
Why Protectionism Won't Make Europe a Cybersecurity Powerhouse


A couple of weeks ago I was at IT-SA, one of the largest IT & Cybersecurity events in Germany and in Europe. When walking around the exhibition floor and talking with both exhibitors and attendees, something that struck me was how much the “Buy European” mindset is taking over.

If you were to compare IT-SA with, let’s say, RSA Conference in San Francisco, something would be clear: for every vendor booth mentioning AI in the latter, you will find one with a huge “Made in EU” or “Made in Germany” label in the German one.

Not only that, many presentations in the official agenda were covering that topic, one way or another.

After 20 years building one of the largest European cybersecurity vendors in the world, I am personally involved in many activities to promote local cybersecurity vendors and solutions myself. However, I believe a huge part of the current “sovereignty” push is misguided and will not help in the long run.

Take into account that this comes from someone that is part of an initiative to develop a European cybersecurity marketplace. I even presented it at IT-SA myself! 😀

In this article, I am going to explore how I see the overall situation and what I believe should be emphasised or done instead.

There are several initiatives that are looking into changing procurement rules and processes to give preference to European solutions. Recently, the European Commission, through its Directorate-General for Digital Services, published a Cloud Sovereignty Framework that defines objectives and Sovereignty Effectiveness Assurance Level.

Another initiative is EuroStack, which proposes a “Buy European” Regulation of Strategic Digital Procurement framework. This would aim to redirect a significant portion of the current purchases towards European firms and define a “Sovereign European Provider” through a “rigorous, technical test of substantive control and operational autonomy”.

These initiatives are getting some momentum and as that happens, they show the many problems of the “Buy European” movement. For instance, there was some news breaking a couple of months ago that the European Commission was considering dropping Microsoft Azure and replacing it with the French OVHCloud provider.

Now, my question is, how does that change anything? Yes, OVHCloud (or any “sovereign cloud provider”) is headquartered in a European country, but the majority of the base software they use and provide to their customers is not European. Even a change in prices in Broadcom/VMware licenses affected their financial results last year.

When we review the proposed EuroStack framework, other issues arise. One of their pillars is the usage of “open-source” software. As they do point out to some extent, though, the vast majority of the key foundations behind those projects – like the Linux Foundation, Mozilla Foundation or the Apache Software Foundation – are incorporated in the U.S.

The other issue is the reliance of the proposal on a certification-like approach to validate if a provider is European.

There are enough certifications in Europe at the moment, at regional and local level, and in my opinion and personal experience, they are actually obstacles for innovative and disruptive new companies. There are too many already!

A young startup doesn’t have the resources to obtain internationally recognized certifications like SOC2 and ISO, plus the local ACN, ANSSI, BSI, LINCE, etc. and on top of that, some regional ones to show they are European enough.

Some will point out that there are already efforts to harmonize the national schemes. However, has anyone noticed how long it takes to get anything like that done? Just take a look at the state of NIS2 transposition!

While we could point out other issues with some of the “Buy European” initiatives, let’s take a pause and look towards the East for “inspiration”.

I have been in the cybersecurity industry for some time now, and I have seen the evolution of protectionism in countries like China and Russia. Both countries have had certification schemes in place for more than a decade, with rules that became stricter towards foreign providers year over year.

Their initiatives and certification processes have fared differently, and haven’t necessarily helped them to become fully sovereign or global leaders.

Did you know that in Russia you need to have the source code manually reviewed by government officials in order to obtain certain certifications?

When it comes to cloud, China fares better than Russia, as the primary cloud service providers are local and some of them have regional presence.

Did you know that when China started to push for stricter regulations for foreign cybersecurity companies, Trend Micro sold their local subsidiary to AsiaInfo?

However, despite all their efforts, Microsoft Windows continues to be the primary operating system, and foreign software continues to be a reality at many levels, private and government, and even those Chinese cloud service providers need to offer non-Chinese software to their customers.

Rather than help, in my opinion, those initiatives create isolation and limit local companies from becoming true global market leaders.

After this diversion through the East, there is another challenge to the “Buy European” movement: who promotes, sells and implements software and cybersecurity products and services.

The vast majority of software and cybersecurity products are sold through third parties – service providers, system integrators, etc – in Europe and elsewhere.

While some of the pan-European providers have some sort of “sovereign portfolio” at the moment, they are actively promoting, selling, integrating and supporting non-European products and services for their European customers.

If you want to have more organizations buying European products and services, you need more of their suppliers offering them European options. Why don’t they?

All those procurement frameworks, certifications and regulations that we talked about before are not the only initiatives around. There are also some looking into increasing visibility and competitiveness.

The CyberHive Europe is a good example, not because I am part of it, but because of the reasons I joined when it was first pitched to me.

The platform is aiming at becoming a marketplace showcasing European cybersecurity solutions and it is built and maintained with the inputs from the community, which includes CISOs, vendors and investors. It’s not putting up neon signs about buying European, it’s giving potential customers a place to find alternatives.

In that same direction, there is a recently launched website called European Alternatives with a similar aim: a directory of regional options for those that want them.

Another good initiative is the Cybersecurity Made in Europe label, a simple and realistic tool for cybersecurity vendors to show where they come from. It doesn’t take a minimum of six months and tens of thousands of euros to get it like with many of the certifications I mentioned above, which makes it available for established companies as well as young startups.

Moreover, the European Cyber Security Organization aims to make Europe an equivalent to a seal of cybersecurity excellence, not through forced processes, but by a multitude of initiatives to promote European innovation and technology.

There are other initiatives that are good examples of what Europe needs to close the gap and become a global cybersecurity leader, aiming at removing obstacles and increasing opportunities:

  • EU-Inc: a proposal to create a new pan-European legal entity, with one central registry, and standardized investment documents, EU-wide stock options and taxes and employment rules.

  • The European Cybersecurity Investment Platform: set to be a fund-of-funds mechanism with a target size of at least 1 billion euros, as a response to the investment gap in the EU cybersecurity market.

The above are good examples of “Buy European” initiatives that don’t even need to use that tagline to help increase the chances of customers choosing local solutions. They are well in line with the needs outlined by the cybersecurity founders and leaders themselves.

The problem is not where technology is built, but how value is created and delivered to those that use it.

Speaking of customers, in my experience, everything starts with them. Their needs, pains and requirements.

If Europe wants to see the regional technology and cybersecurity industry grow and be adopted, these initiatives need to be laser-focused on what customers actually want, above anything else.

Last year I was in a panel discussion where a CISO stated (I am paraphrasing): “If a European and an American solution are equal in terms of benefits, functionality, integrations, implementation time, support, pricing, etc., I would choose European.”

That couldn’t make more sense. We can’t force customers to choose a cybersecurity solution solely or primarily based on origin. Therefore, the focus needs to be on how European companies can solve real customer problems and do it better than anyone else.

The challenge is, though, that many young startups face obstacles to gain access to them. European cybersecurity professionals are generally more risk-averse than Americans, as Luigi Lenguito wisely stated in a recent episode of Scaling Cyber.

There need to be more initiatives to provide opportunities for young startups to present their solutions to potential buyers, and there needs to be more openness from European companies to give them some of their time.

Advice from end users, the opportunity to co-build a solution with an experienced CISO or practitioner, has an incredible value for startups and scaleups. As long as those end customers do want to see more European alternatives, this is a key initiative to pursue.

The reality is complex and defining what makes a company truly European is a challenge in itself. EuroStack provides a large set of requirements that I doubt many companies can fulfil.

Like theirs, many definitions of what a European company is are limited by reality.

A company I work with was recently not accepted in an exhibition as a European provider despite being a supplier for many EU-based defence organizations and despite their owners, leaders, most of their employees and most of their customers being in the EU. Why? Because their main legal entity is incorporated in the US.

Technically, that doesn’t make them “European”, but the reality is that they did that in order to receive investment they couldn’t get in Europe.

Another example: what happens with the large service providers and system integrators that are legally incorporated within the EU but the majority of their employees are in other countries due to cost and legal reasons?

That is not a hypothetical question. It is exactly what the main executive of a French cybersecurity service provider with tens of thousands of employees questioned when their company was about to be excluded from a listing of European service providers. How many American companies are in exactly the same situation but they are considered US companies anyway?

Sovereign solutions don’t equal high quality ones. They also aren’t a guarantee of the necessary and expected business outcomes. They might not even be European forever!

The whole debate around “Buy European” is too focused on the symptoms. If there is a real desire (and need) for European solutions (however we define them), the goal should not be to force procurement processes and create even more regulation.

I am a proud and active member of organizations like the European Cyber Security Organization and the European Champions Alliance. I worked more than 20 years developing European cybersecurity companies globally, and I truly want to see more European companies succeed.

Success doesn’t mean government contracts, nor regulations that will only address symptoms.

Success means delivering actual value to end customers and solving their problems, so they want to buy and use the solution.

I always say, jokingly, that revenue solves all problems. If you really want people to “Buy European”, help European companies to build excellent products and services. That is the way forward and nothing else.

Europe doesn’t need to buy European. It needs to build something the world wants to buy.

*** This is a Security Bloggers Network syndicated blog from Cybersecurity & Business authored by Ignacio Sbampato. Read the original post at: https://cybersecandbiz.substack.com/p/why-protectionism-wont-build-europe-a-cybersecurity-leader


