention.
1. Vendor screening should be narrow and evidence-based
The 5G Toolbox precedent is double-edged. It produced coherent risk frameworks, but national implementation diverged into de facto bans of specific vendors with limited public evidence. Cable systems are global by design — a single trans-Atlantic system may involve American, Japanese, French, and Finnish suppliers across cable manufacturing, repeaters, branching units, and submarine line terminal equipment. Blunt vendor exclusions risk delaying projects by years and concentrating supply among a shrinking pool of incumbents. The Commission should resist pressure to convert the Toolbox into a procurement blacklist, and instead focus on auditable security requirements that any qualifying vendor can meet.
2. Repair capacity needs market-friendly fixes
The cable-ship shortage is a genuine bottleneck, but it is a market structure problem, not a sovereignty problem. The current model — long-term private maintenance agreements such as those operated by Alcatel Submarine Networks, SubCom, and the Atlantic and Mediterranean Cable Maintenance Agreements — works because it pools risk across operators. State-funded "EU repair fleets" risk duplicating capacity that already exists under contract. A better path: co-financing additional vessels under public-private partnerships, easing flagging and crewing rules, and pre-positioning spares in EU ports.
3. CPEI must accelerate, not gate-keep
The greatest value the EU can add is permitting reform. Marine permits in some Member States still take two to four years, often longer than the cable build itself. If CPEI status delivers genuine "one-stop-shop" permitting — as the TEN-E regulation does for cross-border energy projects — it will be a major win for European digital infrastructure. If it instead becomes a label awarded selectively to politically favoured routes, it will slow the very build-out it claims to accelerate.
A pro-innovation reading
Europe does not need a doctrine of "cable sovereignty." It needs faster permits, deeper public-private cooperation, and a credible deterrent posture against state-linked sabotage. The Action Plan, read narrowly, offers all three. Read expansively — as a vehicle for industrial policy, vendor exclusion, or duplicative state capacity — it could entrench incumbents and slow the next generation of cable builds connecting Europe to Africa, the Mediterranean, and the Arctic.
The good news: the EU has a track record of course-correcting when industry engagement is strong. The Cable Security Toolbox is still being drafted in working groups under ENISA and the NIS Cooperation Group. The CPEI methodology is open for stakeholder input. Operators, manufacturers, and civil society have a narrow window to shape implementation toward resilience-through-redundancy rather than resilience-through-restriction.
The seabed, finally, has Brussels' attention. The question now is whether that attention produces more cables — or merely more rules.