Europe cannot protect what it cannot see

On 1 December, our CEO Jaap van Etten addressed the Special Committee on the European Democracy Shield (with participation from SEDE, ITRE, and LIBE) during a public hearing on Foreign Threats to Strategic Infrastructure.

His remarks highlighted a widening visibility gap across Europe’s critical systems, a gap that foreign actors increasingly exploit. Drawing on open-source procurement data, case studies, and two decades of research on China’s industrial ecosystem, Jaap van Etten set out a clear message: Europe cannot protect its infrastructure if it cannot see who builds it.

A personal lesson in strategic autonomy

Jaap van Etten opened by revisiting China’s strategic decision in the mid-2000s to block the rollout of the superior European 3G standard (WCDMA) inside its borders. China accepted short-term technological disadvantages to guarantee long-term autonomy. A choice that ultimately secured its companies a seat at the global 4G and 5G standards table.

This example sets the stage for Europe: Europe’s infrastructure has accumulated foreign dependencies not by design, but through years of incremental decisions. Today, we face a moment, much like China did in 2005, where regaining resilience requires deliberate, strategic choices.

The expanding definition of strategic infrastructure

Traditional policy debates still focus on grids, telecoms, and transport. But as Jaap van Etten explained, modern infrastructure now includes far less visible layers:

• IoT devices, and IP cameras collecting continuous data at massive scale

• Social media platforms capable of shaping public opinion across Europe

• Games that use kernel-level anti-cheat tools gain deep system privileges on users’ devices,  and simultaneously collect spatial and physics-based data ideal for training embodied AI systems.

• Cloud platforms and app ecosystems operated from abroad

• Greenfield investments not subject to screening

These systems are gateways into Europe’s economy, security posture, and societal stability, yet they fall largely outside existing oversight mechanisms. The result is a widening asymmetry: foreign actors understand Europe’s digital and physical dependencies far better than Europe understands theirs.

A European grid asset with unmonitored defense ties

To demonstrate how quickly visibility can be lost, Jaap van Etten presented a real procurement example uncovered entirely through open public data.

A Central European grid operator tendered a battery energy-storage system, a critical asset for stabilizing renewables. The winning consortium combined a European engineering firm with a major Chinese manufacturer, fully compliant, transparent, and 40% below expected pricing.

When we ran the supplier’s Chinese registration number through our platform, the picture changed within minutes. The manufacturer, after winning the European contract, had also participated in several defense-sector procurements in China. Nobody was tracking this; it only became visible once procurement data was connected to broader industrial, research, and state-linked activity.

This does not imply wrongdoing. The risk lies in the architecture behind the product: firmware updates, diagnostic data, and remote-configuration functions for a European grid asset could flow through systems that also serve Chinese military applications. Not because of any violation, but because the same industrial group operates in both domains.

As Jaap van Etten noted, “The question isn’t only who a supplier was when they won the contract. It’s who they become while they are operating our infrastructure.”

Europe’s blind spot: the scale of China’s defense-linked ecosystem

One of the most striking visuals in the presentation showed three numbers: 1,500 companies on global control lists. If you include their majority-owned subsidiaries, that number rises to 25,000 entities. But the underlying ecosystem is far larger: roughly 500,000 Chinese companies are directly or indirectly embedded in the defense-industrial ecosystem.

This means that a single supplier can sit atop ownership chains, procurement networks, or research programs that connect into military activity, even when the entity entering Europe appears commercial, benign, or newly established. 

So, the case that we just described, one tender, one supplier, is one dot in a line of half a million companies.

Greenfield investments: a structural oversight gap

Jaap van Etten also described a second example: a Chinese greenfield company in Europe participating in autonomous driving research, including license plate scanning, a sensitive data function by any definition.

Yet no authority screened the company, because there was no legal requirement to do so. Subsequent analysis revealed that the entity had direct ties to the Chinese government.

This, he said, is Europe’s greenfield blind spot: new actors entering critical sectors without scrutiny, even when involved in data-rich domains such as LiDAR, charging infrastructure, or mobility systems.

Three recommendations to close the visibility gap

In his closing section, Jaap van Etten outlined three policy steps that Europe can take without sacrificing openness or innovation:

1. Establish an EU-level OSINT monitoring capability 

A systematic approach to integrating open-source industrial data like ownership structures, procurement patterns, research funding, defense links, and market footprints.

2. Require transparency from suppliers to strategic infrastructure

Including disclosure of parent groups, defense involvement, and remote-access functionalities, proportionate to the sensitivity of the asset.

3. Extend oversight to high-impact greenfield investments

Battery plants, data centers, autonomous driving R&D, and industrial software providers all shape Europe’s infrastructure for decades and should not bypass screening.

These measures, Jaap van Etten emphasized, are not about blocking investment: “It is about restoring information symmetry.”  

Concluding with the central message: Economic security and national security are no longer separate domains. They are the same domain. And openness without visibility creates structural vulnerabilities Europe can no longer afford.