Strengthening Cybersecurity Without Undermining Digital Rights

by Kamran Khan Arabzai

When the CrowdStrike outage hit in 2024, the consequences were immediate and visible. Flights were delayed, hospital systems stalled, banking services went offline, and critical infrastructure across several countries was disrupted. For many people, it was a rare moment when the fragility of digital systems became impossible to ignore. What looked at first like a technical malfunction quickly revealed something much larger: modern societies now depend on digital security in the same way they depend on transport, healthcare, and energy.

Across Europe, cyberattacks are growing both in frequency and complexity. Hospitals have been targeted by ransomware, companies have suffered major data breaches, and public institutions are increasingly exposed to sophisticated digital threats. At the same time, governments are under pressure to strengthen law-enforcement powers in response to cybercrime, terrorism, and online exploitation. This has intensified debates around encryption, surveillance, and access to private communications.

The real question is no longer whether cybersecurity matters, but how it can be strengthened without compromising digital rights and public trust. My view is that weakening encryption is the wrong path. Instead, the European Union should focus on stronger institutional capacity, targeted investigations, and systems that are secure by design.

The Core Policy Dilemma: Security and Trust

Cybersecurity policy is often framed as a conflict between privacy and security. On the one hand, encryption protects communications, financial transactions, and sensitive infrastructure. On the other, law-enforcement agencies argue that strong encryption can restrict access to evidence in serious criminal cases.

This framing, however, misses an essential point: encryption is itself part of security. The protection of confidentiality, integrity, and availability in digital systems depends heavily on robust cryptographic safeguards. In other words, the same tools that protect privacy also protect cybersecurity.

This creates a central paradox. Measures introduced in the name of security can, if they weaken encryption, undermine the very foundations of secure digital systems.

The Risks of Weakening Encryption

One of the most controversial proposals in recent years has been the idea of lawful access to encrypted communications, whether through backdoors, exceptional-access mechanisms, or client-side scanning.

The technical problem is straightforward. Encryption cannot be weakened for only one actor. According to cybersecurity agencies, any intentional vulnerability created for state access also becomes a possible point of entry for malicious actors, whether cybercriminal groups or foreign intelligence services.

Recent incidents show how dangerous even unintended vulnerabilities can be. The 2023 MOVEit Transfer breach demonstrated how a single flaw in widely used software could affect hundreds of organizations around the world. If accidental weaknesses can cause damage on that scale, intentionally introducing access mechanisms into secure systems carries obvious risks. This is why many cybersecurity experts argue that there is no safe way to create exceptional access without increasing systemic vulnerability.

The Law-Enforcement Challenge

At the same time, the concerns raised by law-enforcement agencies should be taken seriously. End-to-end encryption can make investigations into terrorism, organized crime, child exploitation, and cybercrime more difficult. The issue is not whether authorities need effective investigative tools. They clearly do. The more important question is whether weakening encryption is the right tool.

I do not believe it is.

Compromising encryption exposes every user of a system to greater risk, while the investigative benefits remain uncertain and often limited. A stronger approach is to improve investigative capability without undermining the infrastructure on which everyone depends.

Alternative Approaches to Cybersecurity

Rather than pursuing broad scanning mandates or exceptional-access systems, the European Union should adopt measures that strengthen both security and law-enforcement effectiveness while preserving rights.

A first step is to rely on targeted investigative powers under judicial oversight. Instead of generalized scanning of private communications, access should be limited to suspect-specific investigations supported by reasonable suspicion and authorized through proper legal procedures. In practice, this can include device-level forensic access, warrant-based account seizure, and metadata analysis. Such measures preserve proportionality while avoiding system-wide vulnerabilities.

The EU should also invest far more in the technical capacity of Europol and national cybercrime units. Greater expertise in ransomware investigations, digital forensics, cryptocurrency tracing, malware reverse engineering, and cross-border evidence recovery would allow authorities to pursue criminals through evidence trails and coordinated operations rather than through broad access to private communications.

Another major priority should be better threat-intelligence sharing across member states. One of the persistent weaknesses in the current European framework is fragmentation. Real-time coordination between CERTs (Computer Emergency Response Teams: specialized groups that handle cybersecurity incidents), telecom providers, financial institutions, cloud services, and law-enforcement bodies would significantly improve resilience. Threat indicators identified in one country should be shared rapidly across the Union to reduce the risk of wider disruption.

The EU should also support privacy-preserving technologies that allow institutions to verify risks without exposing underlying data. Zero-knowledge proofs, secure multiparty computation, and homomorphic encryption (a type of encryption that lets you perform computations on data while it is still encrypted) offer practical ways to detect anomalies and verify signals while preserving confidentiality. These approaches are far more consistent with Europe’s legal and rights-based framework.

Finally, regulation should place greater emphasis on secure-by-design obligations for software vendors and critical infrastructure providers. Regular security audits, rapid patching requirements, vulnerability disclosure mechanisms, and supply-chain risk management are far more effective long-term safeguards than surveillance-based access systems.

Taken together, these measures offer a more credible balance between public safety and digital liberty.

Systemic Risk and the Limits of Access-Based Approaches

A recurring concern in cybersecurity governance is mission creep: tools introduced for narrowly defined purposes often expand in use over time. History shows that systems originally justified for serious criminal investigations can later be applied far more broadly.

This is why strong safeguards are essential. Judicial authorization, transparency requirements, and independent technical oversight should remain central to any framework involving access to digital systems.

It is also important to distinguish between traditional surveillance models and the reality of encrypted systems. In end-to-end encrypted environments, service providers do not themselves have access to message content. Traditional search-and-seizure approaches therefore cannot simply be transferred into the digital sphere without altering the architecture of the system itself.

That is precisely why systemic access mechanisms are uniquely problematic: they do not affect only specific suspects, but the security architecture used by everyone.

Conclusion: Security Through Better Design

Cybersecurity is not simply a matter of enforcement; it is fundamentally a matter of design. Weakening encryption may seem to offer short-term investigative advantages, but it creates long-term structural risks that erode public trust and expose entire digital ecosystems to harm.

A more sustainable approach is to build systems that are secure by design, combining strong encryption, targeted investigations, institutional accountability, and cross-border cooperation. The real choice is not between security and freedom. It is between reactive control and resilient design. In a free society, trust is not a byproduct of security. It is one of its essential conditions.

Photo Credit: Photo by Sasun Bughdaryan on Unsplash 

This piece reflects the author’s views, not necessarily the entire magazine. We welcome a range of pro-liberty perspectives. Send us your pitch or draft.