The single most consequential paragraph in a European cybersecurity tender is the one asking the vendor where the data sits and who can subpoena it. EU-headquartered vendors with a clean answer to that paragraph almost never appear on the next shortlist slide.

Someone recently told me this is because Europe doesn't have any cybersecurity companies. That they're "just implementers." That European procurement teams looking for a sovereign alternative are stuck either choosing a foreign incumbent or accepting that the option does not exist.

I disagreed strongly enough to start counting.

The point of this article is not that CrowdStrike, Okta, Palo Alto, Wiz, Fortinet, Splunk, Cisco and the rest of the foreign cybersecurity stack should not be used. Many of them are excellent and European buyers will continue to use them. The point is that the framing "Europe does not have cybersecurity vendors" is a measurable claim, and when you measure it, it does not hold up. Every major product category that buyers procure has credible EU-headquartered options. Stormshield in France. ESET in Slovakia. Bitdefender in Romania. WALLIX, TEHTRIS, Sekoia.io, HarfangLab in France. Genua, Beta Systems, Rohde & Schwarz in Germany. Logpoint, Omada, Heimdal in Denmark. Clavister, Outpost24, Curity in Sweden. WithSecure, Ubisecure in Finland. And many more. The companies exist. The depth of the field is real.

The shortage is not in the market. The shortage is in what gets seen.

The directory at /directory/eu is our working list. It is curated, not complete. We add vendors as we verify them, and we know we are missing many. If the question is "are there enough EU cybersecurity vendors in your category to populate an evaluation shortlist", the answer is yes in every category we have looked at.

What the field actually looks like

The vendors we have catalogued so far split across the categories that buyers actually procure. None of these are emerging niches. They are the line items on a mid-sized organisation's annual security budget. Multiple EU vendors are active in each.

| Category | Example EU-headquartered vendors | Replaces |
|---|---|---|
| IAM & SSO | Ubisecure (FI), Evidian (FR), Nexus Group (SE), OneWelcome (NL), Curity (SE) | Okta, Microsoft Entra ID, Ping Identity |
| EDR & XDR | ESET (SK), Bitdefender (RO), WithSecure (FI), TEHTRIS (FR), HarfangLab (FR), Heimdal (DK), Dectar (IE) | CrowdStrike, SentinelOne, Microsoft Defender |
| Email security | LibraCyber (IT), Retarus (DE), Tuta (DE), Mailfence (BE) | Proofpoint, Mimecast, Abnormal Security |
| SIEM & observability | Logpoint (DK), CrowdSec (FR), Sekoia.io (FR), SecureVisio (PL) | Splunk, Microsoft Sentinel, IBM QRadar |
| IGA & PAM | Omada (DK), WALLIX (FR), IDEE (DE), Beta Systems (DE) | SailPoint, CyberArk, Saviynt |
| Firewall & NGFW | Stormshield (FR), Clavister (SE), genua (DE), Rohde & Schwarz Cybersecurity (DE) | Palo Alto Networks, Fortinet, Cisco |
| Cloud security (CSPM / CNAPP) | Aikido Security (BE), Patrowl (FR), Outpost24 (SE) | Wiz, Palo Alto Prisma Cloud, Lacework |
| Data loss prevention | CoSoSys (RO), Safetica (CZ), Cryptshare (DE) | Symantec (Broadcom), Microsoft Purview, Forcepoint |
| MDR & managed SOC | Orange Cyberdefense (FR), Eviden (FR), Telefónica Tech (ES) | Arctic Wolf, Expel, Red Canary |
| VPN & remote access | Defguard (PL), Stormshield SSL VPN (FR), plus the VPN modules built into the firewall vendors above | Cisco AnyConnect, Palo Alto GlobalProtect, Zscaler ZPA |

Geographically, the field is broader than the "Berlin and Paris only" mental model implies. France and Germany account for the most listings, but credible vendors operate from Sweden, Denmark, Finland, Romania, Belgium, the Netherlands, Italy, Spain, Slovakia and the Czech Republic. That is a field spread across more than half the EU, not a concentrated cluster around two capital cities.

The age distribution surprised me. The directory includes vendors with continuous operating histories going back decades. Rohde & Schwarz operates a dedicated cybersecurity business inside a group founded in 1933. Beta Systems has been doing identity governance from Berlin since 1983. ESET has shipped endpoint products from Bratislava since 1992. Bitdefender came out of Bucharest in 2001. WithSecure has continuity back to F-Secure's 1988 founding. None of these are startups, and none of them are "implementers."

At the same time, the directory includes vendors founded in the last decade that have already qualified for ANSSI, BSI and Common Criteria certifications. HarfangLab (founded 2018) is ANSSI-qualified. Sekoia.io (2016) holds ANSSI, ISO 27001 and HDS. Aikido Security (2022) ships ISO 27001 and SOC 2 Type II. The new generation is real, and it is shipping qualified product, not slides.

Capital structure is mixed in the way you'd expect from a real industry. WALLIX is listed on Euronext Growth. Omada trades on Nasdaq Copenhagen. Beta Systems is listed in Frankfurt. OneWelcome was acquired by Thales in 2023. There are private-equity-backed mid-market vendors, venture-backed scale-ups, and founder-owned independents. The "tiny bootstrapped outfit" mental model the "implementers only" framing relies on describes some of the field, but not most of it.

So why does the perception persist?

This is where the article becomes opinionated, because no clean dataset settles it. But four explanations recur when I talk to people who work in European procurement and at EU cybersecurity vendors.

One: marketing budget asymmetry. A US cybersecurity unicorn's annual brand-awareness spend often exceeds the entire revenue of a mid-sized EU vendor. Visibility is bought, not earned by product quality alone. When a procurement lead opens G2 or Capterra, the listings at the top of the category are not necessarily the best products. They are the products whose vendors had the resources to engage with G2's listing optimisation programme. EU vendors with strong products and weaker marketing operations do not show up in those rankings, not because the rankings are corrupt, but because they reward a kind of engagement that costs money.

Two: procurement defaults follow analyst coverage. The Gartner Magic Quadrant is the single most consequential document in enterprise security procurement, and Gartner's category coverage skews toward vendors that engage with analyst relations programmes. An analyst-relations function costs about one full-time hire. Vendors below a revenue threshold can't afford that hire. They are absent from the analyst landscape, which means buyers do not see them, which means they remain below the revenue threshold.

This is a coordination failure, not a quality failure.

Three: search results don't represent the field. Queries like "European IAM vendors" or "EU SIEM alternatives" return G2 listicles, Capterra category pages, and a small number of consultancy blog posts. Most of these are written by content marketers in San Francisco or Bengaluru. EU vendors do not rank for queries about themselves, in part because their own SEO operations are smaller, and in part because they often publish primarily in their national language. A French IAM vendor that ranks well for "fournisseur IAM français" will not appear for the English query an international buyer uses.

Four: the mental model is from 2008. The "European tech is implementer-only" framing was reasonable a decade and a half ago, when the European startup ecosystem was genuinely thinner. It is less reasonable now. The field includes vendors founded in every decade from the 1980s through the 2020s, products in every major category, and a mix of capital structures. Updating the mental model takes deliberate effort, and most procurement processes are not designed to do that update.

What this means for European buyers

If you sit in a procurement or security architecture seat at a European organisation, three things follow.

The first is practical. When your next renewal comes up, or your next greenfield evaluation begins, the "evaluate alternatives" line in your tender process should not default to the same three foreign incumbents (typically some combination of CrowdStrike, Okta, Palo Alto, Splunk, or Wiz depending on the category) that appeared on the previous evaluation. The EU-headquartered field is broad enough that at least one credible alternative exists in every major category. Whether you select an EU vendor in the end is a separate question. Making sure they appear in the evaluation is the bar.

The second is regulatory. NIS2, DORA, and the various national data residency requirements all introduce constraints on third-party ICT risk that are easier to satisfy with an EU-resident vendor on a European MSA than with a foreign hyperscaler. None of these regulations require choosing an EU vendor. All of them make the EU-vendor option meaningfully simpler from a contracting, audit, and disclosure standpoint. Procurement teams that ignore this end up doing more compliance work later than they would have done by including EU alternatives in the original evaluation.

The third is structural. If European procurement teams continue to default to foreign vendors in categories where credible EU alternatives exist, the EU vendors will not reach the revenue thresholds that fund analyst relations, marketing presence, and the next generation of products. The "implementers only" framing is a self-fulfilling prophecy.

Breaking it requires buyers to include EU vendors in evaluations even when their first instinct is to go with the familiar incumbent. This is not charity. It is industrial strategy at the level of the individual procurement decision.

The argument restated

Europe has a working cybersecurity industry across every major product category that buyers procure. The field includes vendors founded in every decade from the 1930s through the 2020s, with capital structures ranging from founder-owned to publicly listed, headquartered across more than half the EU member states. The claim that Europe does not have a cybersecurity industry, or that the industry is "implementer-only", is not supported by what is actually on the ground.

The vendors above are not a complete list. They are a starting point for the next person who has to evaluate an EU alternative and was told there were none.

Method note

The directory at /directory/eu is a working list, not a complete inventory. We add vendors as we verify them. There are credible EU-headquartered vendors we have not yet catalogued; the gap between our directory and the full field is real and we know it. Anyone who runs or knows an EU-headquartered cybersecurity vendor that should be there can email hello@ciphercue.com and we will add them.

The inclusion criterion is strict: the vendor must have been founded in an EU member state or be currently headquartered in an EU member state. EFTA-resident vendors (Norway, Switzerland, Iceland), UK vendors, and global vendors with an EU office but a non-EU corporate headquarters are excluded. This is narrower than the working definition used by some other "European cybersecurity" lists, which is part of why our count is more conservative than figures circulated by trade bodies.

Vendor metadata (HQ city, founding year, employee band, key products, certifications, ownership) is assembled from publicly available sources: vendor websites, LinkedIn company pages, public stock-exchange filings, and press releases. Where confidence was low we left fields blank rather than guess. Vendors are welcome to correct their entries.

Categories are derived from the categorisation used in CipherCue's tech directory. The qualitative claims in this article ("multiple vendors per category", "more than half the EU member states", "vendors founded in every decade from the 1980s") all hold for the working list as of the most recent review. They will hold more strongly as we add to it.

One thing to do

If you sit in a procurement, security architecture, or CISO seat at a European organisation, browse the directory by category for whichever line item you are renewing next. Read 3 vendor profiles. Add one to your evaluation shortlist. That is the entire ask. The directory is free, indexed, and built to be linked. Share it with anyone running an evaluation.