Support the call for Memory Safety incentives in EU cybersecurity policies


2025-10-31 Author: Hugo van de Pol announcement

Improving Europe's cybersecurity posture through memory safety

With the upcoming Cyber Resilience Act in the EU mandating a secure-by-design development process, we urge organisations and individuals to support our statement "Improving Europe's cybersecurity posture through memory safety".

The statement is a joint effort by secure-by-design experts at leading organizations, including Siemens Mobility, Sovereign Tech Agency, OpenSSF, Google, the Linux Foundation, the Rust Foundation, and national cybersecurity committees.

See the How to show support section to add your name to the call.

Executive summary:

“The number of cybersecurity incidents that affect European citizens and businesses is rising at an alarming rate. 70% of the vulnerabilities in major digital systems built on decades-old technologies share the same root cause and can be prevented by using modern, memory-safe technology.

This technology is mature, perfectly fits Europe’s forthcoming secure-by-design approach to cybersecurity, and is the most effective way to protect Europe’s cybersecurity, to reduce cybersecurity costs, and to foster innovation.

However, its adoption rate is slow due to a lack of short-term economic incentives. We’ve now left the door wide open: attackers eagerly exploit vulnerabilities in our major digital systems.

The supporting organisations call on European and national policymakers to act, out of obligation as well as untapped opportunity: to provide clear incentives and support for the large-scale adoption of memory-safe technology.”

The full statement can be read here.

The time is now

Having established a lack of awareness among EU and national policymakers, Tara Tarakiyee and I, Hugo van de Pol, initiated and led joint discussions with security experts and industry stakeholders, and authored the statement as a result.

This lack of awareness contrasts sharply with the proactive involvement of the Cybersecurity and Infrastructure Security Agency (CISA), among others, in the USA from 2023 onwards. With the CRA on its way, and the examples of CISA et al. at our disposal, now is the time for the EU to act.

How to show support

If you agree with our position that memory safety should be on the EU and national cybersecurity agendas, please consider adding your name to this statement to show your support. You can support the statement as an organisation or as an individual.

Having your name on the statement does not come with any further commitments; it is simply to indicate your agreement with the statement.

Indicating your support is easy: send an email to Hugo van de Pol in which you state the name of the supporting organisation, or your name and affiliation.

If you know someone who might do the same, please feel free to send them this web page and/or the PDF of the statement.

Contributors

Contributions to this statement were made by:

  • Josh Aas, Internet Security Research Group
  • Rebecca Rumbul, Rust Foundation
  • Thomas Rooijakkers, TNO
  • Jeffrey Vander Stoep, Google
  • Benjamin Schilling
  • Christian (fukami) Horchert, CrabNebula Ltd.
  • prof. dr. H.J. Bos, Vrije Universiteit Amsterdam
  • Erik Poll, Radboud University
  • Harry van Haaren, Openchip

List of participating individuals and organisations

Supporting organizations:

... more tba

Supporting individuals:

tba

About the authors

Tara Tarakiyee is a Technologist at Sovereign Tech Agency, who works on designing, supporting and mobilizing resources to encourage, sustain and maintain our open digital infrastructure.

Hugo van de Pol is Director at Tweede golf and Board member at Trifecta Tech Foundation, who has been advocating the use of memory-safe technologies like Rust for years.



