About Prof. Dr. Dennis-Kenji Kipker
Prof. Dr. Dennis-Kenji Kipker is the scientific director of the cyberintelligence.institute in Frankfurt am Main and a visiting professor at the private Riga Graduate School of Law in Latvia, established by the Soros Foundation. His research focuses on issues at the intersection of law and technology in cybersecurity, corporate strategy, and digital resilience in the context of global crises, with a particular emphasis on Chinese and U.S. IT law. Kipker advises the German federal government and the European Commission. In the U.S., he volunteers with the World Justice Project.
Professor Dr. Dennis-Kenji Kipker, the Zukunftskongress calls you "one of the leading minds in cybersecurity in Germany." How would you describe your role?
Primarily, I aim to promote transparency, innovation, and education in digital resilience. We see every day how digital challenges are growing, not just for society but also for the state and the economy. And it’s not only about cyberattacks but also about networking and digitalization in general. What can we rely on? What are reliable sources of information? How do technology and threat landscapes evolve? Which product can I use?
In these central questions, there is still a lot of uncertainty, even among IT experts, because digital resilience is increasingly complex. From data protection to scalability, economic viability, technological sovereignty, supply chain security, and determining whether a product is truly cyber-secure – these are the intersections where I work with the cyberintelligence.institute to provide answers and explanations, using scientific methods in direct and practical cooperation with business, government, and society.
Companies and government institutions are striving to become more independent from non-European providers. How important is digital sovereignty for Europe from your perspective?
Digital sovereignty is definitely a future topic, not only in the EU but worldwide. Where we massively outsourced IT over the past 30 years, the goal now is to bring capabilities back to local regions. This shift has both economic and political/legal motivations. For example, U.S. data protection has repeatedly posed issues in the past, despite our heavy reliance on U.S. software and cloud services. This is evident in discussions around providers like Microsoft.
This issue extends further when we consider the digital supply chain in products and services, asking ourselves how dependent we are on certain companies and how vulnerable this supply chain has become in recent years. In IT, we need to consider how geopolitical conflicts affect the availability of raw materials and technology from specific regions. These questions played a much smaller role a few years ago.
The U.S. "CLOUD Act" is a frequent source of concern for companies in Europe. What legal risks exist for companies that rely on U.S. providers?
This is precisely one of the issues with digital sovereignty that we are discussing today. The fact is: U.S. data protection is essentially only on paper. After Safe Harbor and then Privacy Shield were struck down, it is realistic that the current agreement, the EU-U.S. Data Privacy Framework, could face a similar fate. Although some improvements have been made in the U.S., such as creating independent oversight and new data protection rights, this is still insufficient. In the U.S., data protection is not seen as a personal right in the same way as in the EU or Germany – instead, it is more about who can monetize my data and whether I can benefit from it.
The current data protection guarantees in the U.S. are based mainly on "Executive Orders," a kind of presidential decree, established by President Biden. In the case of an unfavorable election outcome with an "America First" stance, such an order could be repealed overnight, leaving many companies with immediate compliance issues. This is what I meant earlier – the IT landscape has become far more complex than it may initially appear.
How can Europe create a stronger basis of trust in its own technologies and compete with large global players?
We need to much more actively promote European innovation and expertise than in the past. Politically, this has perhaps been neglected because governments tend to think and plan only from one election to the next, which is quite short-sighted. We cannot simply undo this unfavorable situation overnight.
However, it’s also true that we in Germany and the EU are not as poorly positioned in terms of digital sovereignty as often portrayed in the media. We have European and national providers for many IT solutions – they may be slightly more expensive or offer fewer features, but much of this is a matter of habit in line with the old IT mantra "never touch a running system". Moving away from this approach may be uncomfortable at first and involve higher initial costs, but it will be necessary.
Companies are increasingly relying on cloud solutions, yet there are still concerns about data protection. What do you think are the biggest misconceptions about using cloud services?
One of the main misconceptions is that it’s still only about cost-efficiency and scalability. The concept of "cloud compliance" is becoming more critical, as risks in the digital supply chain increase regulatory demands on cloud usage. Companies cannot outsource indiscriminately without checking where and why.
However, there are too few incentives to ensure the security and trustworthiness of cloud providers. Yes, there are certifications like C5, but they are far from a comprehensive cloud cybersecurity standard. And at the European level, lobbying by major hyperscalers makes it difficult to establish uniform cloud security requirements. So, in short: the biggest misconception is thinking that with the cloud, you can hand over all IT responsibilities. It doesn’t work that way; there’s no "plug-and-play IT" unless you ignore the associated risks.
What should companies pay special attention to when choosing a cloud provider?
Data protection and cybersecurity – not just price and functionality. If I choose a provider that I know already meets European data protection and cybersecurity requirements, it becomes much easier to provide the necessary evidence to customers and authorities. Especially regarding the digital supply chain, it is becoming increasingly difficult to obtain and verify the required proofs.
One can draw an analogy with many other situations: if I choose a bank account at a regional bank, I do so to have a local contact person available if needed. If I buy a computer or a car nearby, it’s often to make it easier to claim warranty rights. The same principle applies to the cloud: as a user, I need the ability to quickly and easily contact a company I trust.
Some argue that the EU’s focus on data protection stifles innovation and international competitiveness. Can you understand this criticism?
This argument is often used because it sounds plausible at first glance and can be marketed polemically. However, the fact is that we see a massive increase in cybersecurity and data protection violations worldwide. We cannot simply digitize recklessly and then face data breaches afterward. And we are increasingly seeing that the trustworthiness of IT is crucial. This is a topic of daily political discussion on how to ensure such trustworthiness. Data protection and cybersecurity are constitutionally enshrined in the EU, and that is essential and correct in these times.
What do you see as the future of IT security law in the coming years? What new challenges will companies face?
IT security law began about ten years ago with protecting critical infrastructure, which was a very limited area. Back then, the BSI (German Federal Office for Information Security) was known only to experts, and cyber incidents were rarely covered by the media. Now, we can say with certainty that this situation has fundamentally changed. Cybersecurity has become a general requirement, even a prerequisite for entering the European single market.
This development is not over; it has just begun. Companies will face more demands on digital resilience but also on implementation. I see this as a major challenge because it requires funding, personnel, and possibly difficult decisions at the management level. All of this combined will not be an easy path.
We’d like to give you the final word: is there a topic or important message we haven’t discussed but that is close to your heart?
Absolutely! "Security by Design" will be the mantra of the IT future, as processes can only be as secure as the products on which they are based. As we have seen throughout this interview, product security often falls short. That’s why, during European Cybersecurity Month, the cyberintelligence.institute launched a new campaign to help establish greater cybersecurity from the outset. We are working with manufacturers and consultants to define joint standards for a secure, reliable, and sustainable IT future.
This post is part of Stackfield's expert interview series. The responses reflect the views of the interviewed expert and do not necessarily represent Stackfield's opinion. Participation in this interview is voluntary and paid. We thank Mr. Kipker for his responses.