Grey-zone tempo, from the operating-asset seat
Four airport closures across three NATO capitals in three weeks and a 13-fold rise in GPS interference over nine months. The operating-asset principal should move ahead of the consensus.
In the second week of October 2025, Vilnius Airport closed twice. The cause both times was meteorological balloons drifting in from Belarus, carrying contraband cigarettes on a trajectory that crossed Lithuanian-controlled airspace (Lithuanian State Border Guard Service, public statements, October 2025). Whatever the motive at the point of origin, the downstream effect was the same as that of a state-directed drone: a NATO-member airport closed its runway twice in a week and the insurance math for anyone relying on the availability of Baltic infrastructure shifted a little further from the one on the books.
The pattern recurs across the year. Copenhagen Airport closed because of drone incursions in late September 2025 (Danish Transport Authority, Reuters reporting). Munich followed in early October 2025 (Bavarian State Police statement, Financial Times). Swedish authorities (Myndigheten för samhällsskydd och beredskap) logged 733 reports of GPS interference affecting airliner traffic in the first nine months of 2025 against 55 reports for the whole of 2023, a 13-fold increase, traced by Swedish and Nordic aviation authorities to devices operating out of Kaliningrad and adjacent Russian territory. NATO launched Baltic Sentry on 14 January 2025 to patrol undersea cable and pipeline infrastructure after the 25 December 2024 cutting of the Estlink-2 interconnector. In the weeks before the 23 February 2025 snap Bundestag election, German authorities documented hundreds of car sabotages attributed to criminals recruited via Viber at roughly 100 euros per car (BBC reporting). Around Easter 2025, approximately 30 telecommunications towers in Sweden were sabotaged without anything being stolen, which rules out ordinary criminality.
The incidents rely on conventional state-programme capability from roughly a decade ago, deployed at scale. They require a Kremlin willing to run grey-zone operations openly, a working supply of recruited gig labour, and the technical sophistication already demonstrated in prior operations rather than any frontier-AI breakthrough. That supply exists, and the evidence through three quarters of 2025 is that it has scaled faster than either the insurance actuarial model or the sell-side research consensus has incorporated.
What the nine-month data actually shows
The useful way to read the 2025 operational data is as an aggregate pattern across nine months. Each event in isolation is explicable as crime, protest, contractor error, or opportunistic state-adjacent activity. Read together, the events describe a sustained rise in the operational tempo of disruption against European critical-infrastructure targets inside a specific geographical corridor, with specific signatures that recur.
Four signatures are worth naming. First, airspace disruption at NATO-member airports, documented across September and October 2025 at Copenhagen, Munich, and Vilnius, with the Vilnius incident distinctive for the balloon-and-cigarette vector that state actors can disclaim while still benefitting from the airspace disruption. Second, persistent GPS interference affecting commercial aviation in Baltic and Nordic airspace, with the 2025 incident count an order of magnitude above any prior baseline. Third, subsea infrastructure incidents, culminating in the Estlink-2 cut on Christmas Day 2024 and the subsequent NATO Baltic Sentry deployment. Fourth, recruited gig labour carrying out physical disruption at low per-incident cost on European soil, best documented in Poland, Germany, and Sweden across the first three quarters of 2025.
Elisabeth Braw at the Atlantic Council has been writing about this pattern through 2024 and 2025; the CEPA incident compilation tracks the aviation-specific subset. Both remain outside the cyber-insurance underwriting cycle and the sell-side research consensus on operational-asset risk, at least as of October 2025 broker conversations.
The operating-asset principal’s read
If you are the family office holding a Baltic or North Sea shipping interest, a mid-cap Nordic or Polish telecom, a regional utility with cross-border supply, a data centre in the corridor of European defence exposure, or a mid-market manufacturer with tier-one supply into European defence, the 2025 operational data changes what you should be asking this quarter rather than next year.
Attribution is already settled; the Swedish and Nordic aviation authorities have been attributing the GPS interference to Kaliningrad for months. The principal-seat question is whether the cyber-insurance premium you are paying, the business-interruption cover you are carrying, and the refinancing assumptions in your debt documents are priced against the 2020 threat model that your broker sold you or the 2025 threat model the operational data now describes. Those are different numbers.
On one operational platform I audited last quarter, the CFO quoted the cyber line at one figure and the CIO quoted it at roughly twice that, and neither of them was in the room when the other answered. The two figures were measuring different things against different threat models, but the capital plan was treating them as the same SG&A line. That is the common audit pattern, and in the current environment it is the pattern that matters.
What a principal should be running this quarter
Three moves, each answerable in a fortnight of structured work.
First, identify which of your operational assets sit inside the 2025 corridor of effect. The filter is concrete rather than abstract: a named list covering Baltic and North Sea shipping, northern European regional telecoms, utilities with cross-border supply, data centres adjacent to European defence supply chains, defence manufacturers, and their tier-one suppliers. For each, pull the cyber line, the business-interruption cover, and the debt-document exit assumptions. If those three numbers were set against a 2020 threat model and have not been revisited in 2025, they are probably wrong.
Second, break the insurance stack down by its claims-correlation assumption. Policies priced against independent-events math pay out differently from policies priced against correlated-events math; the difference is the insurer’s capital position twelve to eighteen months from now, not the face value of the policy today. Ask the broker, in writing, which correlation assumption sits behind the current cover on Baltic-exposed and CNI-exposed counterparties. The broker’s answer, or the broker’s hesitation, will tell you where the stack actually sits.
Third, re-run the capital events in the next twenty-four months (refinancings, recapitalisations, secondary offerings, exits, long-term service-contract renewals) against the 2026 reinsurance-renewal environment that the 2025 operational tempo implies. If the lender’s internal exit model is already ahead of yours, the conversation with the lender should happen before the lender opens it.
My read is that cyber insurance books on Baltic-exposed and CNI-adjacent counterparties are mispriced by something in the range of one-and-a-half to three times current premium, and I would stake that position against any broker offering continued capacity on 2023 terms. The question settles inside twelve months, probably in the 2026 reinsurance cycle.
What would make the argument wrong
Three conditions would flatten the structural-tempo reading back to cycle-noise.
The first is that the 2025 figures are already the peak. If H1-2026 data from the Swedish MSB shows GPS interference stabilising or falling, and Baltic Sentry patrolling continues without further cable incidents, the volume argument loses force. Observable in the MSB quarterly reports and NATO Baltic Sentry updates, both public, both measurable at six months.
The second is that attribution complexity unwinds. If the specific sourcing of GPS interference to Russian cities turns out to be less firmly established than Nordic authorities have been asserting, or if the Viber-recruitment pattern in the German and Swedish cases turns out to be bidirectional or commercially motivated rather than state-directed, the named-actor clarity weakens. Observable in reporting from Bellingcat, the Atlantic Council’s Digital Forensic Research Lab, and national broadcaster investigations.
The third is that insurance capacity holds through the 2026 renewals at comparable pricing. If Lloyd’s syndicates writing cyber continue to offer the same limits to Baltic-exposed and CNI-exposed counterparties at 2023-2024 pricing, the market is signalling confidence in its own actuarial model. Either the market is right and the argument here is wrong, or the market has not yet priced in the evidence and the adjustment is pending.
The working assumption under this note is that at least one of those three softens and at most one holds. Mark the note against the observable state at end of Q1 2026 and again at mid-2026.
What I do not yet know
The question I cannot answer from the October 2025 data is whether the cyber-reinsurance market reprices first or withdraws capacity first. The reinsurance market tends to do one before the other, and which comes first materially changes the capital-event math for any operational-asset principal with a refinancing or recapitalisation inside the next eighteen months. The brokers I have asked in the last month do not know either, which is itself a signal.
The question that matters, ahead of that answer, is less about which way the market moves and more about which of your capital events lands inside the window before the market has settled on a direction. If you are running that calculation now against a specific asset or a specific structure, and reaching a different answer from the one this note describes, I would be interested to hear what you are seeing.
Gopal Patel is principal at Navaro Advisory; prior roles include CTO at Auriens and operational audits across services, institutional hospitality, and AI-native procurement.