Europe's Procurement Paradox: A System That Buys Safety, Not Security

Philipp Kühn

Summary

European public procurement is optimized for legal certainty, not innovation. In cybersecurity, where the EU demands sovereignty but the system favors incumbents, that mismatch has real consequences.

Europe wants digital sovereignty. It says so in NIS2, in the Cyber Resilience Act, in the EUCS certification scheme, in countless strategy papers and keynotes. But when it comes time to actually buy the cybersecurity that sovereignty requires, the system reaches for what it already knows. Not because decision-makers lack ambition, but because the procurement rules they operate under were never designed for innovation.

Optimized for the Wrong Thing

European public procurement, implemented in Germany through the Vergaberecht, is a sophisticated system. It ensures fairness, transparency, and legal certainty. These are good things. But they come with a structural side effect: the process is optimized for risk avoidance, not for finding better solutions. This is not a uniquely German problem. The EU procurement directives that underpin national laws across all member states share the same structural logic.

When a public agency drafts a tender, the goal is to define requirements so precisely that any bid can be objectively evaluated and legally defended. That precision, however, demands that you already know what you want. And if you already know exactly what you want, you are, by definition, not looking for something new.

The result is predictable. The government buys what’s proven, not what’s better. In procurement terms, that’s a feature. In cybersecurity terms, it’s a vulnerability.

Innovation Needs Problem Spaces, Not Specifications

The core tension is architectural. Traditional procurement starts with a detailed specification: what the solution must do, how it must work, which standards it must meet. Vendors respond to that specification. The best match wins.

This works well for office supplies. It works reasonably well for established IT infrastructure. It fails for cybersecurity.

In cybersecurity, the threat landscape shifts weekly. A specification written today may describe yesterday’s problem. What agencies actually need is the ability to describe a problem space, then evaluate how different providers approach it. That requires dialogue, iteration, and a willingness to be surprised by the answer. The current system offers none of that at scale.

There is a deeper problem still. Much of the real innovation in cybersecurity comes directly from research, from universities and applied research institutions working on problems that don’t have commercial solutions yet. By definition, state-of-the-art research is not a product. It has no reference deployments, no revenue history, no certifications. A procurement system that requires all of these before a solution can even be considered is structurally blind to the very place where the next generation of defenses is being built.

Formats like the innovation partnership or competitive dialogue exist in EU procurement law, but they are rarely used. They are perceived as legally risky, procedurally complex, and slow. So agencies default to what they know: open procedures with rigid specifications.

The Invisible Barrier for New Providers

Even when a startup has a better solution, getting through the door is a challenge of its own. Tenders routinely require three to five years of references in comparable projects, minimum annual revenue thresholds, and certifications that take years to obtain.

These requirements make sense as proxies for reliability. But they also function as structural filters that favor incumbents. A company that has delivered the same legacy solution for a decade will always outperform a two-year-old startup on reference checks, regardless of whether its technology is still the right answer.

The numbers tell the story. According to the Deutscher Startup Monitor 2025, only 7% of startup revenue comes from public contracts, up from just 4% in 2019. Only 15% of startups have ever won a public contract at all, while two-thirds of tech startups don’t even apply. The Startup-Verband’s Innovation Agenda 2030 demands that at least 5% of public contracts go to startups by the end of the decade, a target that shows how low the bar currently is. This isn’t because startups aren’t interested. It’s because the system wasn’t built with them in mind.

In cybersecurity, where the most consequential innovations often come from small, specialized teams, this exclusion has real costs. The agencies that need cutting-edge threat intelligence, automated compliance tooling, or AI-driven analysis are structurally steered toward vendors whose primary advantage is familiarity, not capability.

This is where the sovereignty question becomes concrete. Europe invests heavily in cybersecurity research through programs like Horizon Europe and the European Cybersecurity Competence Centre. It produces world-class research and builds promising startups. But when those results need to cross the bridge from lab to deployment in the public sector, the procurement system favors the large, established players, often non-European, who can check every box on the tender form. The result: Europe funds the research, then buys the product from someone else.

Speed as a Security Requirement

Then there’s the question of time. A typical public procurement process in Germany takes six to eighteen months from publication to contract award. Complex IT procurements can stretch even longer when legal challenges or re-tenders are involved.

Consider what has changed in cybersecurity during a single procurement cycle. At the end of 2024, the AI landscape in security was dominated by LLM wrappers: chatbots that could summarize threat reports or draft policy documents, useful but limited. Eighteen months later, we are dealing with agentic AI systems that autonomously develop exploits, crack credentials, and infiltrate infrastructure with minimal human oversight. In September 2025, Anthropic documented the first large-scale cyberattack executed almost entirely by an AI agent, targeting thirty organizations across tech, finance, and government. The AI performed 80-90% of the campaign, making thousands of requests per second, an attack velocity no human team could match. Meanwhile, VulnCheck reported that nearly 29% of vulnerabilities in 2025 were exploited on or before the day of public disclosure, up from 24% in 2024.

That is the pace of change on the attacker side. A procurement system that measures timelines in years is not operating in the same reality.

The BSI’s 2024 report on the state of IT security documented an average of 78 new vulnerabilities per day. One year later, the 2025 report puts that number at 119, a 24% increase in a single year. Threat actors, now augmented by autonomous AI, don’t wait for procurement cycles. They exploit the gap between when a vulnerability is discovered and when it’s addressed.

A system that takes a year to onboard a new security tool is not a system that takes speed seriously. And in cybersecurity, speed is not a convenience. It is a security requirement.

The Procurement Gap

None of this is about blaming procurement officers or dismissing the legal framework. The system does what it was designed to do. The problem is that what it was designed to do is not what cybersecurity demands, and not what digital sovereignty requires.

We see this tension firsthand at Serify. We build automated compliance and threat intelligence tooling for organizations navigating NIS2, DORA, and the Cyber Resilience Act. The problems we solve are urgent, evolving, and poorly served by static specifications. And yet the procurement system that governs how public agencies could adopt tools like ours was built for a world where requirements don’t change between the tender and the delivery.

If Europe is serious about digital sovereignty, it cannot stop at regulation and research funding. If Germany wants to become the Cybernation it talks about in keynotes, the procurement system needs to keep pace. That doesn’t mean abandoning fairness or transparency. It means creating pathways where European innovation can actually compete: faster timelines, problem-oriented tenders, and qualification criteria that measure capability, not just track record.

If Europe wants sovereignty, it must also be able to procure it.