When the threat crosses the border: what spring 2026 has revealed about protecting critical infrastructure

In the spring of 2026, a series of unmanned aerial systems were detected over Finnish territory. Finnish authorities assessed the systems as of Ukrainian origin, with electronic interference or a technical failure likely causing their deviation. No hostile intent towards Finland was established.

The incidents are significant not for what they were, but for what they demonstrated. A combat system can appear without warning above a logistics corridor, an energy node or a coastal approach, in an already degraded electromagnetic environment due to active jamming, without any deliberate targeting of the state beneath it. The threat does not require intent to produce consequences.

Finland's authorities responded with the seriousness the situation warranted. Surveillance and readiness in the affected areas were increased, and counter-drone exercises were initiated. In April, the government applied for European funding to develop detection and counter-drone capabilities along the eastern border and the Gulf of Finland, covering detection systems, neutralisation, integration and training. The process of building a layered, regional response architecture is underway.

That response reflects an understanding that has become operational across NATO: no single system or layer addresses the full scope of the UAS threat. Effective counter-drone capability combines detection, classification, decision support and selective response across multiple domains and tiers. Each layer compensates for the limitations of the others. The question for any infrastructure operator or procurement organisation is not which single solution to procure. It is how the layers fit together and what each layer is required to do.

The regulatory moment

This question does not arise in isolation. Across the European Union, the regulatory framework for critical infrastructure protection is at a significant juncture. The Critical Entities Resilience Directive (CER) covers eleven sectors, including energy, transport, digital infrastructure and water. Member states are required to identify their critical entities by 17 July 2026. Once identified, those entities are subject to obligations: risk assessments, resilience plans and incident reporting requirements follow on defined timelines.

Airports are among the most exposed categories of critical infrastructure in this context. They concentrate essential services, operate across multiple regulated frequency bands, handle continuous air traffic, and sit at the intersection of civil and security requirements. A counter-drone incident at an airport is not only a security event. It is also an operational, regulatory and reputational event. The tolerance for collateral disruption is close to zero.

The spring 2026 incidents in Finland occurred precisely at this moment. They did not create the requirement. They illustrated it in terms that procurement organisations, capability development units and infrastructure operators across the EU can read directly.

The electromagnetic constraint

The operational constraint that defines counter-drone for critical infrastructure is this: a port, a data centre, an electricity substation or an airport does not operate in an electromagnetic vacuum. It depends on the same radio frequencies, GPS signals and communication links that an adversary might seek to disrupt. A response system that addresses one threat by degrading another part of the operational environment is not a solution. It is a redistribution of the problem.

The Finnish incidents illustrated this specifically. Significant GPS disruption was recorded during the same period when the systems came down. That overlap describes an environment in which detection relying on a single sensor domain and response systems relying on broad-spectrum interference operate at reduced effectiveness precisely when the threat is present.

Multi-domain detection addresses this directly. An RF signature alone is insufficient when GPS interference is active and targets may be operating below standard detection thresholds. Acoustic and hyperspectral sensing resolve ambiguities that RF alone cannot. Rapid, confident classification follows because acting against a non-hostile system in a live infrastructure environment incurs real operational costs.

A learning problem, not a library problem

Classification, however, is only as reliable as the system's understanding of the current threat. An adversary that changes frequencies, alters flight profiles, or fields a previously unencountered platform will defeat a system that relies on a fixed response library. What is required is a platform that classifies and responds based on learned behaviour, not one that matches against a catalogue that was current at the time of procurement and remains static thereafter.

The same logic applies to the response. Selective, non-kinetic neutralisation, limited to confirmed hostile systems, is the only approach that preserves the operational continuity of the infrastructure it is intended to protect. Broad-spectrum interference is not legally available in most civil infrastructure environments across the EU and, in many contexts, would undermine the very systems the operator is required to keep running.

The funding application Finland has submitted to the EU, and the detection and counter-drone architecture it describes, reflect a regional network approach rather than a point solution. That framing is operationally correct. The threat does not operate within a single perimeter. The response capability cannot either.

What the spring 2026 incidents provided, beyond their immediate significance for Finland, is a documented and credible baseline for requirements under development across the alliance. The combination of long-range UAS operations, active electronic warfare and GPS degradation, operating simultaneously near civilian and military infrastructure, is not confined to a single border. The capability requirement it generates is not confined to a single country.

The CER deadline of July 2026 will determine which entities across the EU have formal resilience obligations. The operational requirement that those obligations reflect already exists.