In September 2024, the Hungarian Presidency and the European Union Agency for Cybersecurity (ENISA) co-hosted the third annual edition of the European Skills Conference. At this high-level event, EU policymakers confirmed that the new European Commission will put more emphasis on cybersecurity skills, including initiatives to increase the number of qualified security professionals in the EU.
Considering the broader call for action to tackle skills shortages in the Draghi report, stakeholders should seize this opportunity and ensure the right amount of strategic thinking and resources are put into cyber competencies, which are vital for achieving the objectives of the Digital Decade.
Background
When I started researching the cybersecurity skills shortage in 2017, I vividly remember the lack of resources I could rely on to undertake a rigorous assessment of the issue and its solutions. Fortunately, seven years later, the situation in the EU has changed, with the last couple of years having been particularly eventful.
- In 2022, ENISA published the European Cybersecurity Skills Framework, which gave Europeans a common language to discuss cybersecurity skills and job profiles to gauge new market needs deriving from key legislation, such as NIS2 and the Cyber Resilience Act.
- In 2023, the Commission took a very important step with the establishment of the Cybersecurity Skills Academy, which aims to be a silver bullet in addressing the lack of information security experts.
- In 2024, the cyber skills discourse gained further momentum with other key international initiatives extending beyond EU borders, such as the International Coalition on Cybersecurity Workforces led by the UK.
These initiatives signal a growing understanding of the important roles that people and technology play in protecting our systems, networks, and data.
Three challenges
The ENISA conference showed that the EU can go much further in helping Europeans upskill their cyber competencies. There are three main challenges ahead:
1. Defining the problem at the EU level
A comprehensive analysis of the problem is still lacking. However, the EU Better Regulation Toolbox, the “EU bible” for effective policymaking, dictates that policy solutions should stem from a rigorous definition of the problem and its drivers. The cybersecurity skills shortage deserves the same treatment.
Fortunately, there are already useful examples of such comprehensive labour market analyses within European borders, including independent research by the CyberHubs project and by Member States such as the Netherlands. Outside the EU, notable cases include Australia, the UK, the US, and the research conducted by the OECD. These analyses provide significant examples of the type of applied research that could be used to better understand the difficulties in filling cybersecurity positions.
2. Risk of fragmentation
While the ENISA conference presented several programmes aimed at addressing the dearth of cybersecurity professionals, these would benefit from a more unified approach.
For example, the Cybersecurity Skills Academy has onboarded several organisations that have pledged to train thousands of European citizens. Impressively, Cisco, Microsoft, Fortinet, and SANS proposed projects that, combined, would provide cybersecurity training to almost half a million EU citizens by 2027. The EU also recently funded two projects, CADMUS and AKADIMOS, that will support the Cybersecurity Skills Coalition/EDIC, the main instrument responsible for achieving the Cybersecurity Skills Academy’s objectives.
ENISA continues to implement successful programmes, such as the European Cybersecurity Skills Challenge (which recently gathered 800 students from 40 countries in Turin), the European Cybersecurity Month, and the Cybersecurity Higher Education Database. In the meantime, the European Cybersecurity Competence Centre was established in 2021 to reinforce cybersecurity and technology skills and competence through research projects funded by the Horizon and Digital Europe Programmes.
While these initiatives are promising, the risk of fragmentation across a plethora of actors and projects is becoming increasingly evident as cybersecurity skills become more prominent on the political agenda. This risk is further compounded when data on project outcomes is unavailable.
3. Translating research into action
Preliminary results from an (unpublished) mapping found that approximately EUR 600 million has already been spent on cybersecurity skills projects. For example, the Concordia project produced important deliverables, such as new virtual courses, curricula development, and cyber ranges, while the REWIRE project created a cybersecurity job analyser able to assess job advertisements across Europe. These projects underscored the prowess of the European cybersecurity research community, whose results should be fully embraced by policymakers when developing an EU cybersecurity workforce.
Next steps
From a policy perspective, the three challenges outlined above can be tackled through the following responses:
- Conducting a thorough cybersecurity labour market analysis at the EU level, including investigating whether one of the most pressing, yet understated, issues is the lack of entry-level positions for graduates.
- Adopting a solid governance structure with clear tasks and roles among EU institutions, academia, industry, and expected beneficiaries. This should be coupled with an appraisal of all the relevant initiatives at the EU level, including assessing the extent to which they address the root causes of the cyber skills shortage and linking problem drivers with policy measures.
- Assessing the outcomes of these initiatives and using them as an evidence base to develop a future-proof European cybersecurity skills strategy.
As this is such a multifaceted problem, the cybersecurity skills shortage can only be solved through an ambitious public-private partnership that effectively engages all relevant stakeholders. In this respect, the European Commission announced an initiative (launching in 2025) that will bring together academia and industry, which goes exactly in this direction.
Cybersecurity skills have strategic relevance and could sway countries’ economic development and national security. However, this depends on how they are mastered by our children, adults, and professionals. Over the next five years, EU stakeholders have a unique opportunity to use past lessons to place cybersecurity skills at the centre of this political cycle.
Tommaso De Zan is a Senior Policy Manager at Access Partnership, where he helps formulate public policy and business strategies by leveraging his insider perspective on cybersecurity policy and EU affairs. He has been involved in cybersecurity skills for the last six years, notably through his research at the University of Oxford and as an external expert for ENISA.