At this year’s RSA Conference in San Francisco, the Center organized meetings with 19 governments and hosted 30 governments in total across our program of meetings, roundtables and tabletop exercises. This engagement is critical to our mission, offering the opportunity to exchange ideas and best practices directly with policymakers from across the globe. This blog series distills some of the key things that we learned from those engagements, starting with Europe.

In 2025, European policymakers have become increasingly concerned about the extent of their dependence on foreign technology providers for certain critical capabilities. In public discussions, this has chiefly centered around Europe’s dependence on U.S. companies for cloud services and satellite communications, and Chinese companies for terrestrial telecommunications infrastructure. 

This, in turn, has led to a realization among key officials in Brussels and Member State capitals that their hyper-regulatory approach - chiefly designed to exert control over foreign technology providers - had an unintended side effect: stifling the emergence of globally-competitive European technology providers. This, in turn, has perpetuated their dependence on foreign companies. 

While the whirlwind of statements and policy proposals gives the impression of a European drive towards autarky, or economic self-sufficiency, the reality is more nuanced. Policymakers largely remain committed to the concept of free trade, and leveraging the best available technology. Not doing so may undermine European competitiveness and introduce new security risks at a time when Europe is grappling with a war on its Eastern border. 

Rather, the goal is to:

• Better understand their technological dependencies;
• Explore any associated political risks;
• Catalyze a robust marketplace of vendors; and
• Where necessary, promote interoperability across vendors. 

In doing so, they hope to ensure that no dependency is so acute as to make them powerless to address a security risk.

One way they’re seeking to address this is by making the European market more amenable to fostering innovative companies. As a starting point, the Commission has launched a regulatory simplification initiative as part of the ongoing Cyber Security Act public consultation, something which has strong support in most Member State capitals. 

Following an intensive five-years of tech policymaking in which RED, DORA, CRA, NIS2, DSA, DMA, AI Act, and voluntary schemes such as EUCC all layered up to create a complex regulatory patchwork, significant deconfliction is required. Both the Coalition to Reduce Cyber Risk (CR2) and Cybersecurity Coalition intended to submit recommendations for how this can be achieved while maintaining a high level of cybersecurity.

Furthermore, European member states are beginning to explore opportunities for regulatory cooperation with international counterparts, something which CR2 has worked on extensively with governments around the world. 

As an importer of technology services, Europe had long viewed regulation as a way to condition foreign providers while imposing limited costs on domestic companies. For emerging European technology providers to become globally competitive, however, they cannot afford the cumulative economic and security costs of rearchitecting their products and services to meet divergent requirements in each market they enter. 

The harmonization of international cybersecurity requirements with international partners, mutual recognition of connected device security labels, and mutual recognition of conformance testing are thus key tools for enhancing European competitiveness. The good news is that European policymakers are beginning to proactively explore these opportunities. It must and can be achieved, however, while maintaining a rigorous level of cybersecurity. 

Finally, the importance of strong public-private engagement was a frequent theme of our conversations. The vast majority of critical infrastructure and the cybersecurity capabilities that secure it are privately owned and operated. A shared responsibility for ensuring its resilience in the face of rising cybersecurity threats remains the cornerstone of the Center’s activities and those of our members.

To that end, we extend our thanks to the many European government officials that took time out of their busy schedules to engage with us during RSA Conference 2025.