"There Are No European Cybersecurity Vendors." Wrong. | CipherCue - CipherCue
30 June 2026 · 10 min read · By Chris McCabe
The single most consequential paragraph in a European cybersecurity tender is the one asking the vendor where the data sits and who can subpoena it. EU-headquartered vendors with a clean answer to that paragraph almost never appear on the next shortlist slide.
Someone recently told me this is because Europe doesn't have any cybersecurity companies. That they're "just implementers." That European procurement teams looking for a sovereign alternative are stuck either choosing a foreign incumbent or accepting that the option does not exist.
I disagreed strongly enough to start counting.
The point of this article is not that CrowdStrike, Okta, Palo Alto, Wiz, Fortinet, Splunk, Cisco and the rest of the foreign cybersecurity stack should not be used. Many of them are excellent and European buyers will continue to use them. The point is that the framing "Europe does not have cybersecurity vendors" is a measurable claim, and when you measure it, it does not hold up. Every major product category that buyers procure has credible EU-headquartered options. Stormshield in France. ESET in Slovakia. Bitdefender in Romania. WALLIX, TEHTRIS, Sekoia.io, HarfangLab in France. Genua, Beta Systems, Rohde & Schwarz in Germany. Logpoint, Omada, Heimdal in Denmark. Clavister, Outpost24, Curity in Sweden. WithSecure, Ubisecure in Finland. And many more. The companies exist. The depth of the field is real.
The shortage is not in the market. The shortage is in what gets seen.
The directory at /directory/eu is our working list. It is curated, not complete. We add vendors as we verify them, and we know we are missing many. If the question is "are there enough EU cybersecurity vendors in your category to populate an evaluation shortlist", the answer is yes in every category we have looked at.
What the field actually looks like
The vendors we have catalogued so far split across the categories that buyers actually procure. None of these are emerging niches. They are the line items on a mid-sized organisation's annual security budget. Multiple EU vendors are active in each.
| Category | Example EU-headquartered vendors | Replaces |
| --- | --- | --- |
| IAM & SSO | Ubisecure (FI), Evidian (FR), Nexus Group (SE), OneWelcome (NL), Curity (SE) | Okta, Microsoft Entra ID, Ping Identity |
| EDR & XDR | ESET (SK), Bitdefender (RO), WithSecure (FI), TEHTRIS (FR), HarfangLab (FR), Heimdal (DK), Dectar (IE) | CrowdStrike, SentinelOne, Microsoft Defender |
| Email security | LibraCyber (IT), Retarus (DE), Tuta (DE), Mailfence (BE) | Proofpoint, Mimecast, Abnormal Security |
| SIEM & observability | Logpoint (DK), CrowdSec (FR), Sekoia.io (FR), SecureVisio (PL) | Splunk, Microsoft Sentinel, IBM QRadar |
| IGA & PAM | Omada (DK), WALLIX (FR), IDEE (DE), Beta Systems (DE) | SailPoint, CyberArk, Saviynt |
| Firewall & NGFW | Stormshield (FR), Clavister (SE), genua (DE), Rohde & Schwarz Cybersecurity (DE) | Palo Alto Networks, Fortinet, Cisco |
| Cloud security (CSPM / CNAPP) | Aikido Security (BE), Patrowl (FR), Outpost24 (SE) | Wiz, Palo Alto Prisma Cloud, Lacework |
| Data loss prevention | CoSoSys (RO), Safetica (CZ), Cryptshare (DE) | Symantec (Broadcom), Microsoft Purview, Forcepoint |
| MDR & managed SOC | Orange Cyberdefense (FR), Eviden (FR), Telefónica Tech (ES) | Arctic Wolf, Expel, Red Canary |
| VPN & remote access | Defguard (PL), Stormshield SSL VPN (FR), plus the VPN modules built into the firewall vendors above | Cisco AnyConnect, Palo Alto GlobalProtect, Zscaler ZPA |
Geographically, the field is broader than the "Berlin and Paris only" mental model implies. France and Germany account for the most listings, but credible vendors operate from Sweden, Denmark, Finland, Romania, Belgium, the Netherlands, Italy, Spain, Slovakia and the Czech Republic. That is a field spread across more than half the EU, not a concentrated cluster around two capital cities.
The age distribution surprised me. The directory includes vendors with continuous operating histories going back decades. Rohde & Schwarz operates a dedicated cybersecurity business inside a group founded in 1933. Beta Systems has been doing identity governance from Berlin since 1983. ESET has shipped endpoint products from Bratislava since 1992. Bitdefender came out of Bucharest in 2001. WithSecure has continuity back to F-Secure's 1988 founding. None of these are startups, and none of them are "implementers."
At the same time, the directory includes vendors founded in the last decade that have already qualified for ANSSI, BSI and Common Criteria certifications. HarfangLab (founded 2018) is ANSSI-qualified. Sekoia.io (2016) holds ANSSI, ISO 27001 and HDS. Aikido Security (2022) ships ISO 27001 and SOC 2 Type II. The new generation is real, and it is shipping qualified product, not slides.
Capital structure is mixed in the way you'd expect from a real industry. WALLIX is...