What does the word “security” mean to you? This simple, seven letter word can be broadly interpreted to embrace a wide variety of aspects including security at home, in communities, within businesses and, of course, within the borders of a country. It can refer to hardware, software and concepts beyond either of those. More than ever, the definition and relevance of the word “security” are expanding.
Security goods and services are bought for a range of purposes, from law enforcement agencies needing tools to analyse crime scenes to first responders using secure communications to provide relief in disaster areas. Organisations managing critical infrastructure require cybersecurity to ensure the continuity of essential services for individuals and industries, while citizens buy tools and education to protect themselves from fraud and misinformation.
However, despite such high demand, and the common need to keep citizens safe across the countries of the EU-27, there is presently no real Single Market for security in the European Union. While in the last 14 years the EU has funded over 700 research projects, to the tune of more than €3 billion, most security purchases ultimately have little or no connection to outcomes of this research, with decisions being taken from a national perspective, rather than a European one.
A big problem with too many small solutions
The fragmentation of Europe’s security market reflects the fact that security is a politically sensitive sphere and remains one of the sovereign prerogatives of each Member State. However, this state of affairs has in some cases led to national authorities buying cheaper off-the-shelf security products from outside Europe, such as security cameras or artificial intelligence (AI) algorithms. At a time of increased geopolitical uncertainty, this is curiously at odds with the interests of the EU-27 as a bloc. By putting cost considerations first, individual nation states are not only eroding ongoing efforts by European institutions to mitigate external cyber threats, but are also undermining the potential for interoperability and growth of EU-made security systems.
This fragmentation, in both public and private sectors, hampers the development of a truly European single market for security solutions that would otherwise have potential for significant scale and volume. It also hinders long-term capability planning that could lead to the research and development of common products and solutions and more strategic autonomy in the critical security sector.
Mending the security patchwork: what role for the EU?
To begin mending this fragmented market, a first step could be to address the issues recognised in two recent EU Directives, the Resilience of Critical Entities (RCE) Directive, aimed at strengthening the resilience of entities providing essential services, and the Network Information Systems (NIS2) Directive, aimed at setting high common cybersecurity standards. Both Directives note that the EU was taking “inconsistent” actions and that Member States measures “diverge from one another”. This divergence can be clearly seen in the context of cybersecurity: in 2020 the European Commission estimated that greater harmonisation in the prevention of and response to cyber-incidents could save the EU’s public and private actors some €11 billion over 10 years.
In response, the cybersecurity domain is being addressed through a number of EU regulatory initiatives and concrete industrial programmes. Extending the same vigorous approach to the security sector as a whole would bring enormous benefits. In this wider sphere, the same issues the Commission had clearly identified years ago still persist, namely a ‘high degree of segmentation’ afflicting ‘both the supply side (splintered across many industrial sub-sectors) and the demand side (huge diversity of end-user authorities, from local to European level)’ . This is why, as a second step, the EU could establish shared cooperation platforms to facilitate dialogue between EU institutions, industry and end-users.
A case study of such an approach bearing fruit is the Broadmap Platform, which studied the evolution of secure communications for public safety and disaster relief towards 5G. This helped bring down the mandatory common requirements of such networks across 16 Member States from 1500 to around 150, a lean number for such a complex domain. The platform also identified 20 top-level requirements for European interoperability in secure communications.
The Broadmap example shows that EU has the opportunity and the means to consolidate its patchwork of security systems. After all, in an increasingly volatile world, EU countries have shared security interests. At a time when threats to security are intensifying, when “open strategic autonomy” is the EU’s stated trade strategy and competitiveness is a must – now is the moment to collaborate to build a EU single market for security.