Europe Is Losing the Sea Cable Race
Find Threat Talks on
Europe Is Losing the Sea Cable Race, And Here’s What’s at Stake
Around 40 new submarine cables go live in 2026, and most won’t land in Europe. In this second part of our sea cables conversation, Peter Ernst talks with Ernst Noorman, the Netherlands’ Cyber Ambassador-at-Large and a member of the ITU Advisory Body on Submarine Cable Resilience, about what the redrawn cable map means for Europe.
They compare Amsterdam and Singapore, once described as the two toughest places in the world to build digital infrastructure. Singapore now has 32 cable landings, ten more in the pipeline, five years of zero cable faults, and a tender process that puts green energy first. The Netherlands built a world-leading position on decisions made 25–30 years ago, and now has to decide whether to keep investing.
The conversation moves up the stack from cables to the bigger question: the difference between sovereignty and autonomy, why “always the cheapest option” has quietly cost Europe, the EU Cyber Resilience Act and security by design, what NIS2 means for personally liable boards and CEOs, and why Europe should be far less modest about what it has already built, from ASML and Mistral to Airbus.
What you’ll learn
- Amsterdam was first, but first-mover advantage is not permanent. The Netherlands built its digital infrastructure on a thirty-year head start. That lead requires active investment to maintain, and other European countries are currently investing more.
- Singapore solved its crunch by changing the rules. A government-mandated pause on new data center approvals, followed by rewritten tender requirements that bundle green energy commitments with connectivity proposals, produced the most secure cable infrastructure in Southeast Asia.
- Sovereignty and autonomy are not interchangeable. Autonomy means freedom of choice, including the option to use European vendors alongside American ones. Sovereignty, in the harder sense, means control over your data and protection from foreign access. Both matter, and conflating them produces bad policy.
- The Cyber Resilience Act is a potential game changer. It requires security by design from software and hardware manufacturers and creates product liability for insecure products. The analogy: tap water is safe because regulation demands it. Software should be no different.
- NIS2 moved cybersecurity from the IT department to the boardroom. CEOs and boards are now personally accountable. A manual exists for boards who do not yet know what questions to ask their CISO. Companies are already organizing C-suite training around it.
- Europe has the components, but not yet the risk appetite. Talent, capital in pension funds, and European control over critical stack layers like ASML, Nokia, and Ericsson are all there. What is missing is the willingness to treat failure as a learning moment rather than a permanent mark.
Your cybersecurity experts
Peter van Burgel
CEO
AMS-IX
Ernst Noorman
Ambassador for Cyber Affairs
Dutch Ministry of Foreign Affairs
Episode details
The number that anchors the Amsterdam vs Singapore comparison is 32. That is how many submarine cable landings Singapore currently operates, with ten more in the pipeline and ambition for another ten within the next decade. Zero cable faults in the past five years. Cables buried 5 to 12 meters under the seabed, ships prohibited from anchoring nearby. Singapore paused new data center investments for roughly half a year, then rewrote its tender process to require full proposals including green energy commitments upfront. The result is a small city-state that functions as the connectivity hub for all of Southeast Asia and is now a model for the wider ASEAN region.
The contrast with the Netherlands is uncomfortable. Amsterdam received the first internet connection in Europe, CERN to AMS-IX, and built its digital infrastructure on that early-mover advantage. But that lead is not self-maintaining. Other European countries, some of them landlocked, are investing more heavily in data centers today. The hyperscalers building new cables are placing them where they want to put AI factories, not where legacy internet infrastructure already exists. Europe’s connectivity position is not yet in danger, but the directional trend in new cable landings points away from it.
Digital sovereignty is the organizing concept of this episode, but Ernst Noorman draws a careful distinction. Sovereignty, in the Chinese usage, implies hard control over data and the exclusion of foreign influence. Autonomy, the word he prefers, means freedom of choice: the ability to use European vendors, not the obligation to. ASML, Nokia, and Ericsson already represent European control over critical parts of the technology stack. The goal is to extend that to other layers, not to rebuild the entire stack from scratch.
NIS2 and the Cyber Resilience Act are the two regulatory levers receiving the most attention. NIS2 makes board members and CEOs personally accountable for cybersecurity posture, which has changed the quality of boardroom conversations faster than any awareness campaign. The Cyber Resilience Act goes further: it requires security by design at the point of product development, and holds software and hardware manufacturers liable if their products are later found to be insecure. The analogy offered is direct: tap water and medications are trusted because government-mandated safety standards exist. Software should be no different.
The harder problem is cultural. A room of 150 to 200 senior cybersecurity professionals, asked who has been involved in a breach in the past two years, produces three hesitant raised hands. The number is implausible. Confidential roundtables, organized under the Dutch Cybersecurity Council framework and through initiatives like Cyclotron, exist precisely to create a space where CISOs can speak honestly to each other without reputational exposure. The same logic applies between countries: the Netherlands organizes regional dialogues in the western Balkans, ASEAN, and southern Africa so that national CERTs can reach each other before a crisis rather than during one.
The episode closes on a question about Europe’s next three to five years. The Draghi report and the Peter Wennink agenda both set out what needs to happen. The components are in place: talent, ideas, strong pockets of the stack, and pension fund capital large enough to fund a serious European technology buildout. What is missing is risk appetite and execution. The cultural gap with the United States is not primarily about regulation. It is about what bankruptcy means. In the US it signals experience. In Europe it still closes doors. That attitude, more than any single policy choice, is the variable that determines whether Europe stays in the front tier or continues to slide.
Get your Hacker T-shirt
Join the treasure hunt!
Find the code within this episode and receive your own hacker t-shirt for free.
