.png){kind=logo}
Sep 2025
This article was originally published in Decoding, our monthly briefing on the latest trends in government technology. Sign up here to receive future editions directly in your inbox.
.png){kind=logo}
As governments across Europe double down on digital transformation, cybersecurity is moving from the basement to the boardroom. In this month’s Decoding, we explore why protecting digital infrastructure is a democratic and geopolitical imperative and not just a technical task.
Denmark ranks amongst the world’s most digitised nations, and high levels of societal trust have historically underpinned its digital transformation. While this enables smoother data sharing and cross-sector partnerships, it also makes cybersecurity a vital necessity.
Europe’s reliance on foreign platforms and use of big tech threatens stability and resilience. In our previous issue, we explored the digital sovereignty agenda. In this issue, we decode the approach to cybersecurity and how, in a time of geopolitical uncertainty, it has expanded beyond technical security to become a question of societal stability.
In this edition, you’ll learn:
Cybersecurity is no longer just a technical concern — it’s a question of Europe’s ability to function in the face of disruption. The prospect of a US “kill switch” on cloud services has brought a stark truth into focus: much of Europe’s critical infrastructure still depends heavily on US tech providers.
Three US companies — Microsoft, Google, and Amazon — together control approximately 72% of the European cloud infrastructure market. Local European cloud providers account for just 15% of the market, down from 29% in 2017. This concentration underscores the challenge for European companies: the U.S. hyperscalers benefit from massive, ongoing investments, estimated at around €10 billion per quarter, making it difficult for local players to catch up.
But the concentration also raises not only sovereignty concerns but also tangible cybersecurity risks. If services were interrupted, intentionally or not, hospitals, public authorities, and businesses across the continent could be immediately affected.
Those risks came into sharp focus in May, when the chief prosecutor at the International Criminal Court lost access to his Microsoft Outlook account after being sanctioned by the White House. While Microsoft stressed it never cut services directly, the episode highlighted just how easily essential systems can be disrupted by forces outside Europe’s control.
Across Europe, discussions are increasingly focused on interoperability standards, procurement rules, and shared frameworks to strengthen supply-chain security. The aim is not to isolate Europe, but to ensure that no single point of failure can compromise the continent’s digital backbone.
In an era where cyber threats are both geopolitical and technical, the EU's cybersecurity strategy focuses on resilience, technological sovereignty, and ensuring that essential digital services remain secure and under European control.
We asked Henna Virkkunen, Executive Vice-President of the European Commission, to share her insights on EU’s approach to digital sovereignty and strategic resilience.
“Achieving technological sovereignty is a must to preserve our competitiveness but also ensure our security and protect our democracy and values,” she stresses.
Virkkunen sees digital sovereignty not as isolation but as confidence built on trust in safe, secure, and values-driven technology. From AI and quantum “gigafactories” to European Digital Identity Wallets and the AI Act, her vision is about strengthening innovation, resilience, and democracy without copying Silicon Valley.
→ Dive into the full article to see how Europe plans to pull it off here.
In a digital economy, where trust is the most valuable asset, the EU Cybersecurity Act has emerged as a cornerstone of Europe’s defence against rising cyber threats. The regulation, first adopted in 2019, not only strengthened the EU Agency for Cybersecurity (ENISA) but also laid the groundwork for a European-wide certification framework for ICT products, services, and processes.
ENISA has a permanent mandate, expanded resources, and a key role in supporting Member States during cyber incidents while coordinating EU-level responses to large-scale cross-border attacks.
As the secretariat of the EU’s CSIRTs Network, ENISA acts as a bridge between national authorities, ensuring that Europe can react faster and more cohesively when crises hit.
Equally important is the certification framework. Instead of navigating a patchwork of national standards, companies can certify their ICT products or services once and see that recognition is extended across all EU Member States. This reduces costs, strengthens trust, and raises the bar for cybersecurity across the single market.
In January 2025, the EU adopted an amendment that enables certification for managed security services, ranging from penetration testing to incident response. These services are critical for helping organisations detect, respond to, and recover from cyber incidents. A public consultation launched in April 2025 signals the EU’s intention to refine the Act further, keeping pace with evolving risks.
The message is clear: cybersecurity in Europe is not just about defence. It’s about building resilience, trust, and a truly secure digital economy.
→ Read more here.
NIS 2 is the EU’s new cybersecurity directive. It replaces the first NIS Directive and sets higher, more uniform standards to protect essential services and critical sectors from cyber threats.
In Denmark, NIS 2 took effect on 1 July 2025. Entities that fall under the rules must register by 1 October 2025, with sector-specific authorities providing guidance and oversight.
Key changes compared to NIS 1:
Coverage is determined by sector, company size, and strategic importance. A first assessment on whether a company is covered can be done here.
→ Read more about NIS 2 here and here.
Denmark’s strength lies in combining high societal trust with close collaboration between public authorities, academia, and industry — a “triple helix” model that treats cybersecurity as a shared responsibility.
Security Tech Space (STS), a national centre in Aarhus, brings together over 80 partners, including companies, universities, local government, and the military. STS functions as a knowledge and innovation platform aimed at enhancing Denmark’s defence against cyber threats, not only for large entities but also for SMEs, which are often more vulnerable.
Aarhus already boasts a thriving IT security environment, led by Aarhus University and the Alexandra Institute. The region is renowned for its cooperative culture, making it a natural hub for national initiatives like STS that aim to build a cohesive cybersecurity ecosystem.
Denmark’s high level of societal trust – between citizens, institutions and businesses – has historically underpinned its digital transformation. This trust enables smoother data sharing, cross-sector partnerships, and helps foster a reputation for responsible digital practices.
One notable example is D-seal – the world’s first national labelling scheme for IT security and responsible data use. The scheme highlights which companies take cybersecurity and digital responsibility seriously, allowing customers and partners to make informed decisions. It aims to position digital accountability as a competitive differentiator, reinforcing Denmark’s international reputation for ethical digital services.
Business organisations are also pushing for a shift in mindset: cybersecurity should be viewed as a leadership issue, not just an IT function. Executives are encouraged to adopt security-by-design and privacy-by-default principles as core to product and service development.
→ Read more here.
When we talk about digital resilience, supply chains are often the hidden battleground. Large corporations usually take centre stage in discussions of cyber risk. But the reality is different. SMEs are equally vital players in Europe’s value chains. And increasingly, they are just as vulnerable.
Customers, regulators, and larger partners now expect SMEs to meet high security standards. At the same time, these firms are facing rising costs from cybercrime, making resilience not just a compliance issue but a business imperative. Yet for many SMEs, knowing where to start and how to keep pace remains a challenge.
That is where the Danish Industry Foundation’s project Cybersecurity in Supply Chains comes in. At its core is a qualitative study of 25 SMEs across Denmark, mapping how companies manage cyber risk in practice: who owns responsibility, what works, and where the gaps lie. These businesses also serve as testbeds for practical tools, guidelines, and best practices, ensuring that solutions are grounded in reality rather than theory.
The project doesn’t stop at research. Four workshops convene experts, corporates, and SMEs to exchange experiences and co-design approaches. Standards, certification schemes, and rating models are also examined for their role in strengthening trust across supply chains.
The ambition is clear: no weak links. By equipping SMEs with actionable tools and embedding resilience throughout the chain, Denmark aims to set a model for cyber-secure value chains—where security is not an afterthought, but a shared responsibility.
→ Read more here.
🇪🇺 EU: Cybersecurity Reserve launched to support member states
The European Commission and ENISA signed an agreement to operate the EU Cybersecurity Reserve, backed by €36M from the Digital Europe Programme. The reserve will provide incident response services for large-scale cyberattacks affecting EU states, institutions, and critical sectors like health and energy. ENISA will manage funding and service procurement over three years under the Cyber Solidarity Act.
🇩🇪 Germany: Consultation closes on AI data protection rules
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has closed the consultation on the data protection-compliant handling of personal data in AI models, focusing on large language models (LLMs). The consultation sought input on handling data subject rights and other relevant aspects of data protection in AI. The results will be published in a consultation report on the BfDI website.
🇸🇪 Sweden: New AI supercomputer aims to boost Swedish industry
Swedish industry leaders, including AstraZeneca, Ericsson, Saab, SEB, and Wallenberg Investments, have launched Sferical AI, a company operating a sovereign AI supercomputer in Linköping. The system, based on 1,152 NVIDIA GPUs, will provide high-performance computing for AI applications across Swedish industry. An associated NVIDIA AI Technology Centre will support skills development and tailored AI solutions.
🇬🇧 UK: Government passes sweeping data governance reform
The UK has passed a broad bill updating data governance, covering privacy, biometric data, electronic signatures, and health and social care information. Critics warn that without protections for UK creative content, the creative sector risks exploitation by largely US-based AI developers.
🇺🇦 Ukraine: Diia app expanded to EU electronic signature standards
Ukraine has expanded its Diia app to support all major EU electronic signature formats, enabling seamless cross-border use without extra configuration. The move, backed by EU projects DT4UA and EU4DigitalUA, marks another step in harmonising Ukraine’s digital infrastructure with European standards and strengthening digital integration with the EU
🇨🇱 Chile: Latam-GPT aims to create an open-source regional AI model
Latam-GPT is a new LLM being developed in and for Latin America. The project, led by the nonprofit Chilean National Center for Artificial Intelligence (CENIA), aims to help the region achieve technological independence by developing an open-source AI model trained on Latin American languages and contexts.
For questions, comments, or suggestions about this article, please get in touch with Emilia.
Enjoyed this edition of Decoding? Subscribe here to receive future insights on digital public services directly in your inbox.
.png){kind=logo}
