Main Topic 3: Europe at the Crossroads: Digital and Cyber Strategy 2030

Summary

This discussion focused on Europe’s digital and cybersecurity strategy for 2030, addressing challenges and opportunities in creating a secure and resilient digital infrastructure. Experts highlighted the need for a comprehensive approach encompassing network infrastructure, energy supply, and human capacity development. A key point was the importance of skilled professionals, particularly in emerging fields like AI, to support technological advancements and security measures.

Participants emphasized the need for smarter, more harmonized regulations that balance innovation with security concerns. The discussion touched on the importance of public-private partnerships and multi-stakeholder approaches in developing effective strategies. There was a call for leveraging existing protocols and standards rather than reinventing them.

The conversation also addressed the challenges of implementing EU-wide regulations at the national level and the potential burden on smaller providers. Speakers stressed the importance of maintaining democratic values and transparency in the pursuit of digital sovereignty. The need for a decentralized and diverse digital ecosystem was highlighted as crucial for resilience.

Participants discussed the geopolitical context of Europe’s digital strategy, including the need to navigate between major global powers while asserting its own digital sovereignty. The discussion concluded with a recognition of the complex balance required between regulation, innovation, and the protection of human rights in the evolving digital landscape.

Keypoints

Major discussion points:

– The need for skilled cybersecurity professionals and addressing the skills gap in Europe

– Balancing regulation with innovation and avoiding over-regulation that stifles growth

– Improving collaboration between stakeholders, including public-private partnerships

– Strengthening digital infrastructure resilience through diversification and redundancy

– Aligning cybersecurity efforts with European values like democracy and human rights

The overall purpose of the discussion was to explore Europe’s digital and cybersecurity strategy leading up to 2030, examining challenges and opportunities for creating a secure, resilient, and innovative digital environment across the continent.

The tone of the discussion was largely constructive and forward-looking, with participants offering different perspectives on how to achieve digital resilience and sovereignty. There was general agreement on the importance of the issues, but some debate around specific approaches, particularly regarding regulation. The tone became slightly more critical towards the end as participants scrutinized the proposed summary points.

Speakers

– Christian von Stamm Jonasson – Director General of Ribbonova, represents Deutsche Telekom’s Brussels EU policy office

– Wout de Natris – Coordinator of the Denmark Coalition on Internet Standards, Security and Safety

– Marijana Puljak – Member of the Croatian Parliament and Parliamentary Assembly of the Council of Europe

– Alena Muravska – Represents the RIPE NCC

– Marília Maciel – Director for Digital Trade and Economic Security at Diplo

– Maria Nefeli Chatziioannidou – MP from Greece and member of the Council of Europe

– Isti Marta Sukma – From the University of Warsaw

– Karen Mulberry – From the IEEE Standards Association, session moderator

– Augusto Fragoso – Government perspective from Portugal

РJọo Pedro Martins РOnline moderator

– Oksana Prykhodko – Summarized key points

Additional speakers:

– Farhan Seto – Director General of Ribbonova

– Peter Koch – Works for DINIC, the German CCTLD registry

– Simona – From Union Romani Voice (mentioned but did not speak)

– Alexander Shachuk – Data protection expert from Ukraine

– Sumayya – From UFX

– Dariana Chmanska – Cybersecurity analyst

– Pavlos – From Digital World Summit Greece

– Unnamed panelists who provided additional comments

Europe’s Digital and Cybersecurity Strategy for 2030: Challenges and Opportunities

This comprehensive discussion at EuroDIG focused on Europe’s digital and cybersecurity strategy for 2030, addressing the challenges and opportunities in creating a secure and resilient digital infrastructure. Experts from various sectors, including government, industry, and academia, highlighted the need for a multifaceted approach encompassing network infrastructure, energy supply, and human capacity development.

Network Infrastructure and Energy Challenges

Augusto Fragoso, representing the Portuguese government perspective, emphasized the significant challenges in upgrading Europe’s digital infrastructure. He highlighted the often-overlooked resource requirements, such as the need for substantial amounts of water to cool data centers, underscoring the interconnection between digital infrastructure and energy resources.

Human Capacity and Skills Gap

A recurring theme throughout the discussion was the critical shortage of skilled cybersecurity professionals in Europe. Wout de Natris, Coordinator of the Denmark Coalition on Internet Standards, Security and Safety, emphasized the urgent need to address this skills gap. Sumayya from UFX raised the question of how to make the cybersecurity field more accessible to young people, highlighting the importance of ensuring a pipeline of future professionals.

Regulation, Innovation, and AI

The balance between regulation and innovation emerged as a contentious point in the discussion. Several speakers, including Christian von Stamm Jonasson, advocated for “smarter” rather than more regulation, arguing for simplifying and harmonizing regulations across EU member states to speed up implementation. The discussion also touched on the challenges of regulating AI in cybersecurity, with Pavlos from the Digital World Summit Greece emphasizing the need for transparency in AI systems used for cybersecurity purposes.

Marília Maciel, Director for Digital Trade and Economic Security at Diplo, cautioned against an inherent bias against regulation, arguing that it may be necessary for emerging technologies. This disagreement highlighted the complexity of balancing various interests and priorities in shaping Europe’s digital future.

Multi-stakeholder Approach and Public-Private Partnerships

The discussion emphasized the importance of a multi-stakeholder approach and public-private partnerships in addressing cybersecurity challenges. Speakers highlighted the need for collaboration between government, industry, and academia to develop effective solutions and policies.

Digital Sovereignty and Values

The concept of digital sovereignty was a central theme, with speakers emphasizing the need to balance security concerns with democratic values and human rights. Maria Nefeli Chatziioannidou, an MP from Greece, stressed the importance of embedding ethics by design in digital technologies and highlighted the challenges of implementing EU-level regulations at the national level.

Marília Maciel broadened the concept of digital sovereignty beyond state-level concerns, stating, “A project of digital sovereignty must contribute to the autonomy and empowerment of individuals and to the sustainability of our planet, fulfilling present needs and the needs of future generations as well.”

Dariana Chmanska, a cybersecurity analyst, offered a critical perspective on digital sovereignty, arguing, “Security without capability is not sovereignty, and it’s just dependency with good branding. And if we talk about resilience, we should not have critical systems outside the EU.” She also highlighted the potential negative impacts of the NIS2 directive on smaller providers, noting that they face a choice to “comply or collapse” under these regulations.

Technical Considerations and Global Standards

Alena Muravska, representing the RIPE NCC, emphasized the importance of leveraging well-established international standards to achieve a harmonious cybersecurity space in Europe. She specifically mentioned the significance of IPv6 adoption and RPKI (Resource Public Key Infrastructure) in enhancing network security and resilience.

Conclusion

The discussion highlighted the complex challenges facing Europe as it develops its digital and cybersecurity strategy for 2030. While there was broad agreement on the need for significant investment in infrastructure and skills, as well as the importance of maintaining democratic values in digital governance, disagreements emerged on the specific approaches to regulation and the balance between innovation and security.

The conversation underscored the need for a multifaceted approach that considers not only technical and regulatory aspects but also broader societal and environmental implications. As Europe moves forward, it will need to navigate the delicate balance between asserting digital sovereignty and fostering an open, innovative, and globally connected digital ecosystem while addressing the practical challenges of implementation at both EU and national levels.

João Pedro Martins: Hello everyone, I’m João Pedro, I’m the online moderator. So for those joining on Zoom, just make sure that when you want to address the audience, you raise your hand. If you’re joining Zoom while you’re inside the room, please connect it muted and with your speaker sound disabled. Thank you. And now I give the floor to the moderator of the session.

Karen Mulberry: Thank you very much. I’m Karen Mulberry. I’m with the IEEE Standards Association, and I want to welcome you to today’s main session. Our topic is Europe at the Crossroads, Digital and Cyberstrategy 2030. Sounds rather ominous, but I do think it’s something that’s been a critical discussion in many areas in terms of what is security and cybersecurity strategy in light of emerging technology and all the activities that are occurring today. I mean, it’s a very evolving landscape. There’s lots of changes. It’s moving rapidly. And we hope to have a dialogue on that around the critical issues. What does it mean? What’s the infrastructure? What are the regulations? And how does that apply both within a country and across the European continent? What are the options that you should look out for? And what is being planned to get to 2030 and implement all of the regulation that’s been adopted in security? who are the networks within Europe. So to get started, we don’t necessarily have keynote speakers for this session, but we have a lot of key contributors, each offering a different perspective on the topic of security and digital security and what that means. We have a large operator within Europe. We have a regulator and we have a network operator. So they’ll each provide some perspective on what digital security and getting to 2030 means for them. So to get started, I will turn it over to our key participants. And first off, it is Augusto from Portugal who introduced himself because I’m not sure I can pronounce your last name, so I apologize, and talk a little bit from the government perspective on what they’re looking at, what they’re thinking about and how they’re going to get to that 2030 and beyond date. So Augusto, please.

Augusto Fragoso: Good afternoon, all. First of all, I would like to thank Eurodig for this opportunity. It’s always very important to share our perspectives and especially our experiences, hoping that that can bring something up for everybody else. When I was asked to have a contribution, like was said, I thought in bringing either one that more or less everyone is discussing or maybe a perspective from on the edge country. So I would say that we are looking to Europe at the crossroads, but from an edge perspective. As edge country, we have a special role, which is to be a frontier, both in geographical, physical terms as in digital terms. When we talk about resilience, we are talking, as always and first of all, about economical resilience and, of course, as well, it’s everything about the money. So, basically, we are talking about how infrastructures, how the means that we use to protect them assure that our economy flows and relates with our economy’s bringing value. To understand a bit more about this, I usually use a very simple analogy. I call it the digital day, which is basically following what everyone does digitally since we wake up until we go to bed again. And if you follow that digital day, you can find yourself crossing with several companies, several pieces of technology, and we also can understand where they are actually based and how the flow of economy from the usage of each one of those applications, apps, goes. So, basically, when you do so, you see that there is a very clear correlation between that economical digital flow and the infrastructures that are laid beneath it, namely international connection infrastructures like submarine cables. Basically, in the last years, the advancement of technology has been at a pace that is very difficult to follow, both for the market and especially for people like us, regulators. We have to have oversight of everything that is happening and trying to identify risks and potential that can be used to create. So basically, we usually say that, or we were saying until recently, that US innovates, China copies, and Europe regulates. That’s not anymore true. Now China also innovates, and a lot, and it seems that we continue to regulate. Usually just as a joke, I say that we are trying to acting through it, because we have produced just in the last two years huge numbers of acts that are difficult to cope with, both for the market and the companies that have to implement them, as for us as regulators, to make sure that they make sense, to analyze the impact that they might have in the market, and of course to use supervision to go with it in an efficient manner. But it seems that we all understood that by now, AI is critical to do all these, not only for market development, but also for supervision and regulation, and a couple of technologies that we would call sovereignty technologies are also absolutely necessary to support the continuous growth of the digital market, as we intend to do with the digital single market. Basically, quantum tech, the chips that are necessary to support the capacity to build devices, introducing it in our technology, in our society. Nuclear energy is being discussed again, and of course networks, both telecommunication networks and energy networks. So when we think about how these things relate with the flows, the economical flows that we can see, we have to assure that the old ones are still usable, we can secure the flows that are over our infrastructures, and we have to assure as well that new ones will come to place, because it’s every time more obvious when we look to the dimension of economical flow between geographical areas, you can see that basically the biggest one still is between Europe and the US, and I’m not sure if the direction is the one that’s supposed to be. And it is obvious that we have to increase the other ones so we, to obtain resilient markets, are not totally dependent on only one of these connections. Basically, we have to think about new routes connecting Europe, the Asia-Pacific area, Africa and the Middle East. Basically, it means that Europe strategically, in terms of resilience, has to increase the number of connections to other countries through internet or, in this case, subsea infrastructures. Basically, supporting what was stated in 2021 as European data gateways, creating the necessary and resilient connections in at least these four areas that we have here, the North Sea, Arctic, Atlantic, Baltic and Mediterranean. And let me tell you that the Nordic Sea and Arctic are of tremendous importance for the new growth that we need in terms of economy connecting us to Asia-Pacific. Because the routes that were used before were not resilient enough and they are fully dependent on the passage in Egypt, for instance, and all the situations that we have been testifying in that region allows us to say that it is a very high-risk route. So, resilience here means to create other routes to go to Asia-Pacific that will bring us also capacity to protect those same routes. But it’s not only between geographical regions or countries that we need to increase, overseas countries that we need to increase that capacity. We also need to do it internally in lands through more strategic inland routes because the flat system that was supporting our economy is now, with the bringing of AI, the idea is outdated. So, before we were thinking about huge big data centers in the flat cities, now we are thinking that that doesn’t work anymore. We need to provide other routes and necessarily much more edge points of computing to support AI. locally and the local economies. So edge computing as broad needs to rethink the overall infrastructure of Europe. And with it, of course, we have to think if we have energy and water enough to support all these demand for data centers. Very recently in Portugal and in Spain, unfortunately, we had an event that blacked us out for almost one day. And we understood in our flesh, as we say, what that means to be blacked out from communications and from electricity. And it was just for a period of one day. The thing is, when we think about network infrastructure and cybersecurity to protect that network or any aspect of security to secure those networks, we must think also about energy grids. Energy grids and data centers are fully correlated in terms of capacity and in terms of cost necessity. The energy grid needs telecommunications for command and control. Telecommunications needs energy to work. So basically, when we look at the European panorama, we have the need of investing of 800 billion euros just to renew the network that is mostly outdated for what’s necessary in the future in terms of data centers. We need 20 percent more computing capacity than we were thinking before just in three years because of AI. We need 7 billion cubic meters of water to cool data centers. I’ve been hearing reports of some data centers where the demand is such that the local authorities sometimes have to decide if they feed energy to the data center or to the local populations. So when we talk about resilience, we have to integrate both the strategy for networks and the strategy for energy. They cannot be taken in two different pathways. They have to be fully integrated. Basically, the Portuguese contribution on this edge point of view that I was referring has been mostly acting as the EU Atlantic data gateway, which means that we are now having several very important for Europe subsea cables connecting Europe to South America, to North America, to Africa. In that sense, we have been supporting the idea of creating a kind of European ring or loop concept that would augment the resilience of the network around all Europe. Going from there with the connections to the other geographical regions. This is also meant for the internal or inland capacity in terms of network. Here, I have to say that we still have some work to do and big investments to go with. When I look to my panel colleagues, I think that we have a lot of thinking about these new routes and new geometry of the network because this geometry is not based on demand. Some of these connections will not be made or should not be made because there is consuming demand at this moment, but should be made to provide, for instance, resilient connections through alternative routing. That means that this does not connect with the necessary interest of the private operators in investing in something that is much bigger than themselves. We will have some thinking to do about how to finance these strategic necessities that for sure we are and we will be having in the near future. Basically, another aspect is, as I told you, we have a lot of submarine cables landing in Portugal and through our waters, 25% of all submarine cables’ capacity landing on Portugal or not are passing. This means that when we talk about security, both for cyber purposes or just for security and resilience purposes, the question is, we… We have 4 billion square kilometers of water in the Portuguese sovereignty area that needs to be surveyed, that needs to be protected, or to protect these critical infrastructures. And the question is, how can we do it? Because our Navy, for sure, doesn’t have that capacity. We don’t have enough men to do all that job. Of course, we are aiming and looking for unmanned vehicles, smaller vehicles in bigger numbers. Surveillance electronic surveillance means, which means sea coverage that we are working on, but that doesn’t exist in 5G, for instance, at this point. But here, when we are talking about protecting this area, we are also talking about protecting the maritime traffic, where most of the north-south routes pass in this area. So basically, we are talking about the need to, in place in this area, capacity, protective capacity to protect these critical infrastructures that, at this point, doesn’t exist as it should. You for sure heard reports about hundreds of Russian and Chinese vessels, scientific vessels, just going up and down our waters, maybe trying to find some different kind of fish. I don’t know. But the thing is, this is happening, and we have to have the capacity to protect our critical infrastructures. Basically, when we talk about infrastructure resilience, we are talking about all those aspects like the submarine technologies, but we are also talking about human capacity. And the question is, if we understood that for doing whatever we want to do in the future, the response is AI, to have a better regulation, to have a better observation. for suppliers in the sky or operators to have their operations more both secure and efficient. We need AI. The question that usually I do is, okay, so who is implementing AI? With whom will I implement all this AI capacity that everyone is saying that we need to implement? Because in Portugal, I can’t find AI technicians that easy. Can you find in your countries the enough number of AI people or tech engineers to do all this work that has to be done? I mean, so basically, in the overall scenario, we know that in terms of cyber security, for instance, we will work in a chain and the chain is as weak as the weakest link. And the thing is, when we talk about that now is the vision of a peripheral country, what I know is the few engineers that we form, and we form some good ones, Portugal is having good universities, usually they go to work someplace else. So there is in Europe, even in Europe, I’m not talking even in the States, where the brain drain from Europe to the States is also ongoing. But in Europe, we have to compete to capture this kind of talent with other European countries and with the States. So the question is, we are one of the links of the European Union chain, as other peripheral countries are. And what we have seen is, usually this brain drain happens from peripheral countries, from the Eastern from the western part of Europe, from the southern part of Europe, to central countries like Germany, France, Norway, Sweden. And the question is, so we are draining these countries from the capacity to implement these new technological objectives, and we are not being able to do it as we would like because we don’t have enough human resources and we don’t form them fast enough. You know that the university course is at least three years, and we are having projects that are intended to start in one year, and we have all these dreams of building very fast digital single markets. But the thing is, if we are weakening each one of the countries, putting this brain capacity only in the central countries, then we are creating weak links all over Europe. And the question is, what of these countries who intend to produce attacks into central Europe, will use what countries, the ones that are reinforced or the ones that are weak in terms of cyber security? So, we have to think that if we want to actually have a coherent chain of security and cyber security and resilience, I have to strengthen all the links in the chain, and I have to think how can I maintain these capacities in the peripheral countries as well. Basically, then when we look to the investment necessary to do all these that we know that is needed to achieve this digital single market goal, we are confronted, for instance, in terms of investments and set funds, It’s something that I would consider a paradox because we say that digital economy, cyber security, it’s actually one of the main, if not the biggest, goal of Europe at this point. But when we see the investments that are available in CEP, for instance, we see that CEP Transport is having 25.8 billion, CEP Digital only 2.07, and CEP Energy only 5.84. As I told you, to renew the entire obsolete electrical network of Europe, we need 800 billions. So, the question is, are these investment bases coherent what we actually need, especially in the peripheral countries. Even CEP Digital, for instance, granted 250 million last year, in the last call, but 1,000 million of projects that were very important were actually not accepted. So all these projects were a way to achieve faster many of the goals that we were discussing before. So basically, I would end by stating that all the links in the chain need to have the same capacity, otherwise the chain will be as weak as the weakest link, and we need it at the same time. And Europe, in several velocities, will not work. So if we want to obtain resilience and security capacity over our infrastructures, our critical infrastructures, I think we have to work better together, involving all the stakeholders, actually understanding that these investments will have to be public-private investments, and they have to be strong, and they have to be released fast. Thank you.

Karen Mulberry: Thank you. All right, for our next speaker, I’d like to invite Christian to come up and speak a little bit from the network operator’s perspective on what he sees today and in the future.

Christian von Stamm Jonasson: Yes. Thank you, Karen, and thank you, everybody. for being here today in the room and presumably online. And for the organizers, we need dialogue now more than ever. So first off, just very briefly on who I am, my name is Christian and I represent Deutsche Telekom with our Brussels EU policy office. I’ve worked in digital security policy and cybersecurity policy for the past eight years, starting off in Danish government and the OECD working group for security and privacy in the digital economy, moving on to an industry association, the Danish Chamber of Commerce, then taking my trade to Brussels, joining a local consultancy where I worked with finance, telecoms and IT corporations as cybersecurity policy lead. And then finally, a few months ago, I joined the Deutsche Telekom outfit in Brussels. So I have seen the way we do cyber policy, both at the national, at the EU level, evolve quite a bit. When I first started out, it was recognized that the way to do cyber policy was through incentives. This whole idea about strict requirements, how do you set up a good cybersecurity policy, a good resilience plan, all these things were thought to be the prerogative of those businesses that had to live with and implement the plans because they knew the risks and they know the risk appetite and they have to decide how they want to mitigate this. And obviously, this is no longer the case. I had a nice slide with all the regulations. I mean, we regulate the product security through the CRA, we regulate both the critical infrastructure but also the essential services through the NIST2 directive. We have the Cybersecurity Act that sets out our European cybersecurity agency and we have, on the verge, a Cloud and AI Development Act that will set out the barriers or the framework for sovereign cloud solutions. So there is a large swath of legislation that companies need to take into consideration in their work. And before I go further into the topic, I just wanted to say that most of you, many of you, have probably heard of Deutsche Telekom. So in Europe, we have subsidiaries, telecommunications companies that offer mobile services. and similar, both B2B and B2C, countries like Austria, Croatia, Czech Republic, Greece, obviously Germany. In the U.S. we have T-Mobile, which after acquiring one of the local competitors is now the leading telecommunications service operator in the U.S. But what most people don’t know is that we actually do quite a bit more than that. We don’t have any sub-T cables anymore. We built a very large one connecting the U.S. and the EU. But when it decommissioned, we went over to just purchasing capacity on other networks. But what we do is advance cloud services for businesses. So we have 50 operating countries from Seoul and Tokyo to South America where we offer cloud solutions. And on the forefront on emerging technologies, we are consortia leaders. So there’s the Copernicus project where we take data from satellites to make a comprehensive Earth observation data repository. We have the Nostradamus project, which is a post-quantum cryptography consortium where we, along with French and other European companies, try to make quantum safe encryption protocols so that in the future we will still be able to transmit and store data safely from those that use quantum computers to break standard RSA encryption. So Deutsche Telekom is a little more than just mobiles and SMS. We do a little bit of everything. And what we, of course, do very much is security. Because we don’t only have to keep our network secure from all those malicious actors who either for the sake of financial gain or for the sake of geopolitical rivalry want to breach our connections, to make connectivity services unavailable for citizens, for businesses, but also for our military services. And on the other hand. to spy on our data and our state secrets. And then, I mean, basically, there’s a malicious actor, state-sponsored actor, but there are also people that would do it just for the money, because cybercrime is very big business these days. So, the industry’s perspective on where do we want to go towards 2030, do we want to go towards more regulation? Possibly. But do we want to at least see how we can regulate smarter? Because just at the moment, we’re doing a very big exercise with the Commission for the Digital Omnibus. We’re trying to see, okay, where can we simplify? Where can we remove overlapping regulation? And I think at last look, our internal industry paper on possible overlaps and simplification measures was already 85 pages long. And that’s not because the people in the European Commission or in the national member states don’t do their homework. It’s not because they do bad work. It’s because it’s very technical. It’s very complicated. And because it’s been a relatively short timeframe where the necessity, the imperative for us to regulate this has become apparent, this has also meant that they’ve tried to do a lot at the same time. And when you do a lot of things at the same time, a lot of things are very difficult, a lot of things are very complicated, you are bound to maybe not realize the full impact that these regulations are going to have and see how they might overlap or have contradictions in them. So that’s what we’re going to work on with this commission is to simplify. And that is what we will believe that the European cybersecurity framework should be come towards 2030. It should be simple to become more effective because one of the issues, Agatha, you mentioned the lack of skills. That’s definitely something we also see both in Deutsche Telekom and all the countries that we operate, cybersecurity skills. I mean, don’t forget about quantum technology because finding someone who both has a degree in quantum physics And those technology and software programming, those people are not in the thousands or in the millions. So one of the issues we have currently is that we have too many of my colleagues from T-Security spend too much of their time with compliance, trying to figure out what does this regulation mean. And when we have this regulation and this regulation, what should we do? Instead of actually spending their time implementing security measures that make sure that our networks are secure. Because we have a whole department. I’m looking forward to go visit them in a couple of weeks. They cannot come here for security reasons. They cannot bring their gear anywhere outside our headquarters. But we have a few thousand colleagues in T-Sec that not only secure our networks, but also make sure that those top-of-the-line security solutions we apply to our networks are also available to our B2B customers. So now I’ve focused a little bit on, at the EU level, how the regulation looks. The thing is telecommunications is one of the most, with energy and finance, I would say those three are the most critical infrastructure for our societal coherence. Which means we are heavily, heavily regulated at the EU level. But also each member state usually have requirements because their digital infrastructure, their connectivity is of such importance that very many member states will regulate in their own way. And that’s one of the issues that we have to deal with because security is inherently a national competence in the current European framework. So there is no legal basis for the Commission to come and say that national governments cannot do things to increase their own security and safety. Which makes sense. I mean, which country would like to be told that they are not allowed to implement those measures they think are important? Because if you are on the border of Russia or other parts of, let’s say, the Baltic or in Finland, you have a very, very different threat perspective than you have in Portugal. There are also issues in Portugal, but it’s a very different kind of risk. So you wouldn’t want to be told as a sovereign nation what you can and cannot do. I am just checking if I forgot something. I think I would round up with this. I mean, we do live in interesting times. Interesting for some, terrible for others. And with a very, very aggressive superpower on one hand, and a very, very unstable superpower on the other side of the Atlantic, what we need to do now is make sure that Europe can function in its own right. And that’s why I want to come back to what you said, Augusto, because it’s true when it comes to subsea cables or any kind of infrastructure. As a business, we’re not geared to build redundancies. We build what is economically and financially viable. But having 20, 30, 40 percent extra capacity in our data center, so if there is an outage somewhere, we can reroute the traffic and still have a functioning digital economy. That is where we need the public-private partnership, and that is where we need to make sure that we as a European Union and as a continent can deliver and can make our digital economies and societies work in our own right with our own sovereign technological solutions. Thank you.

Karen Mulberry: Thank you very much. Now for our last key participant to provide a different perspective in terms of the Internet and the Internet infrastructure and how it’s looking at security in the future. Alena, please.

Alena Muravska: Thank you, Karin. Good afternoon, everyone, and I thank everyone for this opportunity to contribute to this very important discussion. My name is Alena Murawska, and I represent the RIPE FCC. We are a non-profit membership organization with more than 20,000 members in Europe, the Middle East, and parts of Central Asia. Our members span a very large diversity of different organizations like network operators, academia, government, civil society and private sector. Also Deutsche Telekom is one of our members. I’ll definitely repeat some of the points that have already been mentioned by my colleague. As one of the five authoritative regional Internet registries, the RIPE NCC is responsible for the allocation of Internet number resources like IP addresses and autonomous system numbers. And by that we ensure that Internet remains global. Our perspective today is shaped by our commitment to promoting open standards as IPv6 and RPKI, to inclusive and transparent policy development and bottom-up community engagement. So, the current discussion on the future of the European digital strategy and European sovereignty is very important and timely, and especially in the context of the NIS2 directive that will broadly impact the digital infrastructure providers. And we follow it very closely because many of them are our members, as I already mentioned. So, the first point I would like to make will be about collaboration and multi-stakeholder approach. So, the Internet, as you all know, is a globally interconnected network of independent networks. And it has thrived for more than four decades on the principles of open standards, like I mentioned already IPv4 and IPv6, IPv4 and RPKI, interoperability and permissionless innovation. So, cybersecurity threats are borderless, and therefore the resilience and security can only be built through the cooperation. In that regard, digital sovereignty should be not about excluding yourself, but about building resilience through leadership in supporting open Internet security standards and innovation, but also in fostering the culture of collaboration. So, in this context, it is also important to note that complete self-sufficiency in digital matters is neither feasible or desirable, and that the way forward should be about building strategic partnerships and advancing a shared vision for the common interest. So, now as Europe looks at its international digital policy strategy, we have as a multi-stakeholder community here a great opportunity. to reaffirm their vision. So, the European Commission just launched a public consultation on this topic. It runs until 21st of May, so quite short time frame. And this is touching on digital diplomacy, cyber security and Internet governance. So, this strategy will also define the European role at global forum like This Is But 20 and the Internet Governance Forum. So, yesterday at the session, in the morning, Steve Sanz, the head of Internet Governance sector at DigiConnect, mentioned that Europe will be leading the This Is process. And today, also in the session dedicated to the This Is process, Tybalt Kleiner, director of Future Networks, also mentioned that they will be following the This Is But 20 review. And we as RIPE NCC and our community, we fully support and we are looking forward to see how EU will contribute to these processes. My second point is about regulatory harmonization, also what was mentioned today. And I will focus on NIS2 directive as an example. So, RIPE NCC, we fully support the main goal of NIS2, that is to improve cyber security across the EU. But the implementation of the directive, as we know, is not without challenges, especially the divergence in how 27 member states are interpreting and implementing the rules. So, this is especially complicated to organizations that operate globally, like just we heard from our colleague, and serve customers in different countries. Another aspect is that requirements under NIS2 may pose challenges and constitute disproportional charges, especially for small and medium-sized organizations and entities. Many of them are also our members and we know very well what these challenges are. So, they cannot afford having large teams only dealing with reporting in the framework of NIS2. So, overly prescriptive and fragmented rules can increase the burden on the smaller companies and drive unintended market consequences. Instead, we need the frameworks that will apply a risk-based approach and define goals clearly, but not the path how to achieve them. So, also, complicated legislation risks concentrating the market power in the hands of large providers, and this will, as we believe, undermine resilience. Because diversity of routes, networks, and providers is essential for stable Internet. It might be about cables, as also was mentioned by my other colleague from Portugal, or about the networks themselves. To give you an example, at the beginning of the Russian invasion on Ukraine, our researchers looked into the state of the Ukrainian Internet and they concluded that low market concentration and a very high number of independent networks helped to prevent systemic failure. Since there were no one point of failure, the Ukrainian Internet remained resilient until now. And if you want to learn more about resilience, I really… I’d like to refer to the presentation that was held yesterday at the RIPE meeting in Lisbon at the Best Current Operational Practices Working Group that we at the RIPE NCC support. So there was a case study done that showed that this diversification is indeed a key for resilience. So I believe that this kind of research is especially important for the policymakers that have to learn from the already existing cases. Also another aspect which I cannot not mention is DNS, because a large part of the stability of the DNS system comes from the extremely high distribution and diversification of operators. So if regulatory requirements, compliance costs and oversight that are applied in a way that makes it too demanding, they also might risk that non-commercial DNS operators may decide to withdraw the operations or to leave the EU. That will also potentially lead to a more centralized market and undermine stability of the whole system. So also here we need a proportional level of implementation and of the enforcement of the legislation. My next point is standardization. So to achieve the harmonious cyber security space, as we all agreed, it’s very important to have overall high level of cyber security in Europe. So it’s crucial to leverage on well-established international standards. At the RIPE NCC we advise the European authorities and national authorities to align national guidelines and frameworks with already globally recognized standards and information risk management, such as ISO 2701. So this approach will definitely provide assurance and facilitate compliance for many organizations, while also promoting a greater harmonization across the EU countries and globally. So here I’d like to mention a positive example of such approach. In the first implementing regulation under NAS2 adopted by the European Commission in last October, calls for transition, and I’ll quote it now, The transition towards latest generation networks layer communication protocols, and I’ll just give you a hint, it implies IPv6. Second, the deployment of internationally agreed and interoperable modern email communication standards and the application of best practices for DNS security and for Internet routing security. That kind of implies RPKI. So the Commission recognized challenges regarding the identification of these best practices and standards and deployment techniques. And with the assistance of ENISA and collaboration with a large group of stakeholders like competent authorities, industry and other stakeholders is establishing a multi-stakeholder forum to identify the best available standards and techniques. So this is a good example of European leadership through cooperation in this industry stakeholder. And by respecting technical expertise and existing industry standards and protocols to avoid overprescription and stagnation of innovation in the end. So at the RIPE NCC we also support this broader implementation of protocols such as IPv6 and RPKI through training, exchange of best practices and engagement with the community. We’re also actively contributing to capacity building and standard promotion through partnerships with different organizations and governments as well. And I’d like to conclude by bringing attention to organizations that are responsible for the administration of technical coordination of the global Internet. Such as RIRs. RIPE NCC is one of the RIRs as I mentioned. ICANN and ITF. These organizations should remain in the lead for developing technical standards, protocols and procedures for governing the Internet’s core functionality. So these functions… are fundamental to the technical coordination and underpin and secure a globally interoperable Internet. So, recognition of the role of these organizations by the policy makers at the European level and supporting their open, transparent and inclusive processes is critical to create the connected, secure and innovative digital environment for Europe. I will stop here and thank you very much for the attention. Thank you very much.

Karen Mulberry: Now we’ve set the stage for our discussion. We’ve heard about the challenges and opportunities for addressing the digital security in Europe. We’ve heard some of the needs and wants and the requirements to get to 2030. So, now is your opportunity to ask a question. What would it be? What do you want to know more about? Both from our experts that were speaking today as well as the experts that I see that are participating in the room. I mean, you know, one question that came to my mind. So, if we’re going to get to 2030 and we’re going to have a secure network throughout the EU, throughout the European continent, what’s the most important thing that’s needed? Is it the network infrastructure? Is it the supporting needs for energy and capacity to enable the network to function? Is it the people? So, what do you think? We have no thoughts at all. Actually, in my mind, if I was going to answer my own question here, I would say probably the most important thing that I got from the discussion was the need for skilled people. Because you can’t operate the network, you can’t prepare for the future, unless you’ve got the people that are actually going to be addressing the work and doing some of the planning. Having all the infrastructure that you need isn’t going to work unless you have somebody that can run it. Just like building capacity, as Christian noted, right now you build capacity for the functions that you project for today, but you don’t have people to manage capacity if you’re building for the future. So how do you address all of those needs? And fundamentally, if you’re going to train people and have more people involved, there’s an investment that comes along with that. Who is going to provide the support and partner on the investment needs to train the people and to help build out the network? Because that’s always a challenge. Old telecommunications network engineer. So understand the band-aids that you can put on things, and the band-aids you probably shouldn’t put on things, because you should do it better the first time, and you should do it right the first time. Got a question over there. Yes, sir.

Panelist: That seems to work. So hi, my name is Peter Koch, I work for DINIC, which is the German CCTLD registry. And we are critical infrastructure, we have to deal with NIH2 and all the other regulation. I wanted to follow up to both, Karen, your response to your own questions in a way, and then maybe also follow up to what Elena said. My response would probably have been that all of the above, and it’s a mesh and a network of issues, and there is probably a certain difficulty connected to singly. one of them out. But let’s take for example your choice that the people and the skilled people are important. I would completely subscribe to that and agree with that. But then these skilled people need to be able to work in a regulatory environment where they can actually exploit their talents and contribute to the regulation and at any level. Especially in Europe with the NIS2 for example. We have the paradox situation that say the commission is applauding multi-stakeholder approaches all over the planet. We heard very helpful statements say at the Sao Paulo meeting with the results of Sao Paulo guidelines for multi-stakeholderism. We see all this. There were consultations about the NIS2 but the paradox is here when it comes to the level of detail that Alena was alluding to in a way. When it comes to implementing acts and similar sub-legal regulation there is less multi-stakeholder the closer we get to the wire. And that means that the technical community and we should keep in mind that technical community and technical experts are two different things. All the communities have technical experts. Technical community is that part that community that has the strategic and operational responsibility for running the core parts of the internet. And the contribution of that part of the community is very important but it’s more important in weight when it comes to closer to the wire regulation. And I think there is very much room for improvement. Thank you.

Karen Mulberry: We have an online question please.

João Pedro Martins: I will ask Farhan Saito to unmute. He was also listed to the main session statements but if you can intervene he is ready to speak. Thank you very much. I hope you can hear me well. Yes we can hear you. Loud and clear.

Karen Mulberry: Now we can hear you, yes.

João Pedro Martins: I’m enabling your microphone.

Karen Mulberry: Yeah. No, you’re still muted. Yep. I see you. Yes.

João Pedro Martins: Perfect.

Karen Mulberry: Now you’re okay. Because I’m joining from two different platforms. Okay.

Panelist: So I’m Farhan Seto. I’m the Director General of Ribbonova. It’s a French SME actively involved in our EU projects focusing on AI governance, digital trust, and also cybersecurity. So we believe that as Europe defines its digital and cybersecurity 2030, we must ensure that our strategic ambitions are grounded in the operational reality. And we believe that regulation alone will not be enough. We need to have an inclusive ecosystem where policymakers, researchers, civil society work together to anticipate threats, develop trusted technologies, and uphold democratic values. But to make this vision a reality, as you mentioned already, we also need skilled people, individuals with technical, ethical, legal expertise to navigate complex digital environments. And we believe that the EU Commission projects are already playing a critical role in this area by serving as a platform for training, upskilling, and knowledge transfer, especially among cyber professionals, researchers, SMEs, etc. And strengthening Europe’s cyber resilience means expanding and investing in this ecosystem. So I just would like to notify that at Ribbonova. We coordinate Alia Cluster, a European-wide platform that connects over 40 EU Commission projects with dozens of cyber professionals and technical people. This initiative facilitates structured collaboration, ethical dialogue, and knowledge exchange between security professionals and policy stakeholders. So we believe that this is not a binary choice overall between innovation and rights. What we need is a governance framework that brings in the right stakeholder, those who are already working on the ground, who understand both the opportunities and the risks. So this is my statement on behalf of Priya Banoba. Thank you very much.

Karen Mulberry: Thank you for your statement. This is relatively new for EuroDIG, but they did have people sign up to make interventions during our session. So I’d like to recognize a couple of those as we move even further into the discussion on what’s important and what’s relevant for a resilient Europe in 2030. So I have our ISTI, Maria, online I believe.

Isti Marta Sukma: Up there. I’m here. Okay, thank you. My name is Isti Marta. I’m from the University of Warsaw. So to begin answering the question regarding collective cybersecurity, I believe one of the core obstacles is the hesitation to collaborate with external actors and emerging regions such as the Indo-Pacific. So this hesitation is often amplified by emerging global narratives, such as the binary framing of democratic tech versus authoritarian tech, which risks deepening division and also hindering constructive cooperation, especially in cybersecurity where threats are transnational and interdependent. The EU and the Indo-Pacific share key features. Fast-growing economies, especially with cybersecurity and digital policy landscapes, which has a mutual interest in securing digital infrastructure. So, I believe that instead of reinforcing dichotomies or overemphasizing technology-based rivalries, we must prioritize inclusive and cooperative solutions with two most crucial tangible multi-stakeholder areas. First, PPP, or public-private partnership, and also, second one, agreeing to two of our speakers today, which is global collaboration in internet governance. So, I urge EU to fully integrate in the Pacific region, especially ASEAN member states, into the EU cybersecurity strategy 2030 across all four pillars, skills, digital transformation of businesses, secure and sustainable digital infrastructure, and digitalization of public services. I believe that strengthening collective cybersecurity requires bridging divides, not hardening them. Thank you.

Karen Mulberry: Thank you very much for that statement. I’d also like to recognize Mariella from the Diplo Foundation, who has signed up to make an intervention as well. Please, go ahead.

Panelist: Do you think Europe has come too late to the game in terms of innovation to realistically achieve full digital sovereignty? China built its own digital infrastructure years ago. At the time, we criticized it as authoritarian and sensory, but decades later, we find ourselves unable to fully rely on our allies, and we begin to describe similar measures as digital sovereignty. Instead of further fragmenting the internet by pushing for isolated national platforms, shouldn’t we focus on decentralized solutions for information governance, such as community-based fact-checking and open transparent systems of accountability? Couldn’t this offer a more democratic and resilient model, aligned with the idea of a multipolar world inspired by systems like Bitcoin, where power is distributed rather than concentrated? Thank you.

Karen Mulberry: Thank you very much. Any questions based on the statements that were just recently made? Any other comments that someone would like to provide? Yes, sir.

Wout de Natris: Thank you, Karen. My name is Wout de Natris. I’m a coordinator of the Denmark Coalition on Internet Standards, Security and Safety. I don’t know if Janice Richardson is in the room, she’s here, but she conducted a research into education and skills for cyber security, and what the main outcome was is that there are tremendous skills gap between the demand made by industry and the offer made by higher education. And the biggest question, probably the 64 million dollar question, is how do we bridge that gap, and who do we need to bridge that gap? And that is something that we have been trying to address, but not too successfully, unfortunately, because there’s no follow-up to the report. But it’s something that we’re interested to do as a dynamic coalition of the IGF, and bring the stakeholders together that you need to start bridging the gap and identify what the main issues are, and that part of that is that our youth are doing the wrong sort of studies, because they’re not into the technical part of things. And how do you change that? There’s a challenge we’ve been discussing for 30 years, and it’s got to be solved also. But let me stop there, but I think that knowing that the skills gap is there is the beginning of a solution to things.

Karen Mulberry: Yeah, thank you. And we’ve got others that have also signed up to make interventions, so let me recognize several of those as we continue our discussion. I have Simona from the union Romani Voice. Is she present to make her intervention? I have the RPIF director. Yes, please make your intervention.

Panelist: I have a short remark. Alexander Shachuk from data protection experts from Ukraine. In the 21st century, it’s very important to find the balance between the one side, the Internet of Things, the artificial intelligence, the innovations, and from other side, the democracy, the rule of law, and human rights, such as data protection. It’s very important to strengthen the democracy and cyber security in European Union and Council of European States, because the 21st century is a century of fighting democracy against outer terrorism. And we must consolidate the legal and institutional instruments in cyber security, in data protection, like GDPR, and to consolidate the efforts of each country of European Union to make strengthens the framework that we have now, because it’s very important for us to find such a balance between the new technologies, informational communication system, and the human rights and rule of law that we have now. Thank you.

Karen Mulberry: Thank you very much. Do we have any comments in the room? If not, I can continue to go down. Yes, please.

Panelist: Hello, I’m Sumayya from UFX. So, I just wanted to add briefly to what’s already been said. So, during UFX, we looked at many of these challenges, actually, and noticed how the complexity of digital regulation often slows down implementation. And I think it’s very important and noticed how the complexity of digital regulation often slows down implementation. So, not only for policymakers, but even for technical experts, one of our key takeaways was the idea of a two-tiered approach to regulation. So, basically, a comprehensive legal version and a simplified one for experts, so they don’t have to spend a lot of time on understanding it. And the second point was about the digital skills gap. So, it’s clear that there’s a shortage, but from a youth perspective, it’s not just about needing more skills, people. It’s also about making the field more accessible. I think that means clearer pathways, more practical opportunities, and involving young people from the start. So, I think the interest is there. It’s just that the structures to support it are still catching up. Thank you very much.

Karen Mulberry: Thank you. All right. I’ll go down my list. I have a gentleman from the Council of Europe who had signed up to make an intervention. All right. Dariana – I’m sorry, I’m not going to pronounce your last name – who’s an independent researcher, was going to make an intervention. Yes, please.

Panelist: I’m Dariana Chmanska, cyber security analyst, and let me start with a thought. I think security without capability is not sovereignty, and it’s just dependency with good branding. And if we talk about resilience, we should not have critical systems outside the EU. We praise NIS too, but small providers face a choice, comply or collapse. We promote digital sovereignty, but build it on foreign code, foreign chips, and foreign clouds. So, what are we really securing? Infrastructure or illusion? And do we want a Europe that is secure or strategically strong? Because France means friction, it means speed, and 2030 isn’t a target. It’s, I think, a deadline. Thank you.

Karen Mulberry: Thank you. Any comments? All right, we’re moving right along. I have Theodore Hemel from the EPIS Think Tank. Are you participating? Torsten Krauss, are you here today? Let’s see. Pablopos from the Digital World Summit Greece. Please.

Panelist: Thank you very much. So, yes, I am Pavlos, and I am coming from the Digital World Summit Greece, which is the Greek NRI, the Initiative for the Internet Governance Forum in Greece. And I would like to quickly take the lead from when other speakers also, what they mentioned about securing a secure Europe, but not just a strategically strong one. But also, what we would like to highlight is the fact that security is nothing without democracy for Europe, because all this narrative about ensuring security and cyber security in Europe would be nothing if Europe is not consistent with its democratic values and the protection of rule of law. So, this is why I believe that not only ensuring security by design is crucial, but most important is securing transparency by design, especially now that AI systems are being implemented for cyber security purposes. If we take, for example, the EU AI Act, we can just realize that Europe’s commitment to innovation is done through regulation and through preserving human rights and civil liberties, and also rule of law, which is in the core of European values. Effective policy frameworks, especially for cyber security, must therefore do three things. Ensure transparency and explainability of AI systems when they are deployed, protect personal data and citizens’ rights, and, of course, demand secure by design systems, both from developers as well as from public authorities, especially now that more and more public authorities are using AI systems. So, these AI systems should not be opaque and expose all the infrastructure that is being used by public authorities to cyber threats. Thank you.

Karen Mulberry: Thank you very much. Any questions in the room? If not, okay, I’ll continue to go down my list of people who have signed up to make interventions. Let’s see. Simona from, no, my list is not very clear. Theodore Hemel from the EPIS, no. How about from Albania. Okay. Someone from the University of Warsaw. Yeah, that was you. Okay. I have a poor copy of a spreadsheet. It was put on a piece of paper. So, let’s see. Have I missed anyone that signed up? 101. Okay. Please.

Marília Maciel : Thank you. My name is Marilia Maciel. I am Director for Digital Trade and Economic Security at Diplo. We had a very interesting session this morning on digital sovereignty, moderated by Karen, and I’d like to bring forward some of the ideas that were shared there. I think, first of all, we should recognize that discussions on digital sovereignty are happening in a very difficult context at the moment. The political project of liberalism is being overridden by a new mercantilist political agenda, which puts the interests of the state above the interests of economic actors. Nevertheless, in the present context, the state is not necessarily being strengthened to cater to social needs or to protect the weaker, as an European value-centered digital project has proposed for years. The precedence that is being given to the state at this moment is seen as a necessary condition to hedge against external threats and promote national security in a world that is increasingly being seen as threatening. And this also happens in a context of democratic backsliding, marked by the erosion of democratic pillars and the advancing of the extreme right parties. So how can Europe assert digital sovereignty while staying open and innovative? This was one of the questions. At the governance level, it’s important that decision-making and the governance of initiatives being adopted under the banner of digital sovereignty must be socially anchored and socially driven. And this means actively creating governance arrangements to ensure that sovereignty does not only benefit the state or our domestic champions, and that decision-making remains transparent and accountable. We need to ask ourselves whose sovereignty are we seeking to promote. For example, in our race to develop and adopt sovereign AI solutions, individuals must be skilled to become agents and not test subjects for the latest untested technology released in the market. We must demystify artificial intelligence, which after all boils down to pattern and probability. And this belief has led Diplo to create an AI apprenticeship program in which we are building the capacity of staff from international organizations in Geneva to develop their own AI solutions in-house. Just to conclude, a project of digital sovereignty must contribute to the autonomy and empowerment of individuals and to the sustainability of our planet, fulfilling present needs and the needs of future generations as well.

Karen Mulberry: Thank you. Thank you very much. Any other questions or comments? Yes, please.

Maria Nefeli Chatziioannidou: I had registered for intervention and my name is Maria Nefeli Chatziioannidou. I’m an MP from Greece and a member of the Council of Europe. As someone that is new into politics, but my specialty is in digital communities and digital innovation, I can tell you that we are facing a huge gap of how actually legislations can be applied first in EU and then forced into and applied into the member states. This is for me the most crucial challenge that we have to face because whatever we discuss here, until it will reach the end person, the citizens, and every citizen around EU is really challenging. I believe that cyber security depends on sovereignty a lot. I believe that cyber security is about our democracy. I believe that cyber security has to do with social justice and finally I believe that ethics must be embedded by design, not as an afterthought. We have a lot to do and I believe that it’s a crucial point for us, 2030, not to be another point of reflection, but to actually do everything possible to create a democratic digital environment that is based on our vision, our values, and it will definitely have to be human-centric. Thank you.

Karen Mulberry: Thank you for those comments. I think that’s a great way to wrap up our dialogue here. Oh, I’ve got another hand up there, please. I’ll get right there. You see I had a hand up back there, please. I will in a minute. I’ve got one someone, someone who has an intervention, please.

Marijana Puljak: Okay. Oh, thank you. If it’s okay to continue. I’m Marijana Puljak, a member of the Croatian Parliament and Parliamentary Assembly of the Council of Europe, and with my IT background I’m especially interested in this digital transition and digital era, and I would like to echo the concerns raised about fragmentation and over-regulation. Yesterday I spoke here about the sentence behind you, balancing regulation and innovation, and I said that the balance is very important, but as a member of Parliament I often witness how a growing number of EU-level acts combined with additional national roles creates a really illegal maze, especially for smaller digital service providers. The result of that is almost, I would say, the patchwork that prevents the companies from scaling across borders, which should be a core strength of the EU single market. We talk about digital sovereignty, but we must be honest, sovereignty without capability is meaningless. So, if our innovators are fleeing to less regulated markets, and you can see the Draghi report that says that, if operating across member states is nearly impossible, we are not protecting sovereignty, but we are undermining it. So, at the same time we are entering a new technological phase where AI is shifting infrastructure. We talked about centralized data centers to more distributed and local computing, and this demands huge investments, energy, flexibility, and with these new frameworks and regulations, while important for security, often places this appropriate burden on providers, especially in less wealthy states, member states without adequate support. So, that’s my point, that how can we better coordinate within the member states and on EU level this and reduce this regulatory fragmentation.

Karen Mulberry: Thank you very much for those comments. Actually, well, we need to wrap up here shortly. If you can make your statement very quickly, please. Can you turn on your microphone, please?

João Pedro Martins: Yeah, it’s not on because I think it’s programmed until we reach a certain point to move to the messages. I’m sorry.

Karen Mulberry: You can’t override that, please? Not from here. No, okay. I’m sorry. We’re now at that point in our session where we actually have to summarize and agree on what are the key points that we discussed today. So, I’d like to invite Oksana to kind of cover what our key points are.

Oksana Prykhodko: Thank you very much. Oksana Prykhodko. The first point is strategy for internet resiliency has to include strategy for economic resiliency to ensure adequate investment in development, new geometry of interconnections based on demand, new strategy for energy and water supply, strategy for human capacity, including specialists on AI. Have I to wait for response?

Karen Mulberry: No, you say it. We’ll take those one point at a time. Any comments on that as a summary of some of the key points in the discussion today? Oh, yeah. Sorry.

Panelist: Okay. Just to add that it’s not based on demand. It’s also based on demand, but necessarily having sovereignty interests on that based strategy.

Karen Mulberry: Based on demand and sovereignty? Yes. Okay. Thank you very much. Found any other comments on the first point? The second point, then, please.

Oksana Prykhodko: The second point, Europe demands not more regulations, but smarter, faster regulations based on the experience of private companies, on collaboration and multi-stakeholder approach, on strategic partnership in common interest, on harmonization and standardization, and balance between new technology and human rights. Europe has to find its own way has to find its own secure place between two superpowers.

Karen Mulberry: Any comment on that summary point? Yes, please.

Panelist: I’d like to add to that. Sorry, it was too loud. Point about based on the, can I see the statement? Instead of my face. Based on the experience of private companies, on collaboration, and so I would add based on the existing protocols and standards, so we don’t invent anything new, but we utilize what we already have developed.

Oksana Prykhodko: And standardization, it’s not about protocols.

Panelist: Just asking. No, I would add it because it’s not clear. Based on existing protocols. Yeah, because it’s not clear if we’re using existing protocols and standards. Okay, a little bit.

Karen Mulberry: Any other comments on point number two? Yes, please.

Marília Maciel : It feels to me that when we say Europe demands not more regulation, there’s an intrinsic bias against regulation as if regulation was something negative, but we are at the same time. dealing with emerging technologies. So who knows what’s going to emerge tomorrow and if regulation is going to be needed. And I also don’t understand what faster regulation means. And that scares me a little bit. Normally, when we see things from a security perspective, governments act really fast, but without consulting anyone, without accountability, because it’s a matter of national security. So I would not feel very comfortable with the faster unless you mean something else and I’m misunderstanding.

Karen Mulberry: Okay, I can say we can clarify that point then. Let’s move on to point number three.

Oksana Prykhodko: Number three, some elements of successful strategies, security of the NS system, reliable encryption to avoid political, economical, malicious military risks, market decentralization, which can help even under military aggression, focus on innovation.

Karen Mulberry: Any comments on the third summary point? Yes, please.

Panelist: This is Peter again, I am a bit surprised to see this strong emphasis on the DNS system because what I heard was strong advocacy or strong mentioning of the routing system. What’s in the minutes here in the message isn’t necessarily wrong, I just don’t think it reflects the part of the discussion, thank you.

Karen Mulberry: Thank you, Peter, I think the discussion was really on the networks and the infrastructure and it didn’t point out anything very specific in terms of routing technology. It was the network itself, which encompasses many things. So we will make a correction to that as well. I mean, this is in essence the summary of what we talked about today, our key points. I do think there was a lot of interest in addressing the skills gap, so we probably need to look at not only successful strategy, but looking at adding the need for skilled people to help support the work moving forward. Yes, I have a comment up there, please.

Panelist: Sorry, if I may comment on. And the second point, because like two of our key speakers today have mentioned on global collaboration. So maybe it’s better to emphasize global collaboration on the like first sentence. And also, I think instead of based on experience of private companies, I think it’s better to emphasize PPPs, like public private partnerships. So like equally together. So thank you.

Karen Mulberry: All right. Do we have any other comments on kind of a summary of our discussion today? Yes, please.

Oksana Prykhodko: Excuse me, please, about multi-stakeholder approach and PPP. Maybe it will interfere or not?

Karen Mulberry: I mean, I tend to think that they’re similar, but they’re also different approaches. So I don’t know what term we would rather use. The multi-stakeholder approach?

Panelist: I think it’s important to mention too, because multi-stakeholder approach is more like a global discussion. And as one of the speakers mentioned that the more they go into implementation, the less it becomes multi-stakeholder. And this is when also this public private cooperation has a prominent role in every particular country. So I think it’s fair to mention both, because somehow these processes take a bit on a different for us, even though that implies a dialogue between different stakeholders.

Karen Mulberry: Yes. OK. So we’ll work on making some modifications to those three statements. Also know that after we provided some editorial work based on your comments today, these will all be posted as well. So you have some time to think about them. And provide your editorial input at that point, too. Oh, I didn’t see you back there, please.

Panelist: Hi. I must admit that I have a bit of a problem with the first sentence of the. second statement saying that Europe’s demand not more regulation, but smarter, faster regulation. So we demand no more regulation, but by regulating. I see really the Europe regulating in this sentence. So I must say that I really have big difficulties with this sentence. Maybe to rephrase or to find another way to say that.

Karen Mulberry: Okay, I mean, I know that there is a balance between the need for regulation to provide that uniform approach to something and to provide those ensure safety and protections. But there’s also in that balance considerations that need to be made for allowing innovation, allowing networks to thrive in different ways, and addressing some of those complexities on the technology side of things that regulation may or may not be able to really, one, catch up with, and two, address in a way that doesn’t create unintended consequences. So, I mean, I think that’s part of the collaboration that’s needed and the balance that needs to be considered as we move forward. Yes, we have a comment up there, please.

Panelist: Thank you. I would like to clarify the last sentence of the second point. Europe has to find its own secure place between two superpowers. I mean, Europe is already an organizational structure that has already determined where it is and how it should react to difficulties, even the ones that are related to technical advancements. Therefore, maybe it doesn’t, we shouldn’t mention that it has to find, maybe it has to define or underline the way or difficult approaches that will help the development of those two superpowers and even protect the human rights. Thank you.

Karen Mulberry: Okay, thank you. And maybe we don’t necessarily need to even mention Europe between two superpowers because the focus is on what Europe is doing and what Europe is considering. Yes, our final comment here.

João Pedro Martins: Yeah, we are by the half an hour, so I think only yours will be open for you.

Karen Mulberry: Only mine, okay. Well, I have lots of power, it seems. Anyway, we’re at our time, so that’s—they’ve programmed some nice, delightful insights into our session for us in terms of letting microphones work and what we are able to do, so I apologize for that. But I do appreciate everyone participating, providing your insights, providing your comments, and actually working towards developing how do we get to 2030, and how do we secure things, and what can we do to make Europe and the EU better at what it’s needed to protect what it has. So thank you very much. I appreciate you participating.

Agreement points

Need for investment in infrastructure and human capacity

Speakers

– Augusto Fragoso
– Christian von Stamm Jonasson
– Wout de Natris

Arguments

Need for investment in new network infrastructure and human capacity

Complexity of regulations slowing down implementation

Shortage of skilled cybersecurity professionals

Summary

Multiple speakers emphasized the need for significant investment in both digital infrastructure and human skills to achieve digital sovereignty and improve cybersecurity in Europe.

Balancing regulation with innovation

Speakers

– Christian von Stamm Jonasson
– Marijana Puljak
– Karen Mulberry

Arguments

Need for “smarter” rather than more regulation

Risk of overregulation stifling innovation and market competition

Balance between regulation and innovation

Summary

Several speakers argued for a balance between necessary regulation and the need to foster innovation, warning against overregulation that could stifle market competition and technological advancement.

Similar viewpoints

These speakers emphasized the importance of maintaining democratic values, human rights, and individual empowerment in the pursuit of digital sovereignty and cybersecurity.

Speakers

– Maria Nefeli Chatziioannidou
– Pavlos
– Marília Maciel

Arguments

Importance of balancing security with democratic values and human rights

Importance of transparency and accountability in AI governance

Ensuring digital sovereignty empowers individuals and sustainability

Unexpected consensus

Global collaboration in cybersecurity

Speakers

– Isti Marta Sukma
– Alena Muravska

Arguments

Strengthening public-private partnerships and global collaboration

Promoting open standards and multi-stakeholder governance

Explanation

Despite discussions on European digital sovereignty, there was unexpected consensus on the importance of global collaboration and open standards in improving cybersecurity, suggesting a nuanced approach to digital autonomy.

Overall assessment

Summary

The main areas of agreement included the need for investment in infrastructure and skills, balancing regulation with innovation, and maintaining democratic values in digital governance.

Consensus level

Moderate consensus was observed on key issues, with some divergence on specific approaches. This suggests a shared recognition of challenges but varied perspectives on solutions, which may lead to a multifaceted approach in developing Europe’s digital and cybersecurity strategy for 2030.

Different viewpoints

Approach to regulation

Speakers

– Christian von Stamm Jonasson
– Marijana Puljak
– Marília Maciel

Arguments

Need for “smarter” rather than more regulation

Risk of overregulation stifling innovation and market competition

Caution against bias against regulation

Summary

While Jonasson and Puljak argue for simplifying regulations and warn against overregulation, Maciel cautions against an inherent bias against regulation and argues that regulation may be necessary for emerging technologies.

Speed of regulation implementation

Speakers

– Christian von Stamm Jonasson
– Marília Maciel

Arguments

Simplifying and harmonizing regulations across EU member states

Caution against bias against regulation

Summary

Jonasson advocates for faster implementation of regulations through simplification, while Maciel expresses concern about ‘faster regulation’ without proper consultation and accountability.

Unexpected differences

Role of regulation in digital sovereignty

Speakers

– Christian von Stamm Jonasson
– Marília Maciel

Arguments

Need for “smarter” rather than more regulation

Caution against bias against regulation

Explanation

While both speakers are concerned with effective regulation, their perspectives on the role and approach to regulation in achieving digital sovereignty are unexpectedly divergent. This highlights the complexity of balancing regulation and innovation in the digital sphere.

Overall assessment

Summary

The main areas of disagreement revolve around the approach to regulation, the balance between innovation and security, and the specific strategies for achieving digital sovereignty and resilience.

Disagreement level

The level of disagreement is moderate, with speakers generally agreeing on broad goals but differing on specific approaches and priorities. This suggests that while there is a shared vision for Europe’s digital future, there are significant challenges in determining the best path forward. These disagreements highlight the complexity of balancing various interests and priorities in shaping Europe’s digital and cybersecurity strategy for 2030.

Partial agreements

Similar viewpoints

These speakers emphasized the importance of maintaining democratic values, human rights, and individual empowerment in the pursuit of digital sovereignty and cybersecurity.

Speakers

– Maria Nefeli Chatziioannidou
– Pavlos
– Marília Maciel

Arguments

Importance of balancing security with democratic values and human rights

Importance of transparency and accountability in AI governance

Ensuring digital sovereignty empowers individuals and sustainability

Key takeaways

Resolutions and action items

Unresolved issues

Suggested compromises

Basically, when we look to the European panorama, we have the need of investing of 800 billion euros just to renew the network that is mostly outdated for what’s necessary in the future in terms of data centers. We need 20 percent more computing capacity than we were thinking before just in three years because of AI. We need 7 billion cubic meters of water to cool data centers.

Speaker

Augusto Fragoso

Reason

This comment provides concrete figures that highlight the massive scale of investment and resources needed to upgrade Europe’s digital infrastructure, especially in light of AI advancements. It brings attention to often overlooked aspects like water requirements for cooling.

Impact

This shifted the discussion towards the practical challenges and resource requirements for achieving digital sovereignty, beyond just policy and regulation.

As a business, we’re not geared to build redundancies. We build what is economically and financially viable. But having 20, 30, 40 percent extra capacity in our data center, so if there is an outage somewhere, we can reroute the traffic and still have a functioning digital economy. That is where we need the public-private partnership

Speaker

Christian von Stamm Jonasson

Reason

This comment highlights the tension between business incentives and the need for resilience in critical infrastructure. It points to the necessity of public-private partnerships to address this gap.

Impact

This comment deepened the conversation by bringing in the perspective of private sector operators and the need for collaboration between public and private entities.

To achieve the harmonious cyber security space, as we all agreed, it’s very important to have overall high level of cyber security in Europe. So it’s crucial to leverage on well-established international standards.

Speaker

Alena Muravska

Reason

This comment emphasizes the importance of international cooperation and standardization in cybersecurity, rather than purely national or EU-centric approaches.

Impact

This broadened the discussion from focusing solely on EU regulations to considering global standards and cooperation.

I think security without capability is not sovereignty, and it’s just dependency with good branding. And if we talk about resilience, we should not have critical systems outside the EU. We praise NIS too, but small providers face a choice, comply or collapse.

Speaker

Dariana Chmanska

Reason

This comment succinctly challenges the notion of digital sovereignty without the underlying capabilities, and highlights the potential negative impacts of regulation on smaller providers.

Impact

This comment sparked a more critical examination of the concept of digital sovereignty and the potential downsides of regulation.

A project of digital sovereignty must contribute to the autonomy and empowerment of individuals and to the sustainability of our planet, fulfilling present needs and the needs of future generations as well.

Speaker

Marília Maciel

Reason

This comment broadens the concept of digital sovereignty beyond state-level concerns to include individual empowerment and environmental sustainability.

Impact

This comment helped shift the discussion towards considering the broader societal and environmental impacts of digital policies.

Overall assessment

These key comments shaped the discussion by broadening it beyond purely technical or regulatory concerns. They introduced considerations of resource requirements, public-private partnerships, global standards, impacts on smaller providers, and broader societal and environmental implications. This led to a more nuanced and multifaceted exploration of the challenges and opportunities in achieving European digital sovereignty and cybersecurity by 2030.

How can we bridge the skills gap between industry demand and higher education offerings in cybersecurity?

Speaker

Wout de Natris

Explanation

This is crucial for addressing the shortage of skilled cybersecurity professionals needed to implement and maintain digital security measures.

How can we make the cybersecurity field more accessible to young people?

Speaker

Sumayya from UFX

Explanation

This is important for addressing the digital skills gap and ensuring a pipeline of future cybersecurity professionals.

How can we better coordinate within member states and at the EU level to reduce regulatory fragmentation?

Speaker

Marijana Puljak

Explanation

This is crucial for creating a more unified and effective approach to digital security across the EU.

How can Europe assert digital sovereignty while staying open and innovative?

Speaker

Marília Maciel

Explanation

This is important for balancing the need for security with the desire for technological advancement and economic growth.

How can we ensure that AI systems used for cybersecurity purposes are transparent and explainable?

Speaker

Pavlos from Digital World Summit Greece

Explanation

This is crucial for maintaining democratic values and protecting citizens’ rights as AI is increasingly used in cybersecurity.

How can we create governance arrangements to ensure that digital sovereignty benefits all of society, not just the state or domestic champions?

Speaker

Marília Maciel

Explanation

This is important for ensuring that digital sovereignty initiatives are socially anchored and democratically accountable.

How can we develop new strategic routes for network infrastructure that balance both demand and sovereignty interests?

Speaker

Augusto Fragoso

Explanation

This is crucial for enhancing Europe’s digital resilience and reducing dependence on single points of failure.