Methodology

Peter Howitt is the editor of the European Geopolitical & Hybrid Threat Monitor — Asymmetric Intelligence, published at asym-intel.info. He writes and advises on geopolitical strategy, hybrid warfare, intelligence operations, and European strategic autonomy. Based in Gibraltar.

An item is included in any analytical dimension if and only if: (1) it is new within the 7-day window or materially updates a tracked trend; (2) a senior policymaker, intelligence professional, or strategic analyst in the target audience would need to know about it; (3) it carries a primary or Tier 1–3 source link; and (4) it is not duplicated by another item in the same reporting period. There are no arbitrary item caps. If a threat dimension yields six signal-quality incidents in a week, all six are documented.

Factual reporting (what was observed, documented, or officially attributed) is always distinguished from analytical assessment (what the pattern implies, what the risk trajectory suggests). Attribution confidence labels — Possible, Probable, Confirmed — are applied to every claim involving actor attribution. Assessment language is explicit: phrases such as "assessed as," "probable indication of," or "consistent with documented doctrine" flag the analytical layer. Claims lacking a source chain are not published.

The EGHTM operates a five-tier source hierarchy. Cross-referencing across tiers is standard practice: it exposes attribution gaps where institutional findings diverge from investigative ground truth. Where such gaps exist — for example, when investigative outlets name a perpetrator months before institutional bodies issue formal attribution — the gap itself is documented and analysed.

Tier	Category	Named Sources	Rule
T1	Institutional & Diplomatic	EEAS 4th FIMI Threat Report; NATO StratCom CoE Attribution Framework (IIAF); ENISA Threat Landscape; EU Hybrid Fusion Cell; European Commission policy documents; official national security assessments	Always use. Link directly to primary institutional source. Never cite press coverage of a document when the document itself is available.
T2	Real-Time Threat Data	ACLED Conflict Index; GDELT Analysis Service; EEAS FIMI Explorer (interactive incident dashboard); Ukrainian General Staff daily loss data; OSC/FBIS monitoring services	Use when no Tier 1 document covers the specific incident or metric. Cross-reference against T1 where possible.
T3	Investigative & Forensic	Vsquare; Lighthouse Reports; Bellingcat; Politico (EU edition); Byline Times; IJ4EU; Mediapart; EUvsDisinfo; DFRLab; OCCRP	Primary use for incident attribution ahead of institutional acknowledgement. Attribution lag between T3 findings and T1 formal attribution is itself tracked as a methodological signal.
T4	Infrastructure & Technical	NetBlocks Europe (internet disruption); MarineTraffic Baltic Sea monitoring; Mandiant M-Trends; CrowdStrike Global Threat Report; Shodan; national CERTs	Use for cyber, infrastructure sabotage, and technical attribution. Combined with T3 for full incident picture.
T5	Strategic Defence Research	Hybrid CoE (Helsinki); RUSI; DGAP; ECFR; IISS; Chatham House; Carnegie Europe; CIDOB (Barcelona); SWP; RAND Europe	Used for strategic framing, trend interpretation, and doctrine analysis. Named as T5 in citations. Not used as primary attribution for specific incidents.

The EEAS Foreign Information Manipulation and Interference (FIMI) framework — as operationalised in successive annual threat reports and the FIMI Explorer incident database — formally tracks Russia and China only. This constraint is institutional and political, not analytical. It reflects the diplomatic parameters under which the EEAS operates, not the actual threat landscape facing European democratic institutions.

The EGHTM explicitly monitors FIMI and hybrid operations across four state actors. CIDOB (Barcelona Centre for International Affairs) has formally identified the EU's two-actor limitation as a critical analytical gap in published research. This monitor operationalises the correction.

This monitor covers European-theatre operations by these four actors: interference in EU member state democratic processes, hybrid attacks on EU/NATO infrastructure, legislative and regulatory capture, economic coercion affecting European strategic autonomy, and narrative operations targeting European public opinion. For global FIMI campaign attribution across all six actors (including Iran and Gulf states), actor doctrine, commercial cognitive warfare operators, and cross-jurisdictional platform responses, see the Global FIMI & Cognitive Warfare Monitor — the dedicated hub monitor for FIMI intelligence across the asym-intel.info suite.

• S.01 Ukraine War Situation Front-line status, Russian military losses (Ukrainian General Staff primary source, cross-referenced ACLED), ceasefire framework tracking, NATO posture, nuclear doctrine signals. The Trump-Witkoff settlement framework is tracked as a European strategic risk event.
• S.02 FIMI Incident Tracking Cross-referenced to the EEAS 540-incident framework but expanded to cover all four actors. Each incident carries attribution confidence label and source tier. Incidents where T3 attribution precedes T1 formal acknowledgement are explicitly flagged.
• S.03 Election Threat Assessment Per-country risk ratings for EU member states with scheduled elections. Vectors assessed: FIMI operations, infrastructure attacks, financial flows to political actors, algorithmic amplification, and disinformation narrative seeding. Rating: Critical / High / Elevated / Monitored.
• S.04 State Capture Risk Tracked for six member states at elevated risk: HU (Hungary), GE (Georgia), SK (Slovakia), RS (Serbia), AT (Austria), CY (Cyprus). Dimensions: executive capture, judicial independence erosion, media control, foreign financial dependency, and veto leverage within EU institutions. Scoring model details are not published.
• S.05 Democratic Health Scoring 1–10 composite score per tracked member state. Drawn from V-Dem, Freedom House, Reporters Without Borders, and Hybrid CoE data, supplemented by original analysis. Scores are directional indicators, not precision measurements.
• S.06 Network & Infrastructure Analysis Hybrid attack networks: sabotage incidents, arson, subsea cable interference, cyberattacks on critical infrastructure. Baltic Sea monitoring (MarineTraffic). NetBlocks data for internet disruption events. CCD tracker: 151+ Russian-linked hybrid attacks across Europe since February 2022.
• S.07 EU Legislation Impact Impact scoring of major EU legislation (DSA, DMA, AI Act, NIS2, CER Directive, AI Liability Directive) across all four tracked actors. Assessed: compliance pressure, regulatory capture attempts, lobbying expenditure, and legal challenge vectors.
• S.08 Lagrange Point Framework Measures European strategic autonomy progress across five policy vectors: defence industrial base, energy independence, digital sovereignty, financial instruments, and diplomatic capability. Progress scored against threshold levels. Detailed weighting methodology is not published.
• S.09 Weekly Intelligence Brief Top 10 items selected by strategic significance across all dimensions. Ranking is editorial, not algorithmic. Each item carries source tier, attribution confidence (where applicable), and a one-sentence strategic significance statement. Published Sunday 20:00 Gibraltar time.
• S.10 Strategic Response Tracking EU institutional responses: European Defence Fund allocations, PESCO developments, ReArm Europe mechanism, FIMI Deterrence Playbook implementation, counter-hybrid operations. NATO posture and Article 5 trigger thresholds. Member state defence spending trajectories.

Every claim involving attribution of an operation, incident, or influence activity to a specific state actor carries an explicit confidence label. Labels reflect the evidentiary basis, not political sensitivity. An operation formally attributed by institutional sources may carry lower confidence than one with strong multi-source forensic documentation if the institutional attribution is itself contested or politically motivated.

Attribution labels are reviewed when new evidence emerges. Where a label is upgraded — for example, from Possible to Confirmed following a formal EEAS or Eurojust statement — the original assessment and the upgrading evidence are both retained in the record.

Geographic scope: European Union member states and candidate countries; NATO European members; European Economic Area. Operations by tracked actors that originate externally but target European populations, institutions, or infrastructure.

Temporal scope: Current coverage period is Q1 2026, with contextual references to earlier events where required for pattern analysis. The Ukraine war is tracked from February 2022 as the baseline strategic event. Update cadence is weekly; substantive breaking events trigger immediate annotation.

Actor scope: Russia (RU), China (CN), United States (US), Israel (IL). These four actors are tracked for European-theatre operations. Other actors (Iran, Gulf states, domestic far-right networks) are referenced where they intersect with tracked actors or EU institutions, but are not primary tracking subjects of this monitor. See the Global FIMI & Cognitive Warfare Monitor for full multi-actor coverage.

Open-source ceiling: This monitor uses exclusively open-source intelligence. Classified assessments from EU, NATO, or member state intelligence services are not available. Where classified products are referenced in published T1 sources (for example, the EU Hybrid Fusion Cell), the public summary is used.

US and IL attribution gap: Because neither the United States nor Israel is formally tracked by EEAS or equivalent EU bodies, attribution for their operations relies predominantly on T3 investigative journalism and T5 strategic research, rather than T1 institutional sources. This asymmetry is disclosed where it affects confidence levels.

Real-time data latency: The dashboard reflects the state of open-source data as of the most recent Sunday update cycle. Rapidly developing events (breaking military actions, major cyberattacks, election night interference incidents) may not be fully integrated until the following weekly update.

Scoring model opacity: The Democratic Health Score (1–10), Lagrange Point Progress assessments, and State Capture risk ratings are composite editorial judgements drawing on the sources listed. The detailed weighting models are not published in order to prevent gaming. Direction and magnitude of change are more reliable than absolute scores.

This is an open-source intelligence synthesis product, not a classified intelligence assessment, academic research output, or legal document. It does not carry the authority of an institutional attribution. Nothing in this monitor should be read as a finding of fact for legal or regulatory purposes. Users seeking institutional-grade attribution should consult the primary T1 sources cited.

The EGHTM is one of four monitors published under the Asymmetric Intelligence brand at asym-intel.info. Each monitor covers a distinct analytical domain; they cross-link where coverage intersects.