A couple of weeks ago I was at IT-SA, one of the largest IT & Cybersecurity events in Germany and in Europe. When walking around the exhibition floor and talking with both exhibitors and attendees, something that struck me was how much the “Buy European” mindset is taking over.
If you compared IT-SA with, say, RSA Conference in San Francisco, one thing would be clear: for every vendor booth mentioning AI at the latter, you will find one with a big “Made in EU” or “Made in Germany” label at the German one.
Not only that, many presentations on the official agenda covered that topic in one way or another.
After 20 years building one of the largest European cybersecurity vendors in the world, I am personally involved in many activities to promote local cybersecurity vendors and solutions. However, I believe a big part of the current “sovereignty” push is misguided and will not help in the long run.
Take into account that this comes from someone who is part of an initiative to develop a European cybersecurity marketplace. I even presented it at IT-SA myself! 😀
In this article, I am going to explore how I see the overall situation and what I believe should be emphasised or done instead.
There are several initiatives looking into modifying procurement rules and processes to give preference to European solutions. Recently, the European Commission, through its Directorate-General for Digital Services, published a Cloud Sovereignty Framework that defines objectives and Sovereignty Effectiveness Assurance Levels.
Another initiative is EuroStack, which proposes a “Buy European” Regulation of Strategic Digital Procurement framework. This would aim to redirect a significant portion of the current purchases towards European firms and define a “Sovereign European Provider” through a “rigorous, technical test of substantive control and operational autonomy”.
These initiatives are gaining some momentum, and as they do, they expose the many problems of the “Buy European” movement. For instance, news broke a couple of months ago that the European Commission was considering dropping Microsoft Azure and replacing it with the French provider OVHcloud.
Now, my question is: how does that change anything? Yes, OVHcloud (or any “sovereign cloud provider”) is headquartered in a European country, but the majority of the base software they use and provide to their customers is not European. Even a change in Broadcom/VMware license prices affected their financial results last year.
When we review the EuroStack proposed framework, other issues arise. One of its pillars is the use of “open-source” software. As they do point out to some extent, though, the vast majority of the key foundations behind those projects – like the Linux Foundation, Mozilla Foundation or the Apache Software Foundation – are incorporated in the U.S.
The other issue is the proposal’s reliance on a certification-like approach to validate whether a provider is European.
There are enough certifications in Europe at the moment, at regional and local levels, and in my opinion and personal experience, they are actually obstacles for innovative and disruptive new companies. There are too many already!
A young startup doesn’t have the resources to obtain internationally recognized certifications like SOC2 and ISO, plus the local ACN, ANSSI, BSI, LINCE, etc., and on top of that, some regional ones to show they are European enough.
Some will point out that there are already efforts to harmonize the national schemes. However, has anyone noticed how long it takes to get anything like that done? Just look at the state of NIS2 transposition!
While we could point out other issues with some of the “Buy European” initiatives, let’s take a pause, and look towards the East for “inspiration”.
I have been in the cybersecurity industry for some time now, and I have seen the evolution of protectionism in countries like China and Russia. Both countries have had certification schemes in place for more than a decade, with rules that became stricter towards foreign providers year over year.
Their initiatives and certification processes have fared differently, and haven’t necessarily helped them become either fully sovereign or global leaders.
Did you know that in Russia you need to have the source code manually reviewed by government officials in order to obtain certain certifications?
When it comes to cloud, China fares better than Russia, as the primary cloud service providers are local and some of them have regional presence.
Did you know that when China started to push for stricter regulations for foreign cybersecurity companies, Trend Micro sold their local subsidiary to AsiaInfo?
However, despite all their efforts, Microsoft Windows continues to be the primary operating system, and foreign software continues to be a reality at many levels, private and government, and even those Chinese cloud service providers need to offer non-Chinese software to their customers.
Rather than help, in my opinion, those initiatives create isolation and prevent local companies from becoming true global market leaders.
After this diversion through the East, there is another challenge to the “Buy European” movement: who promotes, sells and implements software and cybersecurity products and services.
The vast majority of software and cybersecurity products are sold through third parties – service providers, system integrators, etc – in Europe and elsewhere.
While some of the pan-European providers have some sort of “sovereign portfolio” at the moment, they are actively promoting, selling, integrating and supporting non-European products and services for their European customers.
If you want to have more organizations buying European products and services, you need more of their suppliers offering them European options. Why don’t they?
All those procurement frameworks, certifications and regulations that we talked about before are not the only initiatives around. There are also some looking into increasing visibility and competitiveness.
The CyberHive Europe is a good example, not because I am part of it, but because of the reasons I joined when it was first pitched to me.
The platform aims to become a marketplace showcasing European cybersecurity solutions, and it is built and maintained with input from the community, which includes CISOs, vendors and investors. It’s not putting up neon signs about buying European; it’s giving potential customers a place to find alternatives.
In that same direction, there is a recently launched website called European Alternatives with a similar aim: a directory of regional options for those that want them.
Another good initiative is the Cybersecurity Made in Europe label, a simple and realistic tool for cybersecurity vendors to show where they come from. It doesn’t take a minimum of six months and tens of thousands of euros to obtain it like with many of the certifications I mentioned above, which makes it available for established companies as well as young startups.
Moreover, the European Cyber Security Organisation aims to make “Europe” the equivalent of a seal of cybersecurity excellence, not through forced processes, but through a multitude of initiatives to promote European innovation and technology.
There are other initiatives that are good examples of what Europe needs to close the gap and become a global cybersecurity leader, aiming at removing obstacles and increasing opportunities:
EU-Inc: a proposal to create a new pan-European legal entity, with one central registry, and standardized investment documents, EU-wide stock options and taxes and employment rules.
The European Cybersecurity Investment Platform: set to be a fund-of-funds mechanism with a target size of at least 1 billion euros, as a response to the investment gap in the EU cybersecurity market.
The above are good examples of “Buy European” initiatives that don’t even need to use that tagline to help increase the chances of customers choosing local solutions. They are well in line with the needs outlined by the cybersecurity founders and leaders themselves.
The problem is not where technology is made, but how value is created and delivered to those that use it.
Speaking of customers, in my experience, everything starts with them. Their needs, pains and requirements.
If Europe wants to see the regional technology and cybersecurity industry grow and be adopted, these initiatives need to be laser-focused on what customers actually want, above anything else.
Last year I was in a panel discussion where a CISO said (I am paraphrasing): “If a European and an American solution are equal in terms of benefits, functionality, integrations, implementation time, support, pricing, etc., I would choose European.”
That couldn’t make more sense. We can’t force customers to choose a cybersecurity solution solely or primarily based on origin. Therefore, the focus needs to be on how European companies can solve real customer problems and do it better than anyone else.
The challenge, though, is that many young startups face obstacles to gaining access to them. European cybersecurity professionals are generally more risk-averse than Americans, as Luigi Lenguito wisely said in a recent episode of Scaling Cyber.
There need to be more initiatives that give young startups opportunities to present their solutions to potential buyers, and there needs to be more openness from European companies to give them some of their time.
Advice from end users, or the opportunity to co-build a solution with an experienced CISO or practitioner, has incredible value for startups and scaleups. As long as those end customers do want to see more European alternatives, this is a key initiative to pursue.
The reality is complex and defining what makes a company truly European is a challenge in itself. EuroStack provides a large set of requirements that I doubt many companies can fulfil.
Like theirs, many definitions of what a European company is fall short when confronted with reality.
A company I work with was recently refused admission to an exhibition as a European provider, despite being a supplier to many EU-based defence organizations and despite its owners, leaders, most of its employees and most of its customers being in the EU. Why? Because its main legal entity is incorporated in the US.
Technically, that doesn’t make them “European”, but the reality is that they did that in order to receive investment they couldn’t get in Europe.
Another example: what about the large service providers and system integrators that are legally incorporated within the EU but have the majority of their employees in other countries for cost and legal reasons?
That is not a hypothetical question. It is exactly what the chief executive of a French cybersecurity service provider with tens of thousands of employees asked when their company was about to be excluded from a listing of European service providers. How many American companies are in exactly the same situation, yet are considered US companies anyway?
Sovereign solutions don’t equal high-quality ones. They also aren’t a guarantee of the necessary and expected business outcomes. They might not even stay European forever!
The whole debate around “Buy European” is focused too much on the symptoms. If there is a real desire (and need) for European solutions (however we define them), the goal should not be to force procurement processes and create even more regulation.
I am a proud and active member of organizations like the European Cyber Security Organisation and the European Champions Alliance. I have worked for more than 20 years developing European cybersecurity companies globally, and I truly want to see more European companies succeed.
Success doesn’t mean government contracts, nor regulations that will only address symptoms.
Success means to deliver actual value to end customers, solve their problems, so they want to buy and use the solution.
I always say, jokingly, that revenue solves all problems. If you really want people to “Buy European”, help European companies to build excellent products and services. That is the way forward and nothing else.
Europe doesn’t need to buy European. It needs to build something the world wants to buy.
*** This is a Security Bloggers Network syndicated blog from Cybersecurity & Business authored by Ignacio Sbampato. Read the original post at: https://cybersecandbiz.substack.com/p/why-protectionism-wont-make-europe-a-cybersecurity-leader