Turning the tide: NATO, national, and multinational efforts build Baltic CUI security

In mid-January 2025, NATO stood up ‘Baltic Sentry’, an activity designed to build surveillance presence to deter increasing threats to critical undersea infrastructure (CUI) on the Baltic seabed. This move is one of several national, multinational, and wider NATO activities that have been established and integrated to address the Baltic CUI threat.

CUI vulnerability has been a long-standing theoretical risk for NATO and its member states, with senior military leaders first publicly pointing out this vulnerability around a decade ago. However, the theoretical risk became reality on 26 September 2022, when two Nord Stream gas pipelines were ruptured by explosions off the Danish island of Bornholm in the Baltic Sea. No responsibility for the damage was formally claimed or attributed.

This did not prove to be an isolated incident. What could be construed as a campaign against Baltic Sea CUI perhaps began in October 2023, when the BalticConnector gas pipeline and several communications cables running between Estonia and Finland were damaged. In November 2024, an internet cable connecting Sweden and Lithuania and a telecommunications cable connecting Finland and Germany were cut. On 25 December 2024, the EstLink2 power cable and several nearby internet cables again running between Estonia and Finland were damaged. The cause of all three incidents since October 2023 has not been formally confirmed publicly: however, national and NATO public and political debates have focused on the possible involvement of ‘shadow fleet’ commercial vessels doing the damage by dragging their anchors across the seabed while sailing at speed.

‘Shadow fleet’ ships are commercial vessels that appear to be trying to operate below the ‘registration radar’, running without automatic identification system (AIS) switched on when at sea, and having ownership trails that are difficult to trace ashore. Such ships are often associated with sanctions-busting activities like smuggling oil to and from countries that are under international embargo on such imports and exports.

The Baltic Sea is a very busy shipping environment, with all types of commercial and naval vessels present there, using and securing in turn what are crucial international sea lines of communication (SLOCs) that cross it. It is also a very busy CUI environment, with its seabed criss-crossed by numerous CUI nodes of different types.

Broadly, CUI nodes include: oil, gas, and other natural resource pipelines; communications, data, and power cables; environmental and other monitoring sensors, both civilian and military; oceanographic/hydrographic research instrumentation; and energy ‘hardware’ like windfarms, oil rigs, and wave-power generation and other resource platforms.

The Baltic Sea’s relatively shallow depths, when combined with its dense CUI and shipping patterns, lends the region to being an area in which rogue state or non-state actors might conduct a campaign of targeting CUI while attempting to maintain plausible deniability.

Threat response

Following the December 2024 incident, NATO Secretary General Mark Rutte said NATO would increase its military presence in the Baltic Sea region. NATO had been ramping up its regional presence for some time, given the deteriorating security situation there and Finland and Sweden’s accession to NATO (in April 2023 and March 2024, respectively).

While eight Baltic states are now NATO members, the fact that Russia is not means the Baltic remains a contested environment. Baltic Sea maritime access is increasingly significant for Russia in relative terms, with its Mediterranean maritime access more restricted, following Türkiye closing the Bosphorus and Dardanelles Straits to all navies (with an exception for vessels returning to their home port) in the wake of the full-scale Russian invasion of Ukraine in February 2022, and with port access in Tartus, Syria no longer available after the fall of the Assad regime.

For NATO, the establishment of ‘Baltic Sentry’ was, however, a significant, formal statement of intent to build presence and surveillance deterrence against the CUI threat. Announcing on 14 January 2025 that ‘Baltic Sentry’ was operational, the Supreme Headquarters Allied Powers Europe (SHAPE) said that Allied Command Operations (ACO) would oversee the multi-domain activity. Under ACO, Joint Force Command Brunssum leads the joint operational element, including synchronising multi-domain activities. NATO Allied Maritime Command (MARCOM) is co-ordinating enduring maritime presence activities throughout the region. Commander Task Force (CTF) Baltic, the German Navy’s newly established tactical maritime headquarters, can conduct tactical control of ships operating under MARCOM command.

General Christopher Cavoli – a US general serving as Supreme Allied Commander Europe (SACEUR) – said in the SHAPE statement that “‘Baltic Sentry’ will deliver focused deterrence throughout the Baltic Sea and counter destabilizing acts like those observed [in December 2024]. It is indicative of the alliance’s ability to rapidly respond to such destabilization, and shows the strength of our unity in the face of any challenge.”

The MARCOM-based NATO Centre for Security of CUI (NMCSCUI) was established in June 2023 and made responsible for operational-level networking and expertise support for countering CUI threats, as one of two NATO CUI co-ordination cells (the other being the Brussels-based, strategic-level, Critical Undersea Infrastructure Coordination Cell, established in February 2023). The Centre will support ‘Baltic Sentry’ through providing decision-making and activity co-ordination input relating to CUI protection and response. Such input includes building information sharing to help Allies better understand the operating environment.

Two NATO standing naval forces (SNFs) are committed to supporting the task – Standing NATO Maritime Group 1 (SNMG1), and Standing NATO Mine Counter Measures Group 1 (SNMCMG1). These are MARCOM’s North Atlantic-focused SNFs. While their remit is North Atlantic-wide, the increasing Baltic security threats including the CUI challenge mean they are spending more and more time there.

SNMG1 is activity lead. At the time of writing, it consists of: The Royal Netherlands Navy’s (RNLN’s) De Zeven Provincien class air-defence and command frigate HNLMS Tromp as flagship (with the RNLN commanding the group); the Belgian Naval Component’s M class frigate BNS Louise-Marie; the French Navy’s Type A69 D’Estienne d’Orves class patrol vessel FS Enseigne De Vaisseau Jacoubet and Durance class auxiliary vessel FS Somme; along with the German Navy’s K130 Braunschweig class corvette FGS Magdeburg.

SNMCMG1 consists of: the RNLN survey ship HNLMS Luymes (as flagship, embarking a Belgium-led command staff); the German Navy Frankenthal class coastal mine-hunting vessel FGS Datteln; and the RNLN Tripartite/Alkmaar class minehunter HNLMS Schiedam.

Since ‘Baltic Sentry’ was launched, Finnish and Swedish naval ships – namely the Hamina class fast-attack patrol vessel FNS Pori, and the Visby class corvette HSwMS Visby – have operated within SNMG1. These two navies, plus for example the Estonian Navy, have also been conducting national operations across the region to counter the CUI threat.

Together, the two NATO SNFs bring significant surveillance presence in a multi-domain context, but with particular emphasis on surveilling surface threats, as NATO seeks to build situational awareness and situational understanding (SASU) through enhancing the recognised maritime picture, including assessing who might be doing what, and where, on the surface. SNMG1 also brings deterrence punch in the form of its high-end anti-air, anti-surface, and anti-submarine capabilities. SNMCMG1 brings sub-surface and seabed surveillance capability expertise: the former, in the form of remotely operated uncrewed underwater vehicles (ROVs/UUVs); the latter, in the form of explosive ordnance disposal (EOD) divers.

Overall, across the two SNFs and other national platforms operating alongside them in what is known as ‘associated support’ – whereby an asset is not committed formally to the SNF, but uses its presence locally to support the group’s operations – the ‘Baltic Sentry’ order of battle (ORBAT) includes surface ships, submarines, satellites and radars, uncrewed systems, and fixed-wing aviation including maritime patrol and fast jet aircraft. In the latter context, the presence of two Royal Netherlands Air Force F-35s overhead of the two SNFs in the eastern Baltic early on in ‘Baltic Sentry’ may have been designed to send a message to any rogue state actor, perhaps supporting the CUI campaign that NATO is putting high-end military muscle behind ‘Baltic Sentry’ in both the maritime and air domains.

With this range of capabilities assembled to provide deterrence through presence and surveillance, ‘Baltic Sentry’ is designed to shine a light onto the activities of the ‘shadow fleets’ and other rogue elements that may be supporting a CUI threat campaign. “We’re the eyes and the ears,” Commodore Arjen Warnaar – Commander (COM) SNMG1 – told ESD onboard Tromp during a media day at sea in the Gulf of Finland, as ‘Baltic Sentry’ got under way. “We know something has happened. We’re increasing our patrols. We’re showing ourselves. We’re monitoring basically everything here at the moment. That sends a clear message.” Cdre Warnaar added, “If something is going to happen here, it’s highly likely we’ll detect it.”

Alongside sending a deterrence message to rogue actors, SNMG1 and SNMCMG1 are present in the Baltic to send a reassurance message to allies. For example, in February 2025, SNMG1 conducted a port visit to Gdansk, Poland while SNMCMG1 called into Liepāja, Latvia. According to MARCOM statements, the two SNF COMs discussed CUI issues in the region and how the SNFs can support NATO Allies.

The SNFs, including those in the Baltic, can also be used to support wider NATO operational capability developments. For example, in late February, Tromp – plus Danish and German naval vessels – supported a combined MARCOM/NATO Allied Command Transformation (ACT) capability demonstration involving integrating uncrewed surface vessels (USVs) into SNF operations, as part of the process of preparing the capability to support ACO operational requirements and activities, especially enhanced vigilance presence, across the Euro-Atlantic theatre.

It could also be construed that conducting such a capability test was designed to demonstrate to any actors behind a CUI campaign that more capability could now be made available to counter this threat.

Technical assistance

Alongside providing assurance and operational assistance, NATO is also developing its capacity to counter the Baltic Sea CUI threat and the evolving underwater challenge more widely within the context of NATO efforts to harness autonomy and digital capabilities to improve at-sea surveillance.

NATO’s new Task Force X initiative is central to this effort. Created under ACT and announced on 5 February 2025, Task Force X will develop a fleet of autonomous systems to provide persistent surveillance, detect and track threats, and enhance maritime situational awareness (MSA) especially in the underwater battlespace, NATO said in a statement. The Baltic CUI threat is illustrative of this requirement, it added. Underlining the impact of its role, Task Force X provided USVs and other inputs for the Baltic Sea capability demonstration. ACT and ACO work together on Task Force X to develop capabilities that exploit emerging and disruptive technologies like autonomous systems and artificial intelligence (AI) in maritime operations to enhance MSA in support of SLOC and CUI security, the statement continued. Task Force X provides a framework for NATO states to contribute autonomous capabilities to Alliance activities in an integrated manner. A core focus for Task Force X will be capability interoperability and scalability.

Outlining the plan for Task Force X back in January 2025, Secretary General Rutte said “We have agreed today to launch an initiative to deploy new technologies to this [CUI security] effort, including a small fleet of naval drones, to provide enhanced surveillance and deterrence. We are also working with allies to integrate their national surveillance assets with NATO, ensuring comprehensive threat detection.”

In the NATO statement, Admiral Pierre Vandier – a French naval officer, and Commander (COM) ACT – said “Task Force X will integrate uncrewed systems with existing naval forces, before transitioning to a fully autonomous fleet operating independently to counter threats and protect critical infrastructure. It will collect data between uncrewed systems and other emergent technologies, fuse that data within a resilient network, and utilize AI to shape MSA.”

Multinational approaches

Alongside the NATO and national efforts targeting the Baltic CUI threat, non-NATO multinational efforts are playing a part. For example, back in January 2024, the UK-led, 10-country Joint Expeditionary Force – Maritime (JEF-M) task group conducted a large-scale deployment into the Baltic Sea to provide, again, deterrence through presence and surveillance. In the wake of the outbreak of the Russo-Ukraine war, JEF – established back in 2014 – moved to develop JEF Response Options (JROs) to enhance the sub-threshold, non-NATO security contribution it could make for Allies and partners in the North Sea/Baltic Sea region. This particular deployment – JRO 3.2, which involved more than two dozen ships, plus aircraft, from across the JEF membership – covered waters stretching from the western Barents Sea to the eastern Baltic seas. While not being a NATO activity, its focus on maritime security threats such as Baltic CUI was designed to support NATO’s enhanced vigilance requirements for the region.

Alongside providing physical deterrence presence in the Baltic, JEF has also moved to counter the activities of ‘shadow fleet’ vessels looking to operate there. In January 2025, JEF activated for the first time what the UK Ministry of Defence (MoD) referred to, in a statement on 5 January, as an advanced reaction system designed to track potential CUI threats and monitor Russia’s ‘shadow fleet’. Named ‘Nordic Warden’, the AI-based system is designed to assess data, including from AIS networks, to calculate the risk posed by any vessel entering areas of interest. This included, the statement noted, specific Russian ‘shadow fleet’ ships. If a particular risk is perceived, the system will send out a real-time warning to JEF participant countries and NATO allies. According to the statement, ‘Nordic Warden’ covers 22 areas of interest, across the English Channel, North Sea, the Kattegat and Skagerrak Straits, and the Baltic.

Countering threats such as the Baltic CUI challenge requires a range of responses, from strategic, to operational, to tactical. ‘Baltic Sentry’ in one sense covers all three, being a strategic-level response to what is a clear and present threat to Alliance interests, with the response manifested in operational and tactical activities. From the JEF perspective, its Baltic deployment and the development of ‘Nordic Warden’ are operational- and tactical-level components. Responses across all three levels must be underpinned by effective, task-relevant capability.

In terms of delivering security across the Euro-Atlantic theatre, NATO is – in a simple sense – a ‘hub’ around which security can be built. Multi-national constructs like JEF can be seen as ‘spokes’ that mutually support and reinforce the ‘hub’.

Another ‘spoke’ in the North Sea/Baltic Sea region is the Northern Naval Capability Co-operation (NNCC) construct. In 2022, six Northern European countries – Denmark, Finland, Germany, The Netherlands, Norway, and Sweden (Finland and Sweden then as non-NATO members) – established NNCC to assess how to build industrial collaboration to augment naval capability. The first formal meeting was held in Copenhagen, Denmark on 26 September 2022 – the same day the Nord Stream pipelines were blown up. Responding to the CUI threat became an immediate NNCC priority, as the six countries looked to seize the opportunity to ‘do something’ collectively about the problem – especially through harnessing the ‘mass’ in uncrewed capabilities and underwater knowledge possessed by the commercial sector, to help build maritime SASU, particularly in the underwater domain. Thus, NNCC established the Seabed Security Experimentation Centre (SeaSEC) in December 2023.

SeaSEC is currently under Dutch lead and headquartered at Scheveningen in The Netherlands. However, plans include options to rotate leadership and headquarters location. SeaSEC is looking to build SASU at a joint and combined level across the North and Baltic seas by exploiting existing technology available in the commercial sector. Collaboration between navies and industry is key. SeaSEC is not setting out to provide an incident response capability. However, it aims to improve collective capability for underwater detection, tracking, data processing, and information transfer, plus fusing information from different sources, to generate actionable information at the speed of relevance to support response options and increase deterrence against CUI threat actors and activities.

To help build capability to achieve this aim, the SeaSEC headquarters boasts conference, planning, and virtual testing facilities ashore, plus a 26 km² area for at-sea testing, including a dedicated 2.6 km² exclusive area where objects can be placed on the seabed for training without risk of accidental interference by other sea users. With seabed depths of up to 20 m offshore, with a sandy bottom, and with other CUI close by, Scheveningen’s area is ideal for testing detection of threats such as buried explosive devices, or anchors being dragged across the seabed. SeaSEC calls its combined virtual/real training capability ‘sandbox and salt’. This integrated approach is focused on SeaSEC’s primary geo-operational task – to help identify small objects on the seabed.

Alongside being a ‘hub’ for sharing technology and information, SeaSEC is also a ‘hub’ for sharing ideas. It is a location where navies can test conceptual and operational use cases for securing CUI, and where they can do so in partnership with industry: navies get to know how industry can contribute to meeting the surveillance requirement; and industry gets to know how navies want it to contribute to the surveillance requirement.

In capability terms, SeaSEC focuses on testing systems with higher technology readiness levels (TRLs) – for example, TRL6 or upwards – to test capability that is more developed and perhaps more ready for use. Indeed, the focus on integrating naval and commercial maritime capabilities underlines how addressing the CUI threat is very much a multi-agency function.

Rear Admiral Fredrik Lindén – a Royal Swedish Navy submariner currently posted as Director Naval Systems at Sweden’s defence materiel agency FMV (Försvarets materielverk), told ESD that using the phrase ‘CUI protection’ rather than ‘seabed warfare’ can help clarify which sector or which agency is best suited to tackle which part of the CUI threat. Using the term ‘seabed warfare’ risks it being seen as a naval matter and not as a wider concern that requires a combined, integrated civil-military response.

In purely naval terms, the changing nature of the threat across the Euro-Atlantic theatre, and the outbreak of conventional war, demonstrates that a ‘just in time’ mindset to defence procurement needs to be replaced by ‘just in case’ approach, with NATO countries in a dynamic now of trying to catch up with the threat, said Rear Adm Lindén.

Seabed challenge

SeaSEC has already hosted industry capability demonstrations on two occasions, in December 2023 and June 2024, where the use of uncrewed vehicles and the use of information were tested and developed. The next step will be taken in May 2025, when industry will gather at Scheveningen for a 10-day ‘Challenge Week’ period.

Several ‘Challenges’ will be conducted, including: finding, tracking, and identifying unknown underwater vehicles operating in an area; finding small objects, which could be explosive devices, placed around a pipeline; detecting and reporting any anomalies on the seabed in a set area; monitoring a set of transect lines, detecting anything that crosses the line and identifying what it may be (such as an uncrewed system or a diver); and demonstrating the ability to send data back to shore.

SeaSEC is also looking at the role of USVs in providing surveillance and information to counter the CUI threat, noting that USVs will be a central element of future naval force structures and their requirement for surface-based surveillance in dealing with, for example, CUI threats. SeaSEC’s work with industry underlines the extent to which tackling the CUI threat requires a multi-sector, and multi-agency approach. Its model can have relevance to other capability areas across NATO, and European Union (EU), naval operational requirements.

The Baltic CUI threat, and the political support in place to tackle it, due to the clear and present challenge it poses to NATO and national interests in terms of the risk to key daily societal requirements including access to data or power supplies, is underlining to NATO countries the need to build MSA as a whole, but especially in the underwater domain, as well as the wider importance of using the sea to deter threats to Alliance interests. The response through deploying SNMG1 and SNMCMG1, or the JEF-M task group, plus building capability through SeaSEC, underline that a response can be generated using available technology and sharing available data to tackle the threat.

Dr Lee Willett

Author Box: Dr Lee Willett is an independent writer and analyst on naval, maritime, and wider defence and security matters. Previously, he was editor of Janes Navy International, senior research fellow in maritime studies at the Royal United Services Institute, London, and Leverhulme research fellow at the Centre for Security Studies, University of Hull.