Tariffs Aftershock: A Tough Awakening for the European Cybersecurity Industry

On the night of 2 to 3 April 2025, the US President unleashed a trade war with MAGA overtones that rudely awakened many decision-makers, including political representatives met by PAC analysts.

For decades, round tables and debates have rigorously tackled the critical question of how to establish a robust, independent, and sovereign European cybersecurity industry. How to ensure absolute protection for personal data, secure the confidentiality of corporate and administrative secrets, and fortify European digital activities against extraterritorial laws whether from the West or the East and intrusive legal proceedings. The answer was often, when not always: It is imperative that we take decisive action to build this essential framework for our digital future.

End of Round Table 1, now coffee break in the main lobby…

In light of the recent tariff announcements, numerous demand-side and end-user groups, alongside offer-side and industry groups, are raising urgent alarms: the European economy’s overreliance on digital technologies from the USA poses a significant threat. Should customs retaliation against major players like GAFAM occur, it would result in a catastrophic tariff disaster with far-reaching consequences.

Moreover, sovereign European alternatives, or at least more independent options, are woefully unprepared to compete in terms of functionality, robustness, global scale, and especially pricing. Currently, SAP stands as the only European tech giant, and there are no credible alternatives to giants like Microsoft, Google, or Apple.

This lack of competition is even more alarming in the realm of cybersecurity. The long-term viability and digital resilience of many European information systems, including sovereign, state, and security systems, are inextricably linked to American or US-based providers. Some of these companies’ CEOs were present at the inauguration of the new American president, underscoring this dire dependence.

The alternative to these American technologies is simply not ready, and the European cybersecurity industry is far from prepared to compete with US tech giants on functionality, market scale, and pricing. Tough awakening

On the cybersecurity market, a European association, European Champion Alliance, has organised a mapping of 100% European cybersecurity offerings, a work of depth and precision which reveals that the completeness of the cyber offering is within reach but that it is not (yet) coordinated and cannot replace other fully integrated cybersecurity offerings on a global scale and available 24/7/365.

A major country that taxes everything and risks unleashing a deadly response, that’s the 1st jolt. The second is the realisation that the alternative is not ready and that we will have to live for many years under this technical and political dependence, with or without desire.

The Europe of cybersecurity is not ready and is proving incapable of responding to the alternative challenge. Even less so in the face of the global technological threat posed by organised and structured criminal groups.

Does that mean she’s dead? Certainly not.

The mapping of the ECA’s offerings shows that the building blocks for solutions do exist, often at a multi-regional level. What is lacking is the impetus to bring together the different parts of the jigsaw, a fragmentation that is often maintained by states that are a little conservative in cyber matters and unwilling to ‘let go’ of their technologies in the name of their sovereignty, sometimes military sovereignty. Certes….

The impetus is not necessarily political, even if a VDL Plan (Van Der Layen), at least equivalent to the one launched for AI by EU, would not go amiss to fuel the consolidation project and the move to global scale.

The impetus could also come from the major public and private digital contractors, who spend several billion euros every year on cybersecurity solutions from the United States and would be well advised to start contributing to the consolidation of a European cybersecurity industry. At least in the name of their own independence and economic sovereignty.  A Cybersecurity Airbus-like financed by its customers is a plausible and well-controlled approach.

Politicians know how to provide a framework, sometimes finance, and often regulate appropriately. The project for a technical standard of trust for the Cloud EUCS is (still) on the drawing board. Under the pressure of current events, it will be brought up to date again. Debates on the High + level, inspired by the French SecNumCloud standard, have calmed down, and ENISA, which holds the pencil, is counting on a real rallying to a higher level of watertightness.

Rome wasn’t built in a day, but it burned in 6. It’s a bold comparison, but the situation is urgent.