Money, Money, Money

Resilience in the digital space is now at the top of Europe’s cybersecurity agenda, with EU institutions endeavouring to support Member States’ digital transition, encourage common standardisation of cybersecurity products and practices, and promote capacity building across the Union. Achieving a higher level of cybersecurity in the EU will require a substantial financial effort.

Defining common priorities

Defining common priorities among Member States (MS) remains a major challenge to increasing the EU’s cyber resilience. Consultation at national level is a first essential step, followed by alignment among EU MS. Only a coordinated response and the promotion of cooperation will increase cybersecurity across the continent. The EU has an important role to play in coordinating among MS, but also among actors from different sectors, and among public and private sector organisations. European actors must align their priorities to focus efforts in a common direction and facilitate the development of relevant solutions.

EU-level initiatives have been launched to develop common priorities, such as the newly-created European Cyber Security Competence Centre and Network (ECCC) in Bucharest. This entity will better organise a coordinated network of cybersecurity professionals across the EU and provide a space for them to jointly define priorities, starting with cybersecurity investment priorities.

The EU must however work closer to the ground, ensuring support, if indirectly, to SMEs at local and regional level. It must ensure that its actions and funding programmes complement what is done by national governments and private investors, to avoid duplication and maximise return on investment.

From priorities to funding

The EU has developed an extensive body of cybersecurity funding schemes to develop « A Europe fit for the digital age ». The Digital Europe Programme (DEP) for 2021-2027, will invest €1.9 billion in cybersecurity capabilities, infrastructure and tools across the EU for the public and private sectors as well as for citizens. The new Connecting Europe Facility (CEF2) will allocate €1.7 billion to develop and support cyber capabilities in the Union, with funding for digital connectivity infrastructure. Horizon Europe, the EU’s research framework programme, will allocate around €13.5 billion to cybersecurity R&D.

In complement to providing funding, the EU continues to regulate the cybersecurity sector. The imminent NIS2 builds on the original NISD (Network and Information Security Directive which provides legal measures to improve the EU’s level of cybersecurity) to further increase the level of cybersecurity in MS by focusing on preparedness and increasing requirements for the protection of critical infrastructure. Leveraging the Cybersecurity Act (2019), which strengthened the mandate of the European Cyber Security Agency (ENISA) as well as the provisions of the NIS, the EU has launched a certification mechanism for European ICT products. As such, ENISA is working on certification schemes that will establish a harmonised standard for cybersecurity products in the EU. Meanwhile, the EU Cybersecurity Strategy (2020) reinforced the provisions of the Cybersecurity Act, and a new European Cybersecurity Resilience Act is being drafted and expected to be voted in 2022. Other key regulations include the Digital Services Act and the Digital Market Act, a set of rules which aim to ensure a safer and more open digital space protecting citizens’ fundamental rights while fostering innovation, growth and competitiveness. The EU was a pioneer and remains a world leader in data protection and privacy, with the enactment of the GDPR in 2016 and its current work on a new ePrivacy Regulation.

This body of regulations creates costly obligations and a compliance burden. They also create countless opportunities for growth, as new solutions will need to be developed to help organisations and businesses achieve compliance and ultimately, a higher level of cybersecurity.

Towards concrete actions

The total amount invested in cybersecurity companies in Europe in 2021 was €2 billion, 2.5 times more than in 2020[1]. This however represents only 10% of the global total. The average cybersecurity transaction** in Europe is €10 million, compared to €40 million in the US and €20 million in Israel… Europe can catch up but must give itself the means, funding and infrastructure to do so. It must also learn from these global leaders to become and remain competitive.

This means investing in education. The EU suffers from a severe skills shortage, which impacts its R&D and the growth of its cybersecurity sector. The cybersecurity job market remains less attractive than that of others such as the US. Talent must be fostered and retained in the EU, a key to the continent’s digital sovereignty. Suitable, highly specialised and well-marketed products must be developed, encouraging companies in their shift from technology to products. The EU must foster the entire spectrum of cybersecurity skills, adding financial, marketing or management expertise to technical know-how.

** Fundraising, money poured in a company to grow, not to buy out shareholders