Key Takeaways from the EU Competition and Cyber Security Policy Roundtable

The roundtable followed the November 2025 publication of RUSI’s paper on ‘Combatting Cybercrime against Mobile Devices’. Drawing from a multistakeholder workshop, this paper found that ‘competition policy and consumer rights are perceived to be in tension with cyber security for mobile devices.’ This finding echoed the conclusion of ECIPE’s February 2025 paper, ‘Cybersecurity at Risk: How the EU’s Digital Markets Act Could Undermine Security across Mobile Operating Systems’. The focus of the March 2026 roundtable was therefore to further examine how competition policy (un)intentionally creates negative cyber security outcomes and how the EU’s simplification agenda shapes this interaction. 

The roundtable convened representatives from the European Parliament, member-states, civil society, private companies and industry representative bodies. Stakeholders from across the mobile ecosystem were included – operating system developers, telecommunications operators, app developers, manufacturers and others. The discussion was unclassified, off-the-record and nonattributable.

Below is an overview of key takeaways from the roundtable.

Roundtable participants agreed that the EU’s simplification agenda risks producing a regulatory picture that is tidier, but not coherent. The central problem is that legislative objectives – competition and cyber security – are being pursued in silos, sometimes producing contradictory, often unintended outcomes. Examples that were raised during the roundtable include:

• Digital Markets Act provisions requiring OS developers and app stores to make it easier to sideload applications including through unrestricted linkouts introducing more malware risks to users.
   
• Mandatory cyber threat information sharing under Cybersecurity Act reforms potentially conflicting with EU competition law, given restrictions on exchanges of commercially sensitive information between competitors.
   
• Technical solutions, such as Know Your Customer provisions or malware blocks, being potentially withheld from the European market based on concerns about the regulatory environment.

These examples illustrate tensions and trade-offs between openness/competition and cyber security. While these are inevitable to some extent, it should not always have to be a binary choice. As advocated by all participants, a coherent regulatory approach can support both competition and cyber security outcomes through establishing proper and predictable legal frameworks and processes. This will be essential to navigate the continued implementation of the Digital Markets and Digital Services Acts, reforms to the Cybersecurity Act and the full rollout of the Cyber Resilience Act.

RUSI’s 2025 paper found that many stakeholders in the mobile ecosystem assume that responsibility for mobile cyber security rests exclusively with manufacturers and OS developers. Participants at the March 2026 roundtable warned of a similar phenomenon where EU policymaking focuses on large or influential platforms, ignoring smaller players.

For example, participants at the roundtable representing independent app developers expressed that a trusted, controlled app marketplace was fundamental to their business model because the 'app economy is a trust economy'. Independent developers piggyback off the trust millions of users have in existing platforms and while they would always prefer better terms to list on marketplaces, they expressed more concern with ensuring the platforms remained trusted, rather than introducing significantly more competition.

A critical reflection therefore is that cyber security, competition and simplification priorities are contested and multi-faceted. The diverse stakeholders with equity in the mobile ecosystem are rarely represented in policymaking processes and instead many – especially SMEs, users and consumers – are weaponised in the arguments of others. It is crucial to ensure all relevant stakeholders are represented in these discussions.

One participant reflected that there is insufficient objective measurement of the impact of existing cyber security legislation. Ex-ante impact assessments have been conducted for both the Cyber Resilience and Cybersecurity Act, but the former has yet to come into force and the latter has had limited ex-poste evaluation. Supposedly, reforms to the Cybersecurity Act will account for learnings from implementation to date, but ahead of that evidence base becoming more clear participants expressed concern that lessons would be accounted for. 

Another participant raised the importance of sustained impact measurement to informing AI policymaking highlighting the example of integrating AI agents into mobile devices. Requiring full interoperability for any AI agent to operate across device systems and mobile systems layers could introduce significant risk.

Areas for further consideration identified through the workshop include:

• Include the European Union Agency for Cybersecurity (ENISA) in digital and competition policymaking. To avoid cyber security becoming a secondary concern, ENISA should be given an advisory function on the development in all digital policymaking. Otherwise, ENISA could be represented in the DMA’s High-Level Group.
   
• Inclusive engagement. Provide greater opportunities for smaller players within the mobile ecosystem to input directly on their priorities across competition and cyber security issues.
   
• Encourage de-siloing in parliamentary legislative processes. Consider the creation of a formal coordination mechanism on the diverse priorities – competition, sovereignty, cyber security – underpinning digital regulation to ensure coherence.