Do US-based Cybersecurity vendors listen to European customers?

One of my major interests these days lies in understanding the Cybersecurity landscape in Europe. This is due to my 20 years of experience at ESET, a global Endpoint Security vendor with headquarters in the region. I also believe there’s a large gap between what the region can produce in terms of innovation and the position the local vendors occupy in the global market.

As currently most industries are changing and evolving rapidly, companies looking to accelerate their growth in today’s competitive environment must focus more attention in understanding what customers need, as well as how the overall market landscape is developing.

As I wrote in a previous article, there’s no leader from the European Union in the 10 cybersecurity Gartner Magic Quadrants published between 2022 and 2023. This reflects the perception that the leaders in this industry are generally from the US and Israel, which is supported by the market share of held by EU vendors vs. the rest.

There are multiple reasons for the above that I explore in that article, and there are also very clear consequences of US vendors leading the market, especially on the opportunities that European customers have to select solutions that truly accommodate their needs and support their priorities, which are different than those from US customers.

In my quest to understand the real impact of the US dominance in Cybersecurity, I’ve approached CISOs from the European Union within my network, representing multiple countries, like Spain, France, Sweden, Poland, Czech Republic and Slovakia. I’ve asked them one question: "Do you think that American(*) vendors listen enough to European CISOs?"

Before posing that question, my opinion was that US-based vendors focus more on developing software and services that primarily address the needs of US customers, not giving enough relevance to the priorities of EU customers.

A good example is how US-based vendors have pushed for cloud-based solutions, even though many EU customers have continued to prefer Hybrid or On-prem solutions, concerned about several issues, like data sovereignty. Despite the preference of their European customers, many US-based vendors have completely discontinued their non-cloud solutions.

Majority of the answers from the consulted CISOs supported my hypothesis. Moreover, they enriched my view, as they provided clear examples of the issues, as well as their thoughts on why US vendors aren’t prioritising or listening enough to the needs of EU customers. Only one of the professionals I contacted disagreed, mentioning great experience with US-based vendors in the past, in multiple projects.

A glimpse into the EU CISO view on the matter

While their opinions vary slightly on the specifics, and they remark that not all US-based vendors and service providers are the same, there’s a general consensus among the consulted professionals that “American" vendors very often prioritise the “American" market, which leads to challenges to meet EU regulations and some of the European customer needs, especially in privacy and data sovereignty.

The European Union is a fierce regulator, as most of the large US companies have known over the years, facing anti-trust probes and fines. Microsoft, Apple, Google, Meta, X and Amazon, are some of the biggest, but not the only, US organisations that had issues with EU regulations in the past.

They also highlight that there are cultural and operational gaps, with US vendors employing different standards and best practices compared to the ones expected by European customers. There’s a cultural disconnect in many occasions, rooted in different business practices according to the consulted CISOs, and they’d welcome more effort from US vendors in meeting them half way when communicating.

The topic of privacy is often mentioned as an example of the above-mentioned differences, with the example of GDPR. While there are privacy regulations being introduced in the US (like CCPA), the overall sentiment towards privacy is very different between the two regions, and the EU regulations, including also the Digital Markets Act and the EU Cybersecurity Certification, are more comprehensive than the US ones.

An interesting finding is that some of the CISOs see logical that the US vendors focus more in a homogeneous large market like the United States, rather than in how to accommodate their solutions to the over-regulated and complex EU market. In the opinion of some, US vendors make a deliberate strategic choice by focusing on the US customers rather than the EU ones, and they deal with the issues later as they appear.

US companies generate 30 % from their income abroad, while firms in developed Europe generate 50 %, according to an article from The Economist.

This causes, on occasions, additional investment from EU organizations, according to one of the consulted professionals, as they need to, in many cases, accommodate their ways of working, practices and even terminology to the ones used by their US suppliers.

With NIS2 coming into effect soon in the EU, some of the consulted professionals are concerned about potential issues like the ones they faced in the past when GDPR was introduced, with several of their US suppliers not being ready to be fully compliant on time.

Even if GDPR went into effect in 2018, 95 % of US companies were still not fully compliant with the regulation 5 years later.

While several of them believe this can be partially addressed at the contractual phase, introducing clauses in the agreements with their service providers to ensure compliance and adherence to EU best practices and regulations, they highlight that this is generally not possible with the pure SaaS vendors. This is a matter of high concern for them, becoming unclear if and how those SaaS vendors will be addressing the issues that could arise due to their misalignment with the expectations from EU customers and authorities.

Transforming the Challenges into Opportunities

Despite these challenges, the European Union’s market landscape presents unique opportunities, even though it is generally perceived as more complex than others due to their comprehensive and extensive regulatory frameworks. The general consensus from the consulted professionals is that US vendors aren’t taking into consideration their needs and priorities, with exceptions, and those listening more to EU CISOs will be able to gain from this situation.

The challenge faced by EU CISOs presents opportunities for US-based vendors, if they improve their focus in the region’s needs, in consequence growing their positioning in the region, and also the satisfaction of their customers in Europe.

However, the biggest opportunity is for the EU-based vendors, who are closer, culturally speaking, to EU customers, and subject to the same regulatory and compliance frameworks. They can take advantage of local certifications, like the Cybersecurity Made in Europe or the already mentioned EU Cybersecurity Certification, and that way stand out from the crowd, showing their commitment to the region. This puts them in a unique position to satisfy their needs in a more adequate way than what the US-based vendors could.

In my opinion, the European Cybersecurity Landscape would welcome more competition between US and EU vendors, having more local leaders setting the pace and the agenda for the industry.

Capitalising in their inherent understanding of the EU market, the local vendors should use this opportunity as a differentiator in the region, and as a stepping stone to strengthen their offerings against non-EU vendors. How can they do that and reshape the cybersecurity landscape? Your thoughts and insights are invaluable.

(*) In general, I avoid the usage of the term “American" to describe US-based vendors, as due to my Latinamerican origin, I believe this term is wrongly used in the english language. Latinamericans are Americans too :)

Acknowledgements

I want to thank to all the professionals that provided me with inputs to prepare this article, like Martin Jartelius, Carlos Valderrama, Michal Gaplovsky, and several others CISOs that preferred not to be mentioned.