With over 20 years of experience, Roberto leads the global Loss Prevention and Non-Financial Risk strategy at Abanca and its Corporate Group. He oversees security, fraud, and business continuity programs across Europe, US and Latam. An engineer, master’s graduate, lecturer, and current president of ISMS Forum, he is a speaker on risk and security.
Cybersecurity in Europe: Balancing Regulation, Risk, and Resilience
Europe has always been a crucible of contradictions, impulses, convulsions, and effervescences of all kinds—political, social, military, economic, and cultural. The Old Continent is only old in age, populated by generally well-off people compared to the global average, but it has always been youthful in its carousel of emotions and sentiments.
Today, it is a continent more isolated than ever and, at the same time, more interconnected and dependent than ever. And it is learning this the hard way. The regulatory whirlwind reflects these deeply European characteristics: a sharp sense of social protection and an attempt—so far, with little success—to control global domains and safeguard the interests of a union that, from time to time, does not seem very united.
One of the most active areas of regulation has been information management, its protection, cybersecurity, and digital resilience. In other words, the foundation of a digital economy and society, which is what Europe is or tends to become. And the foundation of a model that, from the outside, could be considered protectionist, as well as naïve and idealistic.
It was already complicated to develop complex regulatory models that protect a society based on fundamental rights—including privacy—within social and political systems heavily influenced by the protection of the individual, their uniqueness and the tensions this generates between majorities and minorities, which are so well-protected on this continent. This challenge grows even more when dependence on Big Tech companies becomes deeper and more embedded in economic sectors and more importantly, in personal and social life.
"Cybersecurity is no longer just a technical challenge—it is a fundamental pillar of Europe's digital society, economy, and governance. True resilience requires collective responsibility, strategic investment, and seamless integration across all organizational functions, from leadership to operations"
European-style data protection, cybersecurity maturity, the rise of artificial intelligence and the guarantee of supply chain resilience all send clear messages to the major digital players, mostly from North America, and bring the vastly different models on the two sides of the Atlantic into open confrontation. And this is without mentioning China’s incursion into the digital model, offering cloud and artificial intelligence services backed by state power and unprecedented capacity, services that do not adhere to the regulatory, oversight and even ethical standards expected in the EU.
The challenges of cybersecurity governance and data protection for companies, organizations, and governments within the EU remain the same as always: technical frenzy, constant need for updates, workforce shortages, high costs with complex efficiency considerations, and an extreme level of performance expectations. On top of this, an increasingly burdensome regulatory framework is being imposed—one driven not by sectoral regulators but by the European Commission itself. That is, a framework with a more political than technical origin, making it subject to the whims of negotiations between countries that are not always aligned, where regulations often serve as bargaining chips rather than genuine continental reforms.
And so, here we are, in a situation where cybersecurity professionals must develop, evolve, govern and manage risks as always—but now, with significant efforts directed at regulatory compliance. They are expected to achieve high levels of efficiency in their management, which is filled with solutions, tools, services and products.
Where is the balance? What can we say to those responsible for this function, as well as to their multiple and diverse teams? Where does it begin and where does it end?
Starting from three fundamental premises, perhaps observing the scenario from above might shed some light.
First, regulation is non-negotiable. The right to complain, to request, to plead, to demand coherence and cohesion, as well as reasonable applicability aligned with business, social and governmental objectives, will always exist. It is both healthy and appropriate to challenge its application and, in particular, its oversight, which is often excessive, biased and lacking corporate perspective.
Second, the demand for efficiency and effectiveness is undeniable. Cybersecurity must deliver and will need to continue improving its performance to the highest possible standards in each situation and environment. The risks remain immense and the threats are real and plausible. The geopolitical and geostrategic landscape does not help—it will only make things more complicated. We must continue to convince stakeholders that this is costly, that it will become even more expensive and that despite all efforts, risk will persist for a long time—a high-level risk by definition. However, we cannot continue on an exponential spending curve without linking it to risk, its cost, its impact and, ultimately, without fully aligning with resilience. That is, preparing for anything, anytime, anywhere, under any circumstances.
And third, the function itself. The mix of responsibilities, competencies, attributions and tasks assigned to cybersecurity and data protection leaders—regardless of their official titles—cannot be concentrated in a single role. It should be a collective effort rather than an individual burden. An extensive range of technical and digital capabilities, risk and process management, resource and personnel oversight, contract and service administration, legal and compliance matters, training, and workforce development all fall within this domain. The fact that this field is so specialized, with its own language and extreme dynamism, does not mean that all these competencies should fall under a single function. Organizations must develop understanding, competencies, capacity, and, ultimately, execution within their functions, incorporating the key elements of cybersecurity into their domains. Legal, human resources, technology, procurement, marketing, communications, business lines and, of course, management and top leadership must take responsibility for their roles.
Otherwise, we will continue to fall short of integrating cybersecurity into what it should be in a digital society, economy and government: a quality attribute and a distinguishing element of our way of life.