At the Paris Cyber Summit, industry and government leaders from across the Atlantic alliance outlined fundamental transformations needed in Western cybersecurity strategy, with Sopra Steria's Defense & Security Director calling for a decisive break from reactive approaches.
Europe stands at a critical juncture in cybersecurity strategy. According to Benoît Chatelain, GICAT’s Board member and Defense & Security Director at Sopra Steria, the time has come for a fundamental strategic shift toward proactive resilience.
Speaking alongside Despina Spanou (Principal Advisor to the European Commission on Cyber Security Coordination), Jordan Zed (Canadian Privy Council), and David Lashway (Sydney Global Law Firm) at the Paris Cyber Summit panel on "How Western Defense Can Stand in the New International Dynamic," Chatelain painted a stark picture of Europe's current reality: "The battlefield is no longer physical, it's hybrid. Europe is the target every day of public attacks. We have to consider cyber campaigns against our critical entities and foreign information manipulation and interference as daily business."
The End of Hypothetical Threats
Benoît Chatelain's assessment aligned with broader themes articulated by his fellow panelists. Lashway characterized the current moment as "a critical inflection point" where "the post-war security order is being actively contested in every domain," while Spanou emphasized Europe's evolution toward a "new Pax Europeana for the 21st century."
According to Chatelain, the time for defensive thinking is over : "This is not a hypothetical future threat, but a permanent and declared conflict". For years, European cybersecurity policy focused on what Chatelain termed "reactive replenishment", essentially preparing to replace what had been damaged or compromised. This approach, embodied in traditional instruments like ASAP (A Secure and Prosperous Europe), concentrated on "replenishing stockpiles" rather than preventing attacks. The recently adopted SAFE instrument represents progress, but its treatment of cyber capabilities reveals persistent gaps in strategic thinking.
The Regulatory Paradox
While many industry leaders view European cybersecurity regulation as an obstacle, Chatelain offers a contrarian perspective. "Regarding regulation for us, it's finally a strategic opportunity," he stated, acknowledging that "it could be tricky to say this way, but we see it as an opportunity." This stance aligned with Spanou's emphasis on "implementation before enforcement." European cybersecurity frameworks like NIS-2 and the Cyber Resilience Act create what Chatelain describes as "a good way for us, at least in Europe, to facilitate cross-border cooperation."
However, Chatelain identified practical challenges that Spanou acknowledged in her call for regulatory simplification. The primary obstacle isn't the regulatory framework itself, but rather "the incident reporting obligation to reduce administrative burdens and foster compliance." These reporting requirements consume valuable time and resources, making it "difficult to be reactive and proactive regarding these aspects."
Data-Centric Security: protecting content, not containers
Central to Chatelain's vision is a fundamental shift in how organizations conceptualize security. Traditional approaches focus on securing infrastructure, the "containers" where data resides. Chatelain proposes another view: "Data is what we have to protect : it's about the content, not the container."
This data-centric approach, combined with zero trust architecture, represents one of two foundational pillars in what he calls "new doctrines from an industry perspective." The logic is compelling: "We don't care about storing clouds because the technologies come from outside Europe probably, and it makes no sense to use another technology. But if we securitize data, that's more efficient."
The second pillar addresses what Chatelain identifies as "cognitive warfare threats." Europe must develop indigenous capabilities to counter information manipulation and interference, threats that target human cognition rather than technical systems. This concern found echoes in Lashway's observation that "the information dominance the West preserved in the post-Cold War order is over."
The sovereignty dilemma
Perhaps no issue crystallizes the complexity of European cyber strategy more than technological sovereignty. Chatelain acknowledges his discomfort with the term "sovereignty," preferring "strategic autonomy”. But the underlying challenge remains: how can Europe maintain security while reducing dependence on foreign technologies?
His approach is nuanced rather than protectionist. "We can cooperate having U.S. technologies, but it's insurance to have European sovereign providers," he explained. This isn't about rejecting foreign technologies wholesale, but about ensuring Europe maintains viable alternatives.
The emergence of European companies that "use U.S. technologies and provide sovereign capability" illustrates this balanced approach. These hybrid models allow European organizations to benefit from global innovation while maintaining strategic independence.
Chatelain advocates extending the SAFE instrument beyond hardware to encompass "software to have more capabilities on data architectures and secure-by-design digital services." Without this European preference, he warns, “We will continue to buy foreign technologies."
Spanou provided institutional context for this balance: "We have excellence in Europe. There are certain parts of tech industry that have excellence in the U.S. We need to make it work together." However, she emphasized that "everybody also has to work for their own sovereignty."
The path towards strategic independence
Chatelain doesn't minimize the economic implications of pursuing strategic autonomy. "Why should you redevelop technologies that already exist for our own sovereignty?" he asks rhetorically, acknowledging efficiency arguments for purchasing existing solutions.
His answer reflects long-term strategic thinking: "That's quite important to do, even if it costs a bit more today." This willingness to accept short-term costs for long-term strategic benefits distinguishes mature cybersecurity strategy from purely cost-driven decision-making.
Despite sobering assessments of current threats, Chatelain concluded on a note of optimism "I'd just like to give you hope because there is no fatality, especially in cyber and digital areas," he stated, drawing on European experience in developing capabilities others deemed impossible.
His closing words, "impossible n'est pas français", capture both the challenge and opportunity facing European cyber defense. The continent has repeatedly demonstrated its ability to create innovative solutions to complex problems, from developing internet predecessor networks to establishing global privacy standards through GDPR.
As Europe faces an era of permanent digital conflict, Chatelain's perspective suggests that with proper strategic thinking, regulatory frameworks can become tools of competitive advantage rather than burdens, and Europe can chart a course toward genuine cyber resilience.