Main Topic 3: Europe at the Crossroads: Digital and Cyber Strategy 2030

13 May 2025 12:00h - 13:30h

Session at a glance

Summary

This discussion focused on Europe’s digital and cybersecurity strategy toward 2030, examining the challenges and opportunities for creating a secure, resilient digital infrastructure across the European continent. The session brought together perspectives from government regulators, network operators, and internet infrastructure organizations to address critical issues facing Europe’s digital sovereignty.

Augusto Fragoso from Portugal emphasized that digital resilience is fundamentally about economic resilience, highlighting the need for new submarine cable routes and infrastructure connections beyond traditional Europe-US pathways. He stressed the importance of creating alternative routes to Asia-Pacific and other regions to reduce dependency on vulnerable chokepoints like Egypt. A major concern raised was the significant skills shortage in AI and cybersecurity professionals, particularly in peripheral European countries that face brain drain to central European nations.

Christian von Stamm Jonasson from Deutsche Telekom acknowledged the regulatory complexity facing the industry, noting that cybersecurity professionals spend too much time on compliance rather than implementing actual security measures. He advocated for smarter, simplified regulation rather than additional layers of rules, emphasizing the need for public-private partnerships to build redundant capacity that may not be economically viable for private companies alone.

Alena Muravska from RIPE NCC highlighted the importance of maintaining open internet standards and avoiding regulatory fragmentation across EU member states. She warned that overly prescriptive regulations could harm smaller organizations and reduce market diversity, which is essential for internet resilience. The discussion emphasized that Ukraine’s internet resilience during wartime demonstrated the value of decentralized, diverse network infrastructure.

Participants agreed that Europe needs strategic investment in infrastructure, energy capacity, and human resources while balancing innovation with security requirements. The session concluded with three key messages: the need for integrated strategies covering economic resilience and human capacity; the importance of smarter rather than more regulation based on collaboration and existing standards; and the critical role of DNS security, encryption, and market decentralization in maintaining digital sovereignty.

Keypoints

## Overall Purpose/Goal

This discussion focused on Europe’s digital and cybersecurity strategy toward 2030, examining the challenges and opportunities for creating a secure, resilient digital infrastructure across the European continent. The session brought together perspectives from government regulators, network operators, and internet infrastructure organizations to discuss what needs to be accomplished by 2030 and how to implement necessary security regulations effectively.

## Major Discussion Points

– **Infrastructure Investment and Economic Resilience**: The need for massive investment (800 billion euros mentioned) to modernize Europe’s outdated network infrastructure, create new submarine cable routes for connectivity redundancy, and develop strategic inland routes. This includes addressing energy grid dependencies, as telecommunications and energy infrastructure are deeply interconnected and both require substantial upgrades to support AI and increased computing demands.

– **Skills Gap and Human Capital Crisis**: A critical shortage of skilled cybersecurity and AI professionals across Europe, with particular challenges for peripheral countries experiencing brain drain to central European nations and the US. The discussion emphasized that having advanced infrastructure is meaningless without qualified people to operate and secure it, and that university training timelines don’t match the urgent pace of technological implementation needs.

– **Regulatory Complexity and Harmonization**: Concerns about over-regulation and fragmented implementation of directives like NIS2 across 27 member states, creating compliance burdens especially for smaller organizations. Participants called for “smarter, faster regulation” based on existing international standards and protocols, with better coordination between EU-level and national requirements to avoid contradictory or overlapping rules.

– **Multi-stakeholder Collaboration and Global Standards**: The importance of maintaining open internet standards (IPv6, RPKI) and inclusive governance processes, while balancing European digital sovereignty with global interoperability. Discussion emphasized that cybersecurity threats are borderless and require international cooperation, not isolation or fragmentation of internet infrastructure.

– **Democratic Values vs. Security Imperatives**: Tension between implementing strong cybersecurity measures and maintaining European democratic principles, transparency, and human rights. Several participants stressed that security without democracy is meaningless for Europe, and that AI systems used for cybersecurity must remain transparent and accountable rather than creating opaque, authoritarian-style controls.

## Overall Tone

The discussion began with a somewhat technical and policy-focused tone, with speakers presenting structured perspectives from their respective sectors. As the session progressed, the tone became more urgent and concerned, particularly around issues of skills shortages, regulatory complexity, and Europe’s competitive position globally. The final portion shifted toward more collaborative problem-solving, with participants offering constructive criticism of proposed solutions and working together to refine key takeaway points. Throughout, there was an underlying tension between the desire for European digital sovereignty and the recognition that global cooperation and open standards remain essential for cybersecurity effectiveness.

Speakers

**Speakers from the provided list:**

– **JoÃ£o Pedro Martins** – Online moderator for Zoom participants

– **Karen Mulberry** – IEEE Standards Association, session moderator

– **Augusto Fragoso** – Government representative from Portugal, providing perspective on digital security from an edge country viewpoint

– **Christian von Stamm Jonasson** – Deutsche Telekom Brussels EU policy office representative, cybersecurity policy expert with 8 years experience in digital security policy

– **Alena Muravska** – RIPE NCC representative, non-profit membership organization responsible for Internet number resources allocation in Europe, Middle East, and parts of Central Asia

– **Isti Marta Sukma** – University of Warsaw

– **Wout de Natris** – Coordinator of the Denmark Coalition on Internet Standards, Security and Safety

– **MarÃlia Maciel** – Director for Digital Trade and Economic Security at Diplo

– **Maria Nefeli Chatziioannidou** – Member of Parliament from Greece and member of the Council of Europe, specialist in digital communities and digital innovation

– **Marijana Puljak** – Member of the Croatian Parliament and Parliamentary Assembly of the Council of Europe, IT background

– **Oksana Prykhodko** – Session summarizer

**Additional speakers:**

– **Peter Koch** – DENIC (German CCTLD registry), dealing with critical infrastructure and NIS2 regulation

– **Farhan Seto** – Director General of Ribbonova (French SME), coordinator of Alia Cluster platform

– **Alexander Shachuk** – Data protection expert from Ukraine

– **Sumayya** – UFX representative

– **Dariana Chmanska** – Independent researcher, cybersecurity analyst

– **Pavlos** – Digital World Summit Greece representative, Greek NRI for Internet Governance Forum

– **Simona** – Union Romani Voice (mentioned but intervention details not clear)

Full session report

# Europe’s Digital and Cybersecurity Strategy Toward 2030: A EuroDIG Session Report

## Executive Summary

This EuroDIG session examined Europe’s digital and cybersecurity strategy toward 2030, bringing together government regulators, network operators, internet infrastructure organizations, and civil society representatives. The discussion addressed critical challenges in creating secure, resilient digital infrastructure across Europe, with participants examining the balance between European digital sovereignty and global cooperation, regulatory effectiveness and innovation, and security imperatives with democratic values.

The session was moderated by Karen Mulberry and included both prepared presentations from key speakers and interventions from audience members, both in-person and online.

## Key Speaker Contributions

### Infrastructure Investment Challenges

Augusto Fragoso from Portugal highlighted massive infrastructure investment gaps, noting that Europe needs approximately 800 billion euros to renew obsolete electrical network infrastructure, while current EU allocations stand at â¬2.07 billion for CEP Digital and â¬5.84 billion for CEP Energy. He emphasized that energy and telecommunications networks are interdependent and must be planned together, particularly as both sectors require substantial upgrades to support AI and increased computing demands.

Fragoso also discussed Portugal’s strategic role as an EU Atlantic data gateway, with 25% of submarine cables connecting Europe to other continents passing through Portuguese waters. He mentioned concerning reports about Russian and Chinese vessels in Portuguese waters and stressed the need for new submarine cable routes and European data gateways to reduce dependency on vulnerable chokepoints.

### Business Perspective on Resilience

Christian von Stamm Jonasson from Deutsche Telekom provided crucial business insights, explaining: “As a business, we’re not geared to build redundancies. We build what is economically and financially viable. But having 20, 30, 40 percent extra capacity in our data centre, so if there is an outage somewhere, we can reroute the traffic… That is where we need the public-private partnership.”

He characterized Europe’s position in global technology as: “Usually we say that, or we were saying until recently, that US innovates, China copies, and Europe regulates. That’s not anymore true. Now China also innovates, and a lot, and it seems that we continue to regulate.” Von Stamm Jonasson advocated for smarter regulation rather than more regulation, citing Deutsche Telekom’s experience with an 85-page industry paper documenting regulatory overlaps and their T-Security department spending excessive time on compliance rather than implementing actual security measures.

### Technical Community Perspectives

Alena Muravska from RIPE NCC highlighted challenges with NIS2 directive implementation, noting that it “varies across 27 member states, creating compliance challenges for global operators.” She argued that digital sovereignty should build resilience through leadership in open Internet standards rather than isolation, emphasizing that cybersecurity threats are borderless and require international cooperation.

Muravska provided a compelling real-world example: “At the beginning of the Russian invasion on Ukraine, our researchers looked into the state of the Ukrainian Internet and they concluded that low market concentration and a very high number of independent networks helped to prevent systemic failure. Since there were no one point of failure, the Ukrainian Internet remained resilient until now.”

Peter Koch from DENIC emphasized the importance of routing systems security, later correcting the session’s summary points to focus on routing rather than DNS systems.

### Civil Society and Academic Perspectives

MarÃlia Maciel from Diplo questioned the push for “faster regulation,” asking what this means and expressing concern about potential compromises to accountability and consultation processes. She noted: “Normally, when we see things from a security perspective, governments act really fast, but without consulting anyone, without accountability.” Maciel emphasized that digital sovereignty must serve individuals and society, questioning “whose sovereignty are we seeking to promote in our digital sovereignty initiatives?”

Dariana Chmanska, an independent cybersecurity analyst, provided a pointed critique: “Security without capability is not sovereignty, and it’s just dependency with good branding… We praise NIS too, but small providers face a choice, comply or collapse. We promote digital sovereignty, but build it on foreign code, foreign chips, and foreign clouds. So, what are we really securing? Infrastructure or illusion?”

## Major Themes and Challenges

### Critical Skills Shortage

A recurring concern throughout the discussion was the shortage of skilled cybersecurity and AI professionals. Fragoso posed a fundamental question: “Who is implementing AI? With whom will I implement all this AI capacity that everyone is saying that we need to implement? Because in Portugal, I can’t find AI technicians that easy.”

The discussion revealed that this shortage is particularly acute in peripheral European countries, which face brain drain to central European nations and the United States. As Fragoso explained: “We have to compete to capture this kind of talent with other European countries and with the States… we are creating weak links all over Europe.”

Wout de Natris reinforced this concern, noting a “tremendous skills gap exists between industry demand and higher education offerings.” Karen Mulberry identified skilled people as “probably the most important thing” needed for digital infrastructure.

### Regulatory Complexity and Fragmentation

Multiple speakers addressed challenges created by regulatory complexity across the EU. The discussion revealed tensions between the need for harmonized regulation and the reality of implementation across 27 member states with different approaches and capabilities.

Von Stamm Jonasson advocated for simplified overlapping requirements, while Muravska warned that overly prescriptive regulations could harm smaller organizations and reduce market diversity. However, Maciel cautioned against rushing regulatory processes at the expense of democratic consultation and accountability.

### Infrastructure Interdependence and Resilience

The discussion emphasized that telecommunications and energy networks are deeply interconnected. Speakers noted the need for substantial infrastructure investments, including considerations like the 7 billion cubic meters of water needed to cool data centers, and the strategic importance of submarine cable routes.

The Ukrainian example provided by Muravska demonstrated how network diversity and decentralization contribute to resilience, challenging conventional thinking about efficiency through consolidation.

## Areas of Agreement and Disagreement

### Consensus Points

Participants generally agreed on:

– The critical nature of the skills shortage across Europe

– The need for public-private partnerships for strategic infrastructure investments

– The importance of multi-stakeholder collaboration for addressing global cybersecurity challenges

– The value of diversity and decentralization for network resilience

### Key Disagreements

Significant tensions emerged around:

– **Regulatory approach**: Efficiency versus democratic accountability in regulation development

– **Digital sovereignty focus**: State-level strategic autonomy versus individual and societal benefits

– **Implementation priorities**: Different emphasis on technical systems and approaches

## Session Conclusions and Next Steps

The session concluded with an attempt to develop summary points, though these remained works in progress rather than agreed conclusions. The draft points focused on:

1. Internet resiliency strategy including economic resiliency, new infrastructure geometry, and human capacity development

2. Smarter, collaborative regulation based on multi-stakeholder approaches and existing standards

3. Technical implementation requiring secure routing systems, market decentralization, and innovation focus

Peter Koch specifically corrected the emphasis from DNS to routing systems, illustrating the ongoing nature of these discussions.

Participants noted the European Commission’s public consultation on international digital policy strategy running until May 21st as an opportunity for community input.

## Key Takeaways

The discussion revealed that Europe’s digital security strategy for 2030 faces fundamental challenges that extend beyond technical solutions or regulatory frameworks. The critical shortage of skilled professionals, massive infrastructure investment needs, and complex regulatory environment require integrated approaches that balance sovereignty aspirations with practical dependencies and global cooperation requirements.

The session demonstrated that achieving digital resilience requires diversity in networks and providers, adequate human capital, and regulatory frameworks that support rather than hinder innovation and security implementation. However, significant questions remain about financing mechanisms, skills development strategies, and the balance between efficiency and democratic governance in policy development.

The unresolved nature of many issues discussed reflects the complexity of the challenges facing Europe’s digital future and the need for continued multi-stakeholder dialogue to develop effective solutions.

Session transcript

JoÃ£o Pedro Martins: Hello everyone, I’m JoÃ£o Pedro, I’m the online moderator. So for those joining on Zoom, just make sure that when you want to address the audience, you raise your hand. If you’re joining Zoom while you’re inside the room, please connect it muted and with your speaker sound disabled. Thank you. And now I give the floor to the moderator of the session.

Karen Mulberry: Thank you very much. I’m Karen Mulberry. I’m with the IEEE Standards Association, and I want to welcome you to today’s main session. Our topic is Europe at the Crossroads, Digital and Cyberstrategy 2030. Sounds rather ominous, but I do think it’s something that’s been a critical discussion in many areas in terms of what is security and cybersecurity strategy in light of emerging technology and all the activities that are occurring today. I mean, it’s a very evolving landscape. There’s lots of changes. It’s moving rapidly. And we hope to have a dialogue on that around the critical issues. What does it mean? What’s the infrastructure? What are the regulations? And how does that apply both within a country and across the European continent? What are the options that you should look out for? And what is being planned to get to 2030 and implement all of the regulation that’s been adopted in security? who are the networks within Europe. So to get started, we don’t necessarily have keynote speakers for this session, but we have a lot of key contributors, each offering a different perspective on the topic of security and digital security and what that means. We have a large operator within Europe. We have a regulator and we have a network operator. So they’ll each provide some perspective on what digital security and getting to 2030 means for them. So to get started, I will turn it over to our key participants. And first off, it is Augusto from Portugal who introduced himself because I’m not sure I can pronounce your last name, so I apologize, and talk a little bit from the government perspective on what they’re looking at, what they’re thinking about and how they’re going to get to that 2030 and beyond date. So Augusto, please.

Augusto Fragoso: Good afternoon, all. First of all, I would like to thank Eurodig for this opportunity. It’s always very important to share our perspectives and especially our experiences, hoping that that can bring something up for everybody else. When I was asked to have a contribution, like was said, I thought in bringing either one that more or less everyone is discussing or maybe a perspective from on the edge country. So I would say that we are looking to Europe at the crossroads, but from an edge perspective. As edge country, we have a special role, which is to be a frontier, both in geographical, physical terms as in digital terms. When we talk about resilience, we are talking, as always and first of all, about economical resilience and, of course, as well, it’s everything about the money. So, basically, we are talking about how infrastructures, how the means that we use to protect them assure that our economy flows and relates with our economy’s bringing value. To understand a bit more about this, I usually use a very simple analogy. I call it the digital day, which is basically following what everyone does digitally since we wake up until we go to bed again. And if you follow that digital day, you can find yourself crossing with several companies, several pieces of technology, and we also can understand where they are actually based and how the flow of economy from the usage of each one of those applications, apps, goes. So, basically, when you do so, you see that there is a very clear correlation between that economical digital flow and the infrastructures that are laid beneath it, namely international connection infrastructures like submarine cables. Basically, in the last years, the advancement of technology has been at a pace that is very difficult to follow, both for the market and especially for people like us, regulators. We have to have oversight of everything that is happening and trying to identify risks and potential that can be used to create. So basically, we usually say that, or we were saying until recently, that US innovates, China copies, and Europe regulates. That’s not anymore true. Now China also innovates, and a lot, and it seems that we continue to regulate. Usually just as a joke, I say that we are trying to acting through it, because we have produced just in the last two years huge numbers of acts that are difficult to cope with, both for the market and the companies that have to implement them, as for us as regulators, to make sure that they make sense, to analyze the impact that they might have in the market, and of course to use supervision to go with it in an efficient manner. But it seems that we all understood that by now, AI is critical to do all these, not only for market development, but also for supervision and regulation, and a couple of technologies that we would call sovereignty technologies are also absolutely necessary to support the continuous growth of the digital market, as we intend to do with the digital single market. Basically, quantum tech, the chips that are necessary to support the capacity to build devices, introducing it in our technology, in our society. Nuclear energy is being discussed again, and of course networks, both telecommunication networks and energy networks. So when we think about how these things relate with the flows, the economical flows that we can see, we have to assure that the old ones are still usable, we can secure the flows that are over our infrastructures, and we have to assure as well that new ones will come to place, because it’s every time more obvious when we look to the dimension of economical flow between geographical areas, you can see that basically the biggest one still is between Europe and the US, and I’m not sure if the direction is the one that’s supposed to be. And it is obvious that we have to increase the other ones so we, to obtain resilient markets, are not totally dependent on only one of these connections. Basically, we have to think about new routes connecting Europe, the Asia-Pacific area, Africa and the Middle East. Basically, it means that Europe strategically, in terms of resilience, has to increase the number of connections to other countries through internet or, in this case, subsea infrastructures. Basically, supporting what was stated in 2021 as European data gateways, creating the necessary and resilient connections in at least these four areas that we have here, the North Sea, Arctic, Atlantic, Baltic and Mediterranean. And let me tell you that the Nordic Sea and Arctic are of tremendous importance for the new growth that we need in terms of economy connecting us to Asia-Pacific. Because the routes that were used before were not resilient enough and they are fully dependent on the passage in Egypt, for instance, and all the situations that we have been testifying in that region allows us to say that it is a very high-risk route. So, resilience here means to create other routes to go to Asia-Pacific that will bring us also capacity to protect those same routes. But it’s not only between geographical regions or countries that we need to increase, overseas countries that we need to increase that capacity. We also need to do it internally in lands through more strategic inland routes because the flat system that was supporting our economy is now, with the bringing of AI, the idea is outdated. So, before we were thinking about huge big data centers in the flat cities, now we are thinking that that doesn’t work anymore. We need to provide other routes and necessarily much more edge points of computing to support AI. locally and the local economies. So edge computing as broad needs to rethink the overall infrastructure of Europe. And with it, of course, we have to think if we have energy and water enough to support all these demand for data centers. Very recently in Portugal and in Spain, unfortunately, we had an event that blacked us out for almost one day. And we understood in our flesh, as we say, what that means to be blacked out from communications and from electricity. And it was just for a period of one day. The thing is, when we think about network infrastructure and cybersecurity to protect that network or any aspect of security to secure those networks, we must think also about energy grids. Energy grids and data centers are fully correlated in terms of capacity and in terms of cost necessity. The energy grid needs telecommunications for command and control. Telecommunications needs energy to work. So basically, when we look at the European panorama, we have the need of investing of 800 billion euros just to renew the network that is mostly outdated for what’s necessary in the future in terms of data centers. We need 20 percent more computing capacity than we were thinking before just in three years because of AI. We need 7 billion cubic meters of water to cool data centers. I’ve been hearing reports of some data centers where the demand is such that the local authorities sometimes have to decide if they feed energy to the data center or to the local populations. So when we talk about resilience, we have to integrate both the strategy for networks and the strategy for energy. They cannot be taken in two different pathways. They have to be fully integrated. Basically, the Portuguese contribution on this edge point of view that I was referring has been mostly acting as the EU Atlantic data gateway, which means that we are now having several very important for Europe subsea cables connecting Europe to South America, to North America, to Africa. In that sense, we have been supporting the idea of creating a kind of European ring or loop concept that would augment the resilience of the network around all Europe. Going from there with the connections to the other geographical regions. This is also meant for the internal or inland capacity in terms of network. Here, I have to say that we still have some work to do and big investments to go with. When I look to my panel colleagues, I think that we have a lot of thinking about these new routes and new geometry of the network because this geometry is not based on demand. Some of these connections will not be made or should not be made because there is consuming demand at this moment, but should be made to provide, for instance, resilient connections through alternative routing. That means that this does not connect with the necessary interest of the private operators in investing in something that is much bigger than themselves. We will have some thinking to do about how to finance these strategic necessities that for sure we are and we will be having in the near future. Basically, another aspect is, as I told you, we have a lot of submarine cables landing in Portugal and through our waters, 25% of all submarine cables’ capacity landing on Portugal or not are passing. This means that when we talk about security, both for cyber purposes or just for security and resilience purposes, the question is, we… We have 4 billion square kilometers of water in the Portuguese sovereignty area that needs to be surveyed, that needs to be protected, or to protect these critical infrastructures. And the question is, how can we do it? Because our Navy, for sure, doesn’t have that capacity. We don’t have enough men to do all that job. Of course, we are aiming and looking for unmanned vehicles, smaller vehicles in bigger numbers. Surveillance electronic surveillance means, which means sea coverage that we are working on, but that doesn’t exist in 5G, for instance, at this point. But here, when we are talking about protecting this area, we are also talking about protecting the maritime traffic, where most of the north-south routes pass in this area. So basically, we are talking about the need to, in place in this area, capacity, protective capacity to protect these critical infrastructures that, at this point, doesn’t exist as it should. You for sure heard reports about hundreds of Russian and Chinese vessels, scientific vessels, just going up and down our waters, maybe trying to find some different kind of fish. I don’t know. But the thing is, this is happening, and we have to have the capacity to protect our critical infrastructures. Basically, when we talk about infrastructure resilience, we are talking about all those aspects like the submarine technologies, but we are also talking about human capacity. And the question is, if we understood that for doing whatever we want to do in the future, the response is AI, to have a better regulation, to have a better observation. for suppliers in the sky or operators to have their operations more both secure and efficient. We need AI. The question that usually I do is, okay, so who is implementing AI? With whom will I implement all this AI capacity that everyone is saying that we need to implement? Because in Portugal, I can’t find AI technicians that easy. Can you find in your countries the enough number of AI people or tech engineers to do all this work that has to be done? I mean, so basically, in the overall scenario, we know that in terms of cyber security, for instance, we will work in a chain and the chain is as weak as the weakest link. And the thing is, when we talk about that now is the vision of a peripheral country, what I know is the few engineers that we form, and we form some good ones, Portugal is having good universities, usually they go to work someplace else. So there is in Europe, even in Europe, I’m not talking even in the States, where the brain drain from Europe to the States is also ongoing. But in Europe, we have to compete to capture this kind of talent with other European countries and with the States. So the question is, we are one of the links of the European Union chain, as other peripheral countries are. And what we have seen is, usually this brain drain happens from peripheral countries, from the Eastern from the western part of Europe, from the southern part of Europe, to central countries like Germany, France, Norway, Sweden. And the question is, so we are draining these countries from the capacity to implement these new technological objectives, and we are not being able to do it as we would like because we don’t have enough human resources and we don’t form them fast enough. You know that the university course is at least three years, and we are having projects that are intended to start in one year, and we have all these dreams of building very fast digital single markets. But the thing is, if we are weakening each one of the countries, putting this brain capacity only in the central countries, then we are creating weak links all over Europe. And the question is, what of these countries who intend to produce attacks into central Europe, will use what countries, the ones that are reinforced or the ones that are weak in terms of cyber security? So, we have to think that if we want to actually have a coherent chain of security and cyber security and resilience, I have to strengthen all the links in the chain, and I have to think how can I maintain these capacities in the peripheral countries as well. Basically, then when we look to the investment necessary to do all these that we know that is needed to achieve this digital single market goal, we are confronted, for instance, in terms of investments and set funds, It’s something that I would consider a paradox because we say that digital economy, cyber security, it’s actually one of the main, if not the biggest, goal of Europe at this point. But when we see the investments that are available in CEP, for instance, we see that CEP Transport is having 25.8 billion, CEP Digital only 2.07, and CEP Energy only 5.84. As I told you, to renew the entire obsolete electrical network of Europe, we need 800 billions. So, the question is, are these investment bases coherent what we actually need, especially in the peripheral countries. Even CEP Digital, for instance, granted 250 million last year, in the last call, but 1,000 million of projects that were very important were actually not accepted. So all these projects were a way to achieve faster many of the goals that we were discussing before. So basically, I would end by stating that all the links in the chain need to have the same capacity, otherwise the chain will be as weak as the weakest link, and we need it at the same time. And Europe, in several velocities, will not work. So if we want to obtain resilience and security capacity over our infrastructures, our critical infrastructures, I think we have to work better together, involving all the stakeholders, actually understanding that these investments will have to be public-private investments, and they have to be strong, and they have to be released fast. Thank you.

Karen Mulberry: Thank you. All right, for our next speaker, I’d like to invite Christian to come up and speak a little bit from the network operator’s perspective on what he sees today and in the future.

Christian von Stamm Jonasson: Yes. Thank you, Karen, and thank you, everybody. for being here today in the room and presumably online. And for the organizers, we need dialogue now more than ever. So first off, just very briefly on who I am, my name is Christian and I represent Deutsche Telekom with our Brussels EU policy office. I’ve worked in digital security policy and cybersecurity policy for the past eight years, starting off in Danish government and the OECD working group for security and privacy in the digital economy, moving on to an industry association, the Danish Chamber of Commerce, then taking my trade to Brussels, joining a local consultancy where I worked with finance, telecoms and IT corporations as cybersecurity policy lead. And then finally, a few months ago, I joined the Deutsche Telekom outfit in Brussels. So I have seen the way we do cyber policy, both at the national, at the EU level, evolve quite a bit. When I first started out, it was recognized that the way to do cyber policy was through incentives. This whole idea about strict requirements, how do you set up a good cybersecurity policy, a good resilience plan, all these things were thought to be the prerogative of those businesses that had to live with and implement the plans because they knew the risks and they know the risk appetite and they have to decide how they want to mitigate this. And obviously, this is no longer the case. I had a nice slide with all the regulations. I mean, we regulate the product security through the CRA, we regulate both the critical infrastructure but also the essential services through the NIST2 directive. We have the Cybersecurity Act that sets out our European cybersecurity agency and we have, on the verge, a Cloud and AI Development Act that will set out the barriers or the framework for sovereign cloud solutions. So there is a large swath of legislation that companies need to take into consideration in their work. And before I go further into the topic, I just wanted to say that most of you, many of you, have probably heard of Deutsche Telekom. So in Europe, we have subsidiaries, telecommunications companies that offer mobile services. and similar, both B2B and B2C, countries like Austria, Croatia, Czech Republic, Greece, obviously Germany. In the U.S. we have T-Mobile, which after acquiring one of the local competitors is now the leading telecommunications service operator in the U.S. But what most people don’t know is that we actually do quite a bit more than that. We don’t have any sub-T cables anymore. We built a very large one connecting the U.S. and the EU. But when it decommissioned, we went over to just purchasing capacity on other networks. But what we do is advance cloud services for businesses. So we have 50 operating countries from Seoul and Tokyo to South America where we offer cloud solutions. And on the forefront on emerging technologies, we are consortia leaders. So there’s the Copernicus project where we take data from satellites to make a comprehensive Earth observation data repository. We have the Nostradamus project, which is a post-quantum cryptography consortium where we, along with French and other European companies, try to make quantum safe encryption protocols so that in the future we will still be able to transmit and store data safely from those that use quantum computers to break standard RSA encryption. So Deutsche Telekom is a little more than just mobiles and SMS. We do a little bit of everything. And what we, of course, do very much is security. Because we don’t only have to keep our network secure from all those malicious actors who either for the sake of financial gain or for the sake of geopolitical rivalry want to breach our connections, to make connectivity services unavailable for citizens, for businesses, but also for our military services. And on the other hand. to spy on our data and our state secrets. And then, I mean, basically, there’s a malicious actor, state-sponsored actor, but there are also people that would do it just for the money, because cybercrime is very big business these days. So, the industry’s perspective on where do we want to go towards 2030, do we want to go towards more regulation? Possibly. But do we want to at least see how we can regulate smarter? Because just at the moment, we’re doing a very big exercise with the Commission for the Digital Omnibus. We’re trying to see, okay, where can we simplify? Where can we remove overlapping regulation? And I think at last look, our internal industry paper on possible overlaps and simplification measures was already 85 pages long. And that’s not because the people in the European Commission or in the national member states don’t do their homework. It’s not because they do bad work. It’s because it’s very technical. It’s very complicated. And because it’s been a relatively short timeframe where the necessity, the imperative for us to regulate this has become apparent, this has also meant that they’ve tried to do a lot at the same time. And when you do a lot of things at the same time, a lot of things are very difficult, a lot of things are very complicated, you are bound to maybe not realize the full impact that these regulations are going to have and see how they might overlap or have contradictions in them. So that’s what we’re going to work on with this commission is to simplify. And that is what we will believe that the European cybersecurity framework should be come towards 2030. It should be simple to become more effective because one of the issues, Agatha, you mentioned the lack of skills. That’s definitely something we also see both in Deutsche Telekom and all the countries that we operate, cybersecurity skills. I mean, don’t forget about quantum technology because finding someone who both has a degree in quantum physics And those technology and software programming, those people are not in the thousands or in the millions. So one of the issues we have currently is that we have too many of my colleagues from T-Security spend too much of their time with compliance, trying to figure out what does this regulation mean. And when we have this regulation and this regulation, what should we do? Instead of actually spending their time implementing security measures that make sure that our networks are secure. Because we have a whole department. I’m looking forward to go visit them in a couple of weeks. They cannot come here for security reasons. They cannot bring their gear anywhere outside our headquarters. But we have a few thousand colleagues in T-Sec that not only secure our networks, but also make sure that those top-of-the-line security solutions we apply to our networks are also available to our B2B customers. So now I’ve focused a little bit on, at the EU level, how the regulation looks. The thing is telecommunications is one of the most, with energy and finance, I would say those three are the most critical infrastructure for our societal coherence. Which means we are heavily, heavily regulated at the EU level. But also each member state usually have requirements because their digital infrastructure, their connectivity is of such importance that very many member states will regulate in their own way. And that’s one of the issues that we have to deal with because security is inherently a national competence in the current European framework. So there is no legal basis for the Commission to come and say that national governments cannot do things to increase their own security and safety. Which makes sense. I mean, which country would like to be told that they are not allowed to implement those measures they think are important? Because if you are on the border of Russia or other parts of, let’s say, the Baltic or in Finland, you have a very, very different threat perspective than you have in Portugal. There are also issues in Portugal, but it’s a very different kind of risk. So you wouldn’t want to be told as a sovereign nation what you can and cannot do. I am just checking if I forgot something. I think I would round up with this. I mean, we do live in interesting times. Interesting for some, terrible for others. And with a very, very aggressive superpower on one hand, and a very, very unstable superpower on the other side of the Atlantic, what we need to do now is make sure that Europe can function in its own right. And that’s why I want to come back to what you said, Augusto, because it’s true when it comes to subsea cables or any kind of infrastructure. As a business, we’re not geared to build redundancies. We build what is economically and financially viable. But having 20, 30, 40 percent extra capacity in our data center, so if there is an outage somewhere, we can reroute the traffic and still have a functioning digital economy. That is where we need the public-private partnership, and that is where we need to make sure that we as a European Union and as a continent can deliver and can make our digital economies and societies work in our own right with our own sovereign technological solutions. Thank you.

Karen Mulberry: Thank you very much. Now for our last key participant to provide a different perspective in terms of the Internet and the Internet infrastructure and how it’s looking at security in the future. Alena, please.

Alena Muravska: Thank you, Karin. Good afternoon, everyone, and I thank everyone for this opportunity to contribute to this very important discussion. My name is Alena Murawska, and I represent the RIPE FCC. We are a non-profit membership organization with more than 20,000 members in Europe, the Middle East, and parts of Central Asia. Our members span a very large diversity of different organizations like network operators, academia, government, civil society and private sector. Also Deutsche Telekom is one of our members. I’ll definitely repeat some of the points that have already been mentioned by my colleague. As one of the five authoritative regional Internet registries, the RIPE NCC is responsible for the allocation of Internet number resources like IP addresses and autonomous system numbers. And by that we ensure that Internet remains global. Our perspective today is shaped by our commitment to promoting open standards as IPv6 and RPKI, to inclusive and transparent policy development and bottom-up community engagement. So, the current discussion on the future of the European digital strategy and European sovereignty is very important and timely, and especially in the context of the NIS2 directive that will broadly impact the digital infrastructure providers. And we follow it very closely because many of them are our members, as I already mentioned. So, the first point I would like to make will be about collaboration and multi-stakeholder approach. So, the Internet, as you all know, is a globally interconnected network of independent networks. And it has thrived for more than four decades on the principles of open standards, like I mentioned already IPv4 and IPv6, IPv4 and RPKI, interoperability and permissionless innovation. So, cybersecurity threats are borderless, and therefore the resilience and security can only be built through the cooperation. In that regard, digital sovereignty should be not about excluding yourself, but about building resilience through leadership in supporting open Internet security standards and innovation, but also in fostering the culture of collaboration. So, in this context, it is also important to note that complete self-sufficiency in digital matters is neither feasible or desirable, and that the way forward should be about building strategic partnerships and advancing a shared vision for the common interest. So, now as Europe looks at its international digital policy strategy, we have as a multi-stakeholder community here a great opportunity. to reaffirm their vision. So, the European Commission just launched a public consultation on this topic. It runs until 21st of May, so quite short time frame. And this is touching on digital diplomacy, cyber security and Internet governance. So, this strategy will also define the European role at global forum like This Is But 20 and the Internet Governance Forum. So, yesterday at the session, in the morning, Steve Sanz, the head of Internet Governance sector at DigiConnect, mentioned that Europe will be leading the This Is process. And today, also in the session dedicated to the This Is process, Tybalt Kleiner, director of Future Networks, also mentioned that they will be following the This Is But 20 review. And we as RIPE NCC and our community, we fully support and we are looking forward to see how EU will contribute to these processes. My second point is about regulatory harmonization, also what was mentioned today. And I will focus on NIS2 directive as an example. So, RIPE NCC, we fully support the main goal of NIS2, that is to improve cyber security across the EU. But the implementation of the directive, as we know, is not without challenges, especially the divergence in how 27 member states are interpreting and implementing the rules. So, this is especially complicated to organizations that operate globally, like just we heard from our colleague, and serve customers in different countries. Another aspect is that requirements under NIS2 may pose challenges and constitute disproportional charges, especially for small and medium-sized organizations and entities. Many of them are also our members and we know very well what these challenges are. So, they cannot afford having large teams only dealing with reporting in the framework of NIS2. So, overly prescriptive and fragmented rules can increase the burden on the smaller companies and drive unintended market consequences. Instead, we need the frameworks that will apply a risk-based approach and define goals clearly, but not the path how to achieve them. So, also, complicated legislation risks concentrating the market power in the hands of large providers, and this will, as we believe, undermine resilience. Because diversity of routes, networks, and providers is essential for stable Internet. It might be about cables, as also was mentioned by my other colleague from Portugal, or about the networks themselves. To give you an example, at the beginning of the Russian invasion on Ukraine, our researchers looked into the state of the Ukrainian Internet and they concluded that low market concentration and a very high number of independent networks helped to prevent systemic failure. Since there were no one point of failure, the Ukrainian Internet remained resilient until now. And if you want to learn more about resilience, I reallyâ¦ I’d like to refer to the presentation that was held yesterday at the RIPE meeting in Lisbon at the Best Current Operational Practices Working Group that we at the RIPE NCC support. So there was a case study done that showed that this diversification is indeed a key for resilience. So I believe that this kind of research is especially important for the policymakers that have to learn from the already existing cases. Also another aspect which I cannot not mention is DNS, because a large part of the stability of the DNS system comes from the extremely high distribution and diversification of operators. So if regulatory requirements, compliance costs and oversight that are applied in a way that makes it too demanding, they also might risk that non-commercial DNS operators may decide to withdraw the operations or to leave the EU. That will also potentially lead to a more centralized market and undermine stability of the whole system. So also here we need a proportional level of implementation and of the enforcement of the legislation. My next point is standardization. So to achieve the harmonious cyber security space, as we all agreed, it’s very important to have overall high level of cyber security in Europe. So it’s crucial to leverage on well-established international standards. At the RIPE NCC we advise the European authorities and national authorities to align national guidelines and frameworks with already globally recognized standards and information risk management, such as ISO 2701. So this approach will definitely provide assurance and facilitate compliance for many organizations, while also promoting a greater harmonization across the EU countries and globally. So here I’d like to mention a positive example of such approach. In the first implementing regulation under NAS2 adopted by the European Commission in last October, calls for transition, and I’ll quote it now, The transition towards latest generation networks layer communication protocols, and I’ll just give you a hint, it implies IPv6. Second, the deployment of internationally agreed and interoperable modern email communication standards and the application of best practices for DNS security and for Internet routing security. That kind of implies RPKI. So the Commission recognized challenges regarding the identification of these best practices and standards and deployment techniques. And with the assistance of ENISA and collaboration with a large group of stakeholders like competent authorities, industry and other stakeholders is establishing a multi-stakeholder forum to identify the best available standards and techniques. So this is a good example of European leadership through cooperation in this industry stakeholder. And by respecting technical expertise and existing industry standards and protocols to avoid overprescription and stagnation of innovation in the end. So at the RIPE NCC we also support this broader implementation of protocols such as IPv6 and RPKI through training, exchange of best practices and engagement with the community. We’re also actively contributing to capacity building and standard promotion through partnerships with different organizations and governments as well. And I’d like to conclude by bringing attention to organizations that are responsible for the administration of technical coordination of the global Internet. Such as RIRs. RIPE NCC is one of the RIRs as I mentioned. ICANN and ITF. These organizations should remain in the lead for developing technical standards, protocols and procedures for governing the Internet’s core functionality. So these functions… are fundamental to the technical coordination and underpin and secure a globally interoperable Internet. So, recognition of the role of these organizations by the policy makers at the European level and supporting their open, transparent and inclusive processes is critical to create the connected, secure and innovative digital environment for Europe. I will stop here and thank you very much for the attention. Thank you very much.

Karen Mulberry: Now we’ve set the stage for our discussion. We’ve heard about the challenges and opportunities for addressing the digital security in Europe. We’ve heard some of the needs and wants and the requirements to get to 2030. So, now is your opportunity to ask a question. What would it be? What do you want to know more about? Both from our experts that were speaking today as well as the experts that I see that are participating in the room. I mean, you know, one question that came to my mind. So, if we’re going to get to 2030 and we’re going to have a secure network throughout the EU, throughout the European continent, what’s the most important thing that’s needed? Is it the network infrastructure? Is it the supporting needs for energy and capacity to enable the network to function? Is it the people? So, what do you think? We have no thoughts at all. Actually, in my mind, if I was going to answer my own question here, I would say probably the most important thing that I got from the discussion was the need for skilled people. Because you can’t operate the network, you can’t prepare for the future, unless you’ve got the people that are actually going to be addressing the work and doing some of the planning. Having all the infrastructure that you need isn’t going to work unless you have somebody that can run it. Just like building capacity, as Christian noted, right now you build capacity for the functions that you project for today, but you don’t have people to manage capacity if you’re building for the future. So how do you address all of those needs? And fundamentally, if you’re going to train people and have more people involved, there’s an investment that comes along with that. Who is going to provide the support and partner on the investment needs to train the people and to help build out the network? Because that’s always a challenge. Old telecommunications network engineer. So understand the band-aids that you can put on things, and the band-aids you probably shouldn’t put on things, because you should do it better the first time, and you should do it right the first time. Got a question over there. Yes, sir.

Panelist: That seems to work. So hi, my name is Peter Koch, I work for DINIC, which is the German CCTLD registry. And we are critical infrastructure, we have to deal with NIH2 and all the other regulation. I wanted to follow up to both, Karen, your response to your own questions in a way, and then maybe also follow up to what Elena said. My response would probably have been that all of the above, and it’s a mesh and a network of issues, and there is probably a certain difficulty connected to singly. one of them out. But let’s take for example your choice that the people and the skilled people are important. I would completely subscribe to that and agree with that. But then these skilled people need to be able to work in a regulatory environment where they can actually exploit their talents and contribute to the regulation and at any level. Especially in Europe with the NIS2 for example. We have the paradox situation that say the commission is applauding multi-stakeholder approaches all over the planet. We heard very helpful statements say at the Sao Paulo meeting with the results of Sao Paulo guidelines for multi-stakeholderism. We see all this. There were consultations about the NIS2 but the paradox is here when it comes to the level of detail that Alena was alluding to in a way. When it comes to implementing acts and similar sub-legal regulation there is less multi-stakeholder the closer we get to the wire. And that means that the technical community and we should keep in mind that technical community and technical experts are two different things. All the communities have technical experts. Technical community is that part that community that has the strategic and operational responsibility for running the core parts of the internet. And the contribution of that part of the community is very important but it’s more important in weight when it comes to closer to the wire regulation. And I think there is very much room for improvement. Thank you.

Karen Mulberry: We have an online question please.

JoÃ£o Pedro Martins: I will ask Farhan Saito to unmute. He was also listed to the main session statements but if you can intervene he is ready to speak. Thank you very much. I hope you can hear me well. Yes we can hear you. Loud and clear.

Karen Mulberry: Now we can hear you, yes.

JoÃ£o Pedro Martins: I’m enabling your microphone.

Karen Mulberry: Yeah. No, you’re still muted. Yep. I see you. Yes.

JoÃ£o Pedro Martins: Perfect.

Karen Mulberry: Now you’re okay. Because I’m joining from two different platforms. Okay.

Panelist: So I’m Farhan Seto. I’m the Director General of Ribbonova. It’s a French SME actively involved in our EU projects focusing on AI governance, digital trust, and also cybersecurity. So we believe that as Europe defines its digital and cybersecurity 2030, we must ensure that our strategic ambitions are grounded in the operational reality. And we believe that regulation alone will not be enough. We need to have an inclusive ecosystem where policymakers, researchers, civil society work together to anticipate threats, develop trusted technologies, and uphold democratic values. But to make this vision a reality, as you mentioned already, we also need skilled people, individuals with technical, ethical, legal expertise to navigate complex digital environments. And we believe that the EU Commission projects are already playing a critical role in this area by serving as a platform for training, upskilling, and knowledge transfer, especially among cyber professionals, researchers, SMEs, etc. And strengthening Europe’s cyber resilience means expanding and investing in this ecosystem. So I just would like to notify that at Ribbonova. We coordinate Alia Cluster, a European-wide platform that connects over 40 EU Commission projects with dozens of cyber professionals and technical people. This initiative facilitates structured collaboration, ethical dialogue, and knowledge exchange between security professionals and policy stakeholders. So we believe that this is not a binary choice overall between innovation and rights. What we need is a governance framework that brings in the right stakeholder, those who are already working on the ground, who understand both the opportunities and the risks. So this is my statement on behalf of Priya Banoba. Thank you very much.

Karen Mulberry: Thank you for your statement. This is relatively new for EuroDIG, but they did have people sign up to make interventions during our session. So I’d like to recognize a couple of those as we move even further into the discussion on what’s important and what’s relevant for a resilient Europe in 2030. So I have our ISTI, Maria, online I believe.

Isti Marta Sukma: Up there. I’m here. Okay, thank you. My name is Isti Marta. I’m from the University of Warsaw. So to begin answering the question regarding collective cybersecurity, I believe one of the core obstacles is the hesitation to collaborate with external actors and emerging regions such as the Indo-Pacific. So this hesitation is often amplified by emerging global narratives, such as the binary framing of democratic tech versus authoritarian tech, which risks deepening division and also hindering constructive cooperation, especially in cybersecurity where threats are transnational and interdependent. The EU and the Indo-Pacific share key features. Fast-growing economies, especially with cybersecurity and digital policy landscapes, which has a mutual interest in securing digital infrastructure. So, I believe that instead of reinforcing dichotomies or overemphasizing technology-based rivalries, we must prioritize inclusive and cooperative solutions with two most crucial tangible multi-stakeholder areas. First, PPP, or public-private partnership, and also, second one, agreeing to two of our speakers today, which is global collaboration in internet governance. So, I urge EU to fully integrate in the Pacific region, especially ASEAN member states, into the EU cybersecurity strategy 2030 across all four pillars, skills, digital transformation of businesses, secure and sustainable digital infrastructure, and digitalization of public services. I believe that strengthening collective cybersecurity requires bridging divides, not hardening them. Thank you.

Karen Mulberry: Thank you very much for that statement. I’d also like to recognize Mariella from the Diplo Foundation, who has signed up to make an intervention as well. Please, go ahead.

Panelist: Do you think Europe has come too late to the game in terms of innovation to realistically achieve full digital sovereignty? China built its own digital infrastructure years ago. At the time, we criticized it as authoritarian and sensory, but decades later, we find ourselves unable to fully rely on our allies, and we begin to describe similar measures as digital sovereignty. Instead of further fragmenting the internet by pushing for isolated national platforms, shouldn’t we focus on decentralized solutions for information governance, such as community-based fact-checking and open transparent systems of accountability? Couldn’t this offer a more democratic and resilient model, aligned with the idea of a multipolar world inspired by systems like Bitcoin, where power is distributed rather than concentrated? Thank you.

Karen Mulberry: Thank you very much. Any questions based on the statements that were just recently made? Any other comments that someone would like to provide? Yes, sir.

Wout de Natris: Thank you, Karen. My name is Wout de Natris. I’m a coordinator of the Denmark Coalition on Internet Standards, Security and Safety. I don’t know if Janice Richardson is in the room, she’s here, but she conducted a research into education and skills for cyber security, and what the main outcome was is that there are tremendous skills gap between the demand made by industry and the offer made by higher education. And the biggest question, probably the 64 million dollar question, is how do we bridge that gap, and who do we need to bridge that gap? And that is something that we have been trying to address, but not too successfully, unfortunately, because there’s no follow-up to the report. But it’s something that we’re interested to do as a dynamic coalition of the IGF, and bring the stakeholders together that you need to start bridging the gap and identify what the main issues are, and that part of that is that our youth are doing the wrong sort of studies, because they’re not into the technical part of things. And how do you change that? There’s a challenge we’ve been discussing for 30 years, and it’s got to be solved also. But let me stop there, but I think that knowing that the skills gap is there is the beginning of a solution to things.

Karen Mulberry: Yeah, thank you. And we’ve got others that have also signed up to make interventions, so let me recognize several of those as we continue our discussion. I have Simona from the union Romani Voice. Is she present to make her intervention? I have the RPIF director. Yes, please make your intervention.

Panelist: I have a short remark. Alexander Shachuk from data protection experts from Ukraine. In the 21st century, it’s very important to find the balance between the one side, the Internet of Things, the artificial intelligence, the innovations, and from other side, the democracy, the rule of law, and human rights, such as data protection. It’s very important to strengthen the democracy and cyber security in European Union and Council of European States, because the 21st century is a century of fighting democracy against outer terrorism. And we must consolidate the legal and institutional instruments in cyber security, in data protection, like GDPR, and to consolidate the efforts of each country of European Union to make strengthens the framework that we have now, because it’s very important for us to find such a balance between the new technologies, informational communication system, and the human rights and rule of law that we have now. Thank you.

Karen Mulberry: Thank you very much. Do we have any comments in the room? If not, I can continue to go down. Yes, please.

Panelist: Hello, I’m Sumayya from UFX. So, I just wanted to add briefly to what’s already been said. So, during UFX, we looked at many of these challenges, actually, and noticed how the complexity of digital regulation often slows down implementation. And I think it’s very important and noticed how the complexity of digital regulation often slows down implementation. So, not only for policymakers, but even for technical experts, one of our key takeaways was the idea of a two-tiered approach to regulation. So, basically, a comprehensive legal version and a simplified one for experts, so they don’t have to spend a lot of time on understanding it. And the second point was about the digital skills gap. So, it’s clear that there’s a shortage, but from a youth perspective, it’s not just about needing more skills, people. It’s also about making the field more accessible. I think that means clearer pathways, more practical opportunities, and involving young people from the start. So, I think the interest is there. It’s just that the structures to support it are still catching up. Thank you very much.

Karen Mulberry: Thank you. All right. I’ll go down my list. I have a gentleman from the Council of Europe who had signed up to make an intervention. All right. Dariana â I’m sorry, I’m not going to pronounce your last name â who’s an independent researcher, was going to make an intervention. Yes, please.

Panelist: I’m Dariana Chmanska, cyber security analyst, and let me start with a thought. I think security without capability is not sovereignty, and it’s just dependency with good branding. And if we talk about resilience, we should not have critical systems outside the EU. We praise NIS too, but small providers face a choice, comply or collapse. We promote digital sovereignty, but build it on foreign code, foreign chips, and foreign clouds. So, what are we really securing? Infrastructure or illusion? And do we want a Europe that is secure or strategically strong? Because France means friction, it means speed, and 2030 isn’t a target. It’s, I think, a deadline. Thank you.

Karen Mulberry: Thank you. Any comments? All right, we’re moving right along. I have Theodore Hemel from the EPIS Think Tank. Are you participating? Torsten Krauss, are you here today? Let’s see. Pablopos from the Digital World Summit Greece. Please.

Panelist: Thank you very much. So, yes, I am Pavlos, and I am coming from the Digital World Summit Greece, which is the Greek NRI, the Initiative for the Internet Governance Forum in Greece. And I would like to quickly take the lead from when other speakers also, what they mentioned about securing a secure Europe, but not just a strategically strong one. But also, what we would like to highlight is the fact that security is nothing without democracy for Europe, because all this narrative about ensuring security and cyber security in Europe would be nothing if Europe is not consistent with its democratic values and the protection of rule of law. So, this is why I believe that not only ensuring security by design is crucial, but most important is securing transparency by design, especially now that AI systems are being implemented for cyber security purposes. If we take, for example, the EU AI Act, we can just realize that Europe’s commitment to innovation is done through regulation and through preserving human rights and civil liberties, and also rule of law, which is in the core of European values. Effective policy frameworks, especially for cyber security, must therefore do three things. Ensure transparency and explainability of AI systems when they are deployed, protect personal data and citizens’ rights, and, of course, demand secure by design systems, both from developers as well as from public authorities, especially now that more and more public authorities are using AI systems. So, these AI systems should not be opaque and expose all the infrastructure that is being used by public authorities to cyber threats. Thank you.

Karen Mulberry: Thank you very much. Any questions in the room? If not, okay, I’ll continue to go down my list of people who have signed up to make interventions. Let’s see. Simona from, no, my list is not very clear. Theodore Hemel from the EPIS, no. How about from Albania. Okay. Someone from the University of Warsaw. Yeah, that was you. Okay. I have a poor copy of a spreadsheet. It was put on a piece of paper. So, let’s see. Have I missed anyone that signed up? 101. Okay. Please.

MarÃlia Maciel : Thank you. My name is Marilia Maciel. I am Director for Digital Trade and Economic Security at Diplo. We had a very interesting session this morning on digital sovereignty, moderated by Karen, and I’d like to bring forward some of the ideas that were shared there. I think, first of all, we should recognize that discussions on digital sovereignty are happening in a very difficult context at the moment. The political project of liberalism is being overridden by a new mercantilist political agenda, which puts the interests of the state above the interests of economic actors. Nevertheless, in the present context, the state is not necessarily being strengthened to cater to social needs or to protect the weaker, as an European value-centered digital project has proposed for years. The precedence that is being given to the state at this moment is seen as a necessary condition to hedge against external threats and promote national security in a world that is increasingly being seen as threatening. And this also happens in a context of democratic backsliding, marked by the erosion of democratic pillars and the advancing of the extreme right parties. So how can Europe assert digital sovereignty while staying open and innovative? This was one of the questions. At the governance level, it’s important that decision-making and the governance of initiatives being adopted under the banner of digital sovereignty must be socially anchored and socially driven. And this means actively creating governance arrangements to ensure that sovereignty does not only benefit the state or our domestic champions, and that decision-making remains transparent and accountable. We need to ask ourselves whose sovereignty are we seeking to promote. For example, in our race to develop and adopt sovereign AI solutions, individuals must be skilled to become agents and not test subjects for the latest untested technology released in the market. We must demystify artificial intelligence, which after all boils down to pattern and probability. And this belief has led Diplo to create an AI apprenticeship program in which we are building the capacity of staff from international organizations in Geneva to develop their own AI solutions in-house. Just to conclude, a project of digital sovereignty must contribute to the autonomy and empowerment of individuals and to the sustainability of our planet, fulfilling present needs and the needs of future generations as well.

Karen Mulberry: Thank you. Thank you very much. Any other questions or comments? Yes, please.

Maria Nefeli Chatziioannidou: I had registered for intervention and my name is Maria Nefeli Chatziioannidou. I’m an MP from Greece and a member of the Council of Europe. As someone that is new into politics, but my specialty is in digital communities and digital innovation, I can tell you that we are facing a huge gap of how actually legislations can be applied first in EU and then forced into and applied into the member states. This is for me the most crucial challenge that we have to face because whatever we discuss here, until it will reach the end person, the citizens, and every citizen around EU is really challenging. I believe that cyber security depends on sovereignty a lot. I believe that cyber security is about our democracy. I believe that cyber security has to do with social justice and finally I believe that ethics must be embedded by design, not as an afterthought. We have a lot to do and I believe that it’s a crucial point for us, 2030, not to be another point of reflection, but to actually do everything possible to create a democratic digital environment that is based on our vision, our values, and it will definitely have to be human-centric. Thank you.

Karen Mulberry: Thank you for those comments. I think that’s a great way to wrap up our dialogue here. Oh, I’ve got another hand up there, please. I’ll get right there. You see I had a hand up back there, please. I will in a minute. I’ve got one someone, someone who has an intervention, please.

Marijana Puljak: Okay. Oh, thank you. If it’s okay to continue. I’m Marijana Puljak, a member of the Croatian Parliament and Parliamentary Assembly of the Council of Europe, and with my IT background I’m especially interested in this digital transition and digital era, and I would like to echo the concerns raised about fragmentation and over-regulation. Yesterday I spoke here about the sentence behind you, balancing regulation and innovation, and I said that the balance is very important, but as a member of Parliament I often witness how a growing number of EU-level acts combined with additional national roles creates a really illegal maze, especially for smaller digital service providers. The result of that is almost, I would say, the patchwork that prevents the companies from scaling across borders, which should be a core strength of the EU single market. We talk about digital sovereignty, but we must be honest, sovereignty without capability is meaningless. So, if our innovators are fleeing to less regulated markets, and you can see the Draghi report that says that, if operating across member states is nearly impossible, we are not protecting sovereignty, but we are undermining it. So, at the same time we are entering a new technological phase where AI is shifting infrastructure. We talked about centralized data centers to more distributed and local computing, and this demands huge investments, energy, flexibility, and with these new frameworks and regulations, while important for security, often places this appropriate burden on providers, especially in less wealthy states, member states without adequate support. So, that’s my point, that how can we better coordinate within the member states and on EU level this and reduce this regulatory fragmentation.

Karen Mulberry: Thank you very much for those comments. Actually, well, we need to wrap up here shortly. If you can make your statement very quickly, please. Can you turn on your microphone, please?

JoÃ£o Pedro Martins: Yeah, it’s not on because I think it’s programmed until we reach a certain point to move to the messages. I’m sorry.

Karen Mulberry: You can’t override that, please? Not from here. No, okay. I’m sorry. We’re now at that point in our session where we actually have to summarize and agree on what are the key points that we discussed today. So, I’d like to invite Oksana to kind of cover what our key points are.

Oksana Prykhodko: Thank you very much. Oksana Prykhodko. The first point is strategy for internet resiliency has to include strategy for economic resiliency to ensure adequate investment in development, new geometry of interconnections based on demand, new strategy for energy and water supply, strategy for human capacity, including specialists on AI. Have I to wait for response?

Karen Mulberry: No, you say it. We’ll take those one point at a time. Any comments on that as a summary of some of the key points in the discussion today? Oh, yeah. Sorry.

Panelist: Okay. Just to add that it’s not based on demand. It’s also based on demand, but necessarily having sovereignty interests on that based strategy.

Karen Mulberry: Based on demand and sovereignty? Yes. Okay. Thank you very much. Found any other comments on the first point? The second point, then, please.

Oksana Prykhodko: The second point, Europe demands not more regulations, but smarter, faster regulations based on the experience of private companies, on collaboration and multi-stakeholder approach, on strategic partnership in common interest, on harmonization and standardization, and balance between new technology and human rights. Europe has to find its own way has to find its own secure place between two superpowers.

Karen Mulberry: Any comment on that summary point? Yes, please.

Panelist: I’d like to add to that. Sorry, it was too loud. Point about based on the, can I see the statement? Instead of my face. Based on the experience of private companies, on collaboration, and so I would add based on the existing protocols and standards, so we don’t invent anything new, but we utilize what we already have developed.

Oksana Prykhodko: And standardization, it’s not about protocols.

Panelist: Just asking. No, I would add it because it’s not clear. Based on existing protocols. Yeah, because it’s not clear if we’re using existing protocols and standards. Okay, a little bit.

Karen Mulberry: Any other comments on point number two? Yes, please.

MarÃlia Maciel : It feels to me that when we say Europe demands not more regulation, there’s an intrinsic bias against regulation as if regulation was something negative, but we are at the same time. dealing with emerging technologies. So who knows what’s going to emerge tomorrow and if regulation is going to be needed. And I also don’t understand what faster regulation means. And that scares me a little bit. Normally, when we see things from a security perspective, governments act really fast, but without consulting anyone, without accountability, because it’s a matter of national security. So I would not feel very comfortable with the faster unless you mean something else and I’m misunderstanding.

Karen Mulberry: Okay, I can say we can clarify that point then. Let’s move on to point number three.

Oksana Prykhodko: Number three, some elements of successful strategies, security of the NS system, reliable encryption to avoid political, economical, malicious military risks, market decentralization, which can help even under military aggression, focus on innovation.

Karen Mulberry: Any comments on the third summary point? Yes, please.

Panelist: This is Peter again, I am a bit surprised to see this strong emphasis on the DNS system because what I heard was strong advocacy or strong mentioning of the routing system. What’s in the minutes here in the message isn’t necessarily wrong, I just don’t think it reflects the part of the discussion, thank you.

Karen Mulberry: Thank you, Peter, I think the discussion was really on the networks and the infrastructure and it didn’t point out anything very specific in terms of routing technology. It was the network itself, which encompasses many things. So we will make a correction to that as well. I mean, this is in essence the summary of what we talked about today, our key points. I do think there was a lot of interest in addressing the skills gap, so we probably need to look at not only successful strategy, but looking at adding the need for skilled people to help support the work moving forward. Yes, I have a comment up there, please.

Panelist: Sorry, if I may comment on. And the second point, because like two of our key speakers today have mentioned on global collaboration. So maybe it’s better to emphasize global collaboration on the like first sentence. And also, I think instead of based on experience of private companies, I think it’s better to emphasize PPPs, like public private partnerships. So like equally together. So thank you.

Karen Mulberry: All right. Do we have any other comments on kind of a summary of our discussion today? Yes, please.

Oksana Prykhodko: Excuse me, please, about multi-stakeholder approach and PPP. Maybe it will interfere or not?

Karen Mulberry: I mean, I tend to think that they’re similar, but they’re also different approaches. So I don’t know what term we would rather use. The multi-stakeholder approach?

Panelist: I think it’s important to mention too, because multi-stakeholder approach is more like a global discussion. And as one of the speakers mentioned that the more they go into implementation, the less it becomes multi-stakeholder. And this is when also this public private cooperation has a prominent role in every particular country. So I think it’s fair to mention both, because somehow these processes take a bit on a different for us, even though that implies a dialogue between different stakeholders.

Karen Mulberry: Yes. OK. So we’ll work on making some modifications to those three statements. Also know that after we provided some editorial work based on your comments today, these will all be posted as well. So you have some time to think about them. And provide your editorial input at that point, too. Oh, I didn’t see you back there, please.

Panelist: Hi. I must admit that I have a bit of a problem with the first sentence of the. second statement saying that Europe’s demand not more regulation, but smarter, faster regulation. So we demand no more regulation, but by regulating. I see really the Europe regulating in this sentence. So I must say that I really have big difficulties with this sentence. Maybe to rephrase or to find another way to say that.

Karen Mulberry: Okay, I mean, I know that there is a balance between the need for regulation to provide that uniform approach to something and to provide those ensure safety and protections. But there’s also in that balance considerations that need to be made for allowing innovation, allowing networks to thrive in different ways, and addressing some of those complexities on the technology side of things that regulation may or may not be able to really, one, catch up with, and two, address in a way that doesn’t create unintended consequences. So, I mean, I think that’s part of the collaboration that’s needed and the balance that needs to be considered as we move forward. Yes, we have a comment up there, please.

Panelist: Thank you. I would like to clarify the last sentence of the second point. Europe has to find its own secure place between two superpowers. I mean, Europe is already an organizational structure that has already determined where it is and how it should react to difficulties, even the ones that are related to technical advancements. Therefore, maybe it doesn’t, we shouldn’t mention that it has to find, maybe it has to define or underline the way or difficult approaches that will help the development of those two superpowers and even protect the human rights. Thank you.

Karen Mulberry: Okay, thank you. And maybe we don’t necessarily need to even mention Europe between two superpowers because the focus is on what Europe is doing and what Europe is considering. Yes, our final comment here.

JoÃ£o Pedro Martins: Yeah, we are by the half an hour, so I think only yours will be open for you.

Karen Mulberry: Only mine, okay. Well, I have lots of power, it seems. Anyway, we’re at our time, so that’sâthey’ve programmed some nice, delightful insights into our session for us in terms of letting microphones work and what we are able to do, so I apologize for that. But I do appreciate everyone participating, providing your insights, providing your comments, and actually working towards developing how do we get to 2030, and how do we secure things, and what can we do to make Europe and the EU better at what it’s needed to protect what it has. So thank you very much. I appreciate you participating.

Augusto Fragoso

Speech speed

122 words per minute

Speech length

2582 words

Speech time

1261 seconds

Need for new submarine cable routes and European data gateways to reduce dependency on single connections

Explanation

Europe must create new routes connecting to Asia-Pacific, Africa and the Middle East to avoid over-dependence on existing connections. The current routes are not resilient enough and depend heavily on passages like Egypt, which pose high risks due to regional instability.

Evidence

Major discussion point

Investment and Financing Challenges

Topics

Economic | Infrastructure

Agreed with

– Christian von Stamm Jonasson
– Panelist

Agreed on

Need for public-private partnerships for strategic infrastructure investments

Christian von Stamm Jonasson

Speech speed

145 words per minute

Speech length

1570 words

Speech time

648 seconds

Europe needs smarter regulation rather than more regulation, with simplified overlapping requirements

Explanation

The current regulatory framework has become overly complex with overlapping requirements that are difficult for companies to navigate. The focus should be on simplifying and making regulation more effective rather than adding more layers of regulation.

Evidence

Internal industry paper on possible overlaps and simplification measures was already 85 pages long. Too many cybersecurity colleagues spend time on compliance trying to figure out regulations instead of implementing actual security measures.

Major discussion point

Regulatory Framework and Harmonization

Topics

Legal and regulatory | Cybersecurity

Agreed with

– Alena Muravska
– Marijana Puljak
– Panelist

Agreed on

Regulatory complexity and fragmentation undermines effectiveness

Disagreed with

– MarÃlia Maciel

Disagreed on

Approach to regulation – more vs. smarter regulation

Public-private partnerships needed for building redundant capacity that isn’t economically viable for private operators alone

Explanation

Businesses are not designed to build redundancies that aren’t economically viable, but having extra capacity for rerouting during outages is essential for digital economy resilience. This requires public-private partnerships to fund strategic infrastructure that goes beyond commercial viability.

Evidence

As a business, Deutsche Telekom builds what is economically and financially viable. Having 20, 30, 40 percent extra capacity in data centers for rerouting traffic during outages requires public-private partnership for sovereign technological solutions.

Major discussion point

Infrastructure and Network Resilience

Topics

Economic | Infrastructure

Agreed with

– Augusto Fragoso
– Panelist

Agreed on

Need for public-private partnerships for strategic infrastructure investments

Alena Muravska

Speech speed

129 words per minute

Speech length

1463 words

Speech time

677 seconds

Digital sovereignty should build resilience through leadership in open Internet standards rather than isolation

Explanation

Digital sovereignty should not be about excluding external actors but about building resilience through leadership in supporting open Internet security standards and fostering collaboration. Complete self-sufficiency in digital matters is neither feasible nor desirable.

Evidence

The Internet has thrived for more than four decades on principles of open standards like IPv4, IPv6, and RPKI, interoperability and permissionless innovation. Cybersecurity threats are borderless, so resilience can only be built through cooperation.

Major discussion point

Digital Sovereignty and Security

Topics

Infrastructure | Cybersecurity

Agreed with

– Isti Marta Sukma
– Panelist

Agreed on

Importance of multi-stakeholder collaboration and open standards

NIS2 directive implementation varies across 27 member states, creating compliance challenges for global operators

Explanation

The divergence in how member states interpret and implement NIS2 rules creates complications for organizations operating globally and serving customers in different countries. This fragmentation undermines the directive’s effectiveness.

Evidence

Agreed with

– Isti Marta Sukma
– Panelist

Agreed on

Importance of multi-stakeholder collaboration and open standards

Support broader implementation of protocols like IPv6 and RPKI through training and best practices

Explanation

The European Commission has recognized the need for transition to latest generation network protocols and modern communication standards. This requires supporting broader implementation through training, best practices exchange, and community engagement.

Evidence

First implementing regulation under NIS2 calls for transition towards latest generation networks layer communication protocols (IPv6) and deployment of internationally agreed interoperable modern email communication standards and DNS security best practices (RPKI).

Major discussion point

Technology Standards and Protocols

Topics

Infrastructure | Development

Recognition needed for organizations responsible for Internet’s technical coordination like RIRs and ICANN

Explanation

Organizations like Regional Internet Registries, ICANN, and IETF should remain in the lead for developing technical standards and procedures for governing Internet’s core functionality. Recognition and support of their open, transparent processes is critical for secure and innovative digital environment.

Evidence

These organizations are fundamental to technical coordination and underpin and secure a globally interoperable Internet. Their functions are critical to create connected, secure and innovative digital environment for Europe.

Major discussion point

Multi-stakeholder Collaboration and Governance

Topics

Infrastructure | Legal and regulatory

Wout de Natris

Speech speed

155 words per minute

Speech length

227 words

Speech time

87 seconds

Tremendous skills gap exists between industry demand and higher education offerings

Explanation

Research conducted shows there is a significant mismatch between what industry demands in cybersecurity skills and what higher education institutions are providing. This creates a fundamental challenge in building cybersecurity capacity.

Evidence

Janice Richardson conducted research into education and skills for cybersecurity, finding tremendous skills gap between industry demand and higher education offer. Youth are doing wrong sort of studies, not focusing on technical aspects.

Major discussion point

Skills Gap and Human Resources

Topics

Development | Cybersecurity

Agreed with

– Augusto Fragoso
– Karen Mulberry
– Panelist

Agreed on

Critical skills shortage in cybersecurity and AI professionals across Europe

Isti Marta Sukma

Speech speed

129 words per minute

Speech length

217 words

Speech time

100 seconds

Global collaboration essential as cybersecurity threats are borderless and transnational

Explanation

Cybersecurity threats are transnational and interdependent, requiring inclusive and cooperative solutions rather than reinforcing divisions. The EU should integrate regions like the Indo-Pacific into its cybersecurity strategy through public-private partnerships and global collaboration in Internet governance.

Evidence

The EU and Indo-Pacific share key features: fast-growing economies with cybersecurity and digital policy landscapes, and mutual interest in securing digital infrastructure. Binary framing of democratic vs authoritarian tech risks deepening division and hindering cooperation.

Major discussion point

Multi-stakeholder Collaboration and Governance

Topics

Cybersecurity | Development

Agreed with

– Alena Muravska
– Panelist

Agreed on

Importance of multi-stakeholder collaboration and open standards

Panelist

Speech speed

136 words per minute

Speech length

1944 words

Speech time

856 seconds

Technical community contribution becomes more important at detailed implementation levels but receives less input

Explanation

While the European Commission supports multi-stakeholder approaches globally, there is a paradox where technical community input decreases as regulations get more detailed and closer to implementation. The technical community’s strategic and operational responsibility for running core Internet parts makes their contribution especially important at detailed regulatory levels.

Evidence

Commission applauds multi-stakeholder approaches globally and there were consultations about NIS2, but when it comes to implementing acts and sub-legal regulation, there is less multi-stakeholder involvement the closer we get to implementation.

Major discussion point

Multi-stakeholder Collaboration and Governance

Topics

Legal and regulatory | Infrastructure

Agreed with

– Christian von Stamm Jonasson
– Alena Muravska
– Marijana Puljak

Agreed on

Regulatory complexity and fragmentation undermines effectiveness

Disagreed with

– Oksana Prykhodko
– Peter Koch

Disagreed on

Technical system priorities – DNS vs. routing systems

Inclusive ecosystem needed where policymakers, researchers, and civil society work together

Explanation

To make Europe’s digital and cybersecurity 2030 vision a reality, an inclusive ecosystem is needed where different stakeholders collaborate to anticipate threats, develop trusted technologies, and uphold democratic values. This requires platforms for training, upskilling, and knowledge transfer.

Evidence

Topics

Cybersecurity | Human rights

Karen Mulberry

Speech speed

131 words per minute

Speech length

1892 words

Speech time

861 seconds

Skilled people are fundamental requirement as infrastructure cannot function without operators

Explanation

Having all the necessary infrastructure and building capacity for the future is meaningless without people who can actually operate, manage, and plan the systems. The most important element for achieving a secure network by 2030 is having skilled people to address the work.

Evidence

You can’t operate the network, you can’t prepare for the future, unless you’ve got people that are actually going to be addressing the work and doing planning. Having all the infrastructure you need isn’t going to work unless you have somebody that can run it.

Major discussion point

Skills Gap and Human Resources

Topics

Development | Infrastructure

Agreed with

– Augusto Fragoso
– Wout de Natris
– Panelist

Agreed on

Critical skills shortage in cybersecurity and AI professionals across Europe

Marília Maciel

Speech speed

0 words per minute

Speech length

Digital Sovereignty and Security

Topics

Human rights | Development

Disagreed with

– Augusto Fragoso

Disagreed on

Focus of digital sovereignty – state interests vs. individual empowerment

Caution needed regarding ‘faster regulation’ as it may compromise accountability and consultation

Explanation

The concept of ‘faster regulation’ is concerning because when governments act quickly from a security perspective, they often do so without proper consultation or accountability mechanisms. This approach can undermine democratic processes and stakeholder engagement that are essential for effective regulation.

Evidence

Maria Nefeli Chatziioannidou

Speech speed

124 words per minute

Speech length

207 words

Speech time

100 seconds

Cybersecurity depends on sovereignty and is fundamental to democracy and social justice

Explanation

Cybersecurity is not just a technical issue but is fundamentally connected to sovereignty, democracy, and social justice. Ethics must be embedded by design in cybersecurity approaches, not added as an afterthought, and the focus must remain human-centric.

Evidence

As an MP from Greece specializing in digital communities and digital innovation, emphasizes that cybersecurity has to do with social justice and democracy, requiring human-centric approach with ethics embedded by design.

Major discussion point

Digital Sovereignty and Security

Topics

Human rights | Cybersecurity

Marijana Puljak

Speech speed

121 words per minute

Speech length

279 words

Speech time

137 seconds

Growing regulatory complexity creates legal maze especially for smaller digital service providers

Explanation

The combination of EU-level acts with additional national rules creates a complex legal maze that prevents companies from scaling across borders, which should be a core strength of the EU single market. This particularly affects smaller digital service providers who cannot navigate the complexity.

Evidence

As Croatian Parliament member with IT background, witnesses how growing number of EU-level acts combined with additional national roles creates illegal maze. Draghi report shows innovators are fleeing to less regulated markets.

Major discussion point

Regulatory Framework and Harmonization

Topics

Legal and regulatory | Economic

Agreed with

– Christian von Stamm Jonasson
– Alena Muravska
– Panelist

Agreed on

Regulatory complexity and fragmentation undermines effectiveness

Balance needed between regulation and innovation to avoid undermining digital sovereignty

Explanation

While regulation is important for security, sovereignty without capability is meaningless. If innovators flee to less regulated markets and operating across member states becomes nearly impossible, Europe is undermining rather than protecting its sovereignty.

Evidence

If innovators are fleeing to less regulated markets and operating across member states is nearly impossible, we are not protecting sovereignty but undermining it. New technological phase with AI shifting infrastructure demands huge investments, energy, and flexibility.

Major discussion point

Regulatory Framework and Harmonization

Topics

Legal and regulatory | Economic

Oksana Prykhodko

Speech speed

101 words per minute

Speech length

Infrastructure and Network Resilience

Topics

Cybersecurity | Infrastructure

Disagreed with

– Peter Koch

Disagreed on

Technical system priorities – DNS vs. routing systems

João Pedro Martins

Speech speed

163 words per minute

Speech length

153 words

Speech time

56 seconds

Technical coordination and moderation essential for effective multi-stakeholder dialogue

Explanation

Effective online and hybrid participation in cybersecurity discussions requires proper technical coordination, including managing microphone access, ensuring muted connections for in-room Zoom participants, and facilitating orderly interventions. This technical infrastructure is fundamental to enabling meaningful multi-stakeholder dialogue on complex cybersecurity issues.

Evidence

For those joining on Zoom, just make sure that when you want to address the audience, you raise your hand. If you’re joining Zoom while you’re inside the room, please connect it muted and with your speaker sound disabled.

Major discussion point

Multi-stakeholder Collaboration and Governance

Topics

Infrastructure | Development

Agreements

Agreement points

Critical skills shortage in cybersecurity and AI professionals across Europe

Speakers

– Augusto Fragoso
– Wout de Natris
– Karen Mulberry
– Panelist

Arguments

Critical shortage of AI technicians and cybersecurity professionals across Europe

Tremendous skills gap exists between industry demand and higher education offerings

Skilled people are fundamental requirement as infrastructure cannot function without operators

Need for clearer pathways and more practical opportunities to make cybersecurity field accessible to youth

Summary

All speakers agree that Europe faces a fundamental shortage of skilled cybersecurity and AI professionals, with a significant gap between industry needs and educational output. This skills shortage is seen as a critical bottleneck for achieving digital sovereignty and cybersecurity goals.

Topics

Development | Cybersecurity

Need for public-private partnerships for strategic infrastructure investments

Speakers

– Augusto Fragoso
– Christian von Stamm Jonasson
– Panelist

Arguments

Strategic infrastructure investments require public-private partnerships due to scale beyond private operators

Public-private partnerships needed for building redundant capacity that isn’t economically viable for private operators alone

Inclusive ecosystem needed where policymakers, researchers, and civil society work together

Summary

Speakers consistently argue that strategic digital infrastructure requires public-private partnerships because the scale and strategic nature of investments needed goes beyond what private operators can justify economically, particularly for redundant capacity and resilience measures.

Topics

Economic | Infrastructure

Regulatory complexity and fragmentation undermines effectiveness

Speakers

– Christian von Stamm Jonasson
– Alena Muravska
– Marijana Puljak
– Panelist

Arguments

Europe needs smarter regulation rather than more regulation, with simplified overlapping requirements

NIS2 directive implementation varies across 27 member states, creating compliance challenges for global operators

Growing regulatory complexity creates legal maze especially for smaller digital service providers

Technical community contribution becomes more important at detailed implementation levels but receives less input

Summary

Multiple speakers agree that the current regulatory approach creates excessive complexity and fragmentation, particularly affecting smaller organizations and global operators. They advocate for smarter, more harmonized regulation rather than additional layers of requirements.

Topics

Legal and regulatory | Economic

Importance of multi-stakeholder collaboration and open standards

Speakers

– Alena Muravska
– Isti Marta Sukma
– Panelist

Arguments

Digital sovereignty should build resilience through leadership in open Internet standards rather than isolation

Global collaboration essential as cybersecurity threats are borderless and transnational

Leverage well-established international standards like ISO 27001 for cybersecurity harmonization

Summary

Speakers emphasize that cybersecurity challenges are inherently global and require collaborative approaches based on open standards and multi-stakeholder engagement rather than isolationist policies.

Topics

Infrastructure | Cybersecurity

Similar viewpoints

Both speakers recognize that critical infrastructure planning must be integrated and that strategic investments require collaboration between public and private sectors due to the scale and strategic nature of requirements that go beyond commercial viability.

Speakers

– Augusto Fragoso
– Christian von Stamm Jonasson

Arguments

Energy and telecommunications networks are interdependent and must be planned together

Public-private partnerships needed for building redundant capacity that isn’t economically viable for private operators alone

Topics

Infrastructure | Economic

Both advocate for regulatory approaches that leverage existing proven standards and protocols while providing flexibility in implementation rather than creating new prescriptive requirements.

Speakers

– Alena Muravska
– Panelist

Arguments

Regulatory frameworks should be risk-based and define goals clearly without prescribing specific paths

Utilize existing protocols and standards rather than inventing new ones

Topics

Legal and regulatory | Infrastructure

These speakers share a human rights-centered approach to digital sovereignty, emphasizing that cybersecurity and digital policies must serve democratic values and individual empowerment rather than just state or corporate interests.

Speakers

– MarÃlia Maciel
– Maria Nefeli Chatziioannidou
– Panelist

Arguments

Digital sovereignty governance must be socially anchored and transparent to benefit individuals

Cybersecurity depends on sovereignty and is fundamental to democracy and social justice

Transparency and explainability required for AI systems deployed in cybersecurity

Topics

Human rights | Cybersecurity

Unexpected consensus

Brain drain from peripheral to central European countries weakens overall security

Speakers

– Augusto Fragoso
– Isti Marta Sukma

Arguments

Brain drain from peripheral countries to central European countries weakens overall security chain

Global collaboration essential as cybersecurity threats are borderless and transnational

Explanation

Unexpectedly, both a government representative from a peripheral EU country and an academic from outside Europe identified the same structural problem: that concentrating talent in central European countries actually weakens overall European cybersecurity by creating weak links in peripheral countries that adversaries can exploit.

Topics

Development | Cybersecurity

Diversity and decentralization as key to resilience

Speakers

– Alena Muravska
– Oksana Prykhodko
– Panelist

Arguments

Diversity of routes, networks, and providers is essential for Internet stability

Successful cybersecurity strategy requires DNS system security and market decentralization

Security without capability is dependency with good branding, not true sovereignty

Explanation

There was unexpected consensus across different stakeholder types that market concentration and centralization actually undermines security, with the Ukrainian conflict example demonstrating how diversity prevents systemic failure. This challenges conventional thinking about efficiency through consolidation.

Topics

Infrastructure | Cybersecurity

Overall assessment

Summary

Strong consensus emerged around four main areas: the critical skills shortage across Europe, the need for public-private partnerships for strategic infrastructure, the counterproductive nature of regulatory complexity and fragmentation, and the importance of multi-stakeholder collaboration based on open standards. There was also unexpected agreement on how centralization and brain drain actually weaken overall European cybersecurity.

Consensus level

High level of consensus on fundamental challenges, with broad agreement that current approaches to regulation and skills development are insufficient. The consensus suggests a shared understanding that Europe’s digital sovereignty requires more collaborative, flexible, and inclusive approaches rather than top-down regulatory solutions. This has significant implications for policy development, suggesting that stakeholders are aligned on the need for fundamental changes in how Europe approaches cybersecurity and digital infrastructure planning.

Differences

Infrastructure | Cybersecurity

Unexpected differences

Arguments

Energy and telecommunications networks are interdependent and must be planned together

Public-private partnerships needed for building redundant capacity that isn’t economically viable for private operators alone

Topics

Infrastructure | Economic

Both advocate for regulatory approaches that leverage existing proven standards and protocols while providing flexibility in implementation rather than creating new prescriptive requirements.

Speakers

– Alena Muravska
– Panelist

Arguments

Regulatory frameworks should be risk-based and define goals clearly without prescribing specific paths

Utilize existing protocols and standards rather than inventing new ones

Topics

Legal and regulatory | Infrastructure

These speakers share a human rights-centered approach to digital sovereignty, emphasizing that cybersecurity and digital policies must serve democratic values and individual empowerment rather than just state or corporate interests.

Speakers

– MarÃlia Maciel
– Maria Nefeli Chatziioannidou
– Panelist

Arguments

Digital sovereignty governance must be socially anchored and transparent to benefit individuals

Cybersecurity depends on sovereignty and is fundamental to democracy and social justice

Transparency and explainability required for AI systems deployed in cybersecurity

Topics

Human rights | Cybersecurity

Takeaways

Key takeaways

Europe’s digital security strategy for 2030 requires integrated planning of telecommunications and energy networks, as they are interdependent and cannot be addressed separately

A critical skills shortage exists across Europe in AI, cybersecurity, and quantum technologies, with brain drain from peripheral to central countries weakening the overall security chain

Europe needs smarter regulation rather than more regulation, with better harmonization across 27 member states to reduce compliance complexity and fragmentation

Digital sovereignty requires building resilience through leadership in open Internet standards and global collaboration, not isolation or complete self-sufficiency

Infrastructure resilience demands new submarine cable routes, strategic inland connections, and edge computing capacity, requiring public-private partnerships for investments beyond private sector viability

Multi-stakeholder collaboration is essential but decreases at implementation levels where technical community input is most needed

Regulatory frameworks should be risk-based, define clear goals without prescribing specific paths, and leverage existing international standards rather than creating new ones

Resolutions and action items

Three key summary points were developed for further editorial refinement: 1) Strategy for internet resiliency must include economic resiliency, new infrastructure geometry, and human capacity development, 2) Europe needs smarter, collaborative regulation based on multi-stakeholder approaches and existing standards, 3) Successful strategies require secure DNS/routing systems, market decentralization, and innovation focus

Participants agreed to provide additional editorial input on the summary statements after the session

Recognition that the European Commission’s public consultation on international digital policy strategy (running until May 21st) provides an opportunity for community input

Unresolved issues

How to finance strategic infrastructure investments that exceed private sector economic viability, particularly the 800 billion euros needed for electrical network renewal

How to address the skills gap and prevent brain drain from peripheral to central European countries while maintaining security chain strength

How to balance the need for regulation with innovation requirements without creating unintended market consequences

How to ensure adequate technical community input at detailed implementation levels of regulation

How to protect critical submarine cable infrastructure across vast maritime areas with limited surveillance capacity

How to achieve regulatory harmonization across 27 member states while respecting national security competences

Whether Europe has come too late to achieve meaningful digital sovereignty given existing dependencies

Suggested compromises

Adopt a two-tiered regulatory approach with comprehensive legal versions and simplified versions for technical experts to reduce compliance burden

Implement risk-based regulatory frameworks that define goals clearly but allow flexibility in implementation methods

Strengthen both multi-stakeholder approaches for global discussions and public-private partnerships for national implementation

Focus on leveraging existing international standards and protocols rather than creating new European-specific requirements

This comment challenges the emerging consensus against regulation by highlighting the democratic and accountability implications of ‘faster’ regulatory approaches, introducing important considerations about process and participation.

Impact

This intervention forced the group to reconsider their summary statements and highlighted tensions between efficiency and democratic governance. It led to modifications in the final summary and ensured that concerns about regulatory process and stakeholder engagement remained part of the discussion.

Overall assessment

Explanation

This seeks clarification on how to balance the need for timely regulatory responses with proper democratic processes and stakeholder engagement

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.