The Ecosystem: Europe’s cybersecurity investment platform comes out of stealth mode

In 2020, the European Cyber Security Organisation (ECSO) wrote to the European Commission calling for action to fill the venture funding gap for companies in its sector. Two years on, things are finally moving. October saw the publication of a report setting out options for a European Cybersecurity Investment Platform (ECIP), with decisions due soon on the format to be taken forward.

Following publication of the report by the Commission and the European Investment Bank (EIB), “The ball is in the court of the Commission and the EIB,” said Milda Kaklauskaitė, senior policy manager at ECSO. “There will be working meetings in the coming months to discuss how the platform should be structured, to choose between the options presented in the report, and to make the platform operational. It is important that private sector representatives, like investors and fund managers, sit at the table too, if we want to build the effectively functioning investment platform.”

The mood music from the EU institutions is also positive. “I am confident that this investment platform will mobilise considerable additional investments to retain cybersecurity companies in Europe, bringing about economic development and growth,” said EIB vice president Kris Peeters at the launch of the report. “We stand ready to support this sector with finance and technical assistance.”

But even with all this good will, estimates suggest it could be one to two years before the platform is up and running.

The Commission/EIB report begins by surveying the state of the European cybersecurity market. It estimates that the investment gap amounts to €1.75 billion per year, although it also warns that this figure should be treated with caution. The platform is intended both to help fill this gap and to send a positive signal to an often risk averse market that investors can put their confidence in the cybersecurity sector.

“The platform should show the EU’s commitment to cybersecurity, that the technology is important, and this should help to attract more private investments to the market,” said Kaklauskaitė. “It is not only about getting money, but also about building a stronger investment culture in Europe.”

The full fat version

Two broad options are set out for creating the ECIP. The first is a full-fat version that would see it provide a range of financial products, including equity investments, venture debt, and/or spending through existing programmes, and other services to the market, such as start-up and investor training, events and capacity building. This would have the biggest impact, but also take 12 to 18 months to set up, and require additional funding.

The skinny version of the platform would limit activities to equity investments, with the lower impact this would produce balanced by limited costs and the possibility of being up and running in 6 to 12 months.

ECSO’s preference is for a dedicated investment platform that will rapidly address the prevailing market failures, with any additional services and support considered further down the line. “It should focus on investments, due diligence, and swift investment decisions. This should be the key priority,” said Kaklauskaitė.

The other support and services under consideration are important and would be nice to have, eventually, as long as overlaps with other initiatives can be avoided. “The investment platform should address the investment gaps; it should not do jobs that other cybersecurity stakeholders are doing,” she said.

For example, there are already several accelerators in Europe focusing on cybersecurity, and organisations such as ECSO working on matchmaking investors and start-ups, awareness raising, skills and training, and other forms of start-up support.

A decision also needs to be made about how the platform invests. ECSO strongly favours the ‘fund of funds’ option set out in the report, which would see money invested directly in private funds already active in cybersecurity, or in new specialist funds that might emerge in future.

“You cannot become a cybersecurity investor overnight, just because you think it sounds trendy,” Kaklauskaitė said. “Due to the highly complex and competitive international cybersecurity market, start-up success largely depends not only on the cash contribution, but also on the value added and support that they get from investors.”

For this to happen, venture capital funds need to have experienced teams which can assess companies, carry out due diligence and make informed decisions. “The fund of funds option would also help the money reach the high-potential companies, so we don’t lose time or see the companies turn to foreign investors,” said Kaklauskaitė.

Routes to an exit

ECSO also argues that the requirements that come with ECIP financial backing should be minimal, and avoid restrictions commonly attached to publicly funded investments. These include requirements to keep company headquarters and activities in the EU for five years, or maintain a majority EU shareholding.

“Not only financial capital, but also market flexibility is needed to maximise the potential of the ECIP,” Kaklauskaitė said. She argues that attaching too many conditions could halt the development of the European cybersecurity market, even with extra financial capital available. “The most successful and attractive companies will not want to be limited in their growth and exit paths.”

This could prove to be a brake on further development of the ecosystem. For example, successful founders often start or support new companies soon after selling their current businesses, further reinforcing the ecosystem with their experience, knowledge and reputation. “Blocking investees from going to other markets and meeting potential buyers can have serious negative spill-over effects on the European market growth,” said Kaklauskaitė.

Instead of attaching conditions, ECSO would like to see ECIP deploy other strategies and incentives to keep companies anchored in Europe, even as they extend operations, sales and marketing to the US.

The full-fat version of ECIP would also stray into territory occupied by the European Cybersecurity Competence Centre (ECCC), which was set up in 2021 to work with national centres to increase Europe’s cybersecurity capacity and competitiveness, by channelling money from EU programmes including Horizon Europe and Digital Europe.

ECCC is expected to take a close interest in the creation of the investment platform, and for the moment the development of the two initiatives is closely linked. The Commission will take a leading role in determining the structure and function of the platform, along with the EIB. At the same time the Commission is running ECCC until the agency sets up its headquarters in Bucharest. Pending a full-time appointment, ECCC’s interim executive director is Miguel Gonzalez-Sancho, head of the Commission’s unit for cybersecurity technology and capacity building.

ECCC has begun its work, inviting national centres to apply for funding from Digital Europe to help foster national cybersecurity communities. Part of this funding is dedicated to projects in the €60,000 range that encourage the uptake of cybersecurity products from start-ups and SMEs. The EU contribution runs up to €1 million, and must be matched by member state contributions. In future, Digital Europe will mobilise funds for bigger projects to implement larger cybersecurity projects.

Other players expected to have a say in the shape of the investment platform are the national centres, which will feed in information about the state of their cybersecurity ecosystems and markets. Another seat at the table will be occupied by the EU Agency for Cybersecurity (ENISA), which works on common approaches to threat protection and also has an interest in building up the European industry.

Even though the ECIP looks like a nice fit with the ECCC’s other activities, the platform is likely to be operated by the EIB or the European Investment Fund, following the example of investment initiatives already under way in other sectors, such as space, and artificial intelligence and blockchain.

ECSO is positive about the role intended for the ECCC. “With the [EU] competence centre there will be more coordination of the market, between vendors and end users, and also universities and R&D,” Kaklauskaitė said.

It should also help Europe’s governments see the cybersecurity community more clearly. “At the private level, companies tend to find their way, but sometimes the member states don’t even know which their leading companies are, in certain cybersecurity areas. So, they tend to talk to the big companies, not to start-ups,” said Francesco Bordone, a junior policy manager at ECSO, who is following ECCC’s development.

This can be an issue when the big companies are based outside of Europe, and ECSO would like to see more weight given to Europe’s strategic autonomy in cybersecurity, for example through public procurement policies.

“In Europe there is an unfortunate tendency, especially by public institutions, to turn immediately to American providers of cybersecurity, without even looking at what our industry can produce,” Bordone said. “So, for the industry to grow, it is important to raise awareness of what we have here and the important results we can already deliver with what we have.”

Elsewhere in the Ecosystem…

• German start-up NVision Imaging Technologies has won the 2022 Innovation Radar prize, awarded by the European Commission for the most promising innovations to emerge from EU-funded projects. Based on spin physics research at Ulm University, the company has developed a hyperpolarisation platform that enhances the magnetic resonance imaging (MRI) signal of naturally occurring metabolites, enabling these safe molecules to be used as agents for imaging tumour metabolism via standard magnetic resonance scans. Meanwhile, Romanian start-up Svelte won in the purpose-driven & green category, Belgian start-up Innovation Sprint in the disruptive health, and the Polytechnic University of Madrid in the kick-starter category.
• The European Commission has approved Latvian government plans to pour €300 million into Altum, the country's development finance institution, and to enlarge its remit. In addition to supporting SMEs and start-ups, its new responsibilities include helping finance environmental protection, innovation and the development of technologies and the formation of venture capital.