“Buy European”: Unlocking the Economic Potential of Europe’s Cybersecurity Sector

Promoting the European cybersecurity market and cooperation between the public and private sectors are among the core tasks of the European Cyber Security Organisation (ECSO). The non-profit organisation under Belgian law was founded in 2016. It is self-financing and was originally regarded as “the contractual counterpart to the European Commission in the implementation of the contractual public-private partnership for cyber security (cPPP)”. This was from the perspective of “supporting all types of initiatives or projects aimed at developing, promoting and supporting European cybersecurity”, as former Secretary General Luigi Rebuffi explained in an earlier interview with it-sa (LINK engl. Fassung). In an interview with us years ago (LINK2 engl. Fassung), he criticised the fact that the EU lacked a uniform IT security strategy. Since July, the ECSO has a new Secretary General: Joanna Swiatkowska. Digital sovereignty is important to her. In the following interview, she outlines her ideas and makes concrete demands.

How did you come into contact with the topic of cybersecurity and how did your career develop?

About 16 years ago, I started working for the Polish NGO – the Kosciuszko Institute, which deals with various security issues. I built up the cybersecurity focus there. In 2015, I founded the Cybersecurity Forum - one of the largest platforms for cybersecurity dialogue in this part of Europe. This was complemented by an academic career, which I completed with a doctorate. Over the years, I have collaborated with administrative and governmental organisations, including on the Advisory Council within the Polish Presidential National Bureau of Security. Before joining ECSO three years ago, I managed supply chain cybersecurity for a global financial organisation, so I have strong experience from the private sector too. I joined ECSO in 2022 and was elected as the new Secretary General this Summer.

Why is the ECSO important for Europe?

ECSO is very unique because we are a private-public organisation that truly brings together the entire European cybersecurity ecosystem. We currently have over 330 members, including major cybersecurity players, start-ups, representatives from academia, RTOs, and venture capitalists. Our membership also includes representatives from the public sector. This means we represent pretty much all the key stakeholders and take a comprehensive, end-to-end approach to cybersecurity.  We cover supply chain cybersecurity challenges, market analysis, regulatory aspects, skills, technologies and more.  This broad scope enables us to support a meaningful strategy for Europe’s cybersecurity development, which is what makes us unique.

You have been Secretary General of ECSO since July. Where do you see ECSO in a few years' time and how do you want to get there?

I want to build on the great work of my predecessor, whose focus on private-public collaboration has made us unique. My goal is for ECSO to become Europe's leading federation, helping to build European cybersecurity capabilities, strengthen cyber resilience, and elevate Europe's position on the international stage. This strategic vision covers three key areas. First, we aim to strengthen the European cybersecurity market. We will achieve this by helping to close the investment gap—for example, by supporting the creation of the first-ever fund of funds for cybersecurity. We will also unlock purchasing power by promoting a "buy-European" mindset to encourage the development and use of European solutions and by supporting a more harmonized regulatory framework across the continent.

Second, we want to ensure that Europe increases its cyber resilience. This means working closely with our CISO communities, which includes our network of more than 600 CISOs and eight national partners. This community provides a platform for members to support one another and gives us crucial, real-world insights. Strengthening resilience also involves securing critical infrastructure and expanding our work in cyber defense, a vital effort given the current geopolitical climate.

Thirdly, I would like to ensure that Europe plays a stronger role in cybersecurity worldwide.

How is Europe currently positioned in terms of cybersecurity, especially in comparison to the global power USA? Where are the advantages and where are the deficits?

Europe's cybersecurity market is dominated by third-party technologies, pri-marily from the US. We estimate that approximately 70 percent of the market is currently covered by non-European providers. This is a problem we need to address by improving our capabilities and raising our profile internationally. While many European suppliers offer excellent solutions, they are often little known. That is why it is crucial to raise awareness of European products and promote a "buy European" attitude, ensuring that European products are given greater consideration in procurement. To support this, ECSO built the pan-European marketplace for cybersecurity products and solutions, The Cyber HIVE.

Current market dynamic also leads to a significant loss of talent and companies. We are losing skilled professionals who move abroad, and our companies are being bought up by non-European, mainly US, players. For instance, in the first half of 2025 alone, an estimated 21.8 percent of the 78 mergers and acquisi-tions of European companies were made by non-EU players.

Additionally, the persistent venture capital investment gap prevents European companies from growing. Only 30 percent of EU seed-stage cybersecurity startups reach Series A funding. While the investment market is generally dom-inated by Series A and B rounds, Europe lacks the larger funding needed to support the growth of its cybersecurity companies. In many cases, European suppliers have very good solutions, but they are little known.

What dependencies are there on providers outside Europe, especially the USA, where most of the major IT companies are based?

The most significant dependency is on a small number of non-European, particularly US-based, cloud service providers. US-Hyperscalers dominate the market, holding a vast majority of the market share. This reliance creates several challenges, including concentration risk and potential vendor lock-in. From the cybersecurity market point of view – hyperscalers dominant position is linked with the platformisation. Tech giants offer a full stack of services—from compute resources and AI to embedded security solutions like SIEM (Security Information and Event Management) and IAM (Identity and Access Management). This integrated approach makes it extremely difficult for European cybersecurity companies, even the most innovative ones, to compete on equal footing.

Europe's dependency is also growing rapidly in the field of AI. The leading foundational models and AI platforms are mainly being developed by major tech companies outside of Europe. Given the increasing and strategic role AI will play in cybersecurity, Europe must urgently build its own capabilities in these critical areas.

Editor's note:
SIEM = Security Information and Event Management
IAM = Identity and Access Management

What can the EU Commission do to promote european independence?

We need a pro-growth cybersecurity industrial strategy to strengthen the European cybersecurity capabilities. As highlighted, this calls for increased investment—both public and private—guided by a long-term strategic vision. It also requires a shift in mindset around technology procurement, a more integrated and coherent internal market, and more consistent and coordinated implementation of existing regulations, such as NIS2. 
To build a strong and independent cybersecurity industry, Europe needs a highly skilled workforce. Without an environment that encourages talent to stay and thrive, skilled professionals will move to regions with better opportunities, higher salaries, and more cutting-edge projects. This talent drain weakens Europe's ability to innovate and compete, making it harder to develop and implement the technologies needed for its own security.