Hybrid Warfare: Linking Drones, Cyberattacks, and Disinformation

In today's business environment, companies face a coordinated threat that goes far beyond traditional cybercrime. Hybrid warfare—the integration of tactics including cyberattacks, drone operations, and disinformation campaigns—directly impacts corporate infrastructure. If your organization operates in critical sectors or manages sensitive data, understanding these threats is essential. This article explains the risks and how to build defenses protecting your company's continuity.

Picture illustrates a specialist explaining hybrid warfare defense.

Understanding hybrid warfare and its business impact

Hybrid warfare represents a fundamental shift in how adversaries target organizations and nations. Rather than declaring open conflict, actors use coordinated combinations of conventional military tactics, cyberattacks, disinformation, sabotage, and economic pressure. These strategies aim to destabilize targets while maintaining plausible deniability, and they have evolved dramatically with the integration of artificial intelligence.

For commercial enterprises, hybrid threats are no longer theoretical concerns, manifesting as cyberattacks disrupting production or drones conducting surveillance. The interconnected nature of these tactics means a single incident can trigger cascading failures across multiple systems. Your power supply might be disrupted by sabotage while your communications are compromised by cyberattacks.

What makes hybrid threats particularly dangerous for business is their ambiguity. Companies struggle to attribute attacks, determine appropriate responses, and navigate the legal complexities that arise when traditional security measures prove insufficient. ARROWS Law Firm regularly advises commercial entities on these emerging security risks and helps them understand the legal framework within which they must operate.

get in touch with us,
we’ll take care of it for you

The three pillars of hybrid attack: How drones, cyberattacks, and disinformation work together

Unmanned aerial vehicles (UAVs) have become a primary tool in hybrid operations targeting infrastructure sectors. Unlike traditional aircraft, drones offer adversaries speed, low cost, reduced attribution risk, and the ability to operate from beyond conventional defensive perimeters. For companies managing energy facilities or telecommunications networks, drone threats have evolved from theoretical risks to documented realities.

In recent incidents across Europe and beyond, drones have been used for surveillance of power plants, oil and gas facilities, and telecommunications infrastructure. Documented incidents in the United States and Europe have demonstrated how easily commercial platforms can be modified to cause deliberate damage. More recent cases involve coordinated drone operations designed to gather intelligence on facility layouts before launching attacks.

The threat extends beyond direct physical damage, as drones equipped with surveillance capability can identify patterns in your operations. When combined with cyberattacks on your SCADA systems and disinformation campaigns claiming responsibility, the damage is far greater than the sum of the individual incidents. These combined tactics create a multiplier effect that traditional physical security cannot address in isolation.

Cyberattacks as force multipliers in hybrid operations

Cyberattacks serve as the digital component of hybrid warfare strategies, often coordinated with physical operations to maximize disruption. Unlike standalone cybercriminal attacks motivated by financial gain, hybrid cyber operations support broader geopolitical objectives. These include destabilizing economies, undermining public confidence in institutions, and weakening adversary capabilities.

The sophistication of hybrid cyber operations has increased dramatically, with attacks no longer requiring direct access to systems. Adversaries now conduct preliminary cyber reconnaissance, compromise supply chain partners, and exploit vulnerabilities in interconnected systems. The cyberattacks on Ukraine's power grid demonstrated how cyber disruption can affect millions of civilians and create second-order economic damage.

For your organization, the risk is compounded by the convergence of cyber threats with physical operations. Your power supply depends on digital control systems vulnerable to cyberattacks, and your communications infrastructure can be jammed or compromised. Your supply chain partners may be targeted with ransomware that disrupts your production, a scenario for which traditional cybersecurity budgets prove insufficient.

Importantly, the legal liability for cyber incidents has expanded dramatically in recent years. Companies are increasingly expected to implement "reasonable" cybersecurity measures proportionate to their risk profile and industry sector. ARROWS Law Firm helps businesses navigate these complex compliance obligations and defend against regulatory enforcement actions.

Disinformation as a weapon against corporate trust and markets

Disinformation campaigns targeting corporations have become increasingly sophisticated and economically damaging. Unlike traditional propaganda, modern disinformation exploits algorithmic amplification, deepfakes, and coordinated bot networks. These tools spread false narratives at a scale and speed that traditional fact-checking cannot match.

Corporate disinformation campaigns can target your reputation, your products' safety, your leadership's integrity, or your financial viability. Consider the impact of market "flash crashes" triggered by false information, such as the 2013 incident involving a hacked tweet about the White House. For companies with publicly traded securities, disinformation poses a direct financial risk that can trigger rapid valuation declines.

The convergence of disinformation with cyberattacks and drone operations amplifies damage. After a cyberattack compromises your systems, false narratives spread claiming data was stolen for adversaries' benefit. In these scenarios, establishing the facts becomes difficult in real-time market environments where perception drives trading behavior.


Regulatory bodies now recognize disinformation as a systemic risk requiring corporate governance attention. Financial regulators in multiple jurisdictions have begun requiring companies to implement controls detecting and responding to false narratives. ARROWS Law Firm advises companies on these emerging governance obligations and represents businesses in regulatory investigations following disinformation incidents.

microFAQ – Legal tips on corporate hybrid threat recognition

1. How can my company distinguish hybrid attacks from ordinary cybercrime or operational incidents?
Hybrid attacks typically display coordination across multiple domains—cyberattacks aligned with drone surveillance or disinformation campaigns. Ordinary cybercrime usually focuses on financial theft or ransomware demands. Hybrid operations aim at destabilization and attribution ambiguity. The timing coordination is often the giveaway: incidents that seem coincidental may actually be synchronized.

2. What legal obligations does my company have to detect and report hybrid incidents?
Obligations depend on your industry and jurisdiction. Critical infrastructure operators face mandatory incident reporting under sector-specific regulations. Financial institutions must comply with the DORA (Digital Operational Resilience Act) framework in the EU, requiring rapid notification to authorities. Data breaches affecting personal information trigger GDPR or state privacy law reporting requirements. Contact office@arws.cz to understand your specific obligations.

3. If I cannot immediately identify the source of an attack, am I liable for failing to report it?
Not automatically, but you must report the incident itself. Regulations typically require notification "without undue delay" or within strict timeframes (e.g., 24 or 72 hours) once you've confirmed a significant incident occurred, regardless of attribution. Uncertainty about the attacker's identity doesn't excuse reporting delays regarding the breach or outage itself. Documentation of your investigation process is crucial for defending against regulatory enforcement later.

Nations and multinational regulatory bodies have codified requirements for companies to prepare for and respond to hybrid threats. The most comprehensive frameworks come from the European Union, whose geographic proximity to hybrid conflict zones makes it a regulatory innovator. Its significant technological infrastructure further drives the need for robust legal standards in this space.

The EU's NIS2 Directive requires "essential" and "important" entities across critical sectors to implement risk-based cybersecurity measures. NIS2 applies to medium-sized and larger entities in energy, transport, banking, healthcare, water management, and digital infrastructure. Critically, NIS2 makes management bodies personally accountable for cybersecurity compliance, meaning board members can face liability for failures.

In the United States, critical infrastructure sectors operate under sector-specific regulations. The Electricity Subsector faces NERC CIP standards, while financial institutions must comply with GLBA and regulations from bodies like the SEC. Each framework shares common elements: risk assessment, incident response planning, supply chain security management, and rapid notification obligations.

For companies with international operations, regulatory complexity multiplies. A European subsidiary must comply with national laws transposing NIS2, while a U.S. subsidiary navigates federal and state frameworks. ARROWS Law Firm regularly advises companies operating across multiple jurisdictions on harmonizing cybersecurity compliance programs.

The personal liability challenge for corporate leadership

Modern cybersecurity regulations have shifted accountability from IT departments to corporate boards and senior management. Delaware courts have established precedent that directors can face personal liability for failing to implement adequate oversight systems. Shareholders have successfully challenged board decisions regarding cybersecurity investments, arguing that inadequate preparation breaches directors' duty of care.

The standards courts and regulators apply require boards to act proactively. Boards must actively monitor cybersecurity risks rather than passively accepting IT department reports. Additionally, they must question whether security investments are proportionate to identified risks and establish clear accountability for cybersecurity performance.

For European companies, NIS2 personal accountability provisions create comparable risk. National implementations explicitly make management bodies liable for non-compliance. Fines for the entity can reach €10 million or 2% of global annual turnover, with specific provisions holding executives personally liable.

What complicates this further is that courts increasingly hold misleading cybersecurity disclosures against directors. If your annual report claims you've implemented "best-in-class" security practices but a breach reveals significant gaps, directors can face claims of material misrepresentation. ARROWS Law Firm assists boards and senior management in establishing cybersecurity governance frameworks that satisfy legal requirements while managing operational realities.


microFAQ – Legal tips on corporate leadership accountability for hybrid threats

1. What specific cybersecurity governance activities should our board be conducting?
Boards should review cyber risk assessments quarterly, approve incident response plans, monitor security investments and their effectiveness, ensure executives are trained on cybersecurity risks, and document their oversight activities. Many companies now appoint dedicated cybersecurity board committees or require board members to attend cybersecurity training. This documentation protects individual directors by demonstrating active engagement with the risk.

2. If a hybrid attack succeeds despite our security investments, can we face liability for inadequate preparation?
Possibly, but liability usually hinges on negligence rather than the breach itself. Courts recognize that perfect security is impossible, so the standard is "reasonable" preparation relative to identified risks in your industry and company size. If your security posture was demonstrably lower than peer companies, or if you ignored known vulnerabilities while claiming to have addressed them, liability exposure increases significantly.

3. Must our company maintain cyber insurance given these liability risks?
While not always mandatory by statute, it is a critical component of risk management. Cyber insurance serves two functions: it covers financial losses from incidents, and it signals to regulators and shareholders that leadership took risk transfer seriously. Many financial institutions now face requirements to maintain cyber insurance. More importantly, cyber insurance often includes representation coverage—insurers provide attorneys to defend directors and officers in regulatory investigations or shareholder litigation.

Hybrid threats and critical infrastructure: Sector-specific risks

Energy infrastructure faces sustained hybrid threat campaigns from state and non-state actors. Documented campaigns have targeted power grids with coordinated cyberattacks and drone strikes designed to maximize civilian disruption. Energy infrastructure in the Middle East has also been attacked using combinations of commercially available drones and advanced military systems.

For energy companies, the threat is multidimensional, combining physical sabotage with cyber operations. Physical sabotage targeting undersea cables and pipelines combines with cyber operations compromising SCADA systems. The implication is clear: critical infrastructure operates in an environment where physical security measures alone no longer suffice.

Regulatory responses have intensified accordingly. The EU's Critical Entities Resilience (CER) Directive requires energy operators to identify critical assets and assess vulnerabilities. ARROWS Law Firm helps energy operators navigate these converging obligations, advising on regulatory compliance and incident response protocols.

Financial services and market manipulation through hybrid operations

Financial institutions face hybrid threats from multiple directions. Cyberattacks target customer data and transaction systems, while disinformation campaigns target institutional stability and customer confidence. In a notable recent case, AI-generated deepfakes of corporate executives were used to authorize fraudulent fund transfers.

Market manipulation through disinformation represents a systemic financial risk. Flash crashes and rapid valuation changes caused by unverified narratives demonstrate how false information can trigger massive market movements. For financial institutions, regulatory exposure arises in multiple directions, including obligations to disclose material cybersecurity risks.

The intersection of hybrid threats and financial markets creates novel legal liability. Institutions must implement identity verification controls sophisticated enough to defeat deepfake-based impersonation. ARROWS Law Firm assists financial institutions in designing governance frameworks addressing these converging threats and defending against regulatory enforcement.


Water and telecommunications: Vulnerable choke points

Water supply infrastructure and telecommunications networks represent critical choke points increasingly targeted by hybrid operations. Water systems in many developed nations were designed without modern cybersecurity considerations. Systems controlling treatment plant chemical levels often operate on legacy infrastructure with minimal security hardening.

Recent incidents demonstrate both the vulnerability and the consequences. In the US, hackers attempted to increase sodium hydroxide levels in a water supply to dangerous concentrations. In Europe, undersea telecommunications cables have been damaged in incidents raising concerns about sabotage.

For companies operating water utilities or telecommunications infrastructure, hybrid threats combine cyberattacks with drone surveillance. ARROWS Law Firm advises these operators on regulatory compliance strategies, incident response protocol development, and liability management when incidents occur.

When hybrid incidents occur, regulatory reporting obligations create urgent legal timelines that significantly constrain your response flexibility. The regulatory landscape requires understanding multiple frameworks simultaneously.

Under the EU's GDPR, data breaches involving personal information must be reported to supervisory authorities within 72 hours. This provides less than three days to investigate the breach scope, determine affected individuals, and submit formal notification. The 72-hour clock starts the moment you become aware of the breach, regardless of investigation completeness.

The EU's DORA regulation accelerates timelines for financial entities. Major ICT-related incidents must be reported to the competent authority within strict timelines, often within 24 hours. These overlapping requirements create practical complications, as legal teams must simultaneously investigate the technical incident and assess financial impact.

The complexity deepens when hybrid incidents span multiple jurisdictions. A cyberattack affecting your EU operations triggers GDPR and DORA timelines, while attacks on U.S. subsidiaries trigger different requirements. ARROWS Law Firm assists companies in establishing incident response protocols that satisfy complex reporting timelines.

Ransomware payment decisions and sanctions compliance

When hybrid operations include ransomware attacks, payment decisions create extraordinary legal complexity compounded by geopolitical factors. The decision to pay or refuse a ransom demand affects not only immediate incident resolution but also regulatory compliance, future targeting risk, and potential liability for funding sanctioned entities.

Both U.S. (OFAC) and EU sanctions regimes impose strict liability standards for payments to sanctioned entities. If your company pays a ransom demand to a threat actor later identified as sanctioned, you face significant civil penalties regardless of your intent. This creates a genuine dilemma: delaying payment increases operational damage, while accelerating it increases compliance risk.

Recent enforcement actions demonstrate the seriousness. Authorities have prosecuted vendors and payment platforms facilitating ransomware payments to sanctioned entities. Regulators examine whether your company conducted due diligence on threat actors before payment and whether you screened payment recipients against sanctions lists.

The regulatory landscape now assumes companies will experience ransomware incidents and expects them to maintain comprehensive response procedures. ARROWS Law Firm helps companies establish ransomware response protocols meeting regulatory expectations, including sanctions compliance procedures.

microFAQ – Legal tips on ransomware response and regulatory compliance

1. Must our company notify law enforcement immediately when we discover ransomware, or should we negotiate payment first?
Notification is generally recommended and sometimes mandatory (e.g., under CIRCIA in the US or NIS2/DORA in the EU for significant incidents). Early notification allows law enforcement to provide guidance on the specific threat actor. Many agencies maintain threat actor intelligence identifying which groups are sanctioned—early notification may prevent you from inadvertently paying sanctioned entities. Document your investigation timeline meticulously because regulators will later examine whether you took reasonable steps to avoid sanctions violations.


2. If we pay ransom and later discover the recipient was sanctioned, what are the consequences?
Penalties under OFAC or EU sanctions regimes can be substantial. You may face civil penalties ranging from tens of thousands to potentially millions depending on circumstances. Additionally, regulators may investigate whether your company failed to implement reasonable sanctions compliance procedures. This is why having documented payment decision processes (including sanctions screening steps) is critical—it demonstrates reasonable care even if a payment later proves to have gone to a sanctioned entity through circumstances you couldn't reasonably have detected.

3. Can our cyber insurance help manage ransomware payment liability?
Yes, in several ways. First-party cyber coverage often includes ransom costs (though this varies by policy). Third-party coverage can include defense costs and regulatory settlement expenses if you face enforcement action after payment. More importantly, insurers providing ransom negotiation services often help identify threat actors and assess sanctions risks—essentially providing expert guidance reducing your liability exposure. Review your policy details carefully with office@arws.cz to understand your specific coverage.

Risk scenarios and regulatory consequences

Risk and sanctions / How ARROWS helps (office@arws.cz)

Risk: Power grid cyberattack combined with drone surveillance: Attackers compromise SCADA systems controlling transmission and distribution while drones film facility locations and security protocols, enabling follow-up physical sabotage. Resulting blackouts cause cascading failures.

How ARROWS helps: Regulatory compliance and incident response representation: ARROWS helps energy operators establish NIS2/NERC CIP-compliant security frameworks, develops incident response protocols satisfying regulatory notification requirements within mandatory timelines, and represents operators before regulators.

Risk: Ransomware attack with financial institution data exposure: Attackers encrypt your backup systems and demand ransom, threatening to disclose customer data. Payment decisions must satisfy DORA incident reporting timelines, GDPR notification requirements if personal data is exposed, and sanctions screening.

How ARROWS helps: Incident response and sanctions compliance legal advice: ARROWS assists financial institutions in documenting payment decisions satisfying regulatory scrutiny, conducts real-time legal screening of threat actors against sanctions lists, and helps prepare regulatory notifications meeting DORA 24-hour timelines.

Risk: Disinformation campaign targeting your company's financial stability: False claims spread through social media that your company's infrastructure was compromised and customer data was stolen. Stock price falls significantly before you can issue corrected information. Shareholders file derivative litigation.

How ARROWS helps: Governance documentation and shareholder litigation defense: ARROWS helps document board cybersecurity oversight activities demonstrating reasonable care, advises on disinformation response protocols and media strategy, and represents board members in shareholder derivative litigation.

Risk: Supply chain compromise affecting multiple customers: Attackers compromise your software to insert malware affecting your customer base. Customers file claims alleging you failed to implement adequate secure development practices. Regulators investigate whether you comply with vulnerability disclosure requirements.

How ARROWS helps: Vendor risk management and regulatory defense: ARROWS advises on supply chain security protocols satisfying NIS2 and equivalent frameworks, helps implement secure development lifecycle standards, and represents your company before regulators investigating software security practices.

Risk: Drone surveillance preceding physical sabotage at a critical facility: Drones are detected filming your water treatment plant security perimeter over multiple days. Subsequently, physical sabotage occurs, damaging critical equipment. Regulatory authorities question whether you had adequate physical security measures.

How ARROWS helps: Critical infrastructure security compliance and incident response: ARROWS helps companies implement the CER Directive and national critical infrastructure laws, advises on drone detection system deployment and its legal implications, and represents companies in regulatory proceedings following sabotage incidents.

Understanding your compliance obligations: A practical breakdown

Determining which hybrid threat regulations apply to your organization requires understanding multiple factors. You must consider your industry sector, company size, geographic location, and the types of personal data you process. Additionally, you must determine whether you are classified as "essential" or "important" infrastructure.

Companies in energy, telecommunications, water, financial services, healthcare, and digital infrastructure sectors face the highest compliance burdens. For these sectors, the EU's NIS2 Directive requires medium-sized and larger entities to implement comprehensive cybersecurity frameworks. The U.S. imposes comparable requirements through sector-specific regulations like NERC CIP and HIPAA.

Geography matters significantly. Companies operating in the EU must comply with GDPR regardless of where their headquarters are located if they offer goods/services to EU residents. This creates extraterritorial obligations for international companies, meaning a U.S. company processing European customer data must comply with notification requirements.

Your company's size affects compliance intensity, with larger organizations facing more stringent obligations than small companies. But small businesses shouldn't assume they're exempt, as regulations increasingly apply if they operate in critical sectors. ARROWS Law Firm helps companies conduct compliance assessments determining which regulations apply to their specific situation.


Essential steps to hybrid threat readiness

Building hybrid threat readiness requires integrating physical security, cybersecurity, crisis communication, and legal compliance frameworks into a coherent organizational response. For most organizations, this involves several interconnected steps.

First, conduct a comprehensive risk assessment addressing physical, cyber, and informational threats. NIS2 and equivalent frameworks explicitly require documented risk assessments identifying vulnerabilities and potential impacts. These assessments should address hybrid threat scenarios, not just isolated cyberattacks or drone incidents.

Second, implement layered security controls addressing physical perimeter protection and cybersecurity hardening. Physical security measures must address threats from uncrewed systems, as traditional perimeter fencing fails when adversaries operate aerial platforms. Cybersecurity controls should address operational technology and IT systems equally.

Third, establish incident response procedures with explicit timelines for regulatory notifications. Your procedures should address coordinating across IT, legal, communications, and leadership simultaneously. Pre-established notification templates and decision trees enable rapid response satisfying regulatory timelines.

Fourth, maintain comprehensive documentation of security decisions, risk assessments, and governance activities. Documentation demonstrates that your organization acted with reasonable care, serving as a critical defense if incidents occur. This is essential if regulators later question whether you took adequate precautions.

Fifth, implement employee training and awareness programs addressing hybrid threat scenarios. Studies consistently show that social engineering and phishing remain significant attack vectors. Employees represent both a vulnerability and your first line of defense against disinformation.

The complexity of implementing these measures while maintaining operational continuity challenges most organizations. ARROWS Law Firm assists companies in designing compliance frameworks addressing these requirements without creating unworkable operational burdens.

International perspectives: How different jurisdictions approach hybrid threats

The regulatory response to hybrid threats has varied significantly across jurisdictions, creating challenges for multinational organizations trying to achieve efficient consolidated compliance.

European Union approaches emphasize unified frameworks applicable across member states. Directives like NIS2 and CER establish baseline requirements that EU member states must implement in national law. This creates comparative regulatory consistency, reflecting geographic exposure to hybrid operations and recognition that national fragmentation creates vulnerabilities.

United States frameworks remain more sector-specific and geographically fragmented. Federal regulations like NERC CIP and HIPAA establish baseline requirements for specific sectors, while states maintain individual cybersecurity laws. U.S. companies often find it simpler to comply with the most stringent state requirements as de facto national standards.

United Kingdom approaches transitioned from EU frameworks post-Brexit while maintaining significant regulatory alignment. UK entities remain subject to GDPR equivalents and face sector-specific requirements through bodies like the Financial Conduct Authority. The UK approach attempts to maintain regulatory compatibility with EU frameworks while establishing independent standards.

Comparative complexity creates genuine challenges for multinational organizations. Rather than implementing four separate compliance programs, sophisticated organizations build integrated frameworks incorporating the most stringent requirements across jurisdictions. ARROWS Law Firm assists multinational companies in this consolidation, helping identify overlapping requirements.

Our Prague-based team regularly handles cross-border transactions and multinational compliance matters. We combine deep knowledge of European legal requirements with experience advising international clients navigating U.S., UK, and other jurisdictions. When your organization faces hybrid threats spanning multiple geographies, having counsel familiar with comparative legal obligations is essential.

microFAQ – Legal tips on multinational hybrid threat compliance

1. If we comply fully with EU NIS2 requirements for our European operations, does that automatically satisfy U.S. requirements for our American facilities?
Partially. NIS2 establishes comprehensive baselines that often exceed sector-specific U.S. requirements (with the exception of critical infrastructure sectors where NERC CIP, for example, imposes comparable rigor). However, NIS2 doesn't address state-level U.S. data privacy laws (like CCPA) or specific industry requirements like HIPAA. Your compliance strategy should map requirements across jurisdictions to identify gaps rather than assuming NIS2 compliance transfers automatically.

2. Which jurisdiction's requirements should we prioritize when they conflict?
Generally, the most stringent requirements should drive your baseline compliance, because satisfying the strictest framework typically satisfies less stringent requirements simultaneously. For example, implementing GDPR breach notification procedures and timelines (72 hours) often satisfies state-level U.S. requirements (which can range up to 60 days). Identify the jurisdiction with the most stringent requirements affecting your organization and build your compliance framework around that standard.

3. Do we need separate cyber insurance policies for each jurisdiction?
Not necessarily, but verify that your policy covers incidents in all relevant jurisdictions. Many cyber insurance policies apply globally, but coverage details, exclusions, and regulatory defense provisions vary. Have your insurance broker review policies specifically confirming coverage for EU, U.S., UK, and other relevant jurisdictions. Additionally, verify that insurers will defend you in regulatory proceedings across all relevant jurisdictions—some policies limit defense scope.


Technology and emerging threats: AI, deepfakes, and evolving hybrid operations

The technological sophistication of hybrid operations has accelerated dramatically with AI advancement. Artificial intelligence enables cyberattacks at scale and speed previously requiring human expertise, alongside deepfakes so convincing that traditional video verification fails.

AI-driven cyberattacks automate reconnaissance and exploitation, enabling adversaries to identify and compromise vulnerabilities rapidly. Deepfake technology combined with social engineering creates novel authentication bypass vectors. The $25 million fraudulent transfer executed through deepfaked video calls in Hong Kong demonstrated that voice and facial recognition alone are insufficient.

AI-generated disinformation poses unique detection and response challenges. Traditional fact-checking operated on the assumption that false claims would eventually be identifiable through investigation. If algorithms can generate convincing false video or audio indistinguishable from authentic content, the traditional cycle of correction breaks down.

Regulatory frameworks are evolving to catch up with technological realities. Most regulations written in the 2010s assume human-generated content. Companies implementing AI systems without mature governance and security frameworks face compounded risks. AI systems themselves become attack surfaces, and models can be compromised or poisoned with false training data.

For organizations implementing AI systems, this creates novel governance requirements. Directors now face potential liability if AI systems are deployed without adequate security controls. ARROWS Law Firm assists companies in designing AI governance frameworks addressing security, compliance, and liability implications simultaneously.

Building your organizational response framework

Hybrid threat preparedness requires moving beyond traditional siloed security approaches. Rather than separate cybersecurity teams, crisis communications departments, and physical security operations, effective hybrid threat response integrates these functions operationally and legally.

Establish integrated incident response governance where cybersecurity teams, legal counsel, and senior executives coordinate in real-time. Many organizations maintain "war rooms" enabling rapid cross-functional decision-making. The legal component should include counsel capable of real-time decision support regarding regulatory obligations and sanctions compliance.

Implement business continuity planning specifically addressing hybrid scenarios. Generic business continuity plans often fail in hybrid incidents because they don't address coordinated cyber-physical attacks. Exercises should simulate scenarios where cyberattacks disable communications precisely when physical incidents occur.

Design communication strategies addressing disinformation response. Many organizations lack pre-established protocols for correcting false narratives spread through social media. By the time organizations issue corrections, algorithmic amplification has already driven false claims to millions of people.

Ensure cyber insurance addresses emerging hybrid threat scenarios. Standard cyber insurance policies often exclude physical damage, sabotage, and terrorism. Review your insurance carefully to ensure coverage extends to hybrid scenarios and covers regulatory investigation defense costs.

ARROWS Law Firm helps companies design these integrated frameworks, ensuring they satisfy regulatory requirements while remaining operationally workable. We've advised numerous companies on building incident response protocols and business continuity plans addressing hybrid threat scenarios.

Executive summary for management

The convergence of drone operations, cyberattacks, and disinformation campaigns represents a novel threat category requiring integrated organizational response. Hybrid operations simultaneously target physical infrastructure, digital systems, and informational environments. Traditional siloed security approaches fail to address these cascading failures.

Regulatory frameworks have shifted rapidly, creating personal accountability for board members and senior executives for cybersecurity governance. NIS2, DORA, and GDPR now make management bodies personally liable for cybersecurity compliance failures. Board-level documentation of security decisions has become critical evidence in regulatory investigations.

Incident response timelines have compressed dramatically, requiring legal coordination in real time during crises. GDPR breach notifications must occur within 72 hours, while DORA requires financial entity reporting even faster. Organizations lacking pre-established protocols risk missing regulatory deadlines or violating sanctions law.


Disinformation campaigns pose systemic financial risk meriting dedicated governance attention. AI-enabled deepfakes enable false narratives to reach millions within hours, affecting market behavior. Companies across sectors have experienced significant valuation impacts from disinformation incidents.

Building effective hybrid threat defenses requires integrating cybersecurity, physical security, legal compliance, and crisis communication capabilities. Compartmentalized approaches where teams operate independently fail when incidents demand simultaneous coordination. Effective preparedness demonstrates integration of these functions operationally and in governance oversight.

Conclusion of the article

Hybrid warfare has transitioned from theoretical geopolitical concern to operational reality affecting corporations across sectors. The integration of drone surveillance, cyberattacks, and disinformation campaigns creates risk profiles that traditional security approaches inadequately address. Companies operating in critical infrastructure and financial services face the highest exposure.

The regulatory response has accelerated dramatically, imposing comprehensive compliance obligations backed by substantial penalties. Regulatory timelines for incident response compress decision-making windows into days or hours, requiring pre-planned protocols. Board-level governance of cybersecurity has transitioned from IT department concern to core fiduciary responsibility.

For your organization, building effective hybrid threat preparedness requires integrating physical security, cybersecurity, crisis communication, and legal compliance. This integration demands expertise spanning multiple domains, with technical specialists and legal counsel working together operationally.

ARROWS Law Firm regularly advises companies on hybrid threat preparedness, helping organizations establish governance frameworks. We assist with risk assessments, regulatory compliance program development, and representation during regulatory investigations. Whether your organization faces European or multinational compliance requirements, we help you navigate complexity efficiently.

Our team combines deep legal expertise with practical understanding of how cybersecurity operations actually function. We've represented clients through incidents and worked with boards developing governance frameworks. As a leading Prague-based law firm, we understand how different jurisdictions approach hybrid threat regulation.

If your organization has experienced hybrid threats or is developing preparedness frameworks, contact office@arws.cz. We can help you assess current vulnerabilities and design compliance frameworks addressing regulatory requirements specific to your industry.

1. What legal obligations does my company have if drone surveillance is detected over our facilities?
Your obligations depend on your facility type and jurisdiction. If you operate critical infrastructure (energy, water, telecommunications), regulatory frameworks (such as national critical infrastructure protection acts) typically require reporting drone incidents to relevant authorities and implementing detection systems. You should document all observations, notify law enforcement, and conduct security assessments identifying what information adversaries might have gathered. Contact office@arws.cz to discuss reporting obligations specific to your facility and jurisdiction.

2. If we experience a cyberattack during a drone incident, which regulatory notification requirements take priority?
Both notifications may be required simultaneously. Regulatory timelines typically run concurrently—if you discover a cyberattack at 9 AM, your GDPR or DORA notification clock starts immediately even if drone incidents are still unfolding. Your incident response protocol should address coordinating multiple regulatory notifications simultaneously rather than prioritizing one over another. Document your investigation timeline carefully because regulators will later examine whether you adequately investigated all components of the hybrid incident.

3. Can disinformation about our company's cybersecurity practices trigger regulatory liability?
Potentially. Regulations increasingly focus on whether companies make materially misleading statements about their security practices. If disinformation falsely claims your company experienced a breach, regulators may investigate whether your company adequately corrected the record to prevent market manipulation. Alternatively, if your company's own disclosures about security practices were misleading or overstated (greenwashing/cyberwashing), regulators may investigate whether you violated regulations requiring accurate representation of security posture. Proactive disinformation response and accurate security disclosures protect you against these risks.

4. Must our company disclose hybrid threat incidents to investors or the public?
Disclosure obligations depend on your company's status and the materiality of incidents. Publicly traded companies must disclose material cybersecurity incidents (e.g., to the SEC in the US or under Market Abuse Regulation in the EU)—regulatory interpretation has expanded materiality assessments to encompass incidents affecting operational continuity or competitive advantage. Even private companies may face disclosure obligations to customers, business partners, or insurers depending on contractual requirements. When in doubt, consult office@arws.cz regarding disclosure obligations applicable to your situation.

5. How does our cyber insurance coverage address hybrid incidents combining cyberattacks, drone surveillance, and disinformation?
Coverage varies significantly between policies. Standard cyber policies cover cyberattacks but may exclude physical damage from sabotage or drone incidents ("silent cyber" exclusions). Disinformation coverage remains rare in most cyber insurance products. Review your policy specifically for: cyber extortion coverage (relevant if ransom demands follow hybrid incidents), business interruption coverage addressing operational disruptions from combined cyber-physical attacks, crisis management and public relations coverage supporting disinformation response, and regulatory defense coverage for investigations following incidents. Have your broker review coverage gaps with office@arws.cz to identify insurance needs.

6. What internal documentation should we maintain regarding our hybrid threat preparedness activities?
Document all risk assessments, security decision-making processes, governance activities addressing cybersecurity oversight, incident response protocols, and tabletop exercises testing hybrid threat response procedures. This documentation demonstrates reasonable care if incidents later occur and regulators question your preparedness. Critically, document discussions with legal counsel regarding security decisions—this documentation often qualifies for attorney-client privilege, protecting sensitive information from regulatory demands. Maintain separate records of incident response activities themselves, as those may not receive privilege protection.

Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue. Although we strive for maximum accuracy in the content, legal regulations and their interpretation evolve over time. To verify the current wording of the regulations and their application to your specific situation, it is therefore necessary to contact ARROWS Law Firm directly (office@arws.cz).