For years, the dominant story in cybersecurity has been simple: real companies are built in the US or Israel. Everywhere else is secondary.

But when you sit down with founders actually building cybersecurity startups and scaleups across Europe, a very different story emerges.

A story that mixes structural friction with forced creativity, full of hard choices and sometimes longer paths that can produce stronger companies.

In a recent article, we talk about how a focus on delivering real value – not protectionism – can transform the European cybersecurity landscape very positively.

The following piece is based on the views and experiences of founders from France, Ukraine, Belgium, Germany, Poland, Czechia, and Spain, who speak candidly about what they see as the real opportunities and challenges of building cyber companies in Europe and their relentless focus on creating solutions the world wants to buy .

What follows is not theory. It’s what they’ve lived.

One of the first patterns that emerges is this: Europe is not an easy place to build and sell European cybersecurity and that shapes products.

Simon Bauwens, co-founder of OutKept, explains how even something as “simple” as phishing simulation becomes radically more complex in Europe:

“If you write a phishing email in the Dutch that we use in Flanders, it’s very different from the Dutch in the Netherlands. The French in Wallonia is not the same as the French in France. A small change in wording is enough for people to immediately say: this doesn’t look credible.”

He goes on:

“If you’re a big global company, who is going to create phishing emails that refer to a local storm, a local election, or something that just happened in that region? Nobody does that. But that’s exactly the kind of phishing people actually fall for.”

This isn’t an isolated experience.

Andriy Kusyy, founder of LetsData, describes how disinformation campaigns now launch multilingual by default, not as an afterthought:

“Campaigns don’t start in English and then get translated anymore. They start multilingual from patient zero. If you’re only scanning English media space, you’re already late.”

For him, Europe’s linguistic and cultural fragmentation isn’t noise but signal:

“If a campaign starts in Romanian, then Russian, then Ukrainian, then comes back to Romanian, and finally targets Moldova, if you’re only looking at one country or one language, you will never understand it’s the same operation.”

The opportunity this creates is clear: European founders are forced to build products that work across complexity — languages, cultures, regulations — from day one.

The result? Products that are often more resilient globally once (and if) they break out.

Another shift founders consistently point to is trust. Not marketing trust but structural trust.

Pavel Rybczyk from Labyrinth Security puts it plainly:

“We are not saying: buy European just because it’s European. That would make no sense. But for critical things like access management, monitoring, early detection — customers are starting to ask where the technology comes from, who controls it, and where the data lives.”

He adds:

“It’s not realistic to switch everything to European vendors. But for strategic layers, it’s absolutely realistic, and customers are now open to that conversation.”

Richard Malovic, Co-Founder and CEO of Whalebone, sees the same dynamic in the vertical they target the most, telecommunications:

“We integrate directly into telco networks. This is critical infrastructure. Here, stability, long-term viability, and political alignment matter a lot.”

Richard went on to highlight how those values are what many consider European cultural pillars and they are natural for a company that is built in this region.

Therefore, for companies operating in government, telecom, finance, or national infrastructure, European origin is increasingly a qualifier, not a handicap.

Yet nearly every founder contrasts this opportunity with a harsh reality: Europe is slow to adopt new cybersecurity vendors.

Luigi Lenguito, founder of BforeAI, is blunt:

“In Europe, customers want proof before innovation. In the US, they buy the vision and expect you to get there. In Europe, you need to already be there.”

The result?

“You often need US customers to convince European ones. That’s the paradox.”

The Mitigant founders, a Cloud Attack Emulation vendor from Germany, who come directly from academia into the cyber industry, felt this immediately:

“In the US, you can sell the idea and iterate fast. In Europe, customers want a finished product, references, and long POCs before they even consider it.”

They add:

“That forces you to spend much more time educating your potential customers. Not just the security team, but management, procurement, legal. Everyone needs to understand why the tool exists.”

Nils Karn went further and quoted a study made in Germany that found out that from the billions spent in cybersecurity in the country, very little is actually dedicated to startups in their first years of life.

The challenge: European founders must survive longer sales cycles with less early revenue, while still competing against global incumbents.

Because of this friction, many founders independently converge on the same conclusion: Direct sales alone don’t scale well in Europe.

Lukasz Jesis from Xopero explains it simply:

“If you want to scale across Europe, you cannot sell country by country on your own. You need partners who already have trust, relationships, and distribution.”

Labyrinth designed its product around partners from day one:

“Multi-tenancy, MSSP support — this was in the product from the first version. We knew we could not scale commercially without partners.”

Whalebone took this logic even further by embedding itself inside telcos:

“We are not selling cybersecurity as a tool. We are helping telcos create a new revenue stream. That changes everything.”

The fragmented reality of the European market, with different languages, cultures and business practices, requires a different approach than what US & Israeli companies usually do. As Luigi Lenguito points out, if you go to the US first, you can go directly to customers, as they do.

The opportunity: Europe rewards founders who think in ecosystems — MSSPs, telcos, distributors — not just direct sales. If they listen to the channel, they can have an advantage that “foreign” entities might not.

One of the most honest reflections comes when founders talk about funding. Everybody knows that – with few exceptions – investment rounds in Europe are several orders of magnitude smaller than in the US.

That is an obvious obstacle but not the only one. Simon Bauwens describes a structural gap many European founders recognize immediately:

“We are missing that big middle layer. We have early-stage startups in Europe, and we have global giants — mostly from the US. But we don’t have enough large European tech companies that can acquire, fund, or help scale the next generation.”

Richard Malovic echoes this from a scaleup perspective:

“We need more European examples of companies that grow big and stay independent. Positive examples matter more than anything.”

Without that middle layer:

• exits happen earlier

• ambition is often externally constrained

• global scale sometimes requires leaving Europe behind

Very few European cybersecurity vendors have reached EUR 1 billion ARR. There’s only a handful that even got to half a billion euros in annual revenue. Europe is full of stories of strong cybersecurity companies that were acquired by American firms before they could become that middle layer, like Hornet Security.

Hornet Security, a successful german email security company acquired Vade Secure, a french player in the same sector. That looked like a successful story of european consolidation… until Proofpoint came and acquired them and fulfilled exactly what Simon and Richard mentioned above.

And yet, despite all this, something remarkable appears across these conversations: European founders are not pessimistic. They are patient. They talk less about blitzscaling and more about durability.

Richard Malovic describes it as crossing a mountain valley:

“You know you’re going forward. You’re not coming back. It’s hard, it’s cold, but you keep going.”

Simon Bauwens frames it differently:

“Competition becomes aggressive. People try to scare you, write legal letters, run ads against you. But you learn that if they bother, you must be doing something right.”

In a world where the speed of developing software is accelerating, that patience can become an advantage. Almog Ohayon from TandemTrace, who already went through a successful Israel-to-US founding journey and now is building out of Spain captures the moment we’re entering:

“With AI, small teams can now outperform big organizations. The advantage is shifting back to speed, focus, and clarity of vision.”

The new reality combined with European resilience can become a hidden strength for the local cybersecurity vendors.

A bit more than a year ago we discussed similar topics with other founders from Europe. Many of the challenges remain the same yet something seems to be shifting in the market as well as in the mindsets of the leaders of the European cybersecurity vendors.

The conversations we have now, taken together, reveal a deeper truth: Europe doesn’t produce fewer or worse cybersecurity companies.

It produces different ones that, while might have been built slower and taken longer to validate, are designed for complexity and could be more defensible long-term.

The stories of the companies we interviewed, as part of Scaling Cyber, provide us with a unique perspective on how cyber innovation is building up in Europe and that despite the challenges, there are strong opportunities ahead.

Europe needs to listen to the European founders. When that happens, a new generation of global cybersecurity leaders will not just emerge. They will be impossible to ignore.

*** This is a Security Bloggers Network syndicated blog from Cybersecurity & Business authored by Ignacio Sbampato. Read the original post at: https://cybersecandbiz.substack.com/p/building-cybersecurity-companies