For nearly twenty years, Europe has developed recognized cybersecurity technologies without ever creating true world leaders capable of competing with the American giants. There was no shortage of innovations, nor of companies, but the market remained fragmented, funding dispersed and demand insufficiently homogeneous to allow the creation of platforms of continental scale.
The entry into force of the NIS2 directive could permanently modify this history, because behind its appearance as a regulatory text, it perhaps constitutes the first European industrial policy applied to cybersecurity. By significantly expanding security obligations to tens of thousands of organizations, it creates an internal market large enough to allow the emergence of new champions.
The debate now goes beyond regulatory compliance alone, and concerns Europe’s capacity to build its own digital resilience industry.
Europe excelled in technological building blocks, not in platforms
The contrast with the United States is striking, Europe has leading academic research, world-renowned experts in cryptography, companies specializing in the protection of critical infrastructure, threat intelligence, industrial systems or intrusion testing. It also trains a significant proportion of the best researchers and engineers in the sector. However, the most strategic layers of global cybersecurity remain largely dominated by American groups like Microsoft, CrowdStrike, Palo Alto Networks, Fortinet and SentinelOne.
This domination is not explained solely by the technological quality of their products. It results from a favorable economic environment: a large domestic market, considerable federal budgets devoted to defense and intelligence, abundant venture capital and relatively homogeneous regulation.
Conversely, Europe remained fragmented for a long time, with each country having its own requirements, national authorities, purchasing practices and industrial ecosystems. European publishers often developed cutting-edge technologies, but struggled to reach critical mass. This fragmentation is precisely what NIS2 begins to challenge.
Regulation that creates a market
The scope of NIS2 is often summarized as a tightening of security obligations, that is correct, but insufficient.
The directive significantly expands the number of entities concerned. In addition to the historical operators in critical sectors, there are now numerous companies in transport, energy, health, telecommunications, digital, industry, logistics, communities and even waste management. The suppliers of these organizations are also gradually entering the scope of vigilance.
This extension produces a major economic effect and today concerns thousands of European organizations which still considered cybersecurity as an essentially technical function and which must now implement risk governance, ensure continuous monitoring, have incident detection and response capabilities, document their procedures and directly involve their general management.
Cybersecurity ceases to be a one-time investment and becomes an ongoing obligation. It is this development that is profoundly transforming the structure of the market, and means that cyber spending is no longer solely a matter of discretionary decisions taken by IT departments, but must gradually be included in recurring budgets for compliance, risk management and business continuity.
NIS2’s real customers are not large groups
Large groups already have security operations centers, specialized teams, incident response capabilities and mature governance programs. They will strengthen their systems, but their transformation is well underway.
The real market is in mid-sized companies, communities, healthcare establishments, regional manufacturers, local service operators or critical suppliers.
These organizations will have to meet comparable requirements without having the necessary human resources. The massive recruitment of SOC analysts, incident response specialists or security managers is unrealistic in a context where these profiles remain rare. Their only alternative is to outsource a growing part of these functions to platforms capable of ensuring continuous protection.
The era of platforms succeeds that of tools
For two decades, cybersecurity was built through technological stacking, with companies successively purchasing a firewall, an antivirus, a backup solution, an EDR, a SIEM, an identity management tool or even a detection platform.
This logic is now reaching its limits, and regulatory obligations, the sophistication of attacks and the shortage of skills are leading companies to seek partners capable of supporting a complete resilience function. The objective is no longer to sell additional software but to sustainably operate a critical function.
This explains the success of platforms integrating 24-hour monitoring, incident response, threat intelligence, artificial intelligence automation, regulatory compliance, vulnerability management and sometimes even cyber insurance.
A new generation of European actors
Several European companies with different but converging trajectories are positioning themselves on the chessboard:
The Dutch Eye Security perfectly illustrates this evolution. Its recent fundraising of 60 million euros does not only finance commercial expansion. The company claims to be building a “sovereign European cybersecurity platform”, combining AI-assisted detection, permanently available SOC, incident response, cyber insurance and a “vendor agnostic” approach. Its ambition consists less of commercializing a technology than of becoming a European operator of digital resilience.
In France, ChapsVision follows a different logic but pursues a comparable ambition. Through a succession of acquisitions, the group is building a data intelligence platform integrating cybersecurity, data analysis, intelligence, artificial intelligence and software intended for government sectors, defense and critical infrastructure. Where Eye Security mainly targets companies subject to NIS2, ChapsVision seeks to build a sovereign capacity for processing strategic information.
Other players also occupy interesting positions.
Sekoia.io develops a threat detection and intelligence platform widely used by security operations centers and managed service providers.
HarfangLab is gradually establishing itself as one of the main European alternatives in the field of EDR, with a strong presence among administrations and sensitive operators.
In Germany, Hornetsecurity is gradually transforming its expertise around Microsoft 365 into a complete cloud security, backup and compliance platform intended for European SMEs.
Although these companies do not have the same customers or the same technologies, they share the same evolution: moving from the status of specialized publisher to that of trusted operator.
Sovereignty becomes a competitive advantage
Sovereignty is no longer just a political argument and is gradually becoming a criterion for economic decisions, which is considerably modifying commercial discourse.
Companies no longer only ask about the performance of a solution, they also want to know where their data is hosted, what jurisdiction applies, who operates the security operations center, what dependencies exist on foreign suppliers and under what conditions they will be able to change service provider.
This change is fueled as much by geopolitical tensions as by the multiplication of European regulations, from NIS2 to the Cyber Resilience Act, including DORA and the GDPR. European players are now seeking to transform this regulatory requirement into a commercial advantage.
Artificial Intelligence Accelerates Market Concentration
A dynamic boosted by AI, attackers automate their phishing campaigns, accelerate the search for vulnerabilities and industrialize their operations. In response, cybersecurity platforms use AI to correlate alerts, assist analysts, accelerate investigations, generate reports or automate response procedures.
This development mechanically favors players capable of investing massively in data, infrastructure and research teams.
Platforms with a large customer base will improve their models more quickly, attract more talent and strengthen their detection capabilities. As in other segments of artificial intelligence, scale effects become decisive.
The next challenge will be that of consolidation
The directive alone does not guarantee the emergence of European champions.
Several obstacles remain, the transposition of NIS2 remains largely national, with timetables and interpretations which differ between Member States. European companies continue to access less financing than their American competitors. A critical part of their infrastructure still relies on large US cloud and cybersecurity providers. Finally, the chronic skills shortage continues to limit the sector’s growth capacity.
So many constraints that make a new wave of consolidation likely.
The coming years could see the emergence of a few pan-European platforms capable of aggregating technologies, managed services, artificial intelligence, compliance and assurance, while the most successful specialists will become acquisition targets.