From a Vilnius Warehouse to the Leipzig DHL Ramp: A Trial That Is Changing the View on the Protection of European Logistics Infrastructure

Anatomy of one parcel

The investigation was led by a Joint Investigation Team coordinated by Eurojust, bringing together Lithuania, Poland, Germany, the Netherlands and the United Kingdom, as well as Estonia, Latvia, the United States, Canada and Europol. Twenty-two persons were identified, and international arrest warrants were issued for a further five. The modus operandi was simple, and all the more dangerous for it. Recruitment through encrypted applications, the dispatch of test parcels to the United States and Canada, incendiary devices disguised as ordinary packages. In July 2024, two parcels ignited directly at the DHL air hub in Leipzig, others ended up in Poland and the United Kingdom, and two further parcels were found in Amsterdam.

The Vilnius trial does not stand alone. In March 2026, Latvia reported acts of arson on railway infrastructure. On 15 April 2026, Minister for Civil Defence Carl-Oskar Bohlin and the Swedish Security Service Säpo publicly confirmed that a pro-Russian group with links to Russian intelligence services had attempted in spring 2025 to carry out a destructive intrusion into the operational environment of a heating plant in western Sweden. The attack failed thanks to a built-in protective mechanism, but Bohlin described it as a shift by the Kremlin from symbolic DDoS actions to destructive OT operations. The Associated Press and Säpo record more than 150 incidents of a hybrid nature in the EU and NATO since February 2022.

Why this matters for Slovakia

Slovakia is part of the same aviation, road and courier geography as Leipzig. The Leipzig transit zone also handles consignments destined for the Slovak market, and Slovak airports and logistics centres share processes, and often the same operators, with their German counterparts. The transport sector is listed in Annex No. 1 to Act No. 367/2024 Coll. on Critical Infrastructure. The deadline of 17 July 2026, by which central bodies of state administration must identify critical entities, is an opportunity to broaden the scope beyond traditional facilities. The identification must also cover logistics hubs, courier companies, airport cargo operations and road corridors, not only power plants and waterworks.

Directive of the European Parliament and of the Council No. 2022/2557 on the resilience of critical entities, that is, the CER Directive, explicitly places physical resilience on the same footing as cyber resilience. An incendiary parcel at an air hub is not technically a cyber attack, but its impact on critical infrastructure is just as real as that of a ransomware attack. On the contrary, the physical and cyber layers of threats overlap. The joint advisory of eighteen agencies of 7 April 2026, which was co-signed by the National Security Authority of the Slovak Republic together with the Slovak Information Service and Military Intelligence, showed that the same GRU which had prepared the parcels for Leipzig is also running the cyber campaign APT28 against government networks in the Czech Republic, Poland, Lithuania and Slovakia.

The quiet people behind the scanners

In July 2024, when the first parcels caught fire at the Leipzig DHL hub, the response was provided not by politicians or generals, but by operators, technicians, the fire brigade and the security service of the air hub. Their rapid response limited the damage. This detail matters, because it is precisely such a capacity to absorb an incident without a visible impact on the end consumer that makes critical infrastructure resilient. Hundreds of people in equivalent positions work in Slovakia as well, in the energy sector, water management, transport and telecommunications, in the cargo operations of the Bratislava, Košice and Sliač airports, and in the logistics hubs of Žilina and Bratislava. The public rarely hears about their work, and that is paradoxically a sign that they are doing it well.

“The Vilnius trial reminds us that critical infrastructure is not only a power plant or a data centre. It is also the last mile of the courier and the conveyor belt at the air hub. If Slovakia fails to identify, by 17 July 2026, also logistics and air-cargo hubs as critical entities under Act No. 367 of 2024, it will react only when it is too late. The hybrid threat does not rely on a single technology; it relies on the gap between sectors that perceive themselves as separate from one another,” says Tibor Straka, President of the Critical Infrastructure Association of the Slovak Republic.

Looking ahead

For Slovak critical infrastructure, the Vilnius trial is a reason for preparedness rather than for concern. Slovakia has a functioning institutional environment, adopted laws and a framework of cooperation in place. Act No. 367/2024 Coll. introduces requirements for the resilience of critical entities, Act No. 366/2024 Coll. transposes the NIS 2 Directive and sets out specific security measures, and Decrees of the National Security Authority No. 226 and No. 227 of 2025 bring enforceable obligations. The National Cybersecurity Strategy for 2026 to 2030 provides this effort with a strategic framework.

What distinguishes prepared countries from those that are caught off guard is not a difference in the level of threat. That is currently fairly even across Europe. The difference lies in the speed with which operators recognise suspicious activity and respond to it before it becomes visible to the public. The Critical Infrastructure Association of the Slovak Republic (AKI SR), as a professional platform and a strategic partner of the National Security Authority, helps its members bridge the gap between legislative obligations and genuine operational preparedness in the energy, transport, logistics, healthcare and digital infrastructure sectors. The Vilnius trial has only just begun, but its strategic message is already unequivocal. The protection of critical infrastructure is also decided on the ramp of an air hub.