CORE: The EU Model
That Maps Every Hybrid Threat

The Board Is Already Responsible. Most Don’t Know It Yet.

On 8 May 2026, over 60 board professionals gathered in Helsinki for a joint event by Hybridiosaamiskeskus and Huoltovarmuusorganisaatio (National Emergency Supply Agency of Finland). The message was blunt:

“Tietämättömyys riskeistä ei vapauta hallitusta ja johtoa vastuusta.”
(Ignorance of risks does not exempt boards and management from responsibility.)

NIS2 made cyber risk a board-level legal duty. CER extended that duty to physical infrastructure. CSRD now requires disclosing the social impact of security failures. Three directives, one message: the board owns the risk, whether they understand it or not.

What CORE Actually Is

The Comprehensive Resilience Ecosystem (CORE) was developed by the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) in Helsinki together with the European Commission’s Joint Research Centre. It is a systemic map of democratic society — designed to show exactly where hybrid threat actors attack, how attacks cascade across sectors, and what resilience looks like at each layer.

CORE is not a checklist. It is a dart board. Threat actors pick a domain, apply a tool, and watch the cascade. Defenders use the same map to design countermeasures before the dart is thrown.

The 13 Domains: Shields or Entry Points

CORE organises society into 13 domains across three spaces. Each domain can act as a shield against attack — or as an entry point if resilience is weak.

Resilience Must Be Designed Systemically

The most important insight in CORE is not the list of domains. It is the interconnection map between them. Hybrid threat actors specifically exploit the connections — a disinformation campaign targets the Information domain, creates fear in Social/Societal, erodes Political trust, and ultimately destabilises the Economy. Four domains hit with one tool.

Building resilience in individual domains is not enough. A company that hardens its cyber infrastructure but ignores its information environment is still vulnerable. A board that approves a physical security plan but has no situational awareness process is still exposed.

“Trust in the democratic process makes dependencies and interdependencies strong and healthy. Hybrid threat actors seek to erode this trust.”
— Hybrid CoE, CORE Framework

From Dart Board to Decision Board

CORE’s creators call it a strategic design board: a tool for decision-makers to select which resources, tools, and measures to mobilise at EU, Member State, and operational levels. For an enterprise board, it translates directly to three questions:

1. Which domains does our business operate in? Infrastructure, Economy, Cyber, and Information are the most common entry points for commercial entities.
2. What are our cross-domain dependencies? A supply chain disruption in Economy affects Cyber capacity. An Information attack affects Social/Societal trust in your brand.
3. Have we designed resilience systemically — or just ticked NIS2 boxes? Box-ticking is compliance. Systemic design is resilience.

NIS2 Article 20 requires board members to approve cybersecurity risk measures and to oversee their implementation. Ignorance is no longer a defence. CER adds physical infrastructure to the same duty of care. CSRD requires disclosing when you’ve failed.

What This Means for Finnish Companies

Finland has a specific advantage in this space. The Hybrid CoE is headquartered in Helsinki. Huoltovarmuusorganisaatio (NESA) is one of the most mature national supply-chain resilience organisations in Europe. SUPO (Finnish Security and Intelligence Service) has been publishing hybrid threat analysis for over a decade.

Finnish companies operating in critical sectors — energy, logistics, manufacturing, healthcare, finance — are already inside the CORE model’s Services Space. The question is whether their boards know which domain they sit in and whether resilience has been designed, not assumed.