European private equity flows into cybersecurity as AI threats reshape critical infrastructure defence
Firms including Eurazeo and PSG Equity target defence and infrastructure protection as EU commits €1.3 billion to digital resilience
Private equity investors are significantly increasing capital allocation to European cybersecurity firms, a shift driven by artificial intelligence-enabled threats to critical national infrastructure. The UK government’s Energy Sector Cyber Security Strategy, issued last month, warned that hacktivist groups and high-capability state actors are increasingly targeting these systems for political effect. This heightened threat landscape has created mandatory spending obligations across the continent, prompting firms such as Eurazeo and PSG Equity to target companies providing defence and infrastructure protection.
Eurazeo, a Paris-based private equity firm, recently invested in Nextron Systems, a Frankfurt-based cybersecurity group specialising in threat intelligence and cyber forensics. Nextron derives 60 per cent of its revenue from critical infrastructure, public sector, and defence clients. The firm has also previously backed the merger of Bridewell, a UK company focused on national infrastructure, with French specialists I-Tracing, alongside partners Oakley Capital and Sagard.
Other investors in the space include Boston-based PSG Equity, which backed Glasswall, a UK group using patented technology to rebuild files and eliminate malware and ransomware risks. These services are utilised by government intelligence, defence, and financial services clients. Jan Haase, managing director at Eurazeo, noted that the interest in cybersecurity for critical infrastructure corresponds to a structural shift in the threat landscape.
The barrier to entry in this sector remains high, requiring years to obtain security clearances and local trust. However, this complexity creates a durable competitive advantage for portfolio companies. Mark Smith, managing director at Houlihan Lokey, observed that critical infrastructure clients are less price-sensitive because they prioritise the best available technology over cost. The fragmented nature of European languages and regulatory regimes further entrenches these positions.
Regulatory pressure is now a primary driver of sustained, non-discretionary spending. The EU has committed €1.3 billion to the sector between 2025 and 2027 through the Digital Europe Programme. This funding accompanies the NIS2 Directive and the Digital Operational Resilience Act, which came into force in late 2024 and early 2025, making cybersecurity investment a legal obligation across energy, transport, and financial services.
Houlihan Lokey’s Q4 2025 Cybersecurity Quarterly Update highlights the scale of the identity management challenge, reporting that non-human identities now outnumber human identities in the average enterprise by 144 to one in the first half of 2025, up from 92 to one a year earlier. Cecilie Oerting of Greenbrook noted that AI has transformed attacks from opportunistic efforts into highly engineered operations, resulting in more frequent incidents across private equity portfolio companies.
