European democracies are in the middle of a 24-month window of contested elections under industrial-scale information operations. By the time this is read, several have already happened. Several more are imminent. The pattern is consistent enough across countries that a defensible operational architecture exists -- and it can be stood up in 90 days, not 18 months.
This post describes what that architecture looks like in practice. It is the long-form companion to the briefing we give law-enforcement, election-commission, and government audiences at industry events.
The two failure modes that dominate today
Most election-integrity tooling falls into one of two patterns, and both leave the system incomplete.
Pattern one: analysis without action. Vendors detect synthetic media, score coordinated-inauthentic-behaviour clusters, map narrative escalation. You see the disinformation. You cannot do anything with it. The evidence chain stops at a dashboard.
Pattern two: takedown without evidence. Platform trust-and-safety relationships move accounts and posts off the public surface. The takedown happens. The chain of custody dies on the platform side, and the prosecutor's office has nothing usable in court six months later when the political pressure has moved on.
A 90-day stand-up has to close both gaps. Detection has to feed into a workflow that ends with a prosecutor-ready evidence package -- built to support admissibility -- handed to the election commission and the prosecutor's office. Anything less is theatre.
The four operational pillars
The architecture rests on four pillars. They are not equally hard.
1. Synthetic-media detection on candidate impersonation
The narrow scope -- candidate impersonation -- is what makes this tractable in 90 days. General-purpose deepfake detection across the whole internet is not a 90-day problem. Detection of impersonation against a known short list of candidates, party officials, and election-commission spokespersons is.
The pipeline:
- Reference-set capture: authenticated audio, video, and image samples of each protected individual, collected from official sources with explicit chain of custody.
- Continuous monitoring of public-facing platforms and indexed open sources for candidate likenesses.
- Ensemble detection: image, audio, video, metadata, processing-history, and narrative-context signals combined, with confidence scoring rather than a binary verdict.
- False-positive escalation path: every confidence-flagged item gets human review before it becomes an evidence record.
Detection is deployable on-premises and is detector-agnostic: an agency can run our detector, its own, or a European model -- the same bring-your-own posture we take on language models and keys. The honest constraint: generation outpaces detection on a 6-12 month cycle, and detector accuracy degrades sharply against generators it has not seen. The architecture has to assume some synthetic content will pass first-pass detection and rely on the next pillar to catch it via behavioural signal.
2. Coordinated-inauthentic-behaviour mapping
CIB mapping is where the platform distinction collapses. Coordination signal is invisible inside any single platform and obvious across platforms. The mapping has to span Telegram, TikTok, X, the domestic platform that matters in the host country, and the relevant forum infrastructure.
The discipline:
- Account-creation cohort clustering: when accounts were created, in what bursts, under what naming patterns.
- Posting-cadence alignment: synchronised posting windows that exceed organic plausibility.
- Cross-platform narrative propagation: the same talking points appearing on one channel at hour H, on a second platform at H+2, on a third at H+4. The lag profile is itself a signal -- though, on its own, a necessary not a sufficient one; it becomes evidentiary only when combined with network-topology analysis.
- Network-graph propagation: amplification patterns within follower graphs, repost chains, hashtag-coordination scoring.
- Funding and infrastructure overlay: where pattern-of-life from open sources suggests common operational origin -- shared hosting, shared payment intermediaries, shared procurement footprint.
CIB mapping is the pillar that genuinely scales: weak signal compounds into strong evidence when fused across enough sources. It is also the pillar most exposed to the false-positive problem, which is why every cluster has to be confidence-scored and human-reviewed before it leaves the system -- and why the system declines to label coordinated accounts inauthentic, automated, or sponsored on behavioural evidence alone. That refusal to over-attribute is deliberate.
3. Narrative-escalation tracking
This is the early-warning function. Not every narrative becomes a threat. Some do. The signal you want is the trajectory, not the volume.
- Velocity scoring: how fast a narrative crosses platform boundaries.
- Sentiment-shift detection: when a narrative pivots from criticism into calls for action against named individuals.
- Geographic concentration: where the narrative is taking hold offline as well as online, measurable via local-language amplification.
- Cross-reference to the electoral calendar: a narrative escalating 72 hours before a poll has different operational weight than the same narrative 72 days out.
This is the pillar that hands the election commission and law enforcement actionable warning rather than after-the-fact archaeology.
4. Evidence-preservation and prosecutor handoff
This is the pillar most vendors quietly skip. It is also the one that determines whether anything done in pillars 1-3 matters six months later.
A point of precision first: court admissibility is a determination made by a court, under the law of a specific jurisdiction. It is not a property a vendor can ship in a box -- and any vendor who tells you their output is "court-admissible" out of the box is overselling. What a platform can ship is the evidentiary discipline that supports admissibility:
- Chain-of-custody from collection through every transformation: who collected, when, from where, under what authority, with what tooling version.
- Cryptographic hashing of evidence records at the point of capture, not later.
- Audit trail covering every analyst action: query, annotation, classification, escalation.
- Export packages in formats the receiving office actually accepts. Most European prosecutor offices have a specific set of requirements, and most are not the formats that platforms produce natively.
- Lawful-collection-only discipline: every record traceable either to a public source under that source's terms of service, or to a properly authorised collection action with a documented legal basis.
- Qualified timestamping and signing: where eIDAS-qualified trust services are used, they are onboarded during the stand-up against the host jurisdiction's providers, not pre-baked into a generic product.
Done well, this is what separates an election-integrity operations centre from a social-listening dashboard: not a claim of admissibility, but an evidentiary discipline a prosecutor's office can actually build a case on.
The 90-day timeline
Stand-up is not deployment. Deployment is faster -- the platform brings OSINT collection live in 24 hours, with full deployment in weeks. Stand-up is the time required to take a national-level operations centre from no-process to ready-to-handoff-to-the-prosecutor. The work that takes 90 days is operational, not technical.
Days 0-30: scope and authority. The legal basis for collection, retention, and handoff has to be settled before any data moves. Memoranda between the election commission, the prosecutor's office, and the participating analyst team. Lawful-collection policy. Retention schedules under GDPR Article 6 and the relevant national derogations, and -- where the work is criminal-investigative -- under the Law Enforcement Directive rather than the GDPR. Reference-set capture for the protected-individual short list. Sovereign deployment configuration -- data residency, model provenance, bring-your-own-model where applicable, EU AI Act conformity assessment scoped.
Days 30-60: pipeline build and tabletop. The detection pipelines come online: synthetic-media reference matching, CIB cluster baselining, narrative-velocity scoring. The analyst team trains on the workflow. Critically, the workflow is tested in tabletop exercise against publicly-known historical interference campaigns from the 2024 European Parliament cycle and the 2025 national-election cycles. Tabletop is where the false-positive escalation paths get debugged before they matter.
Days 60-90: live operation under supervision. The centre runs against the live information environment, with every escalation reviewed by a designated supervisor before it leaves the building. Refinement of confidence thresholds. First test handoff packages drafted and reviewed by the prosecutor's office for procedural compliance, with no live case attached. By day 90, the centre is cleared to handle live incidents with the chain-of-custody and evidentiary discipline that survives scrutiny.
Sovereignty is not optional
Every component above sits inside a sovereignty boundary. European agencies in 2026 are not in a position to rely on tooling whose data, models, or infrastructure sit outside their jurisdiction. The architecture has to be:
- Data-resident in the host country or an EU-domiciled processor.
- Model-provenance-transparent: which models, trained on what data, retrained when, by whom.
- Bring-your-own-model-capable: the host agency can substitute its own large-language-model and detection providers where preferred, including domestic or EU-domiciled options.
- GDPR-native and LED-aware: data-subject rights, lawful basis, retention, and deletion designed in from the start -- under the GDPR for general processing and under the Law Enforcement Directive where the purpose is criminal investigation.
- NIS2-aligned: the operations centre itself functions as an essential entity under the directive; the platform has to meet its operational-security obligations.
- EU AI Act conformity-ready: depending on design, the synthetic-media detection and behavioural-scoring functions may fall within the regulated-AI-system category -- so we build to conformity (high-risk-ready documentation, transparency, human oversight, and, for a non-EU provider, an EU authorised representative) rather than assume an exemption. And a point sovereign buyers should note: the EU AI Act applies by where a system's output is used, not by where the system was built or trained. We build to the regime, not around it.
This is the load-bearing constraint. It is also the constraint that disqualifies most of the platforms in the market.
What 90 days does not buy you
Honesty matters here. A 90-day stand-up gets you a defensible operations centre for the specific election window it was built for. It does not give you:
- A permanent counter-disinformation capability. Operational continuity beyond the election window requires a separate funding and authority structure.
- Detection of every novel synthetic-media technique that emerges after day 90. The arms race is real; the architecture has to be refreshed quarterly.
- Cross-border attribution. Naming a foreign state as the originating actor is a separate intelligence-community function that this operations centre feeds into but does not replace.
- A substitute for platform-side action. Takedowns still happen via the platforms; the operations centre produces the evidence that justifies them.
What this is and what this is not
This is an architecture and a 90-day operating discipline for an election-integrity operations centre that detects synthetic-media impersonation, maps coordinated-inauthentic-behaviour across the platforms that matter in a European information environment, tracks narrative escalation, and produces a prosecutor-ready evidence package -- built to support admissibility under the host jurisdiction's law -- all under a sovereign, GDPR-native, EU-AI-Act-conformity-ready deployment pattern.
This is not an offensive-cyber capability, a takedown service, a content-moderation product, or a platform-relationship intermediary. It does not interdict. It detects, scores, evidences, and hands off. The action sits with the election commission, the prosecutor's office, and law enforcement -- where it belongs.