ABSTRACT
The Danish Defence Intelligence Service (DDIS) released on October 3, 2025 an unclassified assessment concluding that Russia is “highly likely” engaged in hybrid warfare against the West and NATO, operating deliberately below the threshold of armed conflict while intensifying military provocations since spring 2025; the document elevates the threat of military provocations against NATO member states to HIGH, sabotage against the Danish Armed Forces to HIGH, destructive cyberattacks against Denmark to MEDIUM, malign influence operations against Denmark to LOW, and conventional military attack against Denmark to NONE. The assessment defines hybrid warfare as the aggressive, combined use of political, economic, informational, and military means to pressure and undermine adversaries without triggering Article 5 thresholds, and it documents recent patterns including airspace violations with fighter jets, helicopters, and attack drones; disruptive and destructive cyber activity targeting critical infrastructure; and aggressive maritime behavior such as reckless navigation, simulated attacks, and jamming of communications and GPS. The published English-language paper, titled “Assessment of the hybrid threat to Denmark”, details these findings and the accompanying risk taxonomy, and it anchors the update in observable events across Europe and the Baltic Sea region since 2022 with notable intensification after spring 2025. See DDIS “Assessment of the hybrid threat to Denmark,” October 3, 2025.
The DDIS threat matrix specifies that HIGH denotes one or more actors with capacity and specific planning for harmful activity or that have already carried out attempts; MEDIUM denotes capacity and intention but no indications of specific planning; and NONE indicates no signs of a threat, with no actors possessing both capacity and intent for attacks against Denmark. The assessment clarifies that Russia “highly likely” perceives itself in conflict with the West and is preparing for potential war with NATO even as it seeks to avoid actions that could trigger collective defense, while simultaneously testing and shifting thresholds for what could activate Article 5. The document emphasizes that hybrid warfare’s attribution challenges require a holistic evaluation of actors’ abilities, intentions, and capabilities rather than incident-by-incident legal proof, a framing consistent with prior DDIS reporting on hybrid means and their integration with overt military behavior. See DDIS “Assessment of the hybrid threat to Denmark,” October 3, 2025 and DDIS news release, October 3, 2025.
Within the air and maritime domains, the assessment records that Russia has “deployed fighter jets to protect its shadow fleet” transporting Russian oil out of the Baltic Sea and has violated NATO states’ airspace with fighter jets, helicopters, and attack drones; the states “most affected” in recent months are Poland, Estonia, Finland, and Romania. It further notes that Russian military units since 2022 have escalated threatening behavior, from reckless navigation to simulated attacks on NATO forces and jamming of civilian and military communications and GPS, illustrating a multi-vector pressure campaign intended to probe responses and raise concern that NATO is on a path toward war while remaining below formal thresholds. These observations are aligned with the DDIS’s stated objective risk levels and its temporal markers identifying renewed intensification since spring 2025. See DDIS “Assessment of the hybrid threat to Denmark,” October 3, 2025.
Complementing the intelligence perspective, official Danish governmental releases during September–October 2025 document domestic operational responses to suspected drone incursions and elevated vigilance. The Danish National Police reported on September 24, 2025 the opening of an investigation into multiple unidentified drones over Copenhagen Airport on September 22, 2025, describing an “intense” investigative and intelligence effort to identify operators and motives, and on September 25, 2025 the National Operational Staff (NOST) was activated to coordinate cross-agency responses after suspicious drone activity near Copenhagen Airport, with additional coordination meetings among authorities. These official notices provide institutionally verifiable confirmation of drone-related disruptions and the activation of national coordination mechanisms without asserting attribution, consistent with the attribution caution in the DDIS assessment. See Copenhagen Police notice, September 24, 2025 and National Police notice, September 25, 2025. (politi.dk)
The Danish Defence Command (Forsvaret) simultaneously documented guidance and actions regarding drones near military sites, stating in an English-language notice published in late September 2025 that the Danish Armed Forces “may choose to take down drones over military installations” subject to threat and risk assessments, and confirming observations at several installations including Skrydstrup Air Base and the Jutland Dragoon Regiment, while withholding operational specifics given ongoing investigations. This official defense communication aligns with the DDIS’s elevation of sabotage and military provocation risks and demonstrates practical readiness measures short of kinetic escalation. See Forsvaret, “Regarding drones over Denmark,” 2025. (forsvaret.dk)
In the civil aviation domain, Munich Airport issued official press communications confirming drone sightings on the evenings of October 2–3, 2025, with German air traffic control initially restricting and then suspending operations at 22:18, leading to the preventive closure of both runways from 22:35 and resulting in 17 cancellations and 15 diversions before operations resumed the next morning, followed by additional sightings on October 4, 2025 that delayed the start of operations until gradual stabilization later that day. These events, documented by the airport operator itself, corroborate the DDIS’s cross-border pattern recognition about intensified hybrid-domain pressures affecting both military and civilian infrastructures in Europe. See Munich Airport press: “Drone sighting at Munich Airport,” October 3, 2025 and Munich Airport newsroom: “Another drone sighting,” October 4, 2025. (Aeroporto di Monaco)
Alliance-level deterrence activities verified on official NATO channels provide contextual evidence of maritime and air vigilance in adjacent theaters during September 2025. STRIKFORNATO announced NEPTUNE STRIKE 25-3 running September 22–26, 2025 across Europe, describing it as a large-scale multinational enhanced Vigilance Activity integrating carrier strike operations and joint effects; earlier 2025 iterations and related events, including BALTOPS 25 (June 2025) and complex training under NEPTUNE STRIKE 25-2 (July 2025), are likewise documented by NATO channels, underpinning a consistent operational tempo oriented toward deterrence, readiness, and integration across the Baltic Sea and North Sea regions. These official records establish the factual backdrop for Danish frigate and air contributions during the same timeframe. See NATO/STRIKFORNATO: “NATO launches third iteration of NEPTUNE STRIKE 2025,” September 19, 2025, Allied Command news: NEPTUNE STRIKE 25-2, July 27, 2025, and NATO newsroom: BALTOPS 25 concludes, June 23, 2025. (Sfn NATO)
National participation and specific Danish assets are verified by Forsvaret, which published on September 23, 2025 that the frigate HDMS Niels Juel participated alongside Danish fighters, surveillance aircraft, and helicopters in NEPTUNE STRIKE activities, coordinated with U.S. carrier aviation and varied naval warfare tasks; Forsvaret also notes concurrent maritime exercises in the Baltic Sea and related tasks under its international operations pages. These official Danish releases substantiate the presence and role of the Danish Navy and Air Force in alliance activities during the period in question, providing authoritative corroboration independent of media photography or secondary reporting. See Forsvaret news, September 23, 2025 and Forsvaret international cooperation page. (forsvaret.dk)
Historical DDIS products furnish continuity with the October 2025 assessment by outlining earlier judgments about Russia and hybrid tactics. The February 11, 2025 update on the threat from Russia to the Kingdom of Denmark reaffirmed 2024 outlook conclusions while adding nearer-term adjustments, and the December 2024 “Intelligence Outlook” synthesized multi-domain threats including cyber, sabotage, and influence in the Nordic neighborhood, all of which are referenced implicitly in the October 2025 paper’s escalatory timeline. The existence and availability of these official documents on the DDIS website strengthen the provenance of the October 2025 escalation narrative and provide an evidentiary chain across 2024–2025 without reliance on speculative inference. See DDIS “Opdateret vurdering af truslen fra Rusland,” February 9, 2025 and DDIS “Intelligence Outlook 2024,” December 9, 2024. (Forsvarets Efterretningstjeneste)
Policy and capability responses inside Denmark in 2025 further contextualize the hybrid threat environment in ways germane to risk mitigation. The Ministry of Defence announced on July 22, 2025 an agreement to acquire four long-range drones to strengthen surveillance over the Arctic and North Atlantic, financed through the Acceleration Fund and earlier political agreements, while Forsvaret reported fielding new combat-capable drone systems to Army units and training drone instructor cadres during 2025 in light of operational lessons drawn from Ukraine. Together with proposed legislative measures before the Folketing addressing unlawful drone activity near military areas, these steps map onto the layered approach implied by DDIS: bolster surveillance and response, increase resilience, and harden critical nodes while attribution and escalation remain deliberately ambiguous. See Ministry of Defence, July 22, 2025, Forsvaret, March 10, 2025, Forsvaret, July 14, 2025, and Folketinget bill L 211 (2024-1). (Forsvarsministeriet)
The DDIS assessment’s cyber component references pro-Russian actors’ destructive activity and reconnaissance against critical infrastructure, including a December 2024 water utility incident in Denmark, while noting that current circumstances make large-scale destructive cyberattacks less likely than preparatory intrusions and intermittent disruptive operations. The document connects these patterns to broader hybrid campaigns since 2023, including influence operations and the exposure of sabotage networks whose activity subsided after autumn 2024. This calibrated reading underlines why DDIS assigns differential threat levels across sabotage, cyber, influence, and conventional attack, and it clarifies why national law enforcement, defense authorities, and civil aviation operators’ actions in September–October 2025 fit within a prevention-oriented, attribution-constrained posture. See DDIS “Assessment of the hybrid threat to Denmark,” October 3, 2025.
Finally, alliance posture and Danish participation during September 2025 demonstrate how military exercises and enhanced vigilance activities complement national measures without crossing escalatory thresholds. NEPTUNE STRIKE 25-3 encompassed carrier operations, amphibious landings, submarine patrols, surface warfare, and integrated air missions over Denmark and allied airspace, as verified by NATO and Forsvaret, with the frigate HDMS Niels Juel and Danish air assets participating alongside allied fleets and aviation. The congruence between the DDIS’s description of hybrid escalatory behavior and the alliance’s layered training and deterrence posture indicates a shared strategic assessment: prepare for intensified hybrid pressure, maintain legal and operational discipline to avoid inadvertent crossing of Article 5 thresholds, and institutionalize rapid coordination across defense, police, and civil aviation authorities to manage drone and electronic warfare hazards that are likely to persist in 2025–2026. See NATO/STRIKFORNATO, September 19, 2025 and Forsvaret, September 23, 2025. (Sfn NATO)
CHAPTER INDEX
Clear Lessons from Denmark (2022–Present): Rules, Authorities, and Real-World Safety
- Hybrid Threat Taxonomy and Risk Levels in the October 3, 2025 DDIS Assessment
- Documented Air and Maritime Provocations Affecting Denmark and Adjacent NATO Airspace
- Drone Incursions and Civil Aviation Disruptions: National Police, Defence Command, and Airport Operator Records
- Alliance Vigilance Activities and Danish Contributions during NEPTUNE STRIKE 25-3
- National Mitigation Measures: Procurement, Training, and Legal Responses to Unmanned Systems
- Cross-Domain Escalation Management: Avoiding Article 5 Triggers while Hardening Critical Infrastructure
Clear Lessons from Denmark (2022–Present): Rules, Authorities, and Real-World Safety
This chapter summarizes the main facts and lessons from the earlier chapters in clear, everyday language. It focuses on what has happened in and around Denmark since 2022, what public authorities have published, how European and transatlantic rules work, and what practical steps reduce risk to people and services. All examples and rules cited below come from official sources that anyone can read.
What “hybrid” activity means in this context
Hybrid activity means pressure that stays below open warfare. It can involve close approaches by military ships, pointing tracking radars at aircraft or vessels, flying drones near sensitive sites, interfering with satellite-navigation signals used by planes and ships, and probing computer networks. Denmark’s intelligence service states that Russia is using such methods against NATO countries and the wider West. On 3 October 2025, the Danish Defence Intelligence Service (DDIS) published an update describing these activities and listing current threat levels inside Denmark. The document says the threat of sabotage against the Danish Armed Forces is “HIGH,” and the threat of destructive cyberattacks against Denmark is “MEDIUM.” The assessment also explains that these activities are kept below the threshold of armed conflict. See the English-language page and the linked publication: Assessment of the hybrid threat to Denmark (October 3, 2025) and the PDF Assessment of the hybrid threat to Denmark (October 3, 2025). (Forsvarets Efterretningstjeneste)
How NATO and the EU define an “armed attack”
NATO’s basic collective-defence rule is Article 5 of the North Atlantic Treaty. It says that if one member is the victim of an armed attack, the others will consider it an attack against all. NATO’s political body, the North Atlantic Council, decides case by case whether an incident is an “armed attack.” There is no automatic trigger for ambiguous events like radar pointing, drones near airports, or electronic interference. The public explanation and the treaty text are posted on NATO’s official site: Collective defence and Article 5. (NATO)
The European Union has its own mutual-assistance rule. Article 42(7) of the Treaty on European Union says that if an EU Member State is the victim of armed aggression on its territory, the other Member States must provide aid and assistance by all the means in their power. The rule also says this must fit with NATO commitments for countries that are in NATO. The European External Action Service explains how Article 42(7) works on its official page and in a short PDF: Article 42(7) TEU — the EU’s mutual assistance clause and Article 42(7) TEU (PDF). (Servizio Europeo per l’Azione Esterna)
Why the authorities focus on civil tools first
Because hybrid activity is designed to stay below the legal line of “armed attack,” authorities use civil law, safety rules, and targeted policing as the first response. This protects the public and avoids accidental escalation. The goal is to keep essential services working, gather facts, and only consider collective-defence decisions if there is clear evidence of armed aggression.
How Denmark has handled recent drone activity
In late September 2025, Denmark’s defence command said drones were observed near multiple military installations, including the Air Base at Skrydstrup and the Jutland Dragoon Regiment barracks in Holstebro. The defence command stated it was supporting the police with relevant capabilities. The update was posted on the defence website: Vedrørende dronehændelser over Danmark (September 27, 2025). (For Svaret)
For the same period, the Ministry of Transport announced a nationwide temporary ban on all civil drone flights during the EU summit week. The public notice states the dates and purpose of the ban: Luftrummet lukkes for al civil droneflyvning (Transportministeriet). (trm.dk)
At the same time, the Ministry of Defence announced that several countries loaned anti-drone systems to Denmark to help protect the EU summit in Copenhagen, and that NATO contributed as well. The official announcement lists the supporting nations and explains that this is a temporary reinforcement for a specific event: En række lande bidrager med antidrone-kapaciteter til det kommende EU-topmøde i København (September 29, 2025). (fmn.dk)
These steps—public updates, a time-limited civilian ban, allied loaned equipment—show how authorities reduce risk without claiming an “armed attack.” They also show that police and defence actors can work together under national law.
The legal basis inside Denmark for handling unlawful drones over defence sites
On 20 June 2025, Denmark adopted Law No. 714. It authorizes the armed forces, in coordination with the police, to neutralize unlawful drones in restricted airspace over defence sites using proportionate means. The legal text is on the official legislation portal: Lov nr. 714 af 20/06/2025. This is a narrow, targeted power designed for safety and security around military locations. (EASA)
How aviation safety is managed during satellite-navigation problems
Satellite-navigation interference (often called GNSS interference) can cause aircraft to lose accurate position fixes or receive false warnings. European aviation bodies treat this as a safety and operations issue. On 18 June 2025, the European Union Aviation Safety Agency (EASA) and the International Air Transport Association (IATA) released a joint plan for airlines, airports, and air-navigation service providers. The plan calls for maintaining backup ground-based navigation aids, improving crew procedures, and supporting technical fixes that speed recovery after signal loss or spoofing. See EASA’s official press release: EASA and IATA outline comprehensive plan to mitigate GNSS interference risks (June 18, 2025). (EASA)
EUROCONTROL, which coordinates the European air traffic network, has published technical material that explains the operational effects of GNSS radio-frequency interference and the mitigations used by pilots and controllers. A January 30, 2025 network brief describes standard measures and near-real-time monitoring concepts: Mitigating GNSS Radio Frequency Interference (RFI) (January 30, 2025, PDF). EUROCONTROL has also documented work on minimum operational networks to ensure key navigation beacons remain available when needed: Minimum Operating Network — Concept and Design Criteria (January 14, 2025, PDF). (Eurocontrol)
These aviation measures show that safety can be maintained with existing tools and procedures. They do not require declaring an “armed attack.” They are designed for routine use whenever the network faces interference.
How the EU strengthens critical-infrastructure resilience
EU law requires Member States to identify essential services and make sure operators reduce their risks. The main law is the Directive on the resilience of critical entities (CER). It covers sectors like energy, transport, digital infrastructure, water, and health. The official legal text is available on EUR-Lex: Directive (EU) 2022/2557 (CER). The CER framework makes risk reduction a legal duty and creates a basis for audits and enforcement. (EASA)
Cybersecurity across many sectors is covered by the NIS2 Directive. NIS2 sets baseline security measures and incident-reporting rules for designated “essential” and “important” entities. It also requires national strategies and cross-border cooperation. The European Commission explains the scope and implementation on its official policy page: NIS2 Directive — policy page. (Eurocontrol)
Together, CER and NIS2 create a set of civil obligations that can be used quickly during hybrid pressure. They do not depend on military decisions. They help keep electricity, water, transport, hospitals, and networks functioning during difficult periods.
Why undersea cables are getting new protection
Undersea cables carry most international data. If they are damaged, finance, government services, and daily communications can be affected. On 21 February 2025, the European Commission and the High Representative issued a plan to strengthen cable security and resilience across the whole cycle: prevention, detection, response, repair, and deterrence. The plan is published on the Commission’s website and has a fact page that summarizes the actions: Joint Communication — strengthen the security and resilience of submarine cables (February 21, 2025) and the press-release PDF: Press release: strengthening the security and resilience of submarine cables (February 21, 2025). There is also a consolidated action-plan page on EUR-Lex: EU Action Plan on Cable Security (February 21, 2025). (Strategia Digitale Europea)
These measures matter because they provide clear roles and funding routes for prevention, monitoring, and rapid repair. They allow a fast civil response if something happens under the sea, without assuming an “armed attack.”
How NATO supports resilience without implying war
NATO uses defensive “vigilance activities” that are visible and time-bound. They are designed to reassure the public, deter unsafe behavior, and protect infrastructure. On 14 January 2025, NATO announced “Baltic Sentry” to increase presence in the Baltic Sea and help safeguard critical undersea infrastructure and nearby links. See the NATO announcement: Baltic Sentry (January 14, 2025). NATO’s maritime command also summarized the effort on its site: NATO’s Baltic Sentry steps up patrols (January 14, 2025). (NATO)
During high-profile events, Allies sometimes provide extra air-defence coverage on a temporary basis. For late September and early October 2025 in Denmark, NATO’s public site for Supreme Headquarters Allied Powers Europe (SHAPE) posted an update on air defence during the EU meetings in Copenhagen: NATO, nations defend sky during summits in Denmark (October 2025). (For Svaret)
These actions are public and defensive. They do not mean a collective-defence clause is being considered. They are intended to reduce risk and reassure the public.
How the pieces fit together in daily practice
A typical sequence for a complex incident might look like this:
• An unusual drone is reported near a sensitive site. The police and defence authorities check the report. If the location is a defence site with a no-fly zone, the armed forces have legal authority to neutralize the drone using proportionate means, in coordination with the police, under Law No. 714. If it is near an airport, aviation safety rules apply first. (EASA)
• If aircraft navigation signals are unreliable, air-traffic controllers and pilots follow standard procedures. They may rely on backup ground beacons, change routing, or delay departures until the signal environment stabilizes. These steps come from the EASA–IATA plan and EUROCONTROL network guidance. (EASA)
• If a high-profile public event is underway, the government can request allied support. For the EU summit in Copenhagen, several countries loaned anti-drone systems, and NATO contributed. This is published by the Ministry of Defence. (fmn.dk)
• If an undersea cable or other critical link is affected, the EU’s cable-security plan supports prevention, detection, response, and repair, with roles for national authorities and ENISA. The plan’s pages explain how workstreams are organized. (Strategia Digitale Europea)
Each step uses public rules and published procedures. None of these steps requires declaring that an “armed attack” has taken place. That political and legal decision is reserved for clear cases of armed aggression.
Simple definitions used in this chapter
Armed attack: a violent act that meets the legal standard for collective defence under NATO’s Article 5 or the EU’s Article 42(7). Political leaders decide this case by case, based on evidence. See: NATO Article 5 and EU Article 42(7). (NATO)
Hybrid activity: actions intended to pressure a country without open war. Examples include close approaches at sea, radar pointing, airspace violations, satellite-navigation interference, cyber operations, and drone flights near sensitive sites. The DDIS report explains this in the Danish case: Assessment of the hybrid threat to Denmark (October 3, 2025). (Forsvarets Efterretningstjeneste)
Critical infrastructure: systems that are essential for society and the economy, such as power, water, transport, digital networks, and health services. The EU sets legal rules for risk reduction in the CER Directive and sets cyber obligations in NIS2. See: CER Directive and NIS2 policy page. (EASA)
GNSS: satellite-based navigation and timing signals. Civil aviation uses GNSS for navigation, but can switch to other procedures and aids when GNSS is disrupted. See: EASA–IATA plan (June 18, 2025) and EUROCONTROL GNSS RFI brief (January 30, 2025). (EASA)
Undersea cables: fiber-optic cables on the seabed that carry most international data traffic. The EU launched a cable-security and resilience plan on 21 February 2025. See: Joint Communication on submarine cables. (Strategia Digitale Europea)
What citizens need to know
Public safety relies on simple steps that work together. If you hear about a drone near an airport or a base, or about navigation problems affecting flights, authorities will use known procedures first. Flights may be delayed or rerouted. The police and the defence command may restrict airspace temporarily, including civilian drones, as they did during the EU summit in Copenhagen. These measures are there to keep everyone safe. See: Transport Ministry drone-flight notice and defence update on drone observations. (trm.dk)
What local and national officials need to know
The tools to manage these incidents already exist in public law and guidance:
• Threat picture: use official intelligence assessments to brief communities and operators. The DDIS update of 3 October 2025 is the current reference for Denmark. DDIS hybrid-threat assessment (English page and PDF). (Forsvarets Efterretningstjeneste)
• Civil protection and cybersecurity: use CER and NIS2 to enforce risk reduction and incident reporting for essential services. CER Directive and NIS2 policy page. (EASA)
• Aviation safety: apply the EASA–IATA plan and the EUROCONTROL network guidance for GNSS interference. EASA–IATA plan and EUROCONTROL GNSS RFI brief. (EASA)
• Undersea infrastructure: use the EU cable-security plan to organize prevention, monitoring, and rapid repair. Joint Communication on submarine cables and EU Action Plan on Cable Security (EUR-Lex). (Strategia Digitale Europea)
• Allied support: request time-bound, defensive assistance when needed. NATO’s Baltic Sentry and the published SHAPE update for Denmark during the EU meetings are current examples. Baltic Sentry (NATO) and SHAPE Denmark summits page. (NATO)
• National legal powers: apply the Danish law that authorizes neutralization of unlawful drones over defence sites, with police coordination. Lov nr. 714 af 20/06/2025. (EASA)
Why this matters to society
These steps are about public safety and continuity of services. They help prevent small incidents from becoming big crises. They keep planes flying safely when satellite signals are unreliable. They reduce the chance that a drone near a base or an airport causes confusion or an accident. They make sure that if an undersea cable is damaged, there are plans and teams ready to locate the problem and repair it. They also keep political and legal decisions at the right level: civil tools and safety procedures for day-to-day risks, and collective-defence articles reserved for clear cases of armed aggression.
The examples cited above show that, as of late September and early October 2025, Denmark and its partners are using these tools in public, documented ways: public threat reporting by the intelligence service; temporary civilian drone restrictions for a specific week; allied loaned systems during an EU summit; published aviation plans to handle GNSS interference; and an EU plan for undersea cables. None of these steps rely on speculation. They are all on official pages that can be checked.
Key takeaways, in one place
- The threat picture is public. DDIS states that Russia is using hybrid methods against NATO countries and the West. The current Danish threat levels are published and are updated as needed. Assessment of the hybrid threat to Denmark (October 3, 2025). (Forsvarets Efterretningstjeneste)
- The legal thresholds for collective defence are high. NATO’s Article 5 and the EU’s Article 42(7) apply to armed attacks. Leaders decide based on facts. There is no automatic trigger for ambiguous events. NATO Collective defence and Article 5 and EEAS Article 42(7) page. (NATO)
- Civil rules protect daily life. The CER Directive and NIS2 set duties for risk management and cybersecurity across essential sectors. CER Directive and NIS2 policy page. (EASA)
- Aviation has a clear playbook for navigation interference. EASA, IATA, and EUROCONTROL explain practical steps to keep flights safe during GNSS jamming or spoofing. EASA–IATA plan and EUROCONTROL GNSS RFI brief. (EASA)
- Undersea cables have an EU action plan. It guides prevention, monitoring, and repair with clear roles for Member States and EU bodies. Joint Communication on submarine cables and EU Action Plan on Cable Security (EUR-Lex). (Strategia Digitale Europea)
- NATO presence is defensive and transparent. Activities like Baltic Sentry and summit air-defence coverage are public measures to reduce risk. Baltic Sentry (NATO) and SHAPE Denmark summits page. (NATO)
- Denmark has a targeted national power to deal with unlawful drones over defence sites. Law No. 714 provides the authority, with police coordination and proportional use of force. Lov nr. 714 af 20/06/2025. (EASA)
Why this is important now
The steps listed above are practical and already in use. They protect people and services during a period of higher hybrid pressure without rushing into decisions about war. They give airlines and airports predictable procedures when navigation signals are unreliable. They give telecommunications operators and energy companies clear rules for risk reduction and incident reporting. They give public authorities and allies tools to secure major events, like the EU summit in Copenhagen, with temporary and transparent measures. And they keep collective-defence clauses for the rare situations where there is clear evidence of armed aggression.
Citizens can look up the sources cited here to confirm each point. Officials can use the same sources to design local plans, communicate with the public, and coordinate across agencies. The approach is fact-based, public, and designed to lower risk. That is why it matters to everyone who depends on safe travel, stable power and water, reliable communications, and calm, lawful responses to complex incidents.
Hybrid Threat Taxonomy and Risk Levels in the October 3, 2025 DDIS Assessment
The Danish Defence Intelligence Service (DDIS) sets out an unclassified hybrid-threat taxonomy dated October 3, 2025, specifying graded risk levels across sabotage, cyber operations, military provocations, influence activities, and conventional attack, with the updated matrix presented in the English-language publication “Assessment of the hybrid threat to Denmark,” October 3, 2025 and mirrored in the Danish version “Vurdering af den hybride trussel mod Danmark,” October 3, 2025; the document assigns HIGH to sabotage against the Danish Armed Forces, HIGH to military provocations against NATO countries, MEDIUM to destructive cyberattacks against Denmark, LOW to malign influence operations inside Denmark, and NONE to an outright conventional attack against Denmark, while characterizing Russia as “highly likely” engaging in hybrid warfare against the West and NATO below the threshold of armed conflict. (Forsvarets Efterretningstjeneste)
The DDIS risk-scale semantics indicate that HIGH corresponds to the presence of one or more actors with both capability and specific planning for harmful activity or evidence of executed or attempted actions, MEDIUM reflects capability and intention without indications of specific planning, LOW reflects limited indications of both capability and intent, and NONE indicates “no signs” of a threat where no actors possess both capability and intent toward the defined target set; these gradations are stated explicitly in the DDIS English publication’s summary table and reiterated on the DDIS product page Assessment of the hybrid threat to Denmark and the Danish news release Vurdering af den hybride trussel mod Danmark, each dated October 3, 2025. (Forsvarets Efterretningstjeneste)
The definitional core of hybrid warfare in the DDIS schema emphasizes the deliberate orchestration of political, economic, informational, and military instruments as pressure below formal wartime thresholds, with the October 3, 2025 text noting Russia “highly likely sees itself as being in conflict with the West” and is “currently conducting hybrid warfare against NATO and the West,” while “testing the threshold for what may trigger Article 5”; this formulation is consistent with continuity language found in prior DDIS annuals, notably “Intelligence Outlook 2024,” December 9, 2024, which situated destructive cyber, espionage, and sabotage within a rising threat continuum. (Forsvarets Efterretningstjeneste)
The DDIS assessment highlights cross-domain manifestations—reckless navigation, simulated attacks, and jamming of communications and GPS—as military behaviors designed to intimidate and probe responses while remaining sub-threshold; it also catalogs aviation-domain violations by fighter jets, helicopters, and attack drones affecting Poland, Estonia, Finland, and Romania “in recent months,” and explicitly states that Russia has “deployed fighter jets to protect its shadow fleet” exporting Russian oil from the Baltic Sea; each of these elements appears in the October 3, 2025 DDIS publication’s narrative sections that structure the hybrid campaign as a calibrated test of allied resolve. (Forsvarets Efterretningstjeneste)
The link between risk-taxonomy assignment and domestic protective measures in Denmark is visible in contemporaneous official notices documenting drone incidents and consequent coordination triggers: the Danish National Police recorded on September 24, 2025 an ongoing investigation into multiple unidentified drones over Copenhagen Airport on September 22, 2025, while the National Operational Staff (NOST) was placed in an operational posture on September 25, 2025 to synchronize cross-agency action; these institutional statements provide authoritative evidence of real-time threat management and align with the DDIS rationale for elevating sabotage and provocation risk levels. See Copenhagen Police notice, September 24, 2025 and National Police notice, September 25, 2025. (politi.dk)
The Danish Defence Command (Forsvaret) issued an English-language notice on September 27, 2025 titled “Regarding drones over Denmark,” confirming drone observations at multiple military locations including Skrydstrup Air Base and the Jutland Dragoon Regiment, and stating that the Danish Armed Forces “may choose to take down drones over military installations” subject to threat and risk assessment; this policy articulation reflects the DDIS threat taxonomy’s operationalization into rules of engagement and site-defense postures under a sub-threshold paradigm. See Forsvaret, “Regarding drones over Denmark,” September 27, 2025. (Forsvaret)
The Forsvaret Danish-language bulletin of September 28, 2025 confirmed “drone observations during the night” at several military locations and indicated that “multiple capabilities were deployed,” while refraining from disclosing operational specifics; this reticence is consistent with the attribution and counter-measure ambiguity contemplated by the DDIS framework, which stresses the evidentiary challenges of hybrid attribution and the need to balance transparency with operational security. See Forsvaret, “Droneobservationer i nat,” September 28, 2025. (Forsvaret)
Alliance-level vigilance activities frame how the DDIS scale interfaces with multinational deterrence: STRIKFORNATO announced NEPTUNE STRIKE 25-3 for September 22–26, 2025 across Europe, describing a large-scale enhanced Vigilance Activity integrating carrier strike and joint effects; although exercises are not themselves part of the DDIS risk matrix, their timing and scope underline a shared allied assessment of elevated sub-threshold pressure and the necessity of integrated maritime-air readiness in the Baltic Sea and North Sea. See NATO/STRIKFORNATO release, September 19, 2025. (Sfn NATO)
National participation records corroborate the operational ecosystem surrounding the DDIS matrix: Forsvaret confirmed on September 23, 2025 that the frigate HDMS Niels Juel and Danish air assets participated alongside allied forces in NEPTUNE STRIKE activities, coordinated with U.S. carrier aviation; this official confirmation demonstrates the linkage between the assessed external pressure and internal-alliance readiness measures without asserting causation beyond what institutional sources state. See Forsvaret news, September 23, 2025.
The DDIS also situates cyber and sabotage within a calibrated spectrum. In “Intelligence Outlook 2024,” December 9, 2024, the Centre for Cyber Security inside the Danish defense intelligence structure recorded VERY HIGH for cyber espionage and cybercrime and MEDIUM for destructive cyberattacks, establishing a baseline that the October 3, 2025 hybrid assessment refines by weighting sabotage against the Danish Armed Forces as HIGH and destructive cyber threats to Denmark overall as MEDIUM—a differentiation that reflects both observed patterns and resource prioritization for protective measures. (Forsvarets Efterretningstjeneste)
Temporal escalation markers in the DDIS hybrid study specify intensification “since spring 2025,” particularly in military provocations and pressure around maritime routes in the Baltic Sea; this is contextualized by the DDIS February 11, 2025 interim analysis, “Opdateret vurdering af truslen fra Rusland mod Rigsfællesskabet”, which discussed the pace at which Russia’s capacity to threaten NATO might evolve and foreshadowed a continued reliance on sub-threshold instruments—a through-line the October 3, 2025 update codifies in the new hybrid matrix. (Forsvarets Efterretningstjeneste)
Within the DDIS framework, maritime intimidation examples include “reckless navigation,” “simulated attacks,” and illumination of vessels and aircraft with tracking radars; while the DDIS document refrains from enumerating every single event, it integrates these behaviors into the HIGH category for military provocations toward NATO states. The policy corollary is that national forces should prepare for frequent, ambiguous, harmful conduct falling short of kinetic thresholds, a posture mirrored by Forsvaret’s public guidance authorizing the downing of drones over military installations subject to risk assessment. See DDIS assessment, October 3, 2025 and Forsvaret, September 27, 2025. (Forsvarets Efterretningstjeneste)
The DDIS taxonomy’s explicit assignment of LOW to domestic influence operations inside Denmark indicates an evidence-based recalibration rather than a blanket elevation across all vectors; this contrasts with the VERY HIGH cyber espionage baseline in December 2024 and suggests that while malign narratives persist, the most acute pressure in 2025 concentrates on sabotage risk to defense assets and physical-world provocations against allied forces, consistent with DDIS’s attribution-aware methodology that emphasizes observed capability and concrete planning indicators. See Intelligence Outlook 2024 and DDIS assessment, October 3, 2025. (Forsvarets Efterretningstjeneste)
Domestic legal-administrative measures around unmanned systems illustrate the translation of hybrid-risk recognition into civilian-security governance: Copenhagen Police issued multiple notices in September 2025 including a temporary nationwide prohibition on civil drone flights through October 3, 2025 in connection with EU events and summit security, as well as advisories on traffic disruptions and restricted airspace; these notices are archived on politi.dk and demonstrate how airspace governance tools are activated in support of hybrid-threat mitigation. See Traffic impact under EU summits, September 29, 2025 and EU-chairmanship traffic and drone restrictions, September 17, 2025. (politi.dk)
Operational reinforcement by allied partners further underwrites the hybrid-risk picture without making causal claims beyond official texts: Forsvaret reported in late September 2025 that foreign troops and equipment from multiple allies—including Finland, France, Netherlands, Norway, Poland, Sweden, Germany, Ukraine, United Kingdom, and United States—were contributing capabilities to support Denmark’s handling of the security situation; such deployments are framed as assistance to civil and military authorities amid increased drone activity and broader security concerns. See Forsvaret: “Allierede bidrag betyder udenlandske soldater i Danmark,” late September 2025. (Forsvaret)
Procurement and capability acceleration decisions in 2025 map onto the taxonomy’s emphasis on surveillance, resilience, and short-range defense against unmanned threats. The Ministry of Defence announced on July 22, 2025 an agreement to acquire four long-range drones to extend surveillance over the Arctic and North Atlantic through dedicated funding tracks, while Forsvaret reported the fielding of new short-range combat-capable drones to the Army and the accelerated arrival of anti-drone shotguns to supplement close-in defense at installations—measures publicly described as long-planned but expedited. See Ministry of Defence, July 22, 2025, Forsvaret, March 10, 2025, and Forsvaret, “Nye og gamle kapaciteter til bekæmpelse af objekter i luftrummet,” late September 2025. (Forsvaret)
The DDIS model’s focus on “testing thresholds” is visible in the aviation-security record across the region. Munich Airport documented official drone sightings on the evenings of October 2–3, 2025, leading to an operational halt and 17 cancellations with 15 diversions, followed by additional sightings on October 4, 2025 that delayed starts; these operator-verified details illustrate the civilian impact channel through which hybrid pressures manifest even without confirmed state attribution, a nuance the DDIS report underscores by prioritizing capability-intention indicators over definitive attribution for each discrete event. See Munich Airport press, October 3, 2025 and Munich Airport newsroom, October 4, 2025.
The taxonomic distinction between MEDIUM destructive cyber risk and HIGH sabotage/provocation risk reflects an institutional judgment calibrated by observed incident types and their probable impact. In December 2024, the DDIS cyber annex set VERY HIGH for cyber espionage and cybercrime while retaining MEDIUM for destructive cyberattacks, a configuration that the October 3, 2025 hybrid document preserves by elevating physical-world risk vectors affecting defense and alliance operations while maintaining cyber destructive risk at an intermediate level; this is conceptually consistent with the DDIS caution that hybrid campaigns exploit attribution friction and escalation management logic to avoid crossing into openly warlike behaviors that could consolidate allied consensus for collective defense. See Intelligence Outlook 2024 and DDIS hybrid threat assessment, October 3, 2025. (Forsvarets Efterretningstjeneste)
The DDIS’s explicit assignment of NONE to the risk of a conventional armed attack against Denmark complements its classification of military provocations as HIGH, clarifying a critical strategic nuance: the DDIS views current Russian conduct as coercive and escalatory, but controlled to remain below direct kinetic engagement thresholds with NATO forces; this appraisal supports national and alliance resource prioritization toward surveillance, counter-UAS, maritime domain awareness, and rapid interagency coordination rather than mobilization for imminent interstate war. The DDIS English and Danish publications dated October 3, 2025 present these twin conclusions in parallel. See DDIS assessment (EN), October 3, 2025 and DDIS assessment (DA), October 3, 2025. (Forsvarets Efterretningstjeneste)
As a doctrinal instrument, the DDIS taxonomy encourages policy makers to treat hybrid activity as a sustained condition rather than episodic anomalies. The official DDIS hub for threat assessments aggregates these products for public consumption, and the dedicated hybrid-threat explainer page consolidates guidance and references to joint DDIS–PET warnings issued since May 2024 regarding elevated risks associated with support to Ukraine; this corpus demonstrates that the October 3, 2025 paper is not an outlier but the latest iteration of a public-facing analytical line tracking hybrid pressure on Denmark and allies. See DDIS assessments hub and DDIS explainer “Den hybride trussel,” May 20, 2025. (Forsvarets Efterretningstjeneste)
The translation of taxonomy into practice also appears in Forsvaret’s rolling communications during September–October 2025, which outline support to Police authorities, an expected increase in foreign troop presence to assist Denmark, and the activation of interagency platforms; the Forsvaret English front page lists these notices chronologically, making visible the unity of effort among defense and civilian agencies responding to the evolving hybrid picture. See Forsvaret (EN) front page, updated late September–early October 2025. (Forsvaret)
In sum, the DDIS hybrid-threat taxonomy dated October 3, 2025 articulates a precise allocation of risk across vectors, grounded in multi-domain observations and reinforced by the documented actions of Danish authorities and alliance partners during September–October 2025; its policy significance lies in prioritizing counter-sabotage and counter-provocation measures, sustaining cyber resilience without overstating imminent destructive campaigns, and preserving escalation control as the governing principle under conditions of persistent sub-threshold confrontation. The official sources cited—DDIS publications and product pages, politi.dk incident notices, Forsvaret operational communications, and NATO/STRIKFORNATO exercise releases—collectively validate the taxonomy’s content and the risk-level assignments without requiring speculative inference beyond what the institutions themselves publish. See DDIS assessment (EN), October 3, 2025, DDIS assessment (DA), October 3, 2025, Copenhagen Police, September 24, 2025, National Police, September 25, 2025, Forsvaret, September 27, 2025, Forsvaret, September 28, 2025, NATO/STRIKFORNATO, September 19, 2025, and Forsvaret, September 23, 2025. (Forsvarets Efterretningstjeneste)
Documented Air and Maritime Provocations Affecting Denmark and Adjacent NATO Airspace
The Danish Defence Intelligence Service (DDIS) records an escalation of maritime and aviation coercion since spring 2025, characterizing “reckless navigation,” illumination of aircraft and ships with tracking radars, signal interference, and sub-threshold intimidation as constituent elements of hybrid pressure; this is summarized in the English-language paper Assessment of the hybrid threat to Denmark, October 3, 2025, which assigns HIGH to military provocations against NATO members and situates the pattern within a broader view that Russia “highly likely” perceives itself in conflict with the West while avoiding a crossing of overt war thresholds. (Forsvarets Efterretningstjeneste)
Directly corroborating those judgments, Reuters reported on October 3, 2025 that DDIS briefed repeated episodes inside the Danish Straits where Danish Air Force helicopters and naval vessels were “targeted by tracking radars” and “physically pointed at with weapons” from Russian warships, that Russian vessels “sailed on collision courses” with Danish ships, and that a Russian warship was “anchored in Danish waters for over a week,” with DDIS also describing carriage of sonar and jamming equipment and at least one episode of extensive GPS interference assessed as “highly probable”; the piece places these incidents in the context of an intensified regional pattern of airspace violations and infrastructure disruptions since 2022, while clarifying that Denmark’s agencies still rate the risk of a conventional attack as NONE. See Denmark reports repeated Russian naval provocations in its straits, October 3, 2025. (Reuters)
Within Danish airspace and its immediate approaches, the principal aviation manifestations in September–October 2025 were concentrated around suspected unmanned incursions and precautionary air-defence posture rather than identifiable state-flagged aircraft crossing borders; DDIS nonetheless points to recent months in which airspace violations by fighter jets, helicopters, and attack drones “most affected” Poland, Estonia, Finland, and Romania, reinforcing the finding that coercion is applied across the Baltic Sea and Black Sea frontiers as a continuum of pressure below kinetic thresholds. See Assessment of the hybrid threat to Denmark, October 3, 2025. (Forsvarets Efterretningstjeneste)
Operationally, the Danish Defence Command (Forsvaret) confirmed multi-site drone observations and set out publicly the guidance that the Danish Armed Forces “may choose to take down drones over military installations,” conditioned on threat and risk assessments; this English-language notice, dated September 27, 2025, and the Danish-language overnight update, dated September 28, 2025, identify locations including Skrydstrup Air Base and the Jutland Dragoon Regiment while withholding tactical details due to ongoing investigations, exemplifying the restrained but explicit defensive posture appropriate to sub-threshold provocations. See Regarding drones over Denmark, September 27, 2025 and Droneobservationer i nat, September 28, 2025. (Forsvaret)
Civil-aviation impacts in adjacent air corridors underscore the hybrid dilemma’s spillover. Munich Airport recorded confirmed drone sightings on the evenings of October 2–3, 2025, with air traffic initially restricted at 22:18 and both runways closed from 22:35, causing 17 cancellations and 15 diversions before flights resumed in the morning; further sightings on October 4, 2025 delayed start-up until gradual normalization later that day. These operator-verified advisories document the precautionary curtailment of civilian movements when attribution is unclear and risk management becomes pre-emptive. See Drone sighting at Munich Airport, October 3, 2025 and Another drone sighting, October 4, 2025.
Inside Denmark, law-enforcement bulletins show the interagency activation curve during the September 2025 cluster. The Copenhagen Police announced on September 24, 2025 an investigation into multiple unidentified drones over Copenhagen Airport on September 22, 2025, and the National Operational Staff (NOST) notified on September 25, 2025 that it had been put into operational readiness to coordinate authorities after recurring activity near critical infrastructure; both notices confine themselves to factual steps and avoid attribution, precisely matching the evidentiary caution present in the intelligence taxonomy. See Orientering om efterforskning…, September 24, 2025 and NOST er i operationsberedskab…, September 25, 2025. (Forsvarets Efterretningstjeneste)
Alliance responses in the same window demonstrate how air and maritime vigilance is scaled when ambiguous threats accumulate. NATO’s Supreme Headquarters Allied Powers Europe (SHAPE) publicized air-defence measures aligned with the EU leaders’ meetings in Copenhagen, noting multi-national assets deployed to defend the summit skies and contextualizing those actions within ongoing maritime surveillance efforts under the Baltic Sentry construct, while highlighting the predominance of European naval contributions since January 2025. See NATO, nations defend sky during summits in Denmark, early October 2025. (shape.nato.int)
The maritime-deterrence backdrop includes NEPTUNE STRIKE 25–3, an enhanced Vigilance Activity that STRIKFORNATO announced for September 22–26, 2025 across Europe, integrating carrier strike aviation, surface warfare, anti-submarine operations, and amphibious components to demonstrate readiness and freedom of navigation across critical sea lanes in the North Sea and Baltic Sea; this official release provides temporal and geographic framing for Danish naval and air deployments in the weeks surrounding the documented provocations. See NATO/STRIKFORNATO release, September 19, 2025. (Sfn NATO)
The specific Danish participation record, issued by Forsvaret on September 23, 2025, confirms that HDMS Niels Juel and Danish fighters, surveillance aircraft, and helicopters joined allied forces under NEPTUNE STRIKE, with imagery showing USS Gerald R. Ford operations and descriptions of integrated air–maritime training over Denmark and in adjacent waters; the bulletin emphasizes deterrence, the safeguarding of free navigation, and the protection of maritime choke points, directly echoing the concerns raised by provocations in the Danish Straits. See Forsvaret deltager i stor NATO-aktivitet med USA, September 23, 2025. (Forsvaret)
At the start of 2025, the North Atlantic Council and SHAPE introduced the Baltic Sentry framework to elevate presence and protect critical infrastructure in the Baltic Sea, including undersea cables and energy routes, while explicitly aiming to counter destabilizing acts; that institutional decision underpins subsequent measures in September–October 2025 and sets an alliance baseline for maritime domain awareness that intersects with the sub-threshold incidents tracked by DDIS. See NATO launches ‘Baltic Sentry’, January 14, 2025 and SHAPE: Baltic Sentry to enhance NATO’s presence, January 14, 2025. (NATO)
In parallel with Baltic measures, NATO launched Eastern Sentry in September 2025 to heighten posture along the eastern flank, with the Secretary General’s September 12, 2025 press event describing a flexible, agile construct designed to deliver “more focused deterrence and defence” exactly where needed; while not a Denmark-specific activity, this second sentry framework illustrates the alliance’s east-to-north arc of vigilance that interacts with the Danish maritime theatre as part of an integrated response to hybrid-domain provocations. See NATO launches “Eastern Sentry”, September 12, 2025 and Joint press conference remarks, September 12, 2025. (NATO)
NATO Allied Air Command reporting in mid-September 2025 recorded the alliance’s defensive reaction to Russian drones entering Polish airspace, providing official confirmation that the multi-national air-policing network responded immediately and decisively; the Ramstein-issued article situates those events within the broader air-policing enterprise that has operated continuously since 2004 over the Baltic region, demonstrating how ambiguous unmanned intrusions are managed within standing alert architectures. See NATO Air Policing: Guarding the Skies When It Matters Most, September 15, 2025 and Enhanced Air Policing overview. (NATO Academy)
In the Arctic approaches adjoining Denmark’s strategic area of responsibility, Forsvaret documented September 2025 activities under Arctic Light 2025, emphasizing increased presence in and around Greenland and listing the deployment of the frigate Niels Juel, EH-101 helicopters, F-16 fighter jets, and allied contributions including France’s FS Garonne; although a training context, this posture reflects operational adaptation to hybrid maritime risks that include contested surveillance, unmanned flights, and freedom-of-navigation challenges. See Large-Scale Exercise in Greenland with NATO Allies, September 4, 2025. (Forsvaret)
Within the Baltic Sea proper, Forsvaret reported September 2025 participation in a “large maritime exercise in the Baltic Sea” intended to ensure free navigation and counter attempts to obstruct shipping routes, explicitly referencing training in tactical maritime warfare under a realistic crisis scenario; such training provides the procedural backbone for confronting collision-course tactics and electronic harassment described by DDIS and corroborated by Reuters. See Denmark participates in large maritime exercise in the Baltic Sea, September 2025 and Reuters, October 3, 2025. (Forsvaret)
The combined documentary record therefore establishes a specific pattern for Denmark and adjacent NATO airspace: assertive Russian naval behaviors in the Danish Straits including weapons pointing, radar illumination, collision-course navigation, and electronic interference; simultaneous ambiguous unmanned incursions over or near critical infrastructure leading to precautionary closures and interagency activation; and allied maritime-air deterrence activities that scale in response while hewing to legal thresholds to avoid inadvertent escalation. The pattern is articulated in institutional sources without speculative linkage and is time-bounded by September–October 2025. See Assessment of the hybrid threat to Denmark, October 3, 2025; Reuters, October 3, 2025; Forsvaret, September 27–28, 2025; Politi.dk, September 24–25, 2025; NATO/STRIKFORNATO, September 19, 2025; and SHAPE summit air-defence note, early October 2025. (Forsvarets Efterretningstjeneste)
Emergent operational themes from the record point to three linked coercive techniques. First, proximate intimidation at sea leverages navigation risk and sensor illumination to compel caution by Danish crews while maintaining deniability; this technique is described in the DDIS paper’s references to “reckless navigation,” “simulated attacks,” and GPS interference and is evidenced by Reuters’ reporting of collision-course patterns and weapon-pointing in the Danish Straits. See DDIS, October 3, 2025 and Reuters, October 3, 2025. (Forsvarets Efterretningstjeneste)
Second, unmanned aerial intrusions exploit civilian-safety regimes to generate disproportionate disruption with minimal exposure, as shown by the Munich Airport stoppages on October 2–4, 2025 and by Copenhagen’s late-September 2025 law-enforcement posture, both officially recorded by the responsible operators and agencies; these episodes illustrate how a handful of sightings can trigger cascading preventive measures across air-traffic and security systems even without definitive attribution. See Munich Airport, October 3–4, 2025 and Politi.dk, September 24–25, 2025.
Third, alliance-wide vigilance activities—Baltic Sentry, NEPTUNE STRIKE, and Eastern Sentry—sustain a legal, visible presence that counters sub-threshold tactics without conceding escalation dominance; NATO’s official pages describe how these constructs concentrate maritime and air capabilities in the Baltic Sea and along the eastern flank, while Forsvaret’s entries verify Denmark’s concrete contributions, including HDMS Niels Juel and multi-type aviation. See NATO: Baltic Sentry launch, January 14, 2025; SHAPE Baltic Sentry note; STRIKFORNATO NEST 25–3, September 19, 2025; and Forsvaret participation, September 23, 2025. (NATO)
The DDIS also notes that Russia has “deployed fighter jets to protect its shadow fleet” exporting Russian oil from the Baltic Sea, and highlights repeated airspace violations impacting Poland, Estonia, Finland, and Romania “in recent months”; these statements are integral to the intelligence narrative and strictly attributed to the DDIS publication itself, avoiding extrapolation beyond the text. See Assessment of the hybrid threat to Denmark, October 3, 2025. (Forsvarets Efterretningstjeneste)
Attribution restraint remains a legal and strategic constant across the official documents. Politi.dk and Forsvaret notices describe observable events and administrative actions without assigning responsibility; NATO’s releases document deployments and vigilance without naming culprits for specific drone clusters; DDIS’s analytical language anchors its judgments in capability and intention indicators rather than asserting courtroom-grade proofs. This disciplined approach is visible in the precise wording of the September 2025 notices and the October 2025 intelligence assessment, both of which confine themselves to verifiable facts while warning of a likely increase in the hybrid threat in the coming years. See Politi.dk, September 24–25, 2025 and DDIS, October 3, 2025. (Forsvarets Efterretningstjeneste)
As an effects ledger for September–October 2025, the authoritative sources therefore document: maritime intimidation in the Danish Straits featuring weapons pointing and radar illumination; dangerous close-quarters navigation assessed as collision-course behavior; carriage and probable use of jamming systems producing GPS interference; multi-site drone observations at Danish military facilities with authorization to neutralize intruding devices when warranted; temporary airport closures and diversions in Germany; interagency activation in Denmark; and multi-national air-defence reinforcement over Copenhagen during EU events. Each element is anchored in official texts—DDIS, Forsvaret, Politi.dk, NATO/SHAPE/STRIKFORNATO, and the Munich Airport operator—with the Reuters dispatch capturing the press-conference phrasing that made the DDIS allegations publicly legible. See DDIS, October 3, 2025; Forsvaret, September 27–28, 2025; Politi.dk, September 24–25, 2025; NATO/SHAPE, early October 2025; STRIKFORNATO NEST 25–3, September 19, 2025; and Reuters, October 3, 2025. (Forsvarets Efterretningstjeneste)
Drone Incursions and Civil Aviation Disruptions: National Police, Defence Command, and Airport Operator Records
Between 22 September 2025 and 4 October 2025, Denmark and adjacent European airspaces experienced a significant cluster of unidentified drone incursions affecting civil aviation, military installations, and national security posture. The following review draws exclusively from publicly accessible operator statements, police releases, defence communications, and air-traffic control records.
On 22 September 2025 (evening local time), Copenhagen Airport suspended operations for nearly four hours following multiple sightings of large drones within its controlled airspace. According to Reuters, Danish police later stated that two to three large drones had flown deliberately with toggled lighting behavior and then vanished, causing 31 flight reroutings affecting over 20,000 passengers. The police described the operator as “capable,” with sufficient tools and intent to elicit disruption. See Drones that shut Copenhagen Airport flown by ‘capable operator’, Danish police say, September 23, 2025.
Local Danish media and official statements confirm that NOST (the National Operative Staff) was moved to heightened readiness during the period. The National Police declared that the drone flights targeted critical infrastructure, though no group claimed responsibility. See Denmark bans drone flights after fresh drone sightings at military bases, September 28, 2025.
The Danish Defence Command corroborated multiple unmanned aerial sightings over military sites in Jutland and Zealand, especially Skrydstrup Air Base—home to F-16 / F-35 jets—and Air Base Karup, which shares infrastructure with Midtjyllands Airport. The defense ministry publicly reported deploying “several capacities” in response and supported police with undisclosed counter-UAS measures. See New drones sighted over Denmark’s largest military base, September 27, 2025.
To curtail further risk, Denmark announced a nationwide ban on civil drone flights, particularly timed to coincide with the incoming EU summit in Copenhagen, which ran early October. The ban was formally ordered on 28 September 2025, following overnight incursions at multiple military bases. See Denmark bans drone flights after fresh drone sightings at military bases, September 28, 2025.
Aalborg Airport (which shares runways with military infrastructure) was also affected: on 24–25 September 2025, it experienced temporary flight interruptions. Reports indicated drone sightings in the vicinity, but no official attribution or detailed descriptions beyond that. The cumulative disturbance prompted nationwide trajectory advisories and danger declarations in controlled airspace zones. These incidents are referenced in Danish media coverage and aviation summaries. No direct air-traffic authority bulletin beyond media reporting is publicly confirmed.
Munich Airport offers a proximate case study in drone-induced civil aviation disruption with verified press documentation. On 2–3 October 2025, German air traffic control (DFS) restricted flight operations starting 22:18 local time, later suspending all flights overnight. Munich Airport documented 17 departures canceled and 15 incoming flights diverted, affecting nearly 3,000 passengers. Operations resumed at 05:00 local time the next morning. See Press: Drone sightings at Munich Airport, October 3, 2025.
The Munich Airport press office reaffirmed that detection and defensive measures against drones are the responsibility of federal and state police agencies. The coordination and notification chains between air traffic control, airport operations, and law enforcement are described as pre-established and institutionalized. See Another drone sighting at Munich Airport, October 3, 2025.
Reuters also reported that Munich Airport would gradually resume operations from 7:00 a.m. (05:00 UTC) after the drone incursions forced delays in early flights. That notice cited recovered normal flight schedules and confirmed the affected durations. See Munich Airport to resume flight operations after drones in airspace caused delays, October 4, 2025.
Several supplemental reports suggest that Germany’s DFS has logged 144 drone overflight incidents nationally in 2025, with 35 tied to Frankfurt Airport alone. These figures derive from Euronews summarizing national air navigation service disclosures. See Espionage or hobby? German authorities to get tough on drones, September 24, 2025.
On 4 October 2025, Munich Airport again came under drone-related disruption, forcing a second closure within 24 hours. Al Jazeera reported that 46 flights were canceled or delayed, with police confirming two simultaneous drone sightings near the north and south runways around 23:00 local time. The drones departed before identification. See Munich airport resumes operations after more drone sightings halted flights, October 4, 2025.
France24 media confirmed that on 27 September 2025, new drone activity was observed over Denmark’s largest military base—Skrydstrup—during the same week as airport incidents. The unidentified drones attracted local and national force deployments. See New drones sighted over Denmark’s largest military base, September 27, 2025.
CBS News likewise published that Copenhagen Airport flights were suspended overnight because two to three large drones were seen, and that Denmark’s Defence Ministry reported the presence at its military facilities. See Danish defense ministry reporting drones spotted at defense facilities, September 27, 2025.
The Wikipedia page summarizing 2025 Danish drone incidents provides an aggregated timeline: it states that the initial disruption at Copenhagen Airport lasted near four hours, with Aalborg, Esbjerg, Sønderborg, and Skrydstrup among affected sites between 22 and 28 September 2025. It notes that NOST was mobilized at full readiness and that authorities described operators as capable but unidentified. See 2025 drone incidents (Denmark) Wiki summary.
Across the data set, several salient patterns emerge (without speculative inference beyond source text). The majority of disruptions occurred at night, concentrated on major airports and military bases, timed to coincide with significant political events (e.g., EU summit in early October). The scale of passenger displacement—tens of thousands cumulatively—points to strategic pressure beyond local nuisance. Authorities uniformly declined attribution beyond describing operators as having tools, intent, and capability. Several states, notably in Germany, have responded via national policing frameworks—retaining drone defense responsibility at state or federal police levels rather than fully militarizing responses.
Alliance Vigilance Activities and Danish Contributions during NEPTUNE STRIKE 25-3
The North Atlantic Treaty Organization (NATO) classifies NEPTUNE STRIKE 25-3 as an enhanced Vigilance Activity designed to demonstrate cross-domain maritime-air integration under Supreme Allied Command while remaining below wartime thresholds; Naval Striking and Support Forces NATO (STRIKFORNATO) announced the iteration for September 22–26, 2025, framing it as a large-scale, multi-national event executed “across Europe,” with carrier-enabled joint effects and synchronized contributions from multiple Allied fleets and air components. The official release specifies the window and the theatre-wide nature of operations, placing emphasis on command-and-control under Allied authority and the objective of strengthening credible deterrence through visible, legal movements and activities in international and Allied waters and airspace. See NATO/STRIKFORNATO: “NATO launches third iteration of NEPTUNE STRIKE 2025,” September 19, 2025. (NATO Special Forces Network)
The Danish Defence Command (Forsvaret) publicly confirmed national participation on September 23, 2025, detailing a composite contribution consisting of the frigate HDMS Niels Juel, F-16 and F-35 fighter aircraft, surveillance aircraft, and helicopters; the bulletin lists concurrent tasking in the North Sea and Baltic Sea, while the broader activity also encompassed the Mediterranean and Adriatic under Allied control. The same Forsvaret release enumerates sample Allied naval platforms present in the activity’s various theatres, including USS Gerald R. Ford, TCG Anadolu, ITS San Giorgio, and USS Mount Whitney, and states that more than 10,000 sailors, soldiers, pilots, and marines from 13 Allied nations were integrated for the week. See Forsvaret: “Forsvaret deltager i stor NATO-aktivitet med USA,” September 23, 2025. (For Svaret)
Within NATO’s communications architecture, the enhanced Vigilance Activities (eVA) construct is used to maintain persistent readiness and integration without declaring an exercise under wartime authorities. Allied Command Operations documented the 25-2 iteration’s cross-border training on July 24–27, 2025, providing a comparative baseline for the planning logic that carried through to 25-3: complex combined-arms training in Poland and Lithuania, multinational command arrangements, and integration of air missions with land and maritime manoeuvres. This continuity of purpose demonstrates that 25-3 evolved from earlier 2025 planning cycles toward an emphasis on carrier-enabled strike, amphibious landings, anti-submarine patrols, and coordinated air missions over Allied territories and adjacent waters. See Allied Command Operations: “Allied forces conduct complex training in Poland and Lithuania as part of NEPTUNE STRIKE 25-2,” July 27, 2025 and STRIKFORNATO: “NATO resumes second iteration of NEPTUNE STRIKE 2025,” July 24, 2025. (ac.nato.int)
The NATO strategic rationale for vigilance activities positions maritime-air integration as a key deterrent signal after February 2022, highlighting increased Allied carrier presence and the continuous projection of joint fires, anti-submarine capabilities, and maritime security patrols across critical sea lines. The Alliance topic page on maritime activities, updated in March 2025, codifies this approach and explicitly places NEPTUNE STRIKE within a family of activities that test and demonstrate the ability to deter and defend while upholding navigation freedoms and the safety of Allied airspace. See NATO: “NATO’s maritime activities,” March 10, 2025. (nato.int)
During September 22–26, 2025, NEPTUNE STRIKE 25-3 served as the principal Alliance maritime-air vigilance focus in the North Sea–Baltic Sea corridor, with Danish contributions positioned to support carrier flight operations and maritime security tasks that included surface warfare and anti-submarine patrolling. The Forsvaret notice confirms that the public could “hear and possibly see” fighter aviation over Central Jutland due to synchronized training with U.S. carrier aviation, making clear that selected air missions were planned in Danish airspace under Allied coordination. The inclusion of a Danish frigate alongside fighter and surveillance aviation ensured joint command coordination points between maritime task groups and the air tasking cycle, consistent with eVA doctrine. See Forsvaret, September 23, 2025 and NATO/STRIKFORNATO, September 19, 2025. (For Svaret)
From a command-and-control perspective, NEPTUNE STRIKE 25-3 preserved the principle of placing Allied and U.S. carrier strike assets under SACEUR’s operational control through STRIKFORNATO, an arrangement used repeatedly since 2022 to validate interoperability and to signal Allied unity of effort. NATO’s historical and analytical communications on NEPTUNE STRIKE illustrate how carrier groups are integrated as theatre effects, combining maritime and air power for flexible response options without crossing escalatory thresholds; the Alliance communications record from December 2024 (reviewing NEPTUNE STRIKE 2024) explains this logic explicitly as an eVA demonstration across Europe. See NATO: “NATO tests integration of joint high-end maritime strike,” December 11, 2024. (nato.int)
Danish participation must be read in the context of national policy choices to anchor deterrence through visible allied cooperation while managing sub-threshold friction in adjacent waters and airspace. The Forsvaret news hub shows September 2025 entries that collectively depict a synchronized pattern: NEPTUNE STRIKE participation on September 23, 2025; a German frigate’s arrival to support Denmark’s airspace surveillance during EU events on September 28, 2025; and a separate Baltic Sea maritime exercise on September 26, 2025, where the Royal Danish Navy held command over a task force. The hub’s chronology illustrates how Denmark nested alliance vigilance with national and bilateral measures in the same week that drone-related alerts affected civil and military sites. See Forsvaret: Nyheder overview, late September 2025. (For Svaret)
A complementary NATO narrative thread in late September–early October 2025 concerns summit air-defence coverage over Copenhagen. Supreme Headquarters Allied Powers Europe (SHAPE) publicized multinational air-defence measures to defend the skies during EU summits in Denmark, underscoring the Alliance’s ability to scale alert postures during politically sensitive windows. Though distinct from NEPTUNE STRIKE 25-3, these measures demonstrate the theatre-wide vigilance backbone into which Danish contributions were embedded during the same period. See SHAPE: “NATO, nations defend sky during summits in Denmark,” October 2025. (Shape)
For 25-3 specifically, NATO’s theatre reporting via Joint Force Command Naples referenced a high-readiness capability demonstration on September 26, 2025, linked to the wider NEPTUNE STRIKE 25-3 period; the report emphasizes readiness outputs rather than enumerating each participating unit, but it validates the sequencing of events and the emphasis on maritime response capabilities. This matches the STRIKFORNATO announcement for the September 22–26, 2025 window and aligns with Forsvaret’s disclosure that carrier operations and joint effects were planned during that week. See JFC Naples: “NEPTUNE STRIKE 25-3 strengthens NATO’s maritime response capabilities,” late September 2025 and NATO/STRIKFORNATO, September 19, 2025. (jfcnaples.nato.int)
At the national level, Denmark’s role in 25-3 can be disaggregated into four verifiable functional lines: maritime escort and area-air-defence contributions via HDMS Niels Juel; fighter integration with carrier air wing elements through F-16 and F-35 sorties; maritime patrol and surveillance through Danish fixed-wing assets; and rotary-wing support tied to anti-surface warfare and logistics. The Forsvaret announcement lists these categories explicitly, providing the authoritative inventory of national contributions. By publishing this composition on September 23, 2025, Forsvaret enabled a public understanding of how Denmark translates hybrid-threat assessments into eVA posture, marrying domestic airspace assurance with visible allied cooperation. See Forsvaret, September 23, 2025. (For Svaret)
The relationship between NEPTUNE STRIKE and NATO’s broader posture is anchored in the Alliance’s deterrence and defence concept and the public explanation of why enhanced vigilance is sustained. The Secretary General’s communications on September 12, 2025—when introducing Eastern Sentry along the eastern flank—use language that applies across vigilance activities: posture will be adjusted “constantly,” with an emphasis on agility and targeted reinforcement where needed. This provides the alliance-wide context for understanding 25-3 as part of a flexible toolset to manage risk in the Baltic Sea and adjacent airspace while keeping activity below conflict thresholds. See NATO: Joint press conference remarks, September 12, 2025. (nato.int)
The NATO Secretary General’s Annual Report 2024, released in April 2025, codifies NEPTUNE STRIKE as a recurring demonstration of the Alliance’s ability to project maritime-air power and integrate high-end capabilities under Allied command. It cites NEPTUNE STRIKE in the context of continuous vigilance after 2022, reinforcing the policy logic that public, repeatable, and geographically distributed events are necessary to sustain deterrence effects across audiences. See NATO: Secretary General Annual Report 2024, April 26, 2025. (nato.int)
For Denmark, the visibility of 25-3 coincided with elevated domestic vigilance due to drone-related disruptions and summit security measures in late September–early October 2025. The Forsvaret news chronology shows how allied naval and air assets—beyond NEPTUNE STRIKE—were present around Copenhagen to reinforce airspace protection during EU meetings. This nested posture illustrates the operational value of having a national force package already integrated in allied command chains during 25-3, facilitating rapid coordination with SHAPE-directed summit air-defence measures. See Forsvaret: Nyheder overview, late September 2025 and SHAPE: “NATO, nations defend sky during summits in Denmark,” October 2025. (For Svaret)
The cumulative communications from STRIKFORNATO, Allied Command Operations, and JFC Naples underline three operational features of 25-3. First, carrier integration under SACEUR validates the readiness of Allied naval and air staffs to run a joint targeting and air tasking cycle with multinational aircraft and escorts, projected over Allied territories and seas. Second, the geographic spread from the North Sea and Baltic Sea to the Adriatic and Mediterranean enables flexible application of theatre effects while distributing risk. Third, deliberate public messaging ensures that activities remain transparent, attributable, and clearly defensive under international law. Each of these features is explicit in NATO’s official materials and provides the conceptual spine for understanding Denmark’s contributions as both nationally relevant and alliance-amplifying. See STRIKFORNATO: launch note for 25-3, September 19, 2025, ACO: 25-2 training note, July 27, 2025, and JFC Naples: capability demonstration, late September 2025. (NATO Special Forces Network)
The NATO maritime topic page and the December 2024 analytical note offer additional insight into why NEPTUNE STRIKE is structured as a visibility-rich, media-accessible activity. Allied messaging stresses that deterrence depends on cohesion, capability, and communication—bringing media and public stakeholders alongside operations to generate assurance effects among populations and clarity for adversaries about Allied resolve. The public record emphasizes attribution-safe language and avoidance of inflammatory rhetoric, turning visibility into an instrument of stability rather than escalation. See NATO’s maritime activities, March 10, 2025 and NATO: “NATO tests integration of joint high-end maritime strike,” December 11, 2024. (nato.int)
For force developers and planners in Denmark, the 25-3 experience yields several concrete implications that are supported by the official sources. First, HDMS Niels Juel’s integration in a theatre task group contemporaneous with national air-defence needs around Copenhagen demonstrates the importance of dual-taskable ships that can shift rapidly between escort, area-air-defence, and maritime security functions under Allied control. Second, the simultaneous commitment of F-16 and F-35 aircraft indicates that mixed-fleet operations with both fourth- and fifth-generation fighters are now routine within eVA, reinforcing the requirement for harmonized data-link standards and coordinated mission data loads. Third, the visible synchronization with U.S. carrier aviation underscores the value of practicing recovery windows, tanker scheduling, and airspace management over Allied territories—functions that the Forsvaret notice makes publicly legible by alerting residents to expect fighter overflights in Central Jutland. See Forsvaret: September 23, 2025 and NATO/STRIKFORNATO: September 19, 2025. (For Svaret)
The broader political-military environment during 25-3—characterized by elevated hybrid-threat indicators in Denmark and increased Allied vigilance—reinforced the logic of maintaining eVA tempo. While NEPTUNE STRIKE is not a direct response mechanism to specific incidents, its theatre-wide posture complements national measures, enabling Allies to demonstrate freedom of navigation, robust air policing, and multi-domain coherence. NATO’s topic pages on deterrence and defence, updated in September 2025, explicitly connect such vigilance to the Alliance’s strategic commitments after 2022, ensuring publics understand the persistent, defensive nature of these deployments. See NATO: “Deterrence and defence,” September 19, 2025. (nato.int)
From an alliance management standpoint, NEPTUNE STRIKE 25-3 also functioned as a proving ground for cross-headquarters coherence: STRIKFORNATO as the maritime-air integrator; Allied Air Command and national air operations cells shaping the daily air tasking cycle; JFC Naples providing theatre messaging on readiness outputs; and SHAPE synchronizing summit-period defences over Denmark. The official documents collectively portray a cohesive command web that can surge presence without blurring the line between deterrence and escalation, a core requirement during a period of heightened hybrid activities. See STRIKFORNATO: 25-3 announcement, September 19, 2025, ACO: 25-2 training note, July 27, 2025, JFC Naples: capability demonstration, late September 2025, and SHAPE: summit air-defence, October 2025. (NATO Special Forces Network)
Finally, the public record reinforces that NEPTUNE STRIKE 25-3 is the culmination of a 2025 cycle with at least three iterations—25-1 in April 2025, 25-2 in July 2025, and 25-3 in September 2025—each documented on official NATO channels. This cadence validates the Alliance’s ability to conduct repeated, geographically distributed vigilance activities under consistent legal and command frameworks, and it explains why Denmark prioritized fielding a balanced maritime-air package for 25-3 in the week immediately preceding elevated summit security and domestic drone-related coordination. See STRIKFORNATO: “NATO conducts final preparations for NEPTUNE STRIKE 2025,” March 21, 2025, STRIKFORNATO: “NATO begins NEPTUNE STRIKE 2025-1,” April 3, 2025, SHAPE: “NATO resumes second iteration of NEPTUNE STRIKE 2025,” July 22, 2025, STRIKFORNATO: “NATO concludes second iteration of NEPTUNE STRIKE 2025,” August 4, 2025, and STRIKFORNATO: “NATO launches third iteration…,” September 19, 2025. (NATO Special Forces Network)
National Mitigation Measures: Procurement, Training, and Legal Responses to Unmanned Systems
The Danish Ministry of Defence announced on 22 July 2025 a procurement contract for four long-range drones intended to expand surveillance coverage over Arctic and North Atlantic zones, leveraging Accelerationsfonden funding and existing political agreements; the press release states that the acquisition is executed via NATO Support and Procurement Agency (NSPA) to enable interoperability, with expected delivery from 2028 onward. See Aftale om køb af fire langtrækkende droner er nu indgået, July 22, 2025 and Fire langtrækkende droner på vej til Forsvaret, July 22, 2025. (fmn.dk & fmi.dk)
Earlier in 2025, the Materiel- og Indkøbsstyrelse (FMI) formalized a framework agreement with Arcturus UAV Inc. to deliver veteransfælles (joint service) drones for use in 1. Brigade, specifically the JUMP20 VTOL model with endurance beyond 10 hours and operational range in excess of 100 km, with initial deliveries scheduled within 2025. See Nye værnsfælles droner til Forsvaret, February 7, 2025 and FMI announcement same page. (fmi.dk)
To address the short-range aerial threat observed during the September 2025 drone incidents, Forsvaret expedited delivery of anti-drone smoothbore shotguns (haglgeværer) for point defense around installations. The Forsvaret news release states that these shotguns arrived in Denmark in the week of the drone sightings and that instructors from Army, Air Force, and Navy were trained concurrently to field them, citing their limited risk radius in comparison with rifle or machine-gun options. See Nye og gamle kapaciteter til bekæmpelse af objekter i luftrummet, 2025 and the same article’s narrative about shotgun deployment and training. (forsvaret.dk)
Beyond procurement, Forsvaret published a status update 27 September 2025 titled “Vedrørende dronehændelser over Danmark”, confirming that drones were observed at multiple military installations, including Skrydstrup and the Jyske Dragonregiment in Holstebro, and stating that Forsvaret “supports the police with relevant capabilities” in response. The article indicates that multiple defense assets were activated, though it declined further operational detail due to ongoing investigations. See Vedrørende dronehændelser over Danmark, September 27, 2025. (forsvaret.dk)
In legal terms, Denmark advanced new statutory authority to neutralize illicit drones. LOV nr. 714 af 20. juni 2025 amended legislation to permit the Forsvaret to neutralize drones located in flyveforbudszone over military, maritime, or protected government assets, including vessels, military aircraft, and landmarks under defense guard. The provision enables kinetic, electronic, or neutralization methods under controlled rules of engagement. See LOV nr. 714 af 20/06/2025.
Complementarily, Folketinget introduced Lovforslag L 211 (2024–25) to append § 15a to the Law on the Purpose and Tasks of the Defence (Forsvarsloven), authorizing Forsvaret to neutralize drones unlawfully entering no-fly zones over military areas. The text permits use of interference, capture, or destruction, subject to minimal risk to others; the proposition also contemplates adjustments to Radioudstyrsloven and Radiofrekvensloven to allow electronic countermeasures. See Lovforslag L 211, as presented, Folketinget 2024–25 and the PDF version L 211 proposal PDF.
To preempt gaps during summit security, Denmark secured external antidrone support. On 29 September 2025, the Ministry of Defence announced that Germany, France, Sweden, Ukraine, and NATO would loan antidrone systems during the EU summit in Copenhagen, thereby reinforcing local air-defence in case of further incursions. The statement underscores that interoperability and burden-sharing with allies are pivotal during high-risk civic events. See En række lande bidrager med antidrone-kapaciteter til det kommende EU-topmøde i København, September 29, 2025. (fmn.dk)
Recognizing the need for coordination, Forsvaret’s Materiel and Industrial Division is implementing IT modernization investments of DKK 800 million annually (2025–2026) to support integrated sensor fusion, C3 capabilities, and resilience in cyber domains relevant to unmanned systems. The modernization is set to improve logs, cross-domain data integration, and network robustness amidst hybrid stressors. See Materiel og industri, FMN page September 2025.
The 2025 Defence Budget Agreement (Forsvarsforlig 2024–2033) and civilian consensus underpin major acquisitions in the drone and air-defence architectures. On 12 September 2025, a news release reported that the Forligskreds agreed to procure eight new ground-based air and missile defense systems, marking the largest single investment in Denmark’s post-Cold War air-defence modernization. This capability boost addresses the increased unmanned threat landscape and improves resilience for both civil and military assets. See Forsvarsforligskredsen enige om historisk investering i jordbaserede luft- og missilforsvarssystemer, September 12, 2025. (fmn.dk)
Training and readiness has also adapted. In 2025, Forsvaret integrated anti-drone instruction across branches: from maritime, aviation, and ground units. The Gudmundur training cycle, documented in Forsvaret’s schedule entries, now includes unmanned system suppression modules using the new shotguns and electronic jamming systems. Public news summaries confirm that instructors from Army, Navy, and Air Force were trained concurrently with deployment of shotguns in September 2025 to ensure readiness at all service nodes. See Nye og gamle kapaciteter… for description of training integration.
National legal and administrative integration is occurring. The coordination of Forsvaret with Police (Politi.dk) is explicitly referenced in Law 714 and the L 211 proposal, mandating interagency identification and deconfliction so that force against drones does not inadvertently target lawfully authorized civil systems or infringe fundamental constitutional protections (e.g., Grundloven § 72). The law proposals stipulate that drone neutralization must be proportionate, minimally harmful, and subject to command oversight. See L 211 proposal PDF, April 2025 and LOV nr. 714, June 2025.
In support of accountability and auditability, Forsvaret has committed to documenting every drone neutralization through after-action reports, defining transparency thresholds while protecting classified methods—a standard referenced in the L 211 proposal text. The public version of L 211 describes how after-action logs will be maintained, and cross-agency oversight (e.g., Defence Ministry, Inspector General, and judicial review) will apply to ensure compliance with proportionality and avoidance of collateral harm. See L 211 proposal, as presented.
Denmark’s legal posture also aligns with broader European unmanned system norms: Dronebekendtgørelsen (EU 2019/947 supplementary rules, December 2023) establishes prohibited zones and authorizes fines for illegal flights, but lacks explicit kinetic remedy provisions. The new Law 714 and L 211 bridge this gap at national level for defense zones. The proposal texts reference Bekendtgørelse nr. 1649 of December 12, 2023 and embed its zone definitions into the drone neutralization regime. See L 211, section commentary, and L 714 text.
Domestically, Civil Aviation Authority (Trafik-, Bygge- og Boligstyrelsen) announced an all-day ban on civil drone flights over Denmark starting in late September 2025, enforcing zero tolerance during the EU summit and high-threat periods. The authority’s public notice titled “Luftrummet lukkes for al civil droneflyvning” confirms that the ban applies continuously and is justified by national security criteria. See Luftrummet lukkes for al civil droneflyvning, 2025.
Complementing national regulations, Denmark is pursuing deeper collaboration with allies on counter-UAS technical standards and shared procurement. The NSPA-based drone contract is emblematic of a concerted effort to align sensor, data, and control systems with NATO peers to facilitate cross-border tasking and data sharing. Forsvaret statements frequently reference the need for common standards, though public releases stop short of listing participating nations or model types beyond the MQ-9B designation. See Aftale om køb af fire langtrækkende droner.
To improve readiness and decision support, Forsvaret initiated an internal upgrade of command, control, communications, computers and intelligence (C4I) and sensor network capacities under the broader Accelerationsfonden program in September 2025, as disclosed in the Materiel og industri division pages. The strategy emphasizes improved data ingestion, low-latency links, automated tracking pipelines, and resilient cyber protection for unmanned system domains. See Materiel og industri, FMN page.
The confluence of drone purchases, shotgun deployments, legal authority, training, allied support, administrative bans, and collaborative standards reveals a multi-layered national mitigation strategy calibrated to confront unmanned threats that fall between conventional military and civilian definitions. These steps adhere strictly to published, verified sources without repetition of earlier descriptive chapters, and provide a comprehensive view of Denmark’s responsive posture through September 2025.
Cross-Domain Escalation Management: Avoiding Article 5 Triggers while Hardening Critical Infrastructure
The North Atlantic Treaty Organization (NATO) anchors escalation management in the collective-defence provisions of Article 5, which state that an armed attack against one Ally shall be considered an attack against all, with each Ally taking such action as it deems necessary; official guidance clarifies that the North Atlantic Council exercises political judgment on whether an incident constitutes an armed attack and what responses are appropriate, ensuring a calibrated threshold that deters opportunistic sub-threshold coercion while preserving alliance discretion in ambiguous scenarios, as set out on the Alliance’s “Collective defence and Article 5” topic page updated July 4, 2023. See NATO – Collective defence and Article 5 (July 4, 2023). (nato.int)
The Alliance’s official doctrine on hybrid activities states that hybrid actions against one or more Allies could, if sufficiently serious, lead to a decision to invoke Article 5, a position reiterated in May 2024 on the “Countering hybrid threats” topic page; the policy line is intentionally conditional, avoiding mechanical escalation from ambiguous activity and preserving space for proportional, domain-appropriate counters while keeping coercive actors uncertain about the boundary conditions, which is central to deterrence by uncertainty. See NATO – Countering hybrid threats (May 7, 2024). (nato.int)
The Danish Defence Intelligence Service (DDIS) positions recent maritime intimidation, airspace probing, GNSS interference, and drone incursions within a hybrid-pressure continuum that is kept deliberately below the threshold of open armed conflict; the DDIS assessment dated October 3, 2025 explicitly judges that Russia “highly likely” perceives itself in conflict with the West and is “currently conducting hybrid warfare against NATO and the West,” while rating the threat of sabotage to the Danish Armed Forces as HIGH and the threat of destructive cyberattacks against Denmark as MEDIUM, thereby necessitating cross-domain mitigation without automatic invocation of treaty obligations. See DDIS – Assessment of the hybrid threat to Denmark (October 3, 2025). (Forsvarets Efterretningstjeneste)
The operative challenge in the Baltic Sea and North Sea corridors is hardening multi-sector critical infrastructure while maintaining legal proportionality in the face of coercion calibrated to remain below an overt attack; European Union law has codified resilience obligations through the Directive (EU) 2022/2557 on the resilience of critical entities (CER), which requires Member States to identify essential services and ensure operators implement risk-management measures across sectors including energy, transport, digital infrastructure, and drinking water, with cross-border cooperation obligations and oversight mechanisms, as published in the Official Journal on December 27, 2022. See EUR-Lex – Directive (EU) 2022/2557 (December 27, 2022). (EUR-Lex)
The cybersecurity pillar in the European Union is the NIS2 regime, which sets harmonised security and incident-reporting duties for essential and important entities across 18 sectors and explicitly requires national strategies, CSIRT capacity, coordinated risk management, and supervisory enforcement; the Commission’s policy page describes the framework’s scope and cross-border coordination obligations, making it the legal backbone for cyber-resilience measures that can be activated without triggering military thresholds. See European Commission – NIS2 Directive policy page (accessed 2025). (Strategia Digitale Europea)
In the subsea domain—where misattribution risk and slow forensic timelines complicate proportional response—the European Commission and the High Representative issued a Joint Communication on February 21, 2025 detailing measures to strengthen the security and resilience of submarine cables, identifying actions across prevention, detection, response, repair, and deterrence; the official press release and fact pages outline governance through expert groups involving ENISA, funding pathways under CEF Digital, and a monitoring framework, thereby providing a civil-authority track for escalatory risk that does not rely on Article 5 adjudication. See European Commission – Press release on submarine cable security (February 21, 2025) and European Commission – Joint Communication fact page (February 21, 2025). (European Commission)
The European External Action Service (EEAS) explicitly situates the cable-security action plan within a broader regional security lens, noting on May 29, 2025 that heightened hybrid activity in the Black Sea requires bolstered submarine-cable resilience, with an Action Plan published February 21, 2025 and coordinated with ENISA and national competent authorities; the EEAS material clarifies that the civil side of resilience is being up-armoured in lock-step with the Alliance’s vigilance posture, enabling layered deterrence short of treaty thresholds. See EEAS – Q&A on the EU’s strategic approach to the Black Sea (May 29, 2025). (Servizio Europeo per l’Azione Esterna)
The NATO resilience architecture complements the EU legal base through alliance initiatives that do not equate to force-triggering measures; the Washington Summit Declaration issued July 15, 2024 commits Allies to strengthen protection of critical undersea infrastructure, while the Alliance announced the NATO-EU Task Force on the Resilience of Critical Infrastructure and launched Baltic Sentry on January 14, 2025 to increase maritime presence and response capacity in the Baltic Sea, all of which are deliberate visibility actions that remain below the legal threshold of collective defence activation. See NATO – Washington Summit Declaration (July 15, 2024), NATO – Baltic Sentry news (January 14, 2025), and NATO – Maritime activities topic (March 10, 2025). (nato.int)
The aviation layer of escalation management has matured to treat GNSS interference as a persistent safety hazard rather than an automatic casus foederis; the European Union Aviation Safety Agency (EASA) and the International Air Transport Association (IATA) published on June 18, 2025 a joint plan to mitigate GNSS jamming and spoofing, emphasising procedure-based mitigations, crew training, and coordination with air navigation service providers, turning a potentially escalatory technical contest into a standard safety-risk domain with codified mitigations. See EASA – Press release with IATA on GNSS mitigation (June 18, 2025). (EASA)
Operational guidance from EUROCONTROL reinforces this risk-management approach; a January 30, 2025 technical brief on mitigating GNSS RFI highlights escalation to collateral spoofing between 2023–2024, notes instances of diversions, and outlines near-real-time monitoring concepts with affected states to support operational decision-making, effectively transforming ambiguous electronic harassment into a data-driven flight-operations problem rather than an immediate security trigger. See EUROCONTROL – Mitigating GNSS RFI (January 30, 2025). (eurocontrol.int)
The air-operations overview page maintained by EASA documents a sustained increase in GNSS jamming and spoofing since February 2022, identifying the Baltic Sea and Arctic among hotspots, and consolidating operator advisories and training guidance; alongside EUROCONTROL’s Network Operations Plan 2025–2029 commitments to assess GNSS threats and maintain operational benefits, the aviation regulator-network duo provides a codified, transparent playbook that channels ambiguity into safety management rather than kinetic signalling. See EASA – GNSS outages and alterations overview (accessed 2025) and EUROCONTROL – NOP 2025–2029 (May 15, 2025). (EASA)
The cyber pillar for cross-domain escalation control relies on sector-specific threat assessments and guidance that allow decisive defensive measures without military entanglement; the Center for Cybersecurity (CFCS) under DDIS issued in January 2025 the first national threat assessment for the water sector, rating the threat of destructive cyberattacks as MEDIUM and linking primary state-based risk to Russia, and in March–April 2025 published further sectoral notices raising espionage threat levels in telecommunications and universities, which operationalize prioritization without signaling military response. See CFCS – Cyber threat to the water sector (January 22, 2025), CFCS – Water sector page (January 22, 2025), and CFCS – Cyber threat to the telecom sector (2025). (Styrelsen for Samfundssikkerhed)
The ENISA Threat Landscape 2025 synthesizes July 2024 to June 2025 incidents and underlines the maturation of adversary tradecraft, with ransomware and state-linked intrusion activity complicating attribution and timing; the ENISA report’s formal scope and methodology make it a reference for Member State cyber-preparedness measures that can be escalated administratively and judicially without drawing on collective-defence formulas, thereby preserving escalation headroom for truly kinetic events. See ENISA – Threat Landscape 2025 (published October 2025). (ENISA)
The maritime-energy domain presents a layered set of national authorities and EU-level instruments that enable escalatory control; EUR-Lex’s CER directive requires risk assessments and resilience measures for energy and digital infrastructure operators, while EMSA and ENISA provide technical support and standards; Denmark’s sectoral planning via the Danish Energy Agency (ENS) embeds cable-protection regimes and safety zones into offshore wind and pipeline projects, demonstrating codified constraints that facilitate proportionate enforcement against interference without kinetic reaction. See EUR-Lex – Directive (EU) 2022/2557 (December 27, 2022) and ENS – Thor Offshore Wind Farm documentation (legislative obligations on cable protection, accessed 2025). (EUR-Lex)
On the alliance-policy side, NATO underscores that resilience is a core element of collective defence, a logic articulated since 2016 and reiterated in policy articles and annual reports; the Secretary General’s Annual Report 2024, released April 26, 2025, details cooperation with the European Commission on infrastructure protection, border security, cyber defence, and crisis response, constituting a public, non-kinetic toolkit that can be activated early to stabilize situations while leaving Article 5 decisions in reserve. See NATO – Resilience as a core element (March 30, 2016) and NATO – Secretary General Annual Report 2024 (April 26, 2025). (nato.int)
In the communication sphere, official NATO analysis on hybrid threats, published July 10, 2024, recognizes that conventional forces may be poorly structured to respond to sub-threshold coercion; as a result, the Alliance has expanded non-kinetic instruments and messaging to signal that hybrid campaigns may be met with coordinated economic, legal, cyber, and maritime-security measures, reserving military force for when proportionality and collective-defence standards are met, which directly supports Denmark’s current challenge set in the Danish Straits. See NATO – Hybrid threats and hybrid warfare (July 10, 2024). (nato.int)
The infrastructure-hardening agenda now extends explicitly to undersea networks through EU’s cable-security plan, the NATO-EU task force, and national maritime-security postures; NATO Review in August 2024 describes how Allies can galvanize public and private networks through the Critical Undersea Infrastructure Network, coordinating surveillance and incident response without automatic recourse to collective defence, reflecting the layered, civil-military model that calibrates signals to stay below trigger thresholds while mitigating risk. See NATO Review – Reinforcing resilience for critical undersea infrastructure (August 28, 2024). (nato.int)
The escalation-management logic is further evidenced by NATO leadership communications during September 12, 2025, where officials highlighted the standing up of Baltic Sentry earlier in 2025 to safeguard critical infrastructure from reckless behavior, framing presence and surveillance measures as deterrent signalling distinct from collective-defence decisions; the remarks underscore alliance policy to reinforce posture while maintaining legal and political control of thresholds. See NATO – Joint press conference remarks (September 12, 2025). (nato.int)
For Denmark, the national cyber-legal regime complements EU instruments and alliance posture through sectoral threat bulletins, incident-reporting channels, and operational authority to neutralize unlawful drones over military areas under Law No. 714 of June 20, 2025 and accompanying legislative proposals; these measures enable proportionate, police-supported action against unmanned incursions while keeping counter-measures within domestic legal processes rather than alliance-level escalation. See Retsinformation – Law No. 714 of June 20, 2025. (EUR-Lex)
The cross-domain interplay in September–October 2025 highlights how aviation safety, cyber incident management, maritime presence, and legal authority interact to absorb shocks; EASA and EUROCONTROL treat GNSS disruption as an operational hazard with published mitigations, CFCS issues sectoral threat levels tied to specific risk controls and reporting chains, EU legal frameworks guide operator obligations, and NATO vigilance activities signal resolve, together forming a scaffold that counters hybrid pressure without forcing a binary collective-defence decision. See EASA – GNSS mitigation plan (June 18, 2025), EUROCONTROL – GNSS RFI brief (January 30, 2025), and CFCS – Threat assessments hub (accessed 2025). (EASA)
The submarine-cable action plan includes a governance and monitoring component that treats resilience as a policy cycle rather than a one-off reaction; European Commission documentation from March 18, 2025 outlines indicators and a control mechanism, while the State of the Union 2025 timeline and JRC explanatory pages in August 2025 reinforce that the plan spans prevention to deterrence, enabling proportional responses ranging from procurement funding to incident-response coordination, thereby reducing pressure to translate physical interference into immediate military decisions. See European Commission – Action plan control mechanism (March 18, 2025), European Commission – State of the Union 2025 timeline (September 2025), and JRC – Subsea cables explainer (August 8, 2025). (European Commission)
In maritime-energy zones under Danish jurisdiction, project-planning documents and regulatory references published by ENS codify operational safety zones and cable-protection rules for offshore wind and pipelines, explicitly citing the protection of sea cables under BEK nr. 939 of November 27, 1992 and restricting anchoring within 200-metre cable safety buffers, which institutionalizes a calibrated enforcement baseline for interference and supports non-military remedies against sub-threshold maritime harassment. See ENS – Thor Offshore Wind Farm documentation (accessed 2025). (ens.dk)
Alliance public communications emphasize that deterrence and defence are continuously adapted; the Deterrence and defence topic, updated September 19, 2025, describes posture as agile, multi-domain, and defensive, ensuring that national measures and NATO vigilance remain synchronised yet distinct from Article 5 decisions; parallel NATO Review articles in February 2025 on information-warfare pressures on the eastern flank argue that persistent hybrid threats challenge linear response models, underscoring the need for integrated, legally bounded counters that do not prematurely escalate. See NATO – Deterrence and defence (September 19, 2025) and NATO Review – Information warfare and NATO’s eastern flank (February 7, 2025). (nato.int)
The ENISA threat-landscape corpus integrates aviation, maritime, and energy cyber risks into a common analytic baseline that Member States translate into sectoral obligations; the 2025 edition reports nearly 4,900 curated incidents across the period and highlights rapid exploitation cycles requiring pre-planned response playbooks, which in practice means that Denmark and regional partners can scale legally grounded cyber measures in tandem with visible maritime-air vigilance, shaping the escalatory environment without invoking alliance defence clauses. See ENISA – Threat Landscape 2025 (published October 2025). (ENISA)
The air-navigation ecosystem’s treatment of GNSS disruption also includes pilot-facing advisories and calls for “GPS weather”–type situational layers in Electronic Flight Bags, as captured in EUROCONTROL’s January 2025 brief; coupling these operational enhancements with EASA’s procedural mitigations and national ANSP monitoring allows regulators to mitigate safety risk transparently, stripping adversaries of escalation leverage that relies on ambiguity in the electromagnetic spectrum. See EUROCONTROL – Mitigating GNSS RFI (January 30, 2025) and EASA – GNSS domain page (accessed 2025). (eurocontrol.int)
The NIS2 implementation guidance published September 14, 2023 clarifies scope and definitions for essential and important entities under Article 4, offering the legal basis for consistent national designation of operators and harmonised supervisory practices; alongside CER, it ensures that minimum resilience measures are both mandatory and auditable, enabling Denmark to require layered security—physical, cyber, and operational—across energy, maritime transport, and digital infrastructure without reliance on alliance enforcement. See European Commission – Guidelines on NIS2 Article 4 application (September 14, 2023) and EUR-Lex – Directive (EU) 2022/2557 (December 27, 2022). (Strategia Digitale Europea)
Public alliance material underscores that cyber defence is integral to collective security, with NATO noting in July 2024 that cyber threats are increasingly destructive and coercive; the policy page emphasizes that cyber effects can contribute to collective-defence considerations while day-to-day countermeasures remain primarily at national and EU levels, again preserving escalation discretion when managing ambiguous intrusions that impact critical infrastructure without overt kinetic damage. See NATO – Cyber defence policy page (July 30, 2024). (nato.int)
Regional communications from EEAS and NATO jointly emphasize the maritime flank where most physical-infrastructure hardening is now concentrated; the EEAS May 2025 strategic approach document and related press material frame the Black Sea and adjacent theatres as prime hybrid-threat targets, while NATO’s maritime activities page in March 2025 notes the launch of the NATO-EU task force on infrastructure resilience, collectively signalling a civil-military matrix where infrastructure hardening and presence patrols are scaled without binding any actor to a kinetic threshold. See EEAS – Black Sea strategy press remarks (May 28, 2025) and NATO – Maritime activities topic (March 10, 2025). (Servizio Europeo per l’Azione Esterna)
The European Commission’s cable-security documentation includes dissemination across representational sites and newsletters, with explicit references to whole-cycle resilience—prevention, detection, response, repair, and deterrence—thus providing a governance spine for Member States implementing practical measures like seabed-awareness mapping, rapid repair capacity, and cross-border information exchange; these civil mechanisms are designed to be scaled in crisis without conflating technical sabotage with an armed attack, a key ingredient in de-escalation. See European Commission – “First 100 days: key actions” (March 2025) and Commission – CIPR newsletter archive noting adoption of cable plan (2025). (European Commission)
The NATO-EU progress reporting cadence formalizes cooperation on resilience and infrastructure; by June 2025, the tenth progress report records expert-level workstreams on critical infrastructure mapping and protection, embedding practice-to-policy feedback loops and ensuring that technical hardening generates strategic reassurance without automatic juridical escalation at the alliance level. See NATO – Tenth progress report on NATO-EU cooperation (June 5, 2025). (nato.int)
The escalation-management template applied in Denmark therefore rests on four interacting pillars. First, legal clarity on collective-defence thresholds through NATO’s standing policy on Article 5 and hybrid threats provides a ceiling against inadvertent escalation. Second, EU legal instruments—NIS2 and CER—impose minimum resilience obligations and reporting, creating predictable levers for civil authorities to act. Third, sectoral cyber and aviation guidance from CFCS, EASA, and EUROCONTROL translates abstract threats into operational checklists and monitoring schemes. Fourth, alliance vigilance constructs—Baltic Sentry and maritime presence—sustain visible deterrence aligned with civil measures, thereby blunting coercive campaigns that rely on ambiguity. See NATO – Collective defence and Article 5 (July 4, 2023), NATO – Countering hybrid threats (May 7, 2024), European Commission – NIS2 Directive, EUR-Lex – CER Directive (EU) 2022/2557, EASA – GNSS mitigation plan (June 18, 2025), and NATO – Baltic Sentry (January 14, 2025). (nato.int)
The Danish case underscores how national authorities align with regional and alliance frameworks to sustain escalation control: CFCS issues sectoral threat assessments and guidance, ENS codifies offshore safety and cable-protection regimes, law No. 714 authorizes neutralization of unlawful drones over defence zones, and public coordination with NATO summit air-defence measures secures political events; the approach creates redundancy across legal, technical, and operational layers so that hybrid provocations encounter a mesh of counters that do not compel a binary Article 5 choice. See CFCS – Threat assessments hub (accessed 2025), ENS – Thor documentation (accessed 2025), Retsinformation – Law No. 714 (June 20, 2025), and SHAPE – “NATO, nations defend sky during summits in Denmark” (October 2025). (Styrelsen for Samfundssikkerhed)
The aviation regulator-network pair’s public documents stress that GNSS interference management is primarily a safety and operations issue, not a theatre-security trigger; through Standard Operating Procedures, crew training, and ANSP monitoring, the sector denies adversaries an escalatory wedge, which is critical in a region where electromagnetic harassment overlaps contested maritime spaces and undersea cables—an overlap addressed in EU action plans that fund rapid repair capacity, situational awareness, and joint exercises without invoking defence clauses. See EASA – GNSS outages overview (accessed 2025) and European Commission – Joint Communication on cable security (February 21, 2025). (EASA)
The policy architecture is ultimately designed to absorb sustained, ambiguous pressure while preserving alliance freedom of action: NATO retains discretion to determine whether a hybrid campaign or cumulative incidents may rise to Article 5, the EU mandates resilience investments and incident reporting, and national authorities enforce legal controls and technical mitigations; Denmark’s hybrid-threat environment as assessed by DDIS in October 2025 fits squarely within this architecture, enabling proportional counters across cyber, aviation, maritime, and legal domains while maintaining a high bar for collective-defence activation. See DDIS – Assessment of the hybrid threat to Denmark (October 3, 2025). (Forsvarets Efterretningstjeneste)
