In July 2024, the NIS2 Directive's transposition deadline had passed, and member states were at varying stages of implementation. DORA — the Digital Operational Resilience Act for financial services — was in its implementation period ahead of its January 2025 application date. The European Cybersecurity Act had established ENISA as a permanent agency and created a framework for cybersecurity certification schemes. Regulation was catching up with the threat landscape. But there is a category of concern that regulation cannot directly address: the structural dependency of European enterprises and public institutions on security tooling built and operated by non-European companies, with data processed in non-European jurisdictions, under legal frameworks that do not provide the same protections as the GDPR and related EU data-processing rules.
The sovereignty concern in cybersecurity is not primarily about nationalism or industrial policy, though those considerations exist. It is about trust architecture. When a European critical infrastructure operator deploys a security operations platform that sends telemetry to a US-based cloud infrastructure, the trust chain for that telemetry runs through US legal jurisdiction — including potential CLOUD Act obligations that could require data disclosure to US law enforcement without the notification requirements European law would demand. When the security tooling underpinning a European financial institution's threat detection is operated by a company subject to a foreign government's compelled access regime, the security of the detection capability itself depends on an assumption about the political relationship between jurisdictions that may not hold indefinitely. We are not asserting that these risks are currently materialising at scale. We are saying that infrastructure as critical as security operations deserves the same sovereignty analysis that has been applied to cloud infrastructure, telecommunications, and semiconductor supply chains.
The practical case for a European security stack is also competitive: European regulatory requirements create product requirements that are easiest to meet by companies that treat those requirements as design inputs rather than compliance overhead. NIS2's incident reporting requirements — significant incidents must be notified to the competent authority within 24 hours of awareness, with a more detailed notification within 72 hours, and a comprehensive report within one month — create specific product requirements for security platforms around incident taxonomy, severity classification, and evidence preservation. DORA's ICT risk management framework requirements for financial entities likewise translate into specific audit-trail and third-party risk management features. Companies that build these features because they are core to their product architecture, rather than adding them as a compliance module after the fact, will be better positioned to serve European regulated industries.
Our portfolio reflects this thesis with some precision. EclecticIQ is Amsterdam-based. Hadrian and Detectify are Dutch. Zivver, Eye Security — the pattern is deliberate: we look for technical depth first, but European operational context and regulatory design literacy are genuine evaluation factors when we choose between otherwise comparable companies. This is not a constraint on our investment universe — we will back a non-European company if the technology is differentiated enough and the European go-to-market case is clear. But our base expectation is that the companies best positioned to win in the European enterprise security market will be those that understand the European threat landscape and regulatory environment from the inside.
The sovereign security stack thesis also has a technical dimension that extends beyond regulatory compliance: post-quantum cryptography migration. ETSI and NIST's post-quantum cryptography standardisation processes (NIST finalised its first set of PQC standards in 2024) are producing migration requirements that will be mandated for European government systems and, likely, for critical infrastructure operators under NIS2 enforcement guidance. The migration from RSA and ECC to CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures requires not just library updates but re-evaluation of every protocol implementation in an organisation's stack. European companies building security infrastructure with post-quantum migration as a near-term product requirement — rather than a future consideration — will have a genuine differentiation advantage as this mandate propagates through regulated sectors.