Bridging Europe's Cybersecurity Divide Through Political Will
Cristian Tracci / Mar 7, 2025

The observations presented in this article do not represent the official position of the European Cyber Security Organization (ECSO).

Flags flying in Brussels. Shutterstock
In the last decade, the European Union and its Member States have crafted strategies, enacted laws, and developed frameworks to improve cybersecurity across the Union. They have also established national authorities, carried out inspections, and assisted critical enterprises. While it is difficult to precisely assess whether all the work done has been effective – and well beyond the scope of this article – I would argue the ecosystem is moving in the right direction. Yet many actors across the spectrum remain dissatisfied with the current situation. The idea that we are building a complex, bureaucratic, inefficient system, where more resources are invested in compliance and legal staff than in engineers triaging incidents, has been raised countless times.
What should be done about it? Hard work is needed to harmonize and streamline regulations. However, the real challenge is political agreement rather than operational optimization. Europe can certainly build technological platforms and improve processes – this is not the main problem. If we want to achieve better harmonization and enhance the competitiveness of the European system against foreign competition, European and national institutions must negotiate and reach a compromise, both on the strategic direction and on smaller details. If we are not ready to take this further step, harmonization efforts will likely be slow and potentially more costly.
Regulate, deregulate, or streamline
The debate over cybersecurity regulation has been contentious in recent years, with strong positions on all sides. Europe has introduced multiple pieces of regulation, which has led to growing complaints about overlapping requirements and duplications. Which regulations apply to my company, among all existing ones? Which frameworks should I use to improve security and then demonstrate compliance? Which authorities should I report incidents to? Is there a standardized approach to managing and monitoring third parties?
Let’s look at each argument more closely. Some simply dislike regulation, preferring a laissez-faire approach to cybersecurity. Their reasons differ, ranging from innovation to the free market to national jurisdiction. First, the common refrain is that, in the field of innovation, technologies change too fast to be regulated. Second, even if the policymaking cycle could keep up, regulation would hinder innovation by diverting resources from research to compliance. Third, although governments have been regulating enterprises for centuries, conservatives still argue against the government’s role in dictating what enterprises should do in a free market, especially at such a prescriptive level. This position becomes even more complex in the EU, given the relationship between national governments and the European Union.
While all these arguments remain relevant today, they have lost ground in cybersecurity over the last decade, in Europe and beyond. The impact of countless incidents has given the upper hand to those advocating for more regulation. It has become clear that we need legally mandated ‘essential requirements’ to compensate for the negative externalities of a decade-long digital transformation that did not meet appropriate security standards. This has led to landmark legislation in the EU, such as the NIS2 Directive, the Cyber Resilience Act (CRA), and the Digital Operational Resilience Act (DORA). Other geographies follow similar trends and impose or call for security requirements. Although the need for them is warranted, these policies are often seen as overly burdensome.
In this context, the demand from all sides is clear: the European legislative system needs streamlining, addressing overlapping requirements, duplications, and inefficiencies. Academics have framed the problem; the commercial sector has lobbied for change; European politicians have campaigned on it; and the European institutions have adopted it as part of their manifesto for the 2024-2029 mandate. There is broad consensus that cybersecurity regulatory requirements should be improved in Europe and beyond. We need to build an effective and efficient legislative framework for both functional and political reasons. On one hand, resources are limited and have to be allocated efficiently to meaningful security measures. On the other hand, frustration with redundant or unclear requirements risks undermining the progress achieved so far, empowering those who oppose regulation entirely.
Harmonization: how should it be done?
The crucial question is how it should be done. That this question remains open is not due to a lack of ability but rather because these issues are deeply complex. Today, cybersecurity is regulated by hundreds of policies at the EU and national levels. Building a comprehensive overview that allows us to identify what should stay and what should be scrapped is a daunting task.
Starting from concrete use cases helps. When staff time goes into interpreting misaligned compliance reporting, into reporting incidents rather than triaging them, or into repeatedly answering vendor questionnaires before buying services, the natural suggestion is to map out all security frameworks, build a unified reporting platform, and develop a third-party governance framework. However, solving these issues requires more than identifying operational tweaks and engineering efficiencies, because streamlining regulation is more about politics than operational optimization.
The main obstacle is not technology
Let’s look at incident reporting, for example. If you are a company operating in multiple countries, in Europe and beyond, you may have to notify multiple authorities when you are the victim of an incident. Some reports are mandatory; others are voluntary. Your incident response team will most likely have to liaise with the compliance and legal teams before proceeding. While no evidence-based study has quantified the costs of these processes, stakeholders have been vocal about them. A clear public inventory of incident reporting obligations across jurisdictions, a unified reporting platform, and consistent data fields would greatly facilitate both reporting and analysis. These seem reasonable expectations. We could begin work on these issues tomorrow. Europe has the systemic capacity to build such systems.
While these operations require time and resources, the main obstacle is not technology. The real challenge lies in negotiating and agreeing on what an efficient system looks like in terms of governance and the minimum standards to follow. For incident reporting, for example, this implies agreeing on data fields (i.e., which information is entered in the report), data flows (i.e., where the data goes), access rights (i.e., who gets access to which data once it is reported), data storage (i.e., where the data is saved and kept), and information sharing (i.e., with whom the data is shared). To achieve this, both public and private entities need to come together and reach a viable agreement.
Operational tweaks won’t be enough without political will
Harmonization requires a mix of hard work and political commitment. Streamlining processes, aligning workflows, or opting for regulations instead of directives can reduce friction, but these measures do not necessarily address the root issues. The problem goes beyond drafting better policies alone. For example, fragmentation often stems from differing interpretations of rules, and addressing it requires political will across the Union – and beyond – to foster harmonization. It means sitting around the table, finding an acceptable compromise that satisfies all parties, and agreeing to uphold it in practice. Such political negotiations among 27 countries are complex. That is why forward-looking member states should take the lead, despite all constraints and challenges, and regardless of whether every country is willing to join in today. Specifically, they could come together to form consortia and build consensus on each of the aspects mentioned above for critical use cases requiring harmonization, setting an example for the rest of Europe. Non-European companies operate under different rules, advancing research and market dominance, often to the disadvantage of European players. Further delaying harmonization will only increase the political and financial costs for the European continent in the future.