Europe’s Cybersecurity Depends on the United States

The Cybersecurity Ecosystem Depends on the United States

American companies and the US government play a central role in the global cybersecu­rity ecosystem. Five aspects are particularly significant.

US companies dominate the market for cybersecurity applications. US-based com­panies dominate the European market for cybersecurity software, which is particularly important for individuals and the private sector. The applications include:

• Antivirus software;

• Firewalls, which block unwanted net­work traffic;

• Endpoint Detection and Response (EDR) services, which monitor endpoints (such as computers or mobile phones); and

• Security Information and Event Manage­ment (SIEM) systems, which consolidate information about incidents across an organization’s network.

European users of these products rely primarily on US suppliers such as Broadcom, Cloudflare, IBM, and Microsoft. While there are also suppliers outside the United States offering such applications, switching would require significant resources.

US companies dominate the market for information about cyber threats. In order to protect their own systems and devices from cyber threats, IT professionals need appropriate software applications and in­formation about vulnerabilities (described below) as well as information about current and potential threats (cyber threat intelligence, or CTI). CTI allows them to assess the current threat landscape and allocate pro­tective measures accordingly.

The market for CTI is also dominated by US companies, including CrowdStrike, IBM, Google (Mandiant), and Recorded Future. Large companies that also offer other cyber­security products – especially those that collect data on incidents, such as EDR and SIEM – can more easily provide CTI. The market therefore favors vertically integrated companies. Although there are CTI pro­viders based outside the United States, they tend to have small market shares or be excluded for political reasons, as in the case of the Russian company Kaspersky.

Without CTI from leading US companies, European IT professionals would lose access to information about particularly advanced threat actors. This would leave them with­out the data required to allocate their cyber­security resources.

US armed forces gather intelligence on cyber threats. The US military also gener­ates CTI. Specifically, US Cyber Command conducts so-called “hunt forward” operations, in which members of the US military are invited to search for threats in the net­works of partner countries.

European countries benefit from this intel­ligence in various ways. First, Cyber Com­mand may take direct action against adversarial infrastructure and US suppliers of cybersecurity applications improve their products on the basis of the gathered infor­mation. Second, previous “hunt forward” operations have focused on Europe, espe­cially the Baltic states and Southeast Europe, thus directly providing European countries with valuable CTI. Third, the US military has shared information obtained through its operations with European allies and published some of it. Such intelligence is presumably a valuable source of informa­tion for European defense.

The US government funds vulnerability databases. Due to the sheer number of soft­ware products and their vulnerabilities, it is important that the same problem is not recorded multiple times and that all parties involved in fixing vulnerabilities can easily communicate with each other. This requires a global system for identifying and naming vulnerabilities. The Common Vulnerabilities and Exposures (CVE) database serves this purpose.

This database is operated by the US non-profit organization MITRE, which in turn is funded by the Cybersecurity and Infrastructure Security Agency (CISA), the US cyber­security authority within the Department of Homeland Security. When a vulnerability is discovered, an affiliated entity checks whether it was already known. If it was not, it is assigned a CVE number. Once the ven­dor has developed a software update or other mitigation measures, they publish a secu­rity advisory referring to the CVE number.

The US National Institute of Standards and Technology (NIST), the standardization authority within the Department of Com­merce, operates the National Vulnerability Database (NVD). This database is based on the CVE numbers, which it enriches with additional information, such as the criti­cality and root causes of the respective vul­nerability. Many cybersecurity applications automatically distribute machine-readable NVD data to end users.

Loss of the CVE database would presumably slow the global process of closing soft­ware vulnerabilities. Threat actors could take advantage of such delays to carry out more cyberattacks and automated tools would be less reliable and produce errors. Similarly, without NVD data, certain cyber­security applications would cease to func­tion and cybersecurity teams would lose access to many automated workflows.

The US government supports the security of open source software. Open source soft­ware (OSS) is the foundation of the modern software ecosystem. Almost all software ap­plications contain OSS components. If a soft­ware product uses a component that has a vulnerability, this is highly likely to become a problem for the product’s end users, too. Thus, the security of critical OSS components is crucial for the security of many (open or proprietary) software applications.

Some of these widely used components are maintained by just one person in their spare time, and their resources for IT secu­rity are limited. The US government is work­ing to fill this capability gap by pro­viding financial support for securing impor­tant OSS projects. Funding comes from the interdepartmental Open Source Software Security Initiative (OS3I), CISA, the National Science Foundation (NSF, which supports foundational research), and the military research agency DARPA. Washington is thus contributing significantly to securing important OSS components.

Cybersecurity Dependencies as a Problem for Europe: Three Scenarios

Critical parts of the global cybersecurity eco­system – Europe included – are dependent on the United States. Given the current difficulties in the transatlantic relationship, these dependencies – which are intrinsic to a globalized world – could nevertheless become a problem for Europe. The most relevant risks are laid out in the following three scenarios. None of these sce­narios has been realized yet, but Washing­ton has already taken decisions that pave the way for the first two.

Scenario 1: Washington ceases financial support for cybersecurity projects. One likely scenario is that the US government might reduce or end its support for cyber­security projects. The Trump administration is committed to reviewing and cutting gov­ernment spending, specifically through the newly created Department of Government Efficiency (DOGE). CISA and the State Depart­ment’s cybersecurity units have already experienced significant cuts.

Without US government support, numer­ous OSS projects would lack the funds to secure their products and components. This would also indirectly impact all proprietary software products using the affected OSS components. The Trump administration took a first step in this direction in March 2025 when it withdrew funding from the Open Technology Fund (OTF). The OTF sup­ports OSS projects for secure communication and internet freedom, such as the en­crypted messenger app Signal. The fund took legal action against the cut and won its case, but it is still unclear whether the government has resumed payments.

Something similar happened with the CVE database. In April, MITRE announced that Washington would be discontinuing its financial support for the vulnerability database, which would therefore cease op­er­ating. Probably in response to the collec­tive outcry among the global cybersecurity community, the Trump administration back­tracked the following day and announced that funding would continue – but only for eleven months and on a limited basis.

In both cases, the cybersecurity ecosystem narrowly dodged a bullet. If the US gov­ernment were to cut its financial support for cybersecurity altogether, the effects would be felt worldwide – including in Europe. Such cuts would erode the security of OSS projects and tremendously complicate the processes for finding, reporting, and closing vulnerabilities.

Scenario 2: The US government changes its political priorities. It is also conceivable that the political leadership in Washington could change its political priorities, for exam­ple by focusing even more strongly on its rivalry with China. This could lead Washington to turn its back on Europe and, at the same time, to disregard Russian cyber threats.

In that event, Cyber Command’s “hunt forward” operations could shift from Europe to countries in China’s sphere of influence. That would mean Europe receiv­ing less information about Russian cyber activities. Commercial CTI could follow suit, as US government agencies are impor­tant customers for many vendors. If the latter no longer request information about Russian cyber activities, the supply will decline – much to the chagrin of European states, which will likely continue to face threat actors with links to Russian organized crime and the Russian government.

In March 2025, reports that such a sce­nario might be approaching caused a stir. US Secretary of War Pete Hegseth had reportedly instructed Cyber Command to suspend planning for cyber operations against Russia. In addition, CISA had appar­ently told its staff to stop pursuing infor­mation about Russian cyber threats. While subsequent denials by both organizations cast doubt on the accuracy of these reports, the ensuing discussions illustrate how easily Washington could shift its political priorities and how far-reaching the effects would be.

Scenario 3: The US government weapon­izes Europe’s dependencies. In the third scenario, Washington deliberately uses Europe’s dependencies as a weapon, for ex­ample to obtain concessions in other policy fields such as security and defense policy, or in the context of a fundamental deterio­ration in transatlantic relations. This sce­nario is less likely than the first two, but still conceivable in light of recent disputes.

In such a case, in addition to the points mentioned in scenario 2, Washington could leverage the market dominance of US cyber­security companies. For example, they could impose export restrictions to deny Europe access to relevant products. In the past, for example, Washington has severely restricted the export of encryption software, and in October President Trump announced con­trols on the export of “critical software” to China. If the same was applied to Europe, users there would have to look for new sup­pliers at short notice and would remain temporarily unprotected.

What Action Should German and European Policymakers Take?

European policymakers should not treat the aforementioned dependencies as immu­table. Instead, they can and should resolve many of them in order to be prepared for the scenarios outlined above. And even if these scenarios fail to materialize, assuming greater responsibility for the global cyber­security ecosystem would make European governments, businesses, and societies more secure. Three steps are crucial to achieving this.

Further Challenges

Europe has the potential to free itself from the dependencies mentioned above. More problematic is the fact that US companies dominate the market for cybersecurity appli­cations. Although smaller European players do exist in this field, their American rivals are likely to retain their dominant position due to network effects. This mar­ket constellation could become a problem for Europe if Washington’s political prior­ities changed or the US government chose to weaponize the dependency. In the long run, creating an environment conducive to the emergence of more European CTI com­panies will require policymakers to priori­tize promotion of OSS and support for a European tech ecosystem.

At the same time, however, Europe’s dependency on cybersecurity vendors could also be a source of leverage. To this end, European decision-makers should evaluate whether some of the dependencies are mutual – for example, large CTI providers rely heavily on their customers’ data on global cyber threats. In the event of a con­flict, Europe would therefore have addi­tional instruments at its disposal, such as market access restrictions.

Germany and Europe also face other challenges. First, their strong dependence on US companies is also problematic when the companies in question leave the market (for example, because they go bankrupt). European decision-makers and users should also consider this possibility.

Second, even though the current depend­ency debate focuses on the United States, Europe remains heavily reliant on China – for example in the area of rare earths for semiconductor production – which is even more problematic. Thirdly, this raises the question of who Europe would turn to if it were to turn away from the US and in the absence of a “EuroStack”. If software sup­pliers from China and Russia are not an option, the main options outside Europe vendors are based in Israel, Canada, Aus­tralia, and other Asian states.

Experience shows that reducing such de­pendencies requires political will, resources, and time. And even when these are in place, success is far from guaranteed, as the case of Chinese network infrastructure tech­nology shows. Political decision-makers in Berlin and Brussels should therefore act now to guarantee their future security.