European Economic and Social Committee
From Cyber Hygiene to Cyber Sovereignty: a turning point for European industry
While global attention remains focused on geopolitical tensions and energy markets, another transformation is quietly reshaping Europe’s economic landscape: cybersecurity. No longer a technical issue confined to IT departments, it has become a core factor of economic security, competitiveness and strategic autonomy for European businesses.
The European Commission’s proposal to revise the Cybersecurity Act reflects this shift: it aims to move the European Union from a model of “cyber hygiene” towards one of cyber sovereignty. For employers across Europe, the implications are profound.
European industry today operates in an environment where cyber threats are constant and increasingly sophisticated. Ransomware attacks, supply chain vulnerabilities and disruptions to critical infrastructure are no longer exceptional events but part of daily operational risk. In such a context, cybersecurity is directly linked to business continuity, investment decisions and trust in the Single Market.
The proposed revision of the Cybersecurity Act seeks to address these challenges by strengthening the EU’s institutional capacity, notably through an expanded role for the European Union Agency for Cybersecurity (ENISA), and by introducing a more structured approach to ICT supply chain security.
From the Employers’ Group perspective, this direction is broadly supported. A more coherent and operational European cybersecurity framework can reduce fragmentation, improve legal certainty and create a more predictable environment for companies operating across borders. This is particularly important for sectors such as telecommunications, energy, manufacturing and digital services, where regulatory divergence translates directly into higher costs and complexity.
However, the key question is not whether cybersecurity should be strengthened, but how.
European employers consistently stress that increased security must not come at the expense of competitiveness. The EESC clearly underlines that any new obligations must remain proportionate, avoid duplication and reduce - not increase - administrative burdens. Cybersecurity certification, for example, should function as a genuine compliance tool, enabling companies to “certify once and operate across the EU”, rather than creating additional layers of audits and reporting.
The same applies to supply chain security. Reducing dependencies on high-risk suppliers is a legitimate and necessary objective. Yet such measures must be based on transparent, risk-based criteria and accompanied by realistic transition plans. Sudden restrictions without viable alternatives risk disrupting operations, increasing costs and undermining investment certainty, particularly for SMEs.
Another critical dimension is implementation capacity. The proposal significantly expands ENISA’s role, moving it closer to an operational hub for cybersecurity coordination. This is a positive step, but it must be matched with adequate financial and human resources. Otherwise, there is a real risk of creating an “unfunded mandate” that weakens, rather than strengthens, Europe’s cyber resilience.
Beyond regulation, EU employers stress that cybersecurity is ultimately a matter of skills and organisational capacity. Without sufficient investment in workforce development, training and cyber literacy, even the most advanced regulatory framework will remain ineffective. This is particularly relevant for smaller companies, which often lack the resources to implement complex security requirements.
What emerges from the current debate is a broader shift in thinking. Cybersecurity is no longer just about protection; it is about control. Control over infrastructure, over data, over supply chains. In other words, it is becoming a central pillar of Europe’s economic sovereignty.
For European businesses, this transition presents both risks and opportunities. On the one hand, stricter requirements and supply chain adjustments may increase short-term costs. On the other hand, a more secure and integrated digital environment can enhance trust, enable innovation and strengthen the global competitiveness of European industry.
The challenge for policymakers is to strike the right balance: to build a robust cybersecurity framework that protects Europe without overburdening its businesses.
If done correctly, the shift from cyber hygiene to cyber sovereignty can become not just a defensive measure, but a competitive advantage for Europe.
By Eitvydas Bajarunas, EESC Employers' Group member and Study Group member of Opinion INT/1109 Cybersecurity Act.