Ready and relevant: JEF shines light into CUI grey zone to deter sub-threshold threats

Despite continuing politico-strategic turbulence in trans-Atlantic relations surrounding the on-going Russo-Ukraine war, NATO remains the standalone multinational military structure for deterring high-end military threats to Western European security. Yet with the war being ‘fought’ strategically by Russia through using hybrid activities in various regions, domains, and contexts across the Euro-Atlantic theatre, multinational structures other than NATO play a crucial role in deterring threats and escalatory risks at the sub-conflict-threshold level. At sea, one such multinational structure is the UK-led, 10-country, Joint Expeditionary Force (JEF).

In recent years, JEF has increasingly focused on maritime matters, due to its geographical area of responsibility (AOR) – the High North, North Atlantic, and North and Baltic sea regions – and the threats assessed in this area, especially since the war broke out in 2022.

Broadly, JEF is designed to provide robust, multidomain, multinational deterrence presence in Northern Europe. It generates non-NATO activity in the air, on land, and at sea to counter sub-threshold threats to member interests across its AOR that would not necessarily precipitate a NATO-led response. The 10 JEF member states – Denmark, Estonia, Finland, Iceland, Latvia, Lithuania, the Netherlands, Norway, Sweden, and the United Kingdom (as framework country) – all hail from this region.

Since being established in 2014, JEF’s maritime presence has been prominent, and increasingly so since 2022. Such maritime presence is crucial in deterring sub-threshold threats in a domain that, by geopolitical definition, is perhaps more open to ‘grey zone’, ‘hybrid’, asymmetric activities, being broadly accessible without the same physical national borders found in the land domain.

Moreover, the North Sea/Baltic Sea region is laced together by maritime links. For example, the 10 JEF states – plus other regional countries like France, Germany, Poland, and Russia – all rely on maritime trade for daily supply and economic development. This maritime trade is manifested in shipping traffic that transits from the North Sea, through the Skagerrak/Kattegat straits, and across the Baltic to the Gulf of Finland. In the context of the Baltic having become – again, by geopolitical definition – the northern maritime flank of the Russo-Ukraine war, the sea lines of communication (SLOCs) that transect it and connect it to the North Sea have become ‘strategic SLOCs’. With the heavy shipping traffic present across the Baltic and North seas, these ‘strategic SLOCs’ are very visible in politico-economic terms, being important for both maritime trade and security reasons. In the latter context, NATO and JEF will wish to support Baltic State, Finnish, and Swedish interests at and from the sea; Russia will also wish to access the North Sea from Kaliningrad and St Petersburg. So, such Baltic Sea ‘strategic SLOCs’ are – once more, by geopolitical definition – contested.

The Baltic and North Seas, plus their surrounding countries, also host another form of ‘strategic SLOC’ that generates daily supply and economic development – the network of critical undersea infrastructure (CUI) pipelines, cables, and other nodes that connect the resident countries to each other and to elsewhere to deliver energy, information, and other resources.

It may or may not be coincidental that the strategic importance of seabed SLOCs and of the Baltic Sea is such that, in the context of the Russo-Ukraine war, a series of CUI-related incidents has occurred in the Baltic since September 2022. The most recent incidents (in October 2023, November 2024, and December 2024) raised political and public awareness in Western European countries regarding the risk to CUI, but also prompted debate about whether such incidents – involving damage mostly to cables (but also pipelines) possibly being caused by ship anchors being dragged at speed along the seabed – were attributable to ‘shadow fleet’ ship activities. Such rogue vessels are used by rogue states to surreptitiously support efforts to evade sanctions, for example: they seem to operate at sea with automatic identification system (AIS) signals turned off and ashore with ownership paper trails cut off.

If such damage was done deliberately, for example to disrupt Western energy and data flows, this would be an archetypal illustration of the use of ‘hybrid’ tactics in the ‘grey zone’ below the conflict threshold, yet with intended strategic-level effects. Thus, responding to such an immediate threat and building near- and longer-term deterrence against it, without necessarily risking escalation, is a perfect task for JEF to tackle. JEF is aimed at sub-threshold threats: and the CUI risk is just that.

“Maintenance of security and stability for the North Atlantic region remains our key tenet,” Captain Dan Thomas – a UK Royal Navy (RN) officer posted as Assistant Chief of Staff (ACOS) Operations at the UK’s Standing Joint Force Headquarters (SJFHQ), Northwood, UK – told ESD in a 22 April 2025 interview: “Everything we’re doing as JEF now and indeed in the 10-year plan must be complementary to NATO, it must reinforce national defence plans, which in turn play into the NATO regional plans and the family of plans therein.” He noted, “everything is designed from the outset to be complementary because why wouldn’t it?”

Regarding CUI itself, Capt Thomas continued, “If we’re looking at security and stability, then protection of anything which has got ‘critical’ in the title is absolutely paramount.” He added, “the CUI issue within the Baltic – but also wider into the North Sea, which is in our AOR too – is absolutely critical”.

Warding off threats

JEF, through its maritime presence and wider response capability, has been tackling the CUI threat under what has developed into the ‘Nordic Warden’ series of operational activities. As the CUI incidents continued, the catalyst for JEF action was defence ministerial direction to look at the CUI risk writ large across JEF’s AOR, particularly in the Baltic. JEF CUI-related activities have been conducted on two occasions; in June 2024, with a task group deployment into the Baltic; and in January 2025, following the December 2024 Baltic CUI incident, when the EstLink2 power cable connecting Estonia and Finland, plus several internet cables, were damaged.

‘Nordic Warden’ response activities are enhanced today by an artificial intelligence (AI)-based software system from US company Palantir, which in this instance was used to help track potential CUI threats and monitor shipping by assessing AIS and other ship positioning data to calculate risks posed by certain vessels (including known ‘shadow fleet’ ships) entering certain areas of interest.

In a UK Ministry of Defence (MoD) statement in January 2025, Defence Secretary John Healey said the system is “a major innovation which allows us the unprecedented ability to monitor large areas of the sea with a comparatively small number of resources”.

NATO itself has a live CUI security activity underway in the region – ‘Baltic Sentry’, which similarly was set up following the December CUI incident. ‘Baltic Sentry’ integrates two NATO standing naval forces (SNFs), various surveillance assets from seabed to space, plus NATO, regional, and national naval platforms and command structures to provide multidomain surveillance and deterrence presence. NATO’s focus at the higher end of the threat and operational spectrums is underlined by the fact that Standing NATO Maritime Group 1 (SNMG1) – NATO’s North Atlantic-based high-readiness maritime task group – is leading ‘Baltic Sentry’, working with high-end capabilities including (for example) F-35 Lightning II fighter aircraft and submarines.

JEF fits neatly into this overall framework, including in a supporting and enabling manner. According to the MoD statement, “The JEF action reinforces existing and planned NATO responses.” It added that ‘Nordic Warden’ was activated under JEF protocols designed to provide response options to be used to protect member state and NATO alliance interests against such threats.

Response options

Known as the JEF Response Options (JROs), these protocols were drawn up following the war’s outbreak in February 2022, as JEF moved to strengthen the sub-threshold, non-NATO security contribution it could make for Baltic region allies and partners. According to JEF, the JROs are “planned integrated military activities designed to enhance multilateral capabilities, reassure countries, deter overt aggression, and complement NATO, throughout the continuum of competition to conflict”. The JROs are based around: the requirement to act quickly to build deterrence, through increasing co-ordinated, collective capability; addressing military (including hybrid) threats; deterring malign actions; and supporting – and sometimes being sequenced with – NATO’s enhanced vigilance activities to provide persistent response.

The JROs are part of a two-fold JEF operational response framework, providing proactive options alongside other, more persistent activities. The JROs enable JEF member states to opt in to what are surge activities designed to prepare and shape a theatre for a wider response, although should the deterrence impact of such a surge succeed then the JRO can be stood down, a 2024 JEF newsletter explained.

“We’ve got in the region of 70 JROs that go across the conventional domains and now increasingly into the hybrid domain,” explained Capt Thomas, noting, “they give our political and military leaders choice, based on pre-planned joint response options that we’ve developed as frameworks … to get after specific activity.”

Alongside the ‘Nordic Warden’ series – and emphasising JEF’s role across sub-threshold and into crisis contexts – other JEF operations, activities, and exercises encompass various air, land, maritime, and joint activities, including: ‘Baltic Express’, JEF’s maritime JRO series, which includes a forthcoming activity involving escort of strategic assets into the Baltic Sea from the North Atlantic, with six JEF countries contributing platforms (ranging from corvettes and patrol boats, to destroyers and frigates, to maritime patrol and ‘fast jet’ aircraft), C2, maritime operations centres (MOC), and civilian agency support; ‘Razor Edge 25’, which features operational activities designed to test the UK’s joint force contribution to JEF requirements in the Baltic and High North regions, including testing some JRO concepts; and the multi-JEF member ‘Tarassis 25’ activity, a six-week period of operations set for the end of 2025, that will test assigned forces and an expanded SJFHQ staff in JRO contexts, including relating to the Russian threat.

Drawn up in 2022 and based around robust military judgements, the JROs have since been matured, including quite swiftly in some areas, Capt Thomas explained: “They’ve been refined – or we’re starting to refine many of them – based on actual, tangible activity, which is a really big step forward.” This certainly is reflected in the CUI context.

JEF first activated a JRO in December 2023, to respond to the CUI risk and following a defence ministerial-level decision taken in November 2023 (itself occurring in the wake of the October 2023 CUI incident). Under this JRO, JEF established a focus on North Atlantic, North Sea, and Baltic Sea presence to counter CUI threats, including conducting the June/July 2024 CUI activity in the Baltic – the first time JEF had generated a maritime force to deploy on CUI tasking.

Ships began deploying to the region in late 2023 to support the JEF CUI focus with precursor activities, including the UK Royal Navy (RN) anti-submarine warfare (ASW)-focused Type 23 frigate HMS Richmond. The JRO ran for four weeks across June and July 2024. From across the JEF members, more than two dozen ships plus almost a dozen supporting aircraft came together, with assets deployed across 2.59 million km² (1 million square mile) maritime area stretching from western UK and western Barents Sea waters, but particularly through the North Sea and into and across the Baltic. Although not a NATO activity, the operation aimed to bring deterrence against the CUI threat through maritime security presence and surveillance, including to support NATO’s enhanced vigilance activity requirements. JEF tasks included patrol at sea and in the air with particular focus on securing offshore assets, sharing intelligence, monitoring Russian ship activity, and building a multi-domain maritime picture.

In a statement published during the operation, JEF said “CUI vulnerability can allow an adversary to use hybrid warfare techniques to destabilise targets by circumventing the methods of standard warfare.”

Illustrating how JEF countries contributed units to meet presence, surveillance, and deterrence requirements, the Royal Norwegian Navy (RNoN) frigate HNoMS Fridtjof Nansen and Skjold class corvette HNoMS Gnist deployed off Norway to secure the Goliat oil field and Nyhamna gas facility, respectively; in the Baltic, Estonian Navy, Finnish Navy and Border Guard, and RN ships worked together. Assets remained under national command, but with JEF co-ordinating activities from SJFHQ.

According to JEF, almost 100 intelligence reports were raised and shared during the deployment, leading to 33 commercial vessels being tracked in areas ranging from Norway’s western approaches to the eastern Baltic. The overall effect was to build situational awareness, share information, and communicate JEF member state intent.

In a statement released when the JRO concluded, JEF highlighted several factors underpinning the activity’s success: the importance of consistent liaison with numerous NATO headquarters to align messaging and emphasise mutual interests; contributing to national interests while complementing NATO’s work; and operating and co-operating effectively in a busy region and operational environment.

“‘Nordic Warden 24’ was a shift from being reactive to being proactive,” said Capt Thomas. While JEF previously had been responding to incidents, the more proactive approach was designed to build deterrence, including through compiling a more comprehensive ‘patterns of life’ picture. “It was about having a coherent effect, having surveillance, looking at maritime domain awareness (MDA), and building an understanding of what activity was going on within the Baltic Sea region,” Capt Thomas added.

The range of assets generated through an up-front ‘force sensing’ process – namely, seeking a generic sense of what forces countries may have available – also gave the JEF planners the opportunity to more effectively apply assets and their outputs to particular areas of interest.

‘Nordic Warden 25’ was done slightly differently. The specific focus again was CUI, with SJFHQ responding within 24 hours to defence ministerial calls to counter the continuing CUI threat, as evidenced by the November and December 2024 incidents. Working closely with the commercial sector, the JEF planners drew up a list of 24 named areas of interest spanning the North Sea, Norwegian Sea, Baltic, and Gulf of Finland. The aim here, Capt Thomas explained, “[Was] essentially to target where we thought international CUI was most vulnerable, and then being able to do something about it”.

What differed this time, however, was the need to work in tandem with NATO’s ‘Baltic Sentry’ CUI activity. This prompted perhaps three primary differences from ‘Nordic Warden 24’.

First, given that all JEF members are NATO members and with ‘Baltic Sentry’ covering a similar aim and area – to deter Baltic CUI risks – but focused on visible, higher-end deterrence presence, priority for contributing physical platforms was given to ‘Baltic Sentry’.

Second, JEF delivered significant value instead for both ‘Nordic Warden’ and ‘Baltic Sentry’ through generating greater autonomy in the at-sea surveillance and analysis function by introducing its software system from Palantir into operational activities for the first time.

Palantir’s system was used to help generate enhanced real-time MDA and recognised intelligence and operational pictures, with participants able to feed in and draw on the open source and intelligence data it uses, explained Capt Thomas. “The system would monitor everything we wanted to monitor. It would alert us if there was something we would be interested in,” he said. Enabled by record, playback, imagery, and analysis functions, and with data including ship names, tracks, and port visits, Palantir’s software “gives you this really good picture of what’s going on,” he added.

The 24 identified areas were ‘geo-fenced’, with Palantir’s software providing information on vessels of interest in each area and parameters that could point to suspicious activity outside of routine ‘patterns of life’. Subject matter experts then determine if any activity flagged automatically by the system is suspicious or not, with the determination and supporting information shared with JEF countries and NATO. “Then we decide whether we’d want to have an effect, based on that,” said Capt Thomas.

With the volume of shipping traffic in the region, the amount and complexity of CUI, and the number of sensors and other information sources collecting data, AI plays a critical role within Palantir’s software. “[It] allows the system to interrogate the huge amount of data and present it in a way that’s digestible for the human to then make a decision,” said Capt Thomas. “We’re harnessing the power in order that, for the operator, it’s easier to see what’s going on.”

Third, integration with other stakeholders – especially NATO Allied Maritime Command (MARCOM), as the operational-level command for ‘Baltic Sentry’ – was more crucial than usual. ‘Baltic Sentry’ is the overarching, ‘umbrella’ construct under which all national and multinational activities targeting the Baltic Sea CUI risk since January have been held. Capt Thomas explained that the NATO and JEF activities were complementary. This complementarity, and overall output effect, was enhanced by the similar but slightly different AORs: ‘Baltic Sentry’ was Baltic-focused; ‘Nordic Warden’ had a wider AOR, including out into the North Sea and North Atlantic. JEF’s already-established close integration with NATO commands was both reflected and reinforced. Operational co-ordination and coherence and information and intelligence sharing between the JEF and MARCOM headquarters (along with Commander Task Force [CTF] Baltic – the German Navy’s new tactical maritime headquarters, which was conducting tactical control of ‘Baltic Sentry’ ships operating under MARCOM command) was very good, Capt Thomas added.

Operationalising effect

The ‘Nordic Warden’ CUI activities and their impact on an issue garnering high-level politico-strategic attention underlined the demonstrable effect JEF continues to have on regional security, particularly with the increased level of integrated operational activities it is conducting.

JEF’s participation in activities and operations in regions ranging from the Arctic to the Baltic underlines its growing impact on Northern European security, acting as a ‘spoke’ in the regional security ‘wheel’ built around the NATO ‘hub’.

In early 2024, JEF forces were deployed to support the opening stages of NATO’s alliance-wide, joint force, multi-domain ‘Steadfast Defender’ exercise, with this presence proving out JEF’s operational concept by demonstrating its deterring or shaping role in the pre-conflict phase, depending on how it is needed to support NATO requirements in peacetime, crisis, or conflict. JEF’s development pathway includes plans to link its own exercise and wider operational activity series more closely with the alliance’s ‘Steadfast’ series, said Capt Thomas.

JEF is being developed around a 10-year campaign plan, Capt Thomas explained. “That aims to [assess] where we are going, where NATO is going, and where we have to continue to develop to stay relevant – to stay at the cutting edge of doing what JEF set out to do in the first place.”

“We’re absolutely pushing the planning horizon out to make sure we are ‘match fit’, to make sure we’re absolutely integrated into the national exercise and defence plans, but potentially – and more importantly – into the NATO series of exercises to ensure what we’re doing is absolutely complementary,” Capt Thomas continued.

Although JEF passed its full operational capability milestone in 2018, it still seeks to enhance its operational outputs. “We continue to morph, we continue to practise, we continue to rehearse alongside with NATO, in order that we stay relevant and agile, and ready to do what JEF needs to do in terms of security and stability, particularly the North Atlantic and Baltic region,” Capt Thomas concluded.

Dr Lee Willett

Author: Dr Lee Willett is an independent writer and analyst on naval, maritime, and wider defence and security matters. Previously, he was editor of Janes Navy International, maritime studies senior research fellow at the Royal United Services Institute, London, and Leverhulme research fellow at the University of Hull’s Centre for Security Studies.