A New Decentralized Cyberdefense Model Gains Traction in the EU

Inspired by changes in military defense strategy, the European public sector is adopting a more decentralized command-and-control model where agility, collaboration, and resilience take precedence over rigid hierarchy.

With the sprawling nature of cyberthreats these days – spanning international borders, permeating the boundaries of corporate digital services into supply chains and public and private infrastructure – the traditional model of a single, central authority managing cyberdefenses doesn’t quite cut it.

Enter the new cyberdefense model that’s been gaining momentum across European governments, agencies, and institutions in recent years: centralized command guiding decentralized action.

“No single authority can have visibility or control over every node in this vast digital ecosystem,” said Raymond Bierens, chairman of the Netherlands-based Connect2Trust Foundation, in an exclusive interview with Focal Point.

The foundation shares threat intelligence with SecOps centers of large public service organizations across the EU. Their collaborations and others reflect the growing recognition that the cyber domain demands not just better tools but also a smarter, more adaptive operating model.

This new model is essentially a more refined iteration of command and control (C2), the standard processes and systems that military leaders use to make decisions (command) and that others rely on to carry them out (control). The emerging pragmatic solution is an approach where agility, collaboration, and resilience take precedence over rigid hierarchy – inspired by the way military defense is changing, and helped by the fact that many ex-military personnel are now working in cybersecurity.

Why move to a (partly, at least) decentralized command-and-control model?

To understand the benefits of decentralization, it’s helpful to turn back – like, waaay back – to the historical shift from centralized to decentralized models in warfare.

“If we look to the Napoleonic era, command was tightly centralized,” Dan Snape, a former Royal Air Force officer and cyberdefense commander for the UK Ministry of Defence, told Focal Point. “Soldiers were not trusted to think; they were required to obey the commands of an officer who told them precisely what to do and when.”

As the centuries passed and warfare evolved through the world wars to contemporary conflict, the shift from centralized command to decentralized execution took hold. “Soldiers were trained and trusted to assess the situation themselves and operate within pre-defined rules of engagement,” Snape continued. “It was a form of delegated authority for the application of military force.”

Snape, now managing director at the cybersecurity consulting firm Kaze, based in London, sees the advantages security teams can leverage by adopting a similar framework.

‘Slow is smooth, smooth is fast’

In the context of cybersecurity, decentralization of operational decision-making and execution can bring agility and speed, when done correctly.

“If you can develop mature, high-performing teams, they will feel confident enough to accept the empowerment offered,” said Snape. “The processes, technology, and data are the weapon systems at the fingertips of these teams. Speed comes from intentional decision-making and execution. It sounds odd, but slow is smooth, smooth is fast,” he added, referencing a motto from the military’s Special Forces units that highlights the importance of deliberate, practiced actions.

A smooth process, in C2 cyberdefense terms, means intel from local entities getting collected and analyzed in a central SecOps center and immediately fed back to all other local entities, allowing for timely reaction to threats.

That said, decentralization also presents its own challenges, and it might even lead to operational blind spots.

“Two departments both doing risk assessments does not mean that their outcomes are comparable,” said Bierens. “You need interoperability within and across the hierarchy to ensure that you achieve collective mission-readiness.”

Cultural factors also remain a major barrier to building mature high-performing teams. Many civilian agencies lack the mission-driven ethos that’s ingrained in defense institutions. “These challenges are compounded by the persistence of a view by some that cybersecurity is… someone else’s problem,” said Dan Jones, former head of the cyber delivery team in the UK Ministry of Defence and now a senior security adviser at Tanium (which publishes this magazine). “Bridging that gap takes ongoing education and leadership.”

Despite such challenges, recent geopolitical events and the rise of nation-state threats are encouraging (if not forcing) organizations in both the public and private sector to rely on the guidance and best practices of their national militaries.

How a hybrid approach amplifies the benefits of decentralized command and control (while maintaining a central structure)

A hybrid command-and-control model allows governments to scale core functions centrally – such as intelligence sharing, vendor relationships, and major technology procurement – while preserving the flexibility of local response teams. “It doesn’t have to be centralized from top to bottom,” said Snape. “You need, first, to take the time to define that threat and assess your own capabilities. Only then will you be able to strike a balance between centralized strategic oversight and the speed of activity that comes with decentralized execution.”

Collaboration is key, said Bierens, referring to the intel sharing by Connect2Trust that allows chief information security officers and their SecOps centers to collaborate voluntarily in a trusted environment. Having European regulations is one thing but implementing them across different countries is another matter. As an example, the NIS2 Directive, an EU set of rules that force large organizations to improve their security stance, is translated into 27 different local laws, which might not be the most efficient way of working.

Success depends on shared doctrine, aligned incentives, and a shared consciousness.

“We took a lesson from [U.S.] General Stanley McChrystal’s ‘Team of Teams’ idea,” Snape said. The now-retired general developed the concept while leading U.S. forces in Iraq – realizing that traditional hierarchical structures couldn’t keep up with the speed and adaptability of decentralized terrorist networks, he broke down silos and fostered a culture of shared consciousness and empowered execution across units. “Based on the same idea, we built small, empowered teams who know their mission, share the same tools and playbook, and have the autonomy to act fast,” said Snape.

This type of collaboration exists between different government organizations, but there are examples in the private sector, too, as more threat actors pursue their economic and geopolitical interests in cyberspace. Case in point: The multinational companies Allianz SE, BASF SE, Bayer AG, and Volkswagen AG joined forces in Germany in 2015 by launching DCSO, the Deutsche Cyber-Sicherheitsorganisation (German Cybersecurity Organization), to counter organized cybercrime and state-controlled industrial espionage.

Experts foresee an increase in such collaborative efforts, especially as bad actors harness the power of AI to execute faster and more relentless cyberattacks.

As with AI, it’s not just defenders who are adapting: Recent malware strains like TransferLoader and Skitnet demonstrate how cybercriminals are using decentralized command-and-control strategies to enhance resilience and evade detection. TransferLoader uses the decentralized InterPlanetary File System (IPFS) to maintain operations even if its primary server is neutralized, while Skitnet employs DNS-based communication in a modular structure to stay hidden. A spate of ransomware attacks on the UK retail sector this past May showcased decentralized tactics to spread across systems rapidly and unpredictably.

Defining roles, responsibilities, and authority

In a decentralized (or federated) model of cyberdefense, one of the trickiest aspects is assigning authority. “If you dictate too much,” warned Jones, “you risk stifling initiative.” Instead, the European experience leans toward soft structures, with coalitions of the willing, bolstered by trust and mutual benefit.

“The most successful projects often start from the bottom up,” Bierens added. “You just need to identify those that have the nerve to share their successes and challenges, in order to let others learn and avoid reinventing the wheel.”

The biggest enemy of progress is an increased focus on compliance and controls. “Research shows that managing digital risks is very different from managing compliance,” said Bierens, “since the first enables a federated model, while the latter will take away all sense of ownership on the tactical and operational level.” A pragmatic “proceed until apprehended” ethos – common in defense circles – can be surprisingly effective in cybersecurity.

The role of AI and automation

As with so many other operations, AI and automation will allow decentralized command-and-control centers to operate at scale. Snape sees a future where AI revamps cybersecurity toolkits, specifically playing three key roles: augmenting SOC operations, accelerating executive decision-making, and streamlining procurement. “If AI can package incidents, simulate options, and recommend actions, you compress decision cycles dramatically,” he said. “That’s the only way we keep pace with adversaries who don’t play by the same ethical rules as we do.”

In essence, AI doesn’t eliminate the need for human oversight; it demands more from leadership. Strategic decision-makers must be technically literate enough to understand hybrid command-and-control models and employ capabilities effectively.

A European context with global relevance

These developments in the EU carry global implications. In an interconnected world, cyber resilience depends on alignment between public and private sectors, centralized governance, and local initiative. As Bierens noted, “Every company is cross-border just like most of the internet itself. Threats are transnational. Yet we still respond with national laws and institutions.”

The UK’s recently launched Strategic Defence Review provides one of the clearest signals yet that this approach isn’t just theory – it’s becoming doctrine.

This 2025 Strategic Defence Review reinforces the value of centralized command with decentralized execution, particularly through the creation of the Cyber & Electromagnetic Command. This model treats the digital landscape as a blurred, interdependent ecosystem that requires close collaboration not only across government but also with industry, spanning technology, operations, and people.

The SDR also acknowledges the transformation in threat scale and complexity, and the importance of federated cybersecurity strategies. The UK’s ongoing investment in this hybrid model serves as a clear endorsement of its effectiveness in modern digital defense.

Until then, it’s about progress over perfection. “Don’t wait for the perfect model,” Snape advised. “Think big, start small, act fast to deliver value and build trust. Action is the only true metric of success.”

José Delameillure

José Delameilleure has more than 30 years of experience in journalism and content writing for the IT sector, translating complex technology into the business value it offers companies, or into the efficiency it brings to end users.
