Decoding the world of cybersecurity

EU warns digital gaps threaten 2030 targets

The Commission’s 2026 Digital Decade report says Europe has made progress, but structural gaps in infrastructure, skills, public services, and business digitalisation remain.

EU warns digital gaps threaten 2030 targets
Summary
  • The European Commission says Europe has progressed towards 2030 digital targets but must close structural gaps at scale and speed.
  • The report covers secure infrastructure, digital public services, business digitalisation, skills, competitiveness, and sovereignty.
  • The cyber exposure sits in dependency, infrastructure resilience, public-sector digitisation, cloud and AI adoption, and secure transformation funding.

The European Commission has warned that Europe still faces structural gaps in its 2030 digital transformation agenda, including secure infrastructure, digital public services, skills, business adoption, and consistent delivery across member states.

The Commission’s 2026 State of the Digital Decade package monitors progress against Europe’s digital targets and sets out recommendations to member states. The accompanying material says Europe has made progress on secure and sustainable digital infrastructure and the digitalisation of public services, while calling for greater scale, speed, and consistency.

The report is not a cybersecurity assessment in the narrow sense. Its relevance comes from the systems it covers. Digital infrastructure, public-sector platforms, cloud services, AI adoption, data sharing, and skills all shape how resilient European organisations can become. Security depends on the quality of the systems being built, the suppliers behind them, and the investment available to maintain and defend them.

Europe is trying to advance several digital priorities at once. The EU wants stronger digital sovereignty, wider AI adoption, more capable public services, better connectivity, improved skills, and greater competitiveness. At the same time, regulated organisations face rising security and resilience obligations under NIS2, DORA, the Cyber Resilience Act, and sector-specific rules.

Capacity is the limiting factor. A public body can be instructed to digitise services, but weak architecture, limited procurement expertise, poor cloud governance, thin security staffing, and unclear risk ownership can turn digital expansion into a larger attack surface. A smaller manufacturer may be encouraged to adopt connected systems and AI, while also becoming more dependent on external suppliers, cloud platforms, identity services, and software it cannot easily inspect.

The Commission’s emphasis on structural gaps therefore has direct cyber consequences. Gaps in secure connectivity can affect critical services. Weak public-sector digital maturity can leave services difficult to defend and recover. Skills shortages can push organisations further towards suppliers without enough internal assurance. Uneven business adoption can create a split economy in which larger enterprises mature their controls while smaller suppliers remain exposed inside wider operational chains.

The EU’s security and resilience frameworks are becoming more demanding. NIS2 expands the number of essential and important entities subject to cybersecurity obligations. DORA imposes operational resilience requirements on financial entities and their technology providers. The Cyber Resilience Act will push security obligations into connected products. Each framework raises expectations, while also exposing the distance between legal requirements and practical implementation.

The Digital Decade report shows that cyber resilience is partly an economic and infrastructure problem. Organisations need secure connectivity, skilled staff, modern architecture, interoperable systems, mature suppliers, and predictable investment. Security teams cannot indefinitely compensate for legacy systems, weak data governance, unsupported platforms, and procurement decisions that make exit or recovery difficult.

The report also strengthens Europe’s sovereignty debate. Dependency on non-European cloud, AI, and software providers is not only a political concern. Concentrated dependency can become an operational resilience issue when governments and regulated sectors rely on platforms they cannot fully inspect, influence, or exit. Building credible European alternatives requires technical maturity, procurement demand, and sustained investment.

The next phase of the Digital Decade will depend on whether member states can align funding with security expectations. Secure infrastructure and digital public services will need to be designed together, with resilience treated as part of delivery rather than a control added after transformation has already expanded the risk surface.

×