

Since Russia's invasion of Ukraine in February 2022, the floor of the Baltic Sea has quietly become one of the most contested spaces in European security. What used to be a maintenance footnote — the occasional fishing trawler snagging a cable — has turned into a recurring pattern: a commercial vessel drops anchor, drags it for kilometers along the seabed, and severs a power line, gas pipeline, or fiber-optic cable that keeps a NATO member connected to the rest of Europe. Since 2022, close to a dozen subsea cables and pipelines in the region have been damaged, and investigators increasingly describe the pattern as deliberate rather than accidental.
For a region often nicknamed the "NATO Lake" — nine of the ten Baltic Sea littoral states are now NATO members — this has forced a rapid rethink of what "critical infrastructure protection" actually means when the target sits under 50–200 meters of cold water and the attacker can hide behind a flag of convenience. This piece walks through the full timeline, the mechanics of how these incidents actually happen, why prosecuting them is so hard, how NATO and the EU have responded, and where the vulnerabilities still sit heading into the rest of 2026.
The Baltic is small and shallow by ocean standards — roughly 149,000 square miles with an average depth of only about 180 feet, accessible to the wider world through just three narrow choke points in the Danish Straits: the Great Belt, the Little Belt, and Øresund. That shallowness is exactly what makes its cables and pipelines vulnerable: they sit close enough to the surface that a dragging anchor can reach them without any special equipment. The region carries some of Europe's busiest data and power interconnectors, linking the Nordic states, the Baltic states, Germany, and Poland — a dense web of subsea infrastructure that most people never think about until it breaks.
Since 2022, roughly ten subsea cables connecting the region have been cut, with a striking concentration — seven of them — occurring in just the three months between November 2024 and January 2025. That clustering is a big part of why 2025 marked a turning point in how seriously European governments started treating the threat.

Timeline: From Nord Stream to the Fitburg
The modern chapter of this story opens in September 2022, when explosions ruptured the Nord Stream 1 and 2 gas pipelines — the most dramatic single act of undersea sabotage in the region's history, and one that remains formally unattributed to this day despite multi-country investigations. What followed was not a one-off but a slow drumbeat of incidents, most sharing a near-identical operational signature: a bulk carrier or tanker linked to Russia's sanctions-evading "shadow fleet" transits the area, its anchor makes contact with the seabed, and a cable or pipeline is severed kilometers away from where the ship eventually stops.

A year after Nord Stream, in October 2023, the Balticconnector gas pipeline between Finland and Estonia was severed. Finnish investigators traced the damage to the Chinese-flagged vessel NewNew Polar Bear — a ship that, notably, had recently completed a pioneering transit of Russia's Northern Sea Route in coordination with Russian authorities. China initially denied involvement; roughly ten months later it acknowledged the vessel had caused the damage but attributed it to bad weather rather than intent.
Just over a year after that, on November 17–18, 2024, two cables were cut within 24 hours of each other roughly 200 kilometers apart: the BCS East-West Interlink connecting Sweden and Lithuania, and the C-Lion1 cable connecting Finland and Germany. Suspicion centered on the Chinese-flagged Yi Peng 3, which had departed the Russian port of Ust-Luga days earlier; maritime tracking data placed the vessel at the exact time and location of both breaches. China eventually allowed representatives from Germany, Sweden, Finland, and Denmark to board the ship alongside Chinese investigators in December 2024, but a Swedish inquiry ultimately found no conclusive evidence of deliberate wrongdoing.
The most consequential case may be the Eagle S incident of December 25, 2024, when the Cook Islands-flagged tanker was caught by Finnish authorities dragging its anchor across the Estlink 2 power cable and four telecom lines connecting Finland and Estonia. Finland seized the vessel and treated it as a shadow-fleet sabotage case — but in October 2025, a Finnish court dismissed charges against the captain and crew, ruling that prosecutors had failed to prove intent, and that any negligence claim would have to be pursued against the ship's flag state instead. No charges were brought against the Emirati owner, Caravella LLC FZ, and the vessel was released. That outcome exposed a legal vacuum that has shaped much of the debate since.
The pattern repeated on the last day of 2025, when the cargo vessel Fitburg — en route from Russia to Israel — was seized by Finnish special forces for allegedly sabotaging an Elisa telecoms cable running from Helsinki across the Gulf of Finland to Estonia. The incident began at 4:53 a.m. local time when Elisa detected a significant data disruption; within hours, Finland's Border Guard, customs authorities, Defense Forces, and Safety and Chemicals Agency were all mobilized. Investigators found seabed tracks suggesting the anchor had been dragged for "several tens of kilometers," a distance well beyond what accidental anchoring typically produces. President Alexander Stubb issued a statement stressing that Finland was prepared to respond to a range of security challenges. Days later, Latvian authorities boarded a separate vessel suspected of damaging a telecom link to Lithuania, though police later said they found no direct evidence tying that particular ship to the damage.
Every one of these incidents runs into the same wall: proving intent under maritime law is extraordinarily difficult. A dragged anchor looks identical whether it was an accident caused by bad weather or a deliberate act — the physical evidence on the seabed doesn't distinguish motive. Investigators also have to contend with flags of convenience, multinational crews, and vessels that can simply sail into international waters where a coastal state's jurisdiction runs out. The Eagle S dismissal made this painfully explicit: the court didn't dispute that the ship caused the damage, only that prosecutors couldn't prove it was done on purpose.
This is compounded by a broader structural problem — repair capacity. The global median time to fix a severed submarine cable is estimated at around 40 days, and even under favorable Baltic Sea conditions, the full cycle from incident to restored service typically takes at least two weeks. Each cable splice can require up to sixteen hours of specialized work before the line can be redeployed and tested. Cable-laying and repair ships are a scarce, specialized commercial fleet that isn't designed to operate at surge capacity during an adversarial campaign — which is exactly the gap Europe is now trying to close.
Almost every vessel implicated in these incidents traces back to Russia's so-called "shadow fleet" — an armada of aging tankers and bulk carriers assembled since late 2022 to keep Russian oil exports moving despite Western sanctions and the G7 oil price cap. Understanding its scale helps explain why enforcement has been so difficult. Estimates of the fleet's total size vary by source and methodology, but most serious analyses converge on a range of roughly 600 to over 1,300 vessels globally, depending on how broadly "shadow fleet" is defined — with Ukraine's own government tracker listing over 1,300 ships as of February 2026. Whatever the precise count, sanctioned or suspect tankers are believed to carry somewhere between 18% and 20% of global oil-tanker capacity, a share far too large to simply intercept ship by ship.
These vessels share a common operational profile: registration under non-sanctioning flag states such as Gabon, Palau, Cook Islands, or Cameroon; ownership through opaque shell companies; falsified or non-existent insurance from reputable maritime insurers; frequent AIS transponder spoofing or "dark sailing" to hide their movements; and an average age well above fifteen years, which raises both sabotage suspicion and genuine safety risk — the fleet has already produced its share of groundings, spills, and fires. By early 2026, roughly a third of tankers transiting the Baltic were found to be carrying insurance certificates from sanctioned Russian insurers rather than legitimate Western underwriters, and the number of false-flagged vessels detected in the Baltic reportedly quadrupled in the second half of 2025 alone.
Enforcement has intensified sharply since late 2025 — the EU's designated-vessel list has climbed toward 600 ships, the US Coast Guard and European navies have moved from monitoring to actively boarding and seizing tankers, and Germany, Sweden, Estonia, and Belgium have all carried out interceptions in Baltic and North Sea waters through the first half of 2026. Yet Russia has responded by re-flagging tankers under its own registry and reportedly deploying uniformed personnel aboard shadow vessels to photograph and monitor coastal infrastructure such as bridges — a sign that the standoff between sanctions enforcement and sanctions evasion is intensifying rather than winding down, and that undersea cables are only one visible symptom of a much larger maritime confrontation playing out in the same waters.
| Date | Infrastructure Affected | Countries Linked | Suspected Vessel | Outcome |
|---|---|---|---|---|
| Sep 2022 | Nord Stream 1 & 2 pipelines | Russia–Germany | Unconfirmed (explosives) | Still under multi-country investigation |
| Oct 2023 | Balticconnector gas pipeline | Finland–Estonia | NewNew Polar Bear (China-flagged) | Beijing later attributed it to bad weather |
| Nov 2024 | BCS East-West Interlink | Sweden–Lithuania | Yi Peng 3 (China-flagged) | Ship boarded with China's consent; Swedish inquiry inconclusive |
| Nov 2024 | C-Lion1 data cable | Finland–Germany | Yi Peng 3 (same voyage) | Same inconclusive outcome |
| Dec 2024 | Estlink 2 power cable + 4 telecom lines | Finland–Estonia | Eagle S (Cook Islands-flagged) | Charges dismissed Oct 2025 — intent not proven |
| Jan 2025 | Latvia–Gotland telecom cable | Latvia–Sweden | Vezhen (Malta-flagged) | Ruled accidental; vessel released |
| Feb 2025 | C-Lion1 damaged again | Finland–Germany | Unidentified | Third disruption on same cable in months |
| Nov 2025 | Lithuania–Latvia telecom cable | Lithuania–Latvia | Docked vessel at Liepaja | Boarded; no conclusive evidence found |
| Dec 2025 | Elisa telecom cable | Finland–Estonia | Fitburg | Crew held/travel-banned; investigation ongoing |
| Feb 2026 | — (policy response) | EU-wide | — | €347M Cable Security package announced |
NATO's answer has been Baltic Sentry, launched in January 2025 as an expanded component of the existing Combined Task Force Baltic — adding more patrol vessels, aircraft, and staff rather than standing up an entirely new command. As Danish naval officers involved in the effort have described it, the mission is coordination and vigilance, not blanket security: cable and pipeline owners retain primary responsibility for protecting their own assets, and NATO's role is to monitor, deploy quickly when something happens, and support the coastal state that actually has jurisdiction. Estonia's national security advisor has described the deeper lesson learned since the Balticconnector incident as an operational one — that undersea infrastructure security has to be treated as inherently multinational, coordinated not just at the government level but between agencies and the private companies that actually own the cables.
On the policy side, the European Commission has moved in stages. Its 2025 Joint Communication on submarine cable security, presented by Executive Vice-President Henna Virkkunen, set out a five-part plan — prevention, detection, response, recovery, and deterrence — running through 2026. That culminated in February 2026 with a €347 million subsea infrastructure package and an accompanying "Cable Security Toolbox," the largest EU-level investment in this space to date. A notable slice of that funding — about €20 million, roughly 5.7% of the package — is earmarked for a Rapid Repair Pilot that pre-positions modular repair equipment in Baltic ports, aiming to compress the incident-to-restoration cycle. Separately, in December 2025 the EU and its member states issued a joint declaration committing to make full use of existing international law-of-the-sea frameworks to address shadow-fleet threats and undersea infrastructure protection together, rather than treating them as separate problems.

Strategic Context: Why This Matters Beyond the Baltic
The Baltic incidents are widely read as an expression of a broader Russian naval strategy that has been building since the early 2000s, with particular emphasis on undersea capability — a continuation of Cold War-era Soviet thinking about disrupting NATO's ability to resupply and communicate across the Atlantic. Framed that way, cable-cutting isn't really about any single cable; it's a low-cost, deniable way to signal reach and impose cost, sitting just below the threshold that would trigger a NATO Article 5 response.
It also matters globally because the Baltic isn't unique — it's simply the most visible test case. The same shallow-water, anchor-drag playbook could, in principle, be replicated anywhere merchant traffic passes near critical cable corridors: the Taiwan Strait, the Red Sea, the North Sea. Analysts increasingly frame the Baltic pattern as a preview of a broader undersea-infrastructure risk that global shipping lanes and data networks will have to account for, particularly as roughly 95% of the world's intercontinental data traffic still travels through submarine cables with very little redundancy in some corridors.
Two structural gaps stand out from the record so far. First, maritime jurisdiction frameworks under the UN Convention on the Law of the Sea (UNCLOS) make it very hard to prosecute sabotage when a vessel's flag state has no real interest in cooperating — exactly the enforcement gap exposed by the Eagle S dismissal. Proposals now circulating in EU policy circles call for reforming these frameworks so that infrastructure sabotage can be prosecuted independent of flag-state cooperation, alongside newer legal innovations such as pre-arranged flag-state consent for boarding suspect vessels. Second, the commercial repair-ship market is structurally not built for surge capacity; it's sized for routine, predictable fault rates, not a sustained campaign of deliberate damage. Closing that gap would likely require a dedicated public-private repair fleet, a proposal that some analysts argue should be folded into the EU's next long-term budget cycle from 2028 onward.
| Mechanism | Launched | Scope | Key Limitation |
|---|---|---|---|
| NATO Baltic Sentry | Jan 2025 | Added patrol vessels, aircraft, staff under CTF Baltic | Monitors and supports — does not have unilateral enforcement authority |
| EU Joint Communication on Cable Security | 2025 | Prevention/detection/response/recovery/deterrence framework | Multi-year rollout; funding trailed the policy framework |
| EU €347M Cable Security Package | Feb 2026 | Largest EU-level subsea infrastructure investment to date | Rapid Repair Pilot covers only ~5.7% of total funding |
| EU Declaration on Law-of-the-Sea Use | Dec 2025 | Commits to using existing UNCLOS tools against shadow-fleet threats | Relies on flag-state cooperation that is often absent |
| National seizures (Finland, Latvia, Belgium, Sweden) | Ongoing | Direct vessel interception and detention | Prosecutions repeatedly fail on the "intent" standard |
A few threads are worth tracking heading into the rest of 2026: how the €347 million package actually gets disbursed and whether the Rapid Repair Pilot measurably shortens restoration times; whether ongoing extradition cases — including a Ukrainian man whose handover to Germany was approved by Italy's top court in November 2025 — produce the first real conviction tied to coordinated sabotage; whether the EU's planned 20th sanctions package extends vessel listings or introduces a broader maritime-services ban on Russian crude; and whether NATO's Baltic Sentry framework gets replicated in other vulnerable corridors. For the Defence AI community specifically, this is also a live use case for AI-assisted maritime domain awareness — anomaly detection on AIS ship-tracking data, automated anchor-drag pattern recognition from seabed sonar surveys, and fusion of satellite, acoustic, and traffic data to flag suspicious vessel behavior before a cable is cut rather than after.