Opinion & Analysis

Europe’s cybersecurity depends on the United States

The cybersecurity of governments, companies, and individuals in Europe is heavily dependent on the United States. Specifically, US companies dominate the global markets for cybersecurity applications and information on cyber threats. The US military also plays a role in data-gathering. In addition, Washington provides financial support for vulnerability databases and the open source ecosystem. Taken together, these seemingly isolated technical issues mean that Europe’s ability to act in the field of cybersecurity is limited. This would even remain the case if Europe built its own “EuroStack.” These dependencies can become a problem for Europe in various situations – if the US government ends its financial support for cybersecurity, if it changes its political priorities, or if it openly weaponizes these dependencies in a conflict with Europe. German and European decision-makers should act now to reduce these dependencies and protect Europe’s cybersecurity in the long term.

Cybersecurity Dependencies as a Problem for Europe: Three Scenarios

Critical parts of the global cybersecurity ecosystem – Europe included – are dependent on the United States. Given the current difficulties in the transatlantic relationship, these dependencies – which are intrinsic to a globalized world – could nevertheless become a problem for Europe. The most relevant risks are laid out in the following three scenarios. None of these scenarios has been realized yet, but Washington has already taken decisions that pave the way for the first two.

Scenario 1: Washington ceases financial support for cybersecurity projects. One likely scenario is that the US government might reduce or end its support for cybersecurity projects. The Trump administration is committed to reviewing and cutting government spending, specifically through the newly created Department of Government Efficiency (DOGE). CISA and the State Department’s cybersecurity units have already experienced significant cuts.

Without US government support, numerous OSS projects would lack the funds to secure their products and components. This would also indirectly impact all proprietary software products using the affected OSS components. The Trump administration took a first step in this direction in March 2025 when it withdrew funding from the Open Technology Fund (OTF). The OTF supports OSS projects for secure communication and internet freedom, such as the encrypted messenger app Signal. The fund took legal action against the cut and won its case, but it is still unclear whether the government has resumed payments.

Something similar happened with the CVE database. In April, MITRE announced that Washington would be discontinuing its financial support for the vulnerability database, which would therefore cease operating. Probably in response to the collective outcry among the global cybersecurity community, the Trump administration backtracked the following day and announced that funding would continue – but only for eleven months and on a limited basis.

In both cases, the cybersecurity ecosystem narrowly dodged a bullet. If the US government were to cut its financial support for cybersecurity altogether, the effects would be felt worldwide – including in Europe. Such cuts would erode the security of OSS projects and tremendously complicate the processes for finding, reporting, and closing vulnerabilities.

Scenario 2: The US government changes its political priorities. It is also conceivable that the political leadership in Washington could change its political priorities, for example by focusing even more strongly on its rivalry with China. This could lead Washington to turn its back on Europe and, at the same time, to disregard Russian cyber threats.

In that event, Cyber Command’s “hunt forward” operations could shift from Europe to countries in China’s sphere of influence. That would mean Europe receiving less information about Russian cyber activities. Commercial CTI could follow suit, as US government agencies are important customers for many vendors. If the latter no longer request information about Russian cyber activities, the supply will decline – much to the chagrin of European states, which will likely continue to face threat actors with links to Russian organized crime and the Russian government.

In March 2025, reports that such a scenario might be approaching caused a stir. US Secretary of War Pete Hegseth had reportedly instructed Cyber Command to suspend planning for cyber operations against Russia. In addition, CISA had apparently told its staff to stop pursuing information about Russian cyber threats. While subsequent denials by both organizations cast doubt on the accuracy of these reports, the ensuing discussions illustrate how easily Washington could shift its political priorities and how far-reaching the effects would be.

Scenario 3: The US government weaponizes Europe’s dependencies. In the third scenario, Washington deliberately uses Europe’s dependencies as a weapon, for example to obtain concessions in other policy fields such as security and defense policy, or in the context of a fundamental deterioration in transatlantic relations. This scenario is less likely than the first two, but still conceivable in light of recent disputes.

In such a case, in addition to the points mentioned in scenario 2, Washington could leverage the market dominance of US cybersecurity companies. For example, it could impose export restrictions to deny Europe access to relevant products. In the past, Washington has severely restricted the export of encryption software, and in October President Trump announced controls on the export of “critical software” to China. If the same were applied to Europe, users there would have to look for new suppliers at short notice and would remain temporarily unprotected.

Possible Effects

Any delay in closing vulnerabilities, reduction in OSS security, or loss of access to cybersecurity applications and information about the main threat actor would have significant consequences for Europe. Under such circumstances, cyber attacks would be much easier to carry out – whether by criminals or by adversarial state entities (intelligence services and militaries).

Even in the absence of such developments, the cybersecurity situation in Germany has been tense for years and security incidents are on the rise. This affects both private individuals and large and small companies, including critical infrastructure providers, such as airports. Furthermore, public administration and the Bundeswehr are regularly targeted. For example, ransomware incidents have paralyzed German municipalities for months, and cyber attacks on administrative bodies are increasing across Europe. Moreover, cyber operations for espionage purposes have targeted a university and suppliers of the German armed forces.

To protect organizations and users from such threats, IT staff across Europe rely on the aforementioned elements of the global cybersecurity ecosystem. If they no longer had access to these services and information, or if the ecosystem were to become successively less functional, more successful cyberattacks on European targets could follow. Accordingly, the threat exposure is expected to worsen significantly in all three scenarios.

What Action Should German and European Policymakers Take?

European policymakers should not treat the aforementioned dependencies as immutable. Instead, they can and should resolve many of them in order to be prepared for the scenarios outlined above. And even if these scenarios fail to materialize, assuming greater responsibility for the global cybersecurity ecosystem would make European governments, businesses, and societies more secure. Three steps are crucial to achieving this.

Gathering Information About Cyber Threats

To reduce Europe’s dependence on US CTI vendors, public procurement projects could, in accordance with the applicable rules, give preference to European CTI vendors. Alternatively, EU policymakers could create a legal framework for companies to share cybersecurity incident data with government agencies – similar to the US Cybersecurity Information Sharing Act (which expired in October). Even without legislation, European cybersecurity authorities could seek closer contact with CTI vendors and promote networking opportunities; they could also draw on research projects such as the European Repository of Cyber Incidents (EuRepoC, whose consortium includes the SWP).

To prepare for the possible discontinuation of US Cyber Command’s “hunt forward” operations in Europe, EU member states should carry out such operations themselves. The EU established a corresponding project, Cyber Rapid Response Teams and Mutual Assistance in Cyber Security (CRRT), in 2018. This is a so-called PESCO project, in which EU member states and partner countries collaborate in the field of security and defense. Lithuania leads this project, which includes eleven other states (Germany is not among them). However, it has only carried out two missions so far, in Moldova.

CRRT provides a framework for EU member states and partner countries to carry out protective cyber operations, also at the invitation of third countries. Germany should join the project in order to allow experts from the Federal Office for Information Security (BSI) to support it and contribute to the collection of CTI.

Creating Legal Protections for Security Researchers

In relation to the collection of CTI, the German government should also improve the legal situation of security researchers. In many countries, they face legal uncertainty if not outright criminalization. In Germany, reform proposals have been on the table for years. The last government had started preparing legislation, but the coalition collapsed before the bill was passed. The current government is pursuing no such plans, but it should do so in order to ensure that critical vulnerabilities in software products that are important for European users continue to be reported.

Investing in the Cybersecurity Ecosystem

Unlike the other dependencies, the vulnerability databases represent a crucial single point of failure – but one that is relatively easy to mitigate. They are currently financed by Washington, but Europe could easily take its place. The same is true of financial support for OSS security.

In concrete terms, the European Union Agency for Cybersecurity (ENISA) or the BSI could take over the financing of the CVE database, potentially in collaboration with other national cybersecurity agencies in Europe. Additionally, the European Union Vulnerability Database (EUVD) was launched in May 2025. While ENISA is keen to present the initiative as complementary to the NVD, it could also replace the US database in the future. However, like the NVD, the EUVD is currently based on information from the CVE database, which makes it all the more urgent to secure the reliable functioning of the latter.

To cushion the blow of the US withdrawing its funding for the OSS ecosystem, Europe should launch its own financing vehicles to support the security of OSS projects. The Sovereign Tech Agency, which is supported by the German Federal Ministry for Economic Affairs and Energy, is an important model. However, with an annual budget of €17 million in 2024, its impact so far has been rather weak. It would be helpful if other EU countries were to join and support it or jointly set up a European counterpart.

If Washington were to discontinue its financial support for cybersecurity projects, European investments could mitigate the negative effects relatively easily. Such funding would also be useful in the other two scenarios outlined above and should therefore be prioritized.

About the author:

Dr Alexandra Paulus works on cybersecurity policy, cyber diplomacy, military cyber defense, and emerging tech issues.