Hybrid wars, disinformation, and the international legal framework
Understanding legal risks and liability in times of hybrid conflicts

Hybrid threats combine military and non-military means, from cyberattacks to disinformation. If you operate in Europe, you face systematic pressure that may not look like a military attack. Attorneys from ARROWS, a Prague-based law firm, can help you understand the legal risks and prepare an effective defence, because your company may be a target without even realising it.


Quick summary

  • Hybrid threats are not only a military issue – they include disinformation campaigns, cyberattacks, and manipulation of public opinion that can destabilize your business and reputation.
  • The international legal framework is complex – while it prohibits military aggression, states may defend themselves under the self-defence regime. However, what counts as an “armed attack” in cyberspace remains subject to interpretation and evolving state practice.
  • Czech and European legislation is strict – obligations under NIS2 (implemented in the new Cybersecurity Act) and other regulations apply to a broad range of companies. There is a risk of high administrative penalties and direct liability of statutory bodies.
  • Preparation and legal protection are key – without strategic preparation and compliance, a disinformation attack or cyber incident can seriously damage your company, its reputation, and its financial value.

What hybrid threats are and why they should matter to you

Hybrid threats represent a complex type of security challenge that has long been recognised primarily by states and military strategists, but in practice is becoming a major issue for private companies. They involve a combination of military and civilian tools, information operations, cyberattacks, and economic pressure. These campaigns often operate “below the threshold” of what the international community would unequivocally consider armed aggression.

The attacker seeks to exploit the target’s weaknesses, conceal its activities, make events harder to interpret, and paralyse the decision-making process of the attacked party. For private companies, this means they may become a target without clear identification of the attacker and without the ability to immediately and easily prove who caused the damage.

Your company may not face a direct military attack, but it may be hit by an information attack, where lies about your product or the integrity of management appear on social media. Such campaigns may be financed from abroad and coordinated with cyberattacks. The attorneys at ARROWS advokátní kanceláře encounter such cases and can help you set up legal protection.

The DIMEFIL framework: how hybrid threats are carried out

To make it clear what you may face in a hybrid campaign, security practice uses the DIMEFIL concept. It is an acronym for the seven domains that a hybrid attacker typically combines. Understanding these dimensions will help you understand the risks to your company and the areas requiring legal protection.

The seven dimensions are: Diplomatic (diplomacy and politics), Information (including social media), Military means, Economic (sanctions or economic pressure), Financial, Intelligence, and Law (law enforcement and the legal system, including the abuse of legal processes to weaken an opponent).

If your company is part of critical infrastructure or a “regulated service”, such as energy, healthcare, or banking, it is particularly vulnerable to a combination of these tools. It is therefore subject to strict regulatory requirements arising in particular from the Czech Cybersecurity Act.

Related questions on hybrid threats:

1. Who are the typical perpetrators of hybrid threats?
State actors (often associated with the Russian Federation, China, or Iran), but also non-state groups, hacktivists, and criminal organisations hired by states (so-called proxy actors). The attorneys at ARROWS advokátní kanceláře have experience in addressing the impacts of these attacks and in legally securing evidence for the purposes of damages claims or insurance.

2. How do I know I am a target of a hybrid threat?
Warning signs may include coordinated attacks on your reputation on social media, repeated and sophisticated cyber incidents (DDoS, phishing), negative articles in disinformation media without any real basis, or physical incidents at your facilities.

3. What legal steps can I take if I identify a hybrid attack?
That depends on the nature of the attack – if you are a regulated entity, cyber incidents must be reported to NÚKIB (under the Czech Cybersecurity Act) and, in the event of a personal data breach, to the ÚOOÚ under the GDPR. Disinformation can be addressed through civil-law remedies (reputation protection) or by filing a criminal complaint. ARROWS advokátní kancelář will provide you with comprehensive legal support and crisis management.

Disinformation as part of hybrid threats

In the hybrid logic, disinformation is not a random phenomenon but part of a strategic campaign. Disinformation is usually understood as verifiably false or misleading information that is created and disseminated for economic gain or to deliberately deceive the public. It differs from so-called misinformation, which involves unintentional errors: disinformation is a deliberate attack.

From a legal perspective, disinformation is regulated mainly in EU law and Czech law. Extreme forms are sanctioned under the Criminal Code, for example spreading a false alarm or incitement to hatred. Other forms are addressed under the Civil Code through the protection of personality rights and of the name and reputation of a legal entity.

Your company faces the risk that false information will be spread about it, affecting sales, reputation, and share value. The attorneys at ARROWS advokátní kanceláře handle such cases routinely and help clients with legal reputation protection and the effective use of “notice and action” mechanisms against online platforms.

How disinformation exploits algorithms and digital infrastructure

Large online platforms use algorithms that often privilege content that triggers strong emotions. The European Union therefore adopted the Digital Services Act (DSA), which has applied in full since February 2024 and requires very large online platforms and search engines to assess the systemic risks of their services (including the spread of disinformation) and adopt mitigating measures.

If your company faces a disinformation attack on social media, the attorneys at ARROWS advokátní kanceláře can use the tools offered by the DSA and Czech law. The aim is to enforce swift action against illegal content and protect the client’s interests.

Related questions on disinformation:

1. What legal tool can I use if a lie about my company is spreading on a social network?
You can rely on the protection of the name and reputation of a legal entity under Section 135 of Act No. 89/2012 Coll., the Civil Code, file a report to the platform (using the DSA mechanism), or seek a court preliminary injunction.

2. Can I sue the author of the disinformation?
Yes. If it concerns a natural person in the company’s management, it may constitute the criminal offence of defamation (Section 184 of the Criminal Code). In the case of a company, it is a civil action for protection of reputation, where you may seek removal of the unlawful situation, an apology, and adequate satisfaction (including monetary compensation). In serious cases, the perpetrator may face liability for spreading an alarmist false report (Section 357 of the Criminal Code).

3. What if the disinformation comes from abroad and I cannot identify the author?
Cross-border enforcement is complex, but possible. Our ARROWS International network can help you take legal steps in EU jurisdictions and beyond. However, it is often more effective to target the platforms hosting the content and use regulatory tools.

International legal framework: what it allows and prohibits

International law in the area of hybrid conflicts runs up against the limits of 20th-century definitions. The UN Charter (Article 2(4)) prohibits the threat or use of force against the territorial integrity or political independence of any state.

Article 51 of the UN Charter recognises states’ “inherent right of individual or collective self-defence”, but only if an armed attack occurs.

The problem in 2026 still lies in the fact that cyberattacks and disinformation campaigns usually do not reach the intensity of a “kinetic” armed attack. They therefore cannot automatically be met with military force. Expert groups (for example the Tallinn Manual process) have tried to interpret these rules for cyberspace, but consensus among states is difficult to achieve.

The role of the UN Security Council and NATO

The UN Security Council is often paralysed on hybrid threats by the veto power of its permanent members. This is why NATO membership is crucial for the Czech Republic. The North Atlantic Alliance has acknowledged that a cyberattack or a hybrid campaign may, under certain circumstances, lead to the activation of Article 5 of the Washington Treaty, and it has developed strategies for countering hybrid threats. This provides the Czech Republic with a certain degree of institutional protection.

International humanitarian law

If a hybrid conflict escalates into an armed conflict, international humanitarian law applies. This also applies to cyber operations within the conflict, where attacks must not target civilian infrastructure or the civilian population. Attorneys at ARROWS address these issues in the context of sanctions regimes and compliance for companies trading in high-risk areas.

Czech and European legislation: what has changed for your company

In 2026, a new legislative framework for cybersecurity is fully established in the Czech Republic, based on EU Directive 2022/2555 (NIS2). This framework has significantly expanded the range of obliged entities and tightened sanctions. The Cybersecurity Act (ZKB) now applies to thousands of Czech companies.

If you operate in energy, transport, banking, or digital infrastructure, you likely fall under the regulatory regime as an essential or important entity.

A key change is the liability of top management. Statutory bodies are directly responsible for approving cyber risk management measures and overseeing their implementation. It is no longer possible to plead ignorance of IT. Inaction may be considered a breach of the duty of due managerial care under Czech law.

Sanctions and enforcement

The new Cybersecurity Act introduced high fines for non-compliance. For essential entities, the fine may reach up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. For important entities, the cap is EUR 7,000,000 or 1.4% of turnover, again whichever is higher.

If remediation does not occur even after repeated requests from the authority, this may result in a temporary suspension of the validity of certification or a ban on performing a management function for a specific natural person.

Attorneys from ARROWS, a Prague-based law firm, carry out GAP analyses for clients, set internal policies, and prepare company management to comply with their statutory obligations. The aim is to ensure regulatory compliance and avoid these draconian penalties.

Incident reporting

In the event of a significant cyber incident, strict deadlines apply. The entity must submit the so-called early warning to NÚKIB within 24 hours from the moment it becomes aware of the incident, and then an incident report within 72 hours. If the incident also involves a personal data breach, a parallel deadline of 72 hours from becoming aware of the breach applies for reporting to the Czech Data Protection Authority (ÚOOÚ) under the GDPR. The two deadlines run independently, so an incident response plan should track both clocks from the moment of detection.

Table of key risks: What your company faces and how ARROWS helps (office@arws.cz)

Risk: Failure to comply with obligations under the Cybersecurity Act (ZKB) (NIS2)
Sanction: Fine of up to EUR 10 million / 2% of turnover; for essential entities, theoretically even a temporary ban on holding office.
How ARROWS helps: Compliance and GAP analysis – we conduct an audit, identify gaps, set policies, and ensure compliance with legislation, thereby protecting the company and its statutory bodies.

Risk: Cyber incident without reporting
Sanction: Fine from NÚKIB; sanctions for GDPR breaches; liability for damages towards third parties.
How ARROWS helps: Crisis management (incident response) – real-time legal support, drafting reports for NÚKIB/ÚOOÚ, coordination with IT forensic experts.

Risk: Disinformation attack on reputation
Consequence: Loss of trust, decline in brand value, financial losses.
How ARROWS helps: Reputation protection – enforcement of rights under the Civil Code, notices to platforms (DSA mechanisms), lawsuits to protect the reputation of a legal entity.

Risk: Ransomware and extortion
Consequence: Operational shutdown, data loss, legal risks associated with paying a ransom (sanctions lists).
How ARROWS helps: Negotiation and legal assessment – legal assessment of whether payment is possible (from a sanctions perspective), communication with the police, handling the insurance claim.

Risk: Supplier failure (supply chain)
Consequence: Leakage of your data via a third party, contractual penalties.
How ARROWS helps: Contracting – review of supplier contracts, setting SLAs and cybersecurity liability throughout the contractual chain.

Readiness and prevention: What you need to do now

Hybrid threats target weak points. The first step is a risk analysis so you know which data and systems are critical for you. Attorneys at ARROWS can help you identify the legal obligations tied to these assets, such as the GDPR, trade secrets, or sector-specific regulations.

You must have a clear playbook on who to call, what to report, and how to communicate with the public to avoid damage to your good name. In a crisis, there is no time to read laws and look for procedures. An Incident Response Plan is therefore an essential part of preparedness.

The third layer is cyber risk insurance. Standard liability insurance often excludes cyber losses. ARROWS attorneys help clients review insurance terms so they cover real-world risks such as business interruption, data recovery costs, or legal representation.

Documented employee training is important evidence that management has fulfilled its duty of due managerial care. The human factor remains the most common attack vector, whether phishing or social engineering.

How disinformation can spread and how to respond

If you are targeted by disinformation, a fast and coordinated response is necessary:

  1. Legal steps: Use Section 135 of the Czech Civil Code (protection of a legal entity’s name) and file a claim seeking an injunction and removal of consequences. In the case of serious attacks, file a criminal complaint.
  2. Notice and Action: Use the mechanisms for reporting illegal content under the DSA Regulation with platform operators. Once a platform has actual knowledge of manifestly illegal content, it must act expeditiously; otherwise, it risks losing its liability exemption and exposes itself to regulatory sanctions.
  3. Communication: Transparent, fact-based communication towards the public and business partners.

Attorneys from ARROWS, a Prague-based law firm, coordinate these steps to minimize the impact on the client. We have experience handling attacks in the digital environment as well as enforcing rights before Czech courts.

Cyberattacks and ransomware in the context of hybrid warfare

Ransomware has become the dominant threat: attackers not only encrypt data but often also steal it and threaten to publish it. From a legal perspective, it is important to know that paying the ransom does not relieve management of liability for the incident, and the payment itself may be problematic under anti-money laundering rules or international sanctions. If the attacker is on an EU/US sanctions list, the payment may lead to serious legal consequences for the company and its managers.

Attorneys from ARROWS, a Prague-based law firm, can help you assess the situation, communicate with the Police of the Czech Republic and NÚKIB (the Czech National Cyber and Information Security Agency), and evaluate the insurance claim. We will ensure that all steps are compliant with Czech law and do not expose the company to further penalties.

Hybrid threats are a reality in 2026. Legislation places high demands on companies and shifts responsibility directly onto statutory bodies. Ignoring these risks can lead to crippling fines and irreparable reputational damage.

We have experience implementing compliance programs, handling security incidents, and representing clients in proceedings before regulators. Attorneys from ARROWS, a Prague-based law firm, deal with these issues on a daily basis and work with dozens of major companies.

If you are unsure whether your company meets current legal requirements under Czech legislation, or you are facing a security incident, contact us. We offer legal certainty backed by professional liability insurance in the hundreds of millions of Czech crowns and a specialist team of experts.

Most common legal questions on hybrid warfare and cybersecurity

1. Does the Czech Republic have an obligation to defend itself against hybrid attacks?
Yes, protecting state security and critical infrastructure is a fundamental function of the state. The Czech Republic has a National Strategy for Countering Hybrid Threats in force. Critical infrastructure entities have statutory obligations to cooperate in ensuring security. If you are unsure about your classification, contact ARROWS at office@arws.cz.

2. Can I sue a company or person spreading disinformation about my company?
Yes, the Czech legal system allows you to defend yourself through a civil action to protect the reputation of a legal entity (Section 135 of the Czech Civil Code), and/or file a criminal complaint (defamation, spreading a false alarm). ARROWS attorneys can represent you in these disputes.

3. What has changed with the new Cybersecurity Act (NIS2)?
There has been a significant expansion of regulation to new sectors (waste management, manufacturing, food industry, etc.), the introduction of strict incident reporting deadlines (24/72 hours), increased fines (up to EUR 10 million / 2% of turnover), and the introduction of direct personal liability of management for cybersecurity.

4. How does a private company defend itself against a hybrid attack?
By combining technical measures (IT security), procedural measures (business continuity plans, training), and legal steps (contractual safeguards for suppliers, insurance, active legal defense against attacks). ARROWS, a Prague-based law firm, covers the legal and compliance aspects of this defense.

5. What are the sanctions for non-compliance with obligations under the Cybersecurity Act?
For essential entities, up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. For important entities, up to EUR 7,000,000 or 1.4% of turnover, whichever is higher. In extreme cases, natural persons with managerial responsibility at essential entities may also face a temporary ban on performing a managerial function.

6. Can I obtain cyber risk insurance without implemented measures?
Insurers today require evidence of a certain level of security (e.g., MFA, backups, an incident response plan) before concluding a contract. Without this, the policy is either unavailable or extremely expensive and subject to exclusions. ARROWS can help you set up processes so you are insurable.

Notice: The information contained in this article is of a general informational nature only and is intended for basic orientation in the topic based on the legal status as of 2026. Although we take the utmost care to ensure accuracy, legal regulations and their interpretation evolve over time. We are ARROWS advokátní kancelář, an entity registered with the Czech Bar Association (our supervisory authority), and for maximum client security we maintain professional liability insurance with a limit of CZK 400,000,000. To verify the current wording of regulations and their application to your specific situation, it is necessary to contact ARROWS advokátní kancelář directly (office@arws.cz). We accept no liability for any damage arising from the independent use of information from this article without prior individual legal consultation.
