


Israel recorded about 4,800 hostile cyber incidents in June, three times the level reported a year earlier. The surge shows why a kinetic ceasefire cannot be treated as a digital ceasefire, and why European infrastructure, professional services and smaller suppliers must prepare for conflict-related cyber operations that continue below the threshold of war.
Hostile cyber activity against Israel nearly tripled during June, according to the head of the country’s National Cyber Directorate, offering a quantified warning that digital operations can intensify even as governments negotiate pauses in conventional fighting.
Director-General Yossi Karadi said Israel registered about 4,800 hostile cyber incidents in June 2026, compared with roughly 1,600 during June 2025. The figure was given in an interview with the German newspaper Die Welt and reported on 29 June. It represents the directorate’s own tally and has not been accompanied by a public breakdown separating serious intrusions from scanning, denial-of-service activity or lower-level attempts.
That caveat matters. Headline incident totals can mix very different events. The scale of the increase nevertheless supports a broader operational conclusion: cyber pressure moves with geopolitical escalation, but it does not necessarily stop when missiles and aircraft do.
Kinetic operations are visible and politically attributable. Aircraft return to base, missile launches stop and damage can be observed. Cyber operations are easier to continue or deny.
An intrusion may have begun before a ceasefire and remain undetected for months. Access can be preserved for intelligence collection or future disruption. Proxy groups and ideologically aligned hackers may continue operating even when a state wants to reduce military escalation. A government can also use cyber activity to maintain pressure while avoiding an attack likely to trigger an overt response.
This creates a dangerous asymmetry. Political leaders may announce de-escalation while network defenders experience no corresponding reduction in hostile activity. Organisations that relax monitoring after a ceasefire may do so at exactly the wrong moment.
Karadi identified law firms, accounting firms and smaller companies among the exposed organisations. These are not secondary targets. They often hold commercially sensitive data, privileged communications, identity records and access to larger clients.
A defence contractor may maintain sophisticated security while relying on a small legal adviser or software supplier with fewer resources. Attackers can compromise the weaker organisation, steal credentials or use a trusted connection to reach the primary target. The same logic applies to energy operators, hospitals, ports and government departments.
European critical infrastructure is therefore exposed through an ecosystem, not only through its central control room. The NIS2 Directive expands risk-management and reporting duties across essential and important sectors, but compliance does not guarantee operational readiness. Companies need tested recovery procedures, segmented networks, protected backups and visibility into their suppliers.
European organisations may be targeted because they support Israel, the United States or Gulf partners, enforce sanctions, provide technology, or simply offer a less protected route into a global network. Iran-linked actors have previously been accused of espionage, disruptive attacks and operations against political opponents abroad.
The EU has already used its cyber sanctions regime against Iran-linked activity. Earlier this year, Brussels sanctioned an Iranian entity alongside Chinese actors over malicious operations affecting member states and partners. The latest Israeli figures suggest that attribution and sanctions must be accompanied by practical defensive preparation.
Europe also hosts infrastructure connected to the Middle East conflict: shipping companies, energy traders, airlines, financial institutions and diplomatic networks. A cyber operation against any of these sectors could create physical or economic effects far beyond the original political target.
Governments have incentives to publicise high attack totals. The figures can support budget requests, demonstrate adversary hostility and show that defenders are active. They can also mislead if every automated probe is counted alongside a destructive intrusion.
European agencies should therefore ask several questions before using the 4,800 figure as a planning benchmark. How many incidents involved confirmed compromise? Which sectors were targeted? How many attacks were attributed to Iranian state bodies rather than independent or criminal groups? Were techniques changing, or did the increase mainly reflect greater volume?
The absence of those answers does not remove the warning. It changes the response from alarm to intelligence collection. Governments need shared indicators, common severity definitions and rapid exchange of technical evidence.
No state can block every phishing message, exploit attempt or denial-of-service attack. The realistic objective is to prevent routine access from becoming strategic disruption and to recover quickly when defences fail.
For critical infrastructure, that means separating operational technology from ordinary corporate networks, restricting remote access, maintaining manual fallback procedures and exercising with public authorities. For smaller professional firms, priorities include multi-factor authentication, patching, secure backups and clear incident-reporting channels.
Defence Matters has previously examined how European cyber defence depends on shared training and situational awareness. The Iran-related surge adds urgency to that work. Cyber exercises should include geopolitical ceasefires in which hostile activity continues, attribution remains uncertain and private suppliers become the entry point.
Cyber operations allow adversaries to keep testing defences without crossing the same visible thresholds as a missile strike. They can steal information during negotiations, prepare access for a future crisis and impose costs while preserving plausible deniability.
Europe should therefore treat any Middle East pause as a change in the threat environment, not an end to it. Intelligence priorities may shift; hacktivist narratives may change; previously implanted access may become more valuable.
Israel’s 4,800 incidents do not predict an identical wave against Europe. They demonstrate how quickly hostile activity can scale when conflict begins and how broadly the target set can expand. The central warning is simple: a ceasefire may stop weapons in the air while leaving malicious access inside the network.