While the EU recognises the importance of cybersecurity policies, it continues to lag behind certain international counterparts in terms of creating a unified ecosystem and providing investment opportunities. One of the central problems hindering the EU is the fragmentation of its cybersecurity market, which impedes European cybersecurity companies from scaling up and forces them to look for alternative markets to develop their businesses. European cybersecurity cannot rely solely on the top-down approach of EU institutions creating regulatory frameworks and member states implementing laws.
European cybersecurity literature generally addresses two recurring themes: the lack of a universal definition of cybersecurity and the fragmentation of the EU’s cybersecurity ecosystem. As the first feeds into the second, the question emerges: how can the EU overcome its cybersecurity fragmentation? This post argues that the European approach to cybersecurity must be extended beyond top-down models: it must be holistic, multi-level and include European regional actors. Drawing from the lessons of the Interreg Europe CYBER program, it demonstrates European regions’ important unifying role in filling the gaps created by the EU’s top-down approach.
Different National Agendas
Unlike its Chinese and American counterparts, Europe’s cybersecurity market has natural divisions along the borders of the EU member states which contribute to its fragmentation. One element driving European fragmentation is the fact that highly digitalised countries do not necessarily have equally high performance on cybersecurity. For instance, the 2021 ESET European Cybersecurity Index highlighted that France, which is one of the most digitalised member states, underperformed on the categories for countering account hacking, fraud and malicious software, despite its high commitment to cybersecurity. Portugal, Lithuania and Slovakia scored best in those same categories. These differences in member states’ cyber capacities complicate Europe’s cyber framework by creating diverging objectives rather than a single common vision.
Europe’s cybersecurity market is further divided by the national agendas of member states, which have a two-fold impact. First, different national agendas encourage differing definitions of cybersecurity, which fragment the market by causing member states to interpret and implement legislation according to their own understandings. Second, an excessive focus on national needs hinders the growth of Digital Europe which depends upon member states pooling their sovereignty. While many recognise the value of a pan-European cybersecurity market, some believe cyber regulations encroach on sovereignty and national security, tying into broader EU debates about supranational vs. national issues. Consequently, the perceived borders of member states make it difficult to unite Europe’s cybersecurity market.
Challenges for SMEs
Cybersecurity market fragmentation occurs not only at the national level but also results from the difficulties small and medium enterprises (SMEs) face regarding cybersecurity, both as cybersecurity providers and/or as cybersecurity users.
A major issue for cybersecurity providers is access to resources that would allow them to scale up and remain in the European market. Cybersecurity in general requires constant and heavy R&D investment to cope with the rapid evolution (and complexification) of threats and technologies. Adding to European SMEs’ challenges are smaller markets with fewer economies of scale, complicating their ability to compete globally. In comparison, American SMEs tend to grow and scale fast enough to remain in their cybersecurity market and subsequently sustain their competitiveness. Additionally, difficulties scaling up limit the ability of European providers to diversify, fragmenting the supply structure by preventing larger actors from emerging. This results in European cybersecurity providers struggling to remain in the market, often leading to foreign acquisition.
Technical expertise is another non-negligible obstacle to account for regarding SMEs that are cybersecurity users. Many industries find participating in the cybersecurity market a challenge because its constantly evolving technology and complex socio-technical elements lead to a lack of easily available expertise. This can present a considerable cost to SMEs in terms of hiring/training employees and ensuring technology remains up to date, reinforcing reluctance to engage in cybersecurity. Moreover, transaction costs are increased by differing implementations of regulation, further complicating the task for European SMEs.
Subsequently, the challenges of engaging with cybersecurity complicate the development of home-grown industry and the consolidation of Europe’s cybersecurity market from the perspectives of both providers and users, especially because European SMEs may have fewer resources to begin with.
EU: A Cybersecurity Newcomer
Another element to highlight is that the EU remains a cybersecurity newcomer; only recently did it shift from being reactive to proactive on the issue. Its first “cross-cutting strategy” of 2013 marked a sudden change and strengthened the EU’s engagement on a whole set of issues, however, it fell short on elements like defining cybersecurity. The EU does not lack actors nor funding to strengthen and unify its cybersecurity market. The institutional landscape is quite dense: it includes ENISA, EDA, CERT-EU, European Commission Directorates (DG CONNECT, DG DIGIT, etc.) and various private stakeholders, amongst others. Meanwhile, the 2021-27 budgets show €7.5 billion dedicated to the Digital Europe Programme and €95.5 billion to Horizon Europe. Yet, EU actors work in cluttered and overarching manners that complicate strategic resource allocation and can limit the shift to Digital Europe.
Despite the tone shift, the EU has mainly developed relatively top-down approaches to cybersecurity, focused on legislation and expenditure. Although important, this approach only goes so far. For one, the ongoing 2021 amendments to legislation like the NIS-2 Directive and the EUiD Proposal demonstrate the limitations of regulatory frameworks, especially in the fast-moving space of cybersecurity. Furthermore, the implementation of a European Cybersecurity Competence Centre and Network, as well as the promotion of European Digital Innovation Hubs, highlight attempts to connect with cybersecurity beyond regulatory frameworks.
Overall, the EU’s top-down approach to legislation has included important steps towards creating a “coherent and harmonised” space but has failed to fully remedy fragmentation. Instead, it risks becoming scattered with contrasting approaches and systems that complicate the achievement of common ground on cybersecurity governance.
Role of the Regions: Interreg Europe CYBER
Achieving cooperation in the cybersecurity market will require updating the EU cybersecurity model to handle non-traditional cybersecurity threats. Cyberspace has distinctive features that make it a novel space of interaction and security: it diminishes the relevance of physical territory and demands strategies that are flexible, adaptable and multidisciplinary. This requires a structure that actively involves the private sector as well as different levels of society to achieve effective regulation and governance of cybersecurity. Therein lies the space for regions to drive change and consolidate the market. Regional organisations provide a highly effective crossroads for elements of the cybersecurity market, from civil society and public actors to the large private sector companies as well as SMEs. They are more accessible than national-level actors.
The Interreg Europe CYBER programme launched in 2018 offers various examples of projects encouraging information sharing and cooperation amongst European cybersecurity stakeholders. For example, Regione Toscana aims to improve “the coordination mechanisms of its cyber ecosystem” with a Technical Coordination Board and a Regional Cybersecurity Working Group that address digital transition, SMEs and training. Similarly, the Estonian Information System Authority (RIA) has made information exchange one of its action plan targets, focusing specifically upon essential providers in its water industry. These projects involve regional stakeholders like the public sector, companies, business associations and universities which all provide different perspectives on the European cybersecurity market and allow it to become more adaptable.
By including regions, a more inclusive and flexible model emerges that suits cybersecurity and the EU market. Moreover, as Interreg CYBER participants take inspiration from each other, cooperation develops within and across the member states, making it easier to build cyber resilience. This is demonstrated not only by the successful proliferation of common solutions throughout the different regional networks but also by the positive results shared by the Interreg CYBER participants in their Action Plans.
Beyond Top-Down Approaches
The EU has mainly developed top-down approaches to cybersecurity, conducting an important task in creating legislation and overarching frameworks like the NIS Directive and GDPR. However, cybersecurity cannot be addressed solely through top-down strategies attached to logics of governmental control. Bottom-up approaches can further unify Europe’s cybersecurity market by filling the gaps in top-down solutions. Currently, smaller actors like SMEs fall through the EU’s net due to their challenges in engaging with its cybersecurity market. Including side-lined actors through targeted solutions such as raising awareness and introducing cyber hygiene can advance market consolidation.
Additionally, while common EU standards are important, consolidating the cybersecurity market is not a simple short-term process; it requires multi-year programs and tailored solutions to help meet sector-specific needs. Such elements can be effectively handled through bottom-up approaches. For instance, RIA has presented critical Estonian water industry SMEs with tools such as penetration testing or automation processes to help simplify and advance the SMEs’ cybersecurity frameworks.
Furthermore, cybersecurity is about people and trust-based relationships, elements generally developed through bottom-up approaches. People are often the first point of entry in cyberattacks, yet the complexity of cybersecurity (and its legislation) deters individuals from engaging on cybersecurity and cyber hygiene. This makes it important to have trusted actors capable of evaluating and interacting with cybersecurity in a more hands-on manner. Regional organisations can provide perspectives that are not necessarily incorporated at the level of the EU Commission and legislators. Take, for example, Kosice IT Valley which, through Interreg CYBER, is surveying its stakeholders (SMEs, governmental bodies, academia) to identify their cybersecurity needs. In addition to conducting the survey, it is drawing inspiration from solutions implemented by other Interreg CYBER Partners, such as RIA, Digital Wallonia and the Chamber of Commerce and Industry of Slovenia. Targeted solutions can be applied to the different areas of the EU while still maintaining a transnational characteristic, unifying the market and increasing its effectiveness. Interreg CYBER has provided access to education and training in cybersecurity. In response to the need for expertise, initiatives have been set up, such as the CyberBreakfasts of Region Bretagne, to bring together local companies and experts to discuss cybersecurity, a practice adopted by RIA and Digital Wallonia. Interreg CYBER is both providing solutions and creating networks that allow for cooperation to develop further.
The fragmentation of the European cybersecurity market is not impossible to overcome but is an increasingly important challenge. The EU has always faced divisions due to its member states, but the transnational character of cybersecurity makes achieving coordination a pressing need. Similarly, the complexity of cybersecurity must be tackled to help SMEs and other actors participate in building a secure cyberspace in Europe. Cybersecurity can no longer be viewed from the confines of traditional national security: effective cyber resilience requires coordination through all levels of European society, including with regional organisations. The regional organisations complement the strategies already in place at the EU level and fill in gaps. Cybersecurity is a complex global issue – it is only through multilevel holistic frameworks that the EU will be able to move forward in a united manner.
About the Author
Clara Jammot is finishing her International Security Masters at Sciences Po Paris. Under the European Cyber Security Organisation (ECSO), she worked on the Interreg Europe CYBER Project and EU cyber policy. At the University of Warwick, she wrote a dissertation about the European perspective on American and Chinese cyber power and sovereignty. She draws on her international background, having studied in Hong Kong, Beijing and the UK, to develop her expertise on secure cyberspace, China as a cyber power, AI and the workforce, and trust in digital societies.