Subscribe
An objective skills gap to fill
In recent years, cybersecurity has become one of the main concerns of the European Union. The growing complexity of cyber threats and the vulnerability of critical infrastructures require an ever greater commitment to ensure the digital resilience of the continent. However, one of the main obstacles to overcome is the skills gap in the cybersecurity sector, which limits the ability of Member States to respond effectively to cyber threats.
The EU has adopted several legislative measures to strengthen the cybersecurity of its critical infrastructures. Among the most relevant regulations we find:
Regulation (EU) 2019/881 – Cybersecurity Act: introduces a certification framework for ICT products, services and processes, strengthening the role of the European Agency for Cybersecurity (ENISA).
Regulation (EU) 2022/2554 – DORA: regulates the operational resilience of digital infrastructures in the financial sector.
Directive (EU) 2022/2555 – NIS2 Directive: expands and strengthens the cybersecurity measures introduced by the first NIS Directive.
Directive (EU) 2022/2557 – CER Directive: establishes resilience requirements for critical sectors that are essential for the economy and society.
Regulation (EU) 2024/2847 – Cyber Resilience Act: introduces more stringent standards for the security of devices and software connected to the EU market.
These regulations represent a major step forward in protecting critical infrastructure, but their effectiveness largely depends on the availability of qualified professionals capable of implementing and managing them. Despite the importance of cybersecurity, the sector suffers from a significant shortage of specialized professionals. According to the European Union Agency for Cybersecurity (ENISA), the skills gap is one of the main emerging challenges and, if not adequately addressed, could become the second most critical cybersecurity threat by 2030.
This shortage particularly affects the management of security for critical infrastructures, which requires advanced skills in IT, Operational Technology (OT) and Industrial Control Systems (ICS). In addition, cybersecurity professionals need to have a thorough knowledge of European regulations, which include specific requirements for regulatory compliance and risk management. The challenge is further compounded by the fact that many small and medium-sized enterprises (SMEs), which form the backbone of the European economy, do not have the resources to adequately train their staff in cybersecurity. This makes them particularly vulnerable to cyberattacks.
To address this issue, the EU needs to invest in multidisciplinary training programmes that combine technical, strategic and legal skills. Cybersecurity is no longer just a technology issue, but also concerns regulatory, economic and strategic aspects. For example, a cybersecurity professional must be able to assess not only the technical risks of a cyberattack, but also the legal implications and economic consequences for the affected company or entity. In some cases, the immediate application of standard security protocols could have negative consequences. For example, disabling a compromised telecommunications network to contain a malware attack could hinder emergency communications from authorities. Similarly, interrupting the operation of a healthcare system under attack could put patients’ lives at risk.
For this reason, training must include realistic crisis scenarios, in which professionals can learn how to balance cyber protection with business continuity and national interest. To respond to this challenge, the EU has promoted several initiatives to incentivize the training of cybersecurity experts. These include:
EU-funded programs
The European Parliament has called for the creation of accessible training programs, funded by European funds, to develop skills in emerging areas of cybersecurity.
Cyberhubs
An EU-funded initiative that aims to improve the ecosystem of professional skills in the cybersecurity sector, through partnerships between universities, businesses and institutions.
Public-private cooperation
The European Commission has encouraged the creation of innovation hubs that can foster collaboration between companies and research institutions to develop new skills.
Launch of the European Cybersecurity Skills Academy
An initiative to provide continuous and specialized training for professionals in the sector, improving access to advanced learning paths.
Cybersecurity of critical infrastructures is a priority for the European Union, but to ensure effective protection it is necessary to invest in a highly skilled workforce. Skills shortages are one of the EU’s main vulnerabilities in the context of cybersecurity and must be urgently addressed through targeted and multidisciplinary training programmes. Europe has already taken significant measures to strengthen its digital resilience, but without adequately trained professionals, the effectiveness of these policies remains limited. Investing in the training of cybersecurity experts is not only a current necessity, but a key element to ensure the competitiveness and security of the continent in the long term.
Alessandro Fiorentino