The Financial Dimension of EU Internal Security Threats

In April 2025, the EU published its updated internal security strategy, ProtectEU, underlining the reality that the lives of European citizens ‘have become less secure’. Hybrid threats, organised crime networks and terrorist threats from outside the EU have an increasing impact on the EU’s internal security. In addition, the traditional list of threats posed by organised crime and terrorists is expanding, and now includes sabotage, increasing use of ransomware attacks and active financial measures to undermine and destabilise European democracy.

In June 2025, soon after the publication of ProtectEU, the UK published its updated National Security Strategy (NSS). The NSS highlights many of the same threats as ProtectEU, and is rooted in addressing similar hostile foreign states and state-sponsored actors.1. Finance runs as a common thread through the threats states face – and from which they seek to protect themselves. ProtectEU calls for ‘following the money’ as a crucial element of efforts to combat organised crime and terrorism. The UK’s NSS goes further, arguing that ‘all elements of our security are supported by our ability to tackle illicit finance . . .  [including from] terrorist networks, serious and organised crime groups, and hostile state actors’.

Against this backdrop, in September 2025, the Centre for Finance and Security at RUSI convened a roundtable discussion at RUSI Europe’s offices in Brussels to assess the financial dimension of the internal security threats facing the EU and how finance underpins this wide spectrum of traditional and emerging threats. The discussion considered both the current effectiveness of the EU’s toolkit and responses, and opportunities to strengthen these aspects, in the face of the evolving threat landscape. The discussion featured experts from across the European Commission, European External Action Service (EEAS), Council of the EU, UK Foreign, Commonwealth & Development Office, civil society and the private sector.

Methodology

This Insights Paper is based on a review of relevant policy literature, notably the ProtectEU and UK NSS documents, and the unattributable contributions of participants in the roundtable. Unless otherwise indicated, statements in this paper reflect points raised during the discussions. The paper is intended to provide a framing for future engagements on this topic.

ProtectEU

ProtectEU outlines the major internal security threats to the EU and describes proposed initiatives to counter these challenges. The strategy advocates for three main principles:

1. A ‘change of culture on security’ is needed, especially with the aim of embedding a ‘whole-of-society’ approach into recommended action.
2. Security considerations should be ‘integrated and mainstreamed across all EU legislation, policies and programmes, including EU external action’.
3. Security merits ‘serious investment’ by EU member states and the private sector.

Threats listed in the document are wide-ranging and include terrorism, organised crime, sabotage, weaponisation of migration, information manipulation, cyberattacks and election interference. The repeated references to the financial dimension of these threats – including a dedicated section on ‘following the money’ – suggest that the EU is increasingly recognising the importance of addressing the role of finance in confronting internal and external security challenges. The roundtable scrutinised the extent to which this recognition is being translated into action.

A core element of ProtectEU addresses the rising prevalence of hybrid campaigns targeting the EU. In response, the bloc intends to intensify its response efforts by boosting ‘its operational and analytical capacities for identifying and mitigating hybrid threats’, enhancing cross-border cooperation, strengthening the resilience and security of external borders, reinforcing cybersecurity and increasing the resilience of critical infrastructure, among other measures. The strategy also identifies shortcomings at Europol – a cornerstone of the EU’s internal security – including that its current mandate does not cover rapidly rising threats, such as sabotage, hybrid operations and information manipulation.

ProtectEU also emphasises the importance of ‘following the money’ to disrupt organised crime and terrorism. In this context, confiscating assets is considered essential, supported by expanded EU-wide information sharing that leverages information gathered by national financial intelligence units (FIUs).

In short, ProtectEU signals greater EU recognition that the financial dimension of security threats requires urgent action. However, evidence of the implementation of a finance-led approach is scarce.

The Current State of the EU’s Illicit Finance Response

The threats identified in ProjectEU dominated the roundtable conversation, focusing on four main themes:

1. The link between organised crime and illicit money flows.
2. Financing of sabotage and terrorism.
3. Active financial measures, including financing of foreign interference.
4. The expansion of sanctions, including those related to criminal networks and – as indicated in Ursula von der Leyen’s State of the Union address – irregular migration.

To illustrate these challenges, examples were drawn primarily from the EU but also include experience from the UK and other neighbouring countries.

A recurring insight throughout the discussion was the central role of illicit finance as an enabler that underpins organised crime, terrorism and hybrid threats. While these activities are typically treated separately by policymakers, investigators and law enforcement, the fundamental problem is identical: the same (or similar) financial instruments and techniques are being leveraged to support harmful operations.

While states generally acknowledge illicit finance as one of the main factors fuelling, scaling and amplifying these threats, there remains a notable divergence in how they each incorporate this issue into their domestic and international policies. A participant noted that the UK, for example, places responding to illicit finance as a central part of its investigation of domestic cases of serious and organised crime. On the international front, committing resources to focus on illicit finance is more challenging, unless a clear threat to the UK is identified. Available funding is typically dedicated to the impact of illicit finance on development projects – specifically, how illicit financial flows restrict the development of broader economic and institutional systems.

During the roundtable discussion, a participant raised the role of illicit finance in countries such as Georgia, Moldova and Ukraine. Though illicit finance in these countries does not pose an immediate domestic threat to the UK, it does undermine the UK’s ability to carry out its foreign policy objectives (such as supporting the development of democracies and related governance and institutions). Therefore, this paper argues for the need for the UK and EU to intensify the focus on illicit finance in partner countries – for example, by providing training on cryptocurrency tracing – to enable them to fully comprehend how hostile states exploit financial channels to pursue their interests, beyond the borders of a particular country. A better understanding of the use of illicit finance to pursue geopolitical goals would enable the formulation of viable countermeasures to further foreign policy goals, even if there is no direct threat posed to the EU or UK.

Some participants argued that significant work has already been done at the EU level on illicit finance from a variety of angles, including to support responses to organised crime, money laundering, terrorist financing, election interference and sanctions evasion. The consensus in the room was that while the EU has established frameworks, legislation, policies and mechanisms for cooperation, as well as supporting public–private partnerships (PPPs), it remains to be seen to what extent these tools are being used effectively by member states to strengthen the EU’s internal security.

In the same vein, one of the key accomplishments highlighted by participants was the EU's anti-money laundering and counterterrorist financing (AML/CTF) package, which attempts to strengthen rules and bridge legislative gaps across member states in response to the financial crime scandals of the last decade. This package includes an important proposal for establishing a new EU authority, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) – an institution that coordinates national competent authorities involved in AML and CTF, including supervisors and FIUs. Given its recent creation, the effectiveness of AMLA remains to be seen, with some expressing concerns that it represents a backward step that will increase bureaucracy, rather than creating a dynamic agency that will enhance the effectiveness of the EU’s response to illicit finance.

In summary, the current state of play reflects a landscape where domestic and EU-wide frameworks and mechanisms have been established, but questions remain as to how these frameworks will be translated into effective action against key contemporary threats through coordinated, unified efforts across states and institutions.

Key Threat Vectors

The roundtable examined a variety of current threats to the internal security of the EU, focusing on those which have a notable financial dimension.

Terrorist Financing

The international community's approach to terrorist financing has changed over the past 15 years. The EU has expended substantial resources on counterterrorism through investing in multinational coalitions, including combating terrorist financing. Thankfully, terrorist attacks in Europe have significantly reduced since their peak 10 years ago; however, renewed calls for investment in counterterrorism from the European Commission in both the 2024–2029 Political Guidelines and ProtectEU underline that responses to terrorist financing are lagging, tending to be primarily reactive and responding to crises as they arise.

As large-scale terrorist incidents have become less frequent, resources and attention have been diverted away from monitoring and addressing terrorist financing – this was characterised by participants as shortsighted, from a strategic perspective. For example, new threats, such as those emanating from right-wing extremist networks, are increasingly sophisticated in their financial practices. Tools ranging from online crowdfunding to the use of cryptocurrencies and other new technologies are blunting historic responses to terrorist financing and underline the importance of the EU taking a stronger and more committed approach to the issue.

In this context, the current frameworks do not appear to be sufficiently dynamic to address future risks. For the EU to remain prepared for evolving terrorist financing risks – notably related to sabotage – sustained strategic engagement is more important than episodic responses.

Financing of Sabotage

While ‘traditional’ terrorist attacks in Europe have decreased over the past decade, the situation regarding politically motivated violence has become more complex. Sabotage attacks against critical infrastructure and other symbolic targets intended to disrupt the EU’s internal security have increased dramatically, especially since Russia's full-scale invasion of Ukraine in 2022.

Russia has long been seen as a central player in funding and coordinating sabotage across Europe. Participants noted that the growth of the digital space, particularly social media, has made recruiting actors to conduct these attacks considerably easier – presenting material challenges for security authorities charged with strengthening member state responses to sabotage. Investigative journalism repeatedly reveals how encrypted platforms like Telegram are enough to recruit operatives, assign tasks, send instructions, facilitate payment and maintain high levels of anonymity.

While sabotage is not new, this evolution of technology has facilitated new methods of recruitment and operation, including a phenomenon that has been termed 'gig-economy sabotage', which involves hiring people through social media to perform sabotage tasks in exchange for payment based on their success. The agents accountable for executing the operations are usually young and from vulnerable populations, such as unemployed nationals of EU member states, or Ukrainian refugees and teenagers who attract little suspicion due to their nationality. It is the financial dimension of these attacks that is most notable. They normally circumvent established banking system controls by avoiding traditional payment methods, relying instead on back channels, intermediaries, cryptocurrencies and in-kind transfers. Leaving little to no identifiable paper or digital trace, gig-economy sabotage attacks create disruption difficulties for law enforcement and FIUs.

The range of channels and tools used to finance sabotage reveals gaps in EU member states' security responses. Participants noted the need for the international community to respond swiftly to this new reality and update enforcement and intelligence tools; otherwise, Europe will continue to be subject to escalating low-cost and high-impact operations that evade conventional oversight.

In the end, participants agreed that, in a world where hybrid threats are becoming increasingly sophisticated and new technology tools are leveraged, counter-sabotage strategies need to undergo a fundamental rethink. Such strategies should integrate digital platforms, social media providers and a full range of new technologies into policy responses to maintain deterrence and operational readiness.

Financing of Election Interference and Information Manipulation

Alongside physical acts of sabotage, the EU faces a growing number of threats in the information and political domains, including election interference and foreign information manipulation and interference. These challenges are especially pressing in European neighbourhood countries that are also in Russia’s sphere of influence, where a wide range of channels and tactics are used by Moscow to undermine democratic processes and erode public trust in state institutions.

Hostile states employ a variety of schemes to manipulate information and raise funds for their malign influence operations. Propaganda campaigns are often coordinated by companies that appear to be public relations or communication firms, but in fact serve as deliberate disinformation centres. They develop narratives tailored to the target audience, fund the dissemination of these narratives and recruit and provide compensation to individuals who spread false information. Utilising digital technologies and social media platforms can enable these campaigns to be coordinated at unprecedented speeds and scale with minimal resources.

The speed of these campaigns puts defenders at a disadvantage. Often, by the time investigators identify the actors, gather evidence and take legal or administrative action, the campaign has usually already had its intended effect.

Financing of large-scale propaganda campaigns and election interference have been reported in Georgia, Moldova and other eastern European countries. Media outlets with foreign links and opaque financial institutions have become increasingly influential, amplifying the impact of misinformation and concealing its operational and financial chain.For example Cash smuggling, which is frequently made possible by intermediaries and money mules, was used by the Kremlin and its supporters to try and influence Moldova’s 2024 and 2025 national elections; so too were crypto-based and other forms of value transfer. Similar vulnerabilities have been identified in other countries as they prepare for national elections, including Armenia, which faces parliamentary elections in 2026.

To combat the threat of election manipulation and financing of disinformation, the EU has established the European Democracy Shield. Although strong political commitment and institutional frameworks are in place, the implementation of these policies remains a challenge. The success of this effort requires an integrated approach by EU institutions, member states and partner countries, combined with financial oversight, intelligence sharing and digital monitoring to detect, track and stop influence operations before they can achieve their desired outcomes.

Barriers to Effective Response

Having reviewed the financial dimension of the notable threats facing the internal security of the EU, participants turned to the barriers that continue to hinder the effective use of financial intelligence, along with the broader financial tools necessary in addressing these threats within the EU.

At the outset, participants highlighted the challenge of balancing the need for immediate responses with the development of measures that ensure longer-term effectiveness.

Fragmented Responses

The fragmented nature of the EU’s response to the threats it faces was identified as a central barrier to progress. For example, given the cross-border nature of organised crime, the bloc’s response should be more closely integrated with foreign policy objectives. However, this is challenging, as it requires deploying skills and resources across multiple branches of public administration that are too often operating in silos.

This silo effect also shapes the way threats are conceptualised. Participants stressed the importance of developing more coherent approaches that engage the widest possible range of government stakeholders, with some arguing that ‘follow the money’ should be the central focus on which coordinated responses can be built. (It was noted that the ‘follow the money’ approach is increasingly favoured in the UK.) The criminals often use the same financial techniques across different crime types, offering opportunities for synergy and efficiency in response design. This point was illustrated through the example of hawala, an informal funds transfer system that facilitates multiple types of illicit activity (such as organised crime, counterterrorism or sabotage). In such case, policy responses should be designed collectively, rather than in fragmented, issue-specific ways.

Participants observed that one of the underlying causes of these fragmented approaches lies in entrenched institutional cultures. Individual ambitions and narrow professional priorities often impede broader cooperation, making it more difficult to shift mindsets and adopt more integrated frameworks. This, the authors believe, must change.

The Speed Gap

Barriers that persist between the public and private sectors, as well as across national borders, compound the response challenge. A clear illustration of this point came from the financial domain: it currently takes many days for the main tool for cross-border evidence requests in the EU, the European Investigation Order, to be executed, while money can leave the EU in just one day. The rules, in other words, no longer reflect the realities of modern financial markets.

Additionally, participants noted that police and prosecutors often do not prioritise financial investigations, in part because such investigations typically take longer . This means that – in some cases – introducing a financial dimension can be perceived as obstructing the progress of a case. Nevertheless, strengthening financial investigations was seen as essential, with the central question being how to make them a consistent reality in practice.

One of the reasons this barrier is so persistent lies in resources. Investigators with financial expertise are scarce, and many of those with the necessary skills are drawn into the private sector, rather than public service. Structural factors also play a role: the criminal justice system remains heavily rooted in traditional criminal law approaches. Strengthening financial investigations by boosting resources is a necessary step to fighting financial crime.

Bridging the Information-Sharing Gap

Another reason the barrier between the public and private sectors persists is the continued shortfall in information sharing, despite longstanding PPP initiatives. The activities and leadership of Europol’s EFIPPP (European Financial Intelligence Public–Private Partnership), designed to facilitate collaboration, were seen as a positive step, but replication of this model is inconsistent within member states. Europol’s project on public–private cooperation and asset recovery was highlighted as an example of the added value that comes from bringing actors together and was suggested as a format that should be replicated for other topics. While much emphasis is placed on ‘information exchange’, participants underlined the fact that the real need is for sustained dialogue and for this information to be actively used – something which remains elusive.

Practical challenges also arise within governments themselves. Sensitive information is often gathered by intelligence agencies, but this material is rarely shared with, for example, sanctions teams, because of concerns that it could undermine ongoing investigations. This raises broader questions, such as:

• Who should collect information that is admissible in court, and should open sources play a greater role?
• How can the criminal justice system be protected from compromise, while still ensuring that relevant information reaches ministries of foreign affairs?

Participants debated whether new structures might be required and whether NGOs could help fill this gap without disrupting internal systems.

The discussion on barriers to effective responses concluded with a clear lesson: the tools to bridge the gaps already exist, but implementation is key. The experience of CTF demonstrates that when measures are applied effectively, they can constrain operations and reduce the scale of attacks. But responses need to constantly adapt. Organised crime groups and other illicit actors have adapted their operations by shifting into underground banking or exploiting new technologies, such as cryptocurrencies: shifts that require tracking and confronting, too. Participants unequivocally agreed that the tools to respond already exist; the challenge is to apply them consistently, while recognising and identifying where barriers lie and managing them realistically.

Tools and Levers Available

The discussion then turned to an examination of how the range of existing tools and levers could be more effectively deployed to counter the threats set out in ProtectEU.

Information Sharing and Data Quality

As noted above, participants agreed that public–private and private–private collaboration in information sharing remains both the most significant gap to be addressed and, at the same time, an area that has seen notable progress in recent years across various themes and jurisdictions.

An important development highlighted was the improvement in collaboration and information exchange among different government agencies. While each agency approaches illicit finance from a distinct angle – FIUs focus on money laundering and terrorist financing, police on drug trafficking and other forms of criminality, and other authorities on sanctions evasion – they are increasingly cooperating to build a more integrated response to illicit finance, given its centrality to these forms of crime.

For example, a participant representing the Belgian authorities highlighted national efforts to strengthen cooperation across agencies, offering a valuable perspective from a member state. In Belgium, prosecutors previously worked with a limited list of predicate offences, which is now being expanded to include sanctions evasion. In the past, sharing related information required coordination with Belgium’s General Administration of the Treasury and often involved reclassifying cases under organised crime or other offences to enable them to proceed. 

In response to the fragmentation of responsibilities across member states, the establishment of AMLA has the potential to bring new impetus and serve as an additional tool to advance integrated responses to combat financial crime.

In that context, the workshop discussion turned to the EU level, and the opportunities the new EU AML Package presents to better leverage partnerships and information sharing across EU jurisdictions. At the national level, a large amount of data exists, but there is still no meaningfully effective platform for exchange across member states – something that is being addressed via efforts focused on integrating various pieces of existing EU legislation. Further complication is presented by the considerable operating differences between FIUs across the EU. Participants underlined the importance of enhancing cross-border collaboration and coordination by using existing mechanisms more effectively first, without introducing additional procedures: a consistent theme throughout the discussion.

The discussion was enriched by contributions offering a UK perspective, where PPP efforts increasingly centre on the concept of data fusion. The National Economic Crime Centre has been redefining the practical understanding of PPPs, with significant work over the past year focused on integrating and analysing data from multiple sources to enhance collective effectiveness. This is a vision that the EU and member states would benefit from adopting.

Sanctions, Hybrid Threats and Organised Crime

Many individuals within EU policy circles only became actively familiar with sanctions in the context of Russia’s 2022 full-scale invasion of Ukraine. However, as indicated in ProtectEU and subsequent comments by the European Commission president, interest in the use of sanctions in response to criminal activity – such as the facilitation of irregular migration – is growing. Participants noted that the use of sanctions in this way presents a different set of implementation challenges to those against Russia. Central to success is ensuring clarity of underlying objectives during the design phase; these objectives may differ significantly from those related to Russia sanctions. 

For instance, in the context of irregular migration, the goal is not asset seizure but rather to render certain individuals and businesses, as one participant put it, ‘toxic and untouchable’. Moreover, irregular migration intersects with foreign policy considerations, particularly in cases where migration is weaponised by hostile states. Caution is therefore needed when discussing new sanctions tools, to avoid framing every initiative through the lens of the Russia sanctions experience.

As one representative of a member state noted, in relation to organised crime and hybrid threats, sanctions can be very effective in complementing diplomatic efforts – especially when engaging with countries where extradition is not available. This form of sanction should, therefore, form part of the traditional diplomatic toolbox: used in partnership with other countries, rather than against them.

A participant from a European institution added that law enforcement’s understanding of the strategic value of sanctions should be strengthened. In Belgium and the Netherlands, for example, administrative approaches are used to disrupt criminal activity, such as by dismantling houses where migrants work or by closing shops and restaurants. This represents prevention rather than enforcement: not the direct application of the law, but measures designed to pre-empt criminal behaviour. The participant noted that sanctions can be applied with the same philosophy, targeting criminals where law enforcement cannot reach. The US, for instance, has used drug-related sanctions to target companies supplying trucks to Latin America or hotels laundering money for cartels, thereby tackling the broader criminal infrastructure. Examples from the UK were also provided, where local council planning or licensing laws have been used to shut down commercial activities linked to money laundering and organised crime.

Building on this, the participant concluded that even underground banking systems have structures that can be targeted. However, as ever, the key remaining challenge is ensuring effective information collection, enabling authorities to design and apply sanctions more strategically. The potential is clearly there, but significant challenges remain, as representatives cautioned that sanctions must be implemented in a way that does not inadvertently hinder ongoing criminal investigations.

Emerging Policy Recommendations 

The overarching theme and main conclusion of the discussion were that both the public and private sectors already possess many of the required legal frameworks and policies needed to confront the financial dimension of the internal security threats faced by the EU, but that use of these tools falls short of what is needed. As one participant said, the EU and its member states have the necessary ‘do-it-yourself toolbox’, but it is not being used effectively, as institutions have not fully taken stock of the instruments available to them and are thus falling short of their maximum capability. 

Key recommendations put forward at the workshop included: 

• Develop horizontal thinking to break silos.

When responding to internal security threats, European and national institutions need to move beyond compartmentalised approaches and apply horizontal thinking. Applying a financial lens can create linkages between policy areas – such as organised crime, counterterrorism, sabotage and other hybrid threats – that can help break silos, identify communalities and ensure a more coherent response to those threats, led by the cross-cutting and common theme of finance. 

• Design sanctions that stick.

The introduction of new sanctions in response to internal security threats could be a valuable step, but sanctions that fail to bite are counterproductive. Policymakers must avoid adopting sanctions that cannot realistically be implemented, demonstrate impact or articulate a clear theory of change. Some EU member states have demonstrated effective enforcement capacity, while others face greater limitations. Future sanctions policy design should consider these differences in national capabilities and set sanctions goals that are realistic. 

• Target impact, not volume.

Current measures of success, such as the number of sanctions imposed or assets frozen, often prioritise quantity over impact. Success indicators should reflect strategic outcomes rather than outputs. For example, targeting the central enablers of criminality – notably, those that provide financial services – in coordination with third countries may yield more effective results than attempting to pursue all offenders at once. 

• Bring internal security into foreign policy.

In the case of Russia-related sanctions, specialist resources exist within government due to the international security importance of those sanctions. However, comparable expertise is lacking in the areas of illicit finance, serious organised crime and hybrid threats. Governments should develop similar, cross-border dedicated resources and expertise for these internal security challenges and integrate their activities into broader foreign policy goals. In this regard, the UK ‘illicit finance and serious organised crime network’ (IFSOCNet) is a model the EU might wish to explore. 

• Engage with third countries to help them raise their resilience.

Hostile actors continue to undermine democracy within the EU and its neighbourhood, often through active financial measures. Often, those countries do not have the necessary awareness, capacities and resources to counter these threats. For instance, in Moldova – one of the poorest European countries – traditional money-laundering techniques were repurposed to influence elections. The EEAS is already engaged in addressing these issues, but greater attention should be given to the financial dimension of such threats. Lessons from previous cases should be systematically shared with those currently facing similar challenges, to raise awareness and facilitate knowledge sharing in the European neighbourhood. 

• Make better use of open source intelligence (OSINT) to create an information-sharing loop.

Information that is already available is not being used to its full potential. OSINT should be systematically utilised to fill gaps in knowledge, guide enforcement efforts and support evidence-based policy action, especially in situations when government-collected information cannot be directly applied. Similarly, public awareness can serve as an indirect enforcement mechanism. Inserting verified information about criminal networks into media or public databases can trigger financial institutions’ alert systems, helping them to detect and report suspicious activity. Intelligence and law enforcement agencies should explore structured mechanisms to share relevant information with both the public and private sectors to strengthen collective resilience. 

• Think beyond the traditional deterrence paradigm. 

Participants highlighted the need to think beyond conventional approaches to deterrence. Sanctions remain a key instrument for influencing behaviour, but questions were raised about the EU’s appetite to act more assertively. While intelligence services already possess tools for deterrence, there is scope to explore additional measures beyond sanctions. The discussion encouraged policymakers to assess the political, legal and ethical boundaries of more proactive and muscular responses. Recent maritime incidents underline the new challenges that are being faced, and consequently the new approaches that are needed, beyond the traditional paradigm. 

Conclusion 

In summary, as part of its internal security strategy, the EU and member states need to develop ‘whole-of-system thinking, built on an illicit finance foundation’. EU strategy should place far greater emphasis on financial intelligence and information sharing, based on the cross-cutting nature of finance and its centrality to the range of threats faced by the EU. The EU should develop an illicit finance strategy as the leading element of response to internal security threats, not – as is often the case – an afterthought.