James Lamond is the Executive Director of Trusted Future, a Washington-based think tank focused on technology policy.
By any account, the transatlantic relationship appears to be at a low point. From trade and economics to matters of war and peace, the United States and Europe are in an apparent period of disunity not seen in decades.
However, there is one area where there appears to be more alignment than one might expect: cybersecurity.
Over the past couple months I have engaged in a series of conversations with American and European security experts and practitioners, including the Munich Security Conference and its sister conference, the Munich Cyber Security Conference. Behind the headlines and the talk of disagreement, there is actually a great deal of consensus among transatlantic experts on the state of the cyber threat and how to address it.
But there is work ahead for both the public and private sectors.
Where There Is Agreement
Throughout my conversations in Europe, there were clearly areas where participants from the United States and Europe agreed.
First, we are seeing an increase in cyber threats, especially from authoritarian countries. It seems that each year, there is an increasingly invasive attack on our digital infrastructure. In 2020, U.S. officials and cybersecurity analysts uncovered the hack involving Solar Winds, which was one of the worst cyberespionage incidents in history, with the hacker group Nobelium penetrating targets, including the U.S. government. A year later, the ransomware attack against Colonial Pipeline, also believed to have emanated from the Russian group DarkSide, shut down the fuel supply for much of the eastern seaboard. Last year, the European Parliament suffered a data breach just ahead of its elections, following a 2022 breach believed to have been from Russia. Then, just this year, two major campaigns, Volt Typhoon and Salt Typhoon, burrowed into U.S. critical infrastructure programs and penetrated telecommunications networks, allowing vast capabilities to spy on Americans. Meanwhile, a series of attacks on undersea cables in Northern and Eastern Europe have raised concerns that Russia is retaliating against countries for their support of Ukraine.
The second takeaway is that governments need to strike the right balance between regulation and encouraging innovation. There were concerns raised by Europeans that overly restrictive and excessive regulations coming out of Brussels were stifling innovation on the continent. For example, a 2023 analysis of regulations for the digital sector in the EU found there were 72 applicable laws, 25 in negotiation and another 9 planned initiatives, which contained many overlaps and contradictions. The result has been an EU that trails both the U.S. and China in innovation and economic growth.
Yet in the United States, the opposite is true. After years of effort, there is still not even a minimal standard for digital privacy protection. Striking the right balance will become even more important as the artificial intelligence industry (AI) continues to develop.
The third takeaway was that participants agreed on the need for a commitment to improving transatlantic collaboration on cybersecurity and technology governance. There was a clear recognition that the U.S. and Europe must work together to address threats proactively and that it was important to align policies across like-minded nations to counter growing digital threats. Again, the growth of the AI industry loomed largely in the conversation. Many saw the industry as likely to follow a “winner-takes-all” approach, and whether democratic states or authoritarian ones are the winners will have significant geopolitical implications, potentially shifting the balance of global politics. The conclusion was that democratic countries need to lead in innovation and technology and that requires an agile and strategic regulatory approach that supports innovation while addressing security concerns.
The Importance Of Public-Private Partnerships
In this environment, a key question is the role of the private sector. Governments alone cannot address cybersecurity threats and must leverage private sector expertise and ability to scale. Here, too, is an area where there was general agreement between both Europeans and Americans. In fact, both sides of the Atlantic have outlined this approach in key documents.
On the American side, the National Cyber Security Strategy has as one of its strategic objectives to scale public-private partnerships, noting that “private sector entities have made significant commitments to engage in collaborative defense efforts.” On the European side, late last year, former Finnish President Sauli Niinistö released a report on strengthening the European Union’s preparedness and readiness. One of the key recommendations was to “leverage the full potential of public-private partnerships.”
But to make this work, both the public sector and the private sector need to embrace security by design into their operations. The concept is simple: Embed cybersecurity into the life cycle of business and policy decisions. For business leaders, this means that C-suite leadership should keep cybersecurity as a standing agenda item and consider it in every strategic decision from product design to internal communications. For policymakers, it means considering the security implications of any new digital policy, or, as the Niinistö report recommends, conducting a “Security and Preparedness Check.”
Unfortunately, neither businesses nor governments appear to be doing this. PWC’s 2025 Global Digital Trust Insights found that only 2% of executives say their company has implemented cyber resilience actions across their organization. The survey of business and technology executives around the world found major gaps in preparedness, risk management and CISO involvement in major strategic decisions.
Policymakers can do better as well. Perhaps the most consequential technology policy change in recent years has been the European Union’s Digital Markets Act. One of the major concerns from security experts and industry alike has been regarding restrictions to app store screening for malicious software, which makes serious vulnerabilities more likely. This is something that could have easily been avoided had there been a security screening at the front end of the process.
Moving Forward
While there is a great deal of attention being paid to the disagreements in the transatlantic relationship, cybersecurity is an area where there is real potential for collaboration, agreement and progress. However, to do so, both sides need to take security more seriously.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
