Centre For Disinformation Studies

Democracy and Disinformation, Part 2: The European Case

Democracies responding to disinformation face a structural problem. The same principles that define democratic governance, freedom of expression, political pluralism, and limits on state authority also constrain how governments can respond to information manipulation. Three constraints define this challenge: legality, what governments are actually permitted to do; legitimacy, to what extent those actions are deemed appropriate by the public; and speed, how quickly institutions can respond before harmful narratives take hold. Authoritarian actors are far less bound by these constraints, which makes the asymmetry stark.

This tension is especially visible in Europe. What makes the European Union (EU) case particularly interesting is not any single regulation or policy response but the fundamental shift in how disinformation itself is understood. It is no longer simply a problem of false information, but a security threat to democratic governance.

In many European states, this shift reflects a broader security environment shaped by Russia’s use of information activities alongside diplomatic, military, economic, and cyber instruments of power. Crimea’s annexation, subsequent interference campaigns, and the full-scale invasion of Ukraine reinforced the idea that information activities can influence political decision-making, undermine public confidence, and shape the strategic environment beyond the battlefield. The scale is significant: since 2015, the EU’s EUvsDisinfo database has tracked over 13,000 cases of pro-Kremlin disinformation targeting European societies.

Even when disinformation is understood as a security threat, democratic governments remain constrained in how they can respond. This is where legality becomes central: it determines what governments are actually permitted to do. Rather than pursuing direct control over the information environment, European institutions generally seek to address information threats through legal frameworks centred on transparency, accountability, and oversight. The result is a response that remains consistent with democratic principles and the rule of law, but one that may also be slower and less decisive than more centralized approaches that authoritarian actors can employ without the same constraint. 

In the EU, that has meant building regulatory architecture around platform accountability rather than seeking direct control of content. One of the most significant examples is the Digital Services Act (DSA), which requires large platforms to assess and mitigate risks to public discourse, submit to independent audits, and provide researchers with access to their data. Although not created specifically to address disinformation, the DSA represents a meaningful shift: rather than regulating content directly, it regulates the systems and incentives that allow disinformation to spread at large scale. When disinformation linked to TikTok appeared during Romania’s 2024 presidential election, the DSA provided European authorities with the legal grounds to investigate, compelling the platform to preserve data for scrutiny rather than pushing officials towards immediate political intervention without evidence. This distinction matters: direct state control over content raises immediate concerns about censorship, but targeting platform architecture, how content is amplified, how systems prioritize certain narratives, and what incentives platforms face is more democratically defensible. It is not, however, without controversy. 

That same case illustrates how delicate that balance can be: regulating the systems that distribute information inevitably influences which information gets heard and how loudly, raising concerns about indirect control over public discourse. The harder question is not what the law permits;  courts and government can settle that. It is what the public is willing to accept.

This is where legitimacy comes into play. Measures may be lawful, but questions remain about who exercises these powers, how they are applied, and whether they command public confidence. If legality determines what governments can do, legitimacy helps determine whether those actions are accepted as appropriate and justified.

Much of that legitimacy depends on how the threat itself is perceived. Foreign Information Manipulation and Interference (FIMI) is increasingly viewed as anti-democratic in nature, reflecting a broader shift in how information threats are understood in Europe: as a threat to democratic governance itself, a framing that considerably shifts the political calculus around counter-measures. That shift is reflected in the language used by European institutions: concepts such as FIMI, hybrid threats, democratic resilience, and information confrontation suggest a view of disinformation that extends beyond individual falsehoods or misleading narratives. Rather than focusing solely on the accuracy of information, the concern is increasingly centred on the cumulative effects that information activities can have on public trust, social cohesion, and democratic governance. In this context, Russian information activities are understood as part of a broader form of information confrontation intended to erode trust in public institutions, weaken social cohesion, and undermine confidence in democratic processes. When these activities are perceived as attacks on democracy itself, efforts to counter them gain greater legitimacy.

However, while perceptions of the threat may help justify action, legitimacy ultimately depends on how that action is exercised. As a result, these efforts can themselves become the subject of debate, particularly when they raise concerns about political influence, government overreach, or the perception that institutions are influencing public discourse. The question is not only whether such measures work, but whether they remain consistent with the democratic principles they are intended to defend. In other words, framing disinformation as a security threat makes it easier to act but harder to discern whether those actions are the right ones.

Speed, however, may be the most difficult constraint to manage. If legality determines what governments can do and legitimacy influences whether those actions are accepted, speed affects the ability of institutions to respond before harmful narratives gain too much traction. Yet, the EU approach suggests that responding faster is not always the only solution. Information threats can emerge and evolve far more quickly than democratic institutions can realistically respond. As a result, many European initiatives have focused less on rapid intervention and more on strengthening societal resilience, transparency, and public awareness. Finland has prioritized media literacy, teaching citizens from a young age to critically evaluate sources. Sweden has revived its Cold War-era concept of psychological defence, preparing the public to recognize information manipulation before it takes hold. France has created VIGINUM to monitor and expose foreign digital interference in real time, and in Lithuania, thousands of volunteers called Elves – people who work anonymously in their spare time – actively monitor and debunk pro-Kremlin disinformation online, a citizen-led complement to state efforts. Together, these illustrate different ways of addressing information threats before they escalate into crises. These measures may not prevent false narratives from spreading, but they can reduce their impact and lessen the need for immediate government action. Though different in method, these initiatives share a common logic: that resilience is built before the crisis, not during it, an idea that sits at the core of NATO’s whole-of-society approach.

Operating within the constraints of legality, legitimacy, and speed, the EU has found no perfect solution, but a distinct way of managing each. In dealing with legality, the EU has built regulatory architecture that targets platform systems rather than content – defensible but not without controversy. On legitimacy, it has reframed disinformation as a threat to democracy itself, which justifies stronger action but also raises harder questions about scrutiny and oversight. On speed, it has largely abandoned the idea of outpacing the threat, investing instead in societal resilience before crises emerge. In the end, the EU’s most consequential response to disinformation may not be the DSA, VIGINUM, or any media literacy programme. It is the recognition that disinformation is not merely an information problem; it is a democratic one.

Photo: “Democratic Resilience” (2026), generated by OpenAI based on author direction.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.

Author

  • Dominique Arseneau-Bruneau brings both academic and practitioner perspectives to contemporary security issues, with a particular focus on the information environment. She draws on 20 years of military experience, including operational deployments in the Middle East, Eastern Europe, and West Africa, and has worked in strategy and plans focused on contemporary conflict and multinational operations in the Middle East. She holds a Master’s degree in International Relations and is a non-resident fellow with the NATO Defense College.

    View all posts
Dominique Arseneau-Bruneau
Dominique Arseneau-Bruneau brings both academic and practitioner perspectives to contemporary security issues, with a particular focus on the information environment. She draws on 20 years of military experience, including operational deployments in the Middle East, Eastern Europe, and West Africa, and has worked in strategy and plans focused on contemporary conflict and multinational operations in the Middle East. She holds a Master’s degree in International Relations and is a non-resident fellow with the NATO Defense College.