Calling for memory safety incentives in EU cybersecurity policies

2025-12-17 Author: Hugo van de Pol announcement

Today we publish the statement "Improving Europe's cybersecurity posture through memory safety", calling on European and national policymakers to provide clear incentives and support for the large-scale adoption of memory-safe technology.

The statement is a joint effort by secure-by-design experts at leading organizations, including Siemens Mobility, Sovereign Tech Agency, OpenSSF, Google, the Linux Foundation, the Rust Foundation, and national cybersecurity committees.

It has been endorsed by European companies at the forefront of technology, such as Infineon Technologies AG, as well as industry and academic experts, including specialists at Signify, Volvo Cars, Radboud University, and Delft University of Technology.

Executive summary:

“The number of cybersecurity incidents that affect European citizens and businesses is rising at an alarming rate. 70% of the vulnerabilities in major digital systems built on decades-old technologies share the same root cause and can be prevented by using modern, memory-safe technology.

This technology is mature, perfectly fits Europe’s forthcoming secure-by-design approach to cybersecurity, and is the most effective way to protect Europe’s cybersecurity, to reduce cybersecurity costs, and to foster innovation.

However, its adoption rate is slow due to a lack of short-term economic incentives. We’ve now left the door wide open: attackers eagerly exploit vulnerabilities in our major digital systems.

The supporting organisations call on European and national policymakers to act, out of obligation as well as untapped opportunity: to provide clear incentives and support for the large-scale adoption of memory-safe technology.”

View or download the full statement here.

The time is now

We have established a lack of awareness among EU and national policymakers. This contrasts heavily to the proactive involvement of the Cybersecurity and Infrastructure Security Agency (CISA), among others, in the USA from 2023 onwards.

With the CRA on its way, now is the time for the EU to act.

Looking ahead

We're looking forward to presenting our point of view to EU and national policymakers, and to continuing to advocate for faster adoption of modern memory-safe technology in 2026. We're aiming to bring this statement to various events in 2026 and will keep you updated on where to find us.

Get involved

Our primary goal is to bring memory safety to the forefront of current policy discussions, and we need your help to do it.

If you are involved in relevant European or national policy making, or can put us in contact with someone who is, please reach out to Hugo van de Pol.

Supporting organisations

Supporting individuals

Leon Bouwmeester, director of engineering at Hue Connected, Signify
Julius Gustavsson, Expert System Architect, Volvo Cars
Till Kamppeter, lead of OpenPrinting
Mario Goffredo D'Andrea
Matthias Endler, Corrode
Bernard van Gastel, Radboud University
Frederic Ameye
Irakli Tabagari
Prof. Achim D. Brucker, University of Exeter (Chair in Cybersecurity)
Mathias Payer, Associate Professor at EPFL Alexios Voulimeneas, Assistant Professor at TU Delft
Prof. dr. Jaap-Henk Hoepman

Contributors

Contributions to this statement were made by:

Josh Aas, Internet Security Research Group
Rebecca Rumbul, Rust Foundation
Thomas Rooijakkers, TNO
Jeffrey Vander Stoep, Google
Benjamin Schilling
Christian (fukami) Horchert, CrabNebula Ltd.
prof. dr. H.J. Bos, Vrije Universiteit Amsterdam
Erik Poll, Radboud University
Harry van Haaren, Openchip,
Marius Gläß, Bundesamt für Sicherheit in der Informationstechnik
Joao Rebelo, S2E Systems B.V.

About the authors

Tara Tarakiyee is a Technologist at Sovereign Tech Agency, who works on designing supporting and mobilizing resources to encourage, sustain and maintain our open digital infrastructure.

Hugo van de Pol is Director at Tweede golf and Board member at Trifecta Tech Foundation, who has been advocating the use of memory-safe technologies like Rust for years.