In today’s cyber threat landscape, allowing users and employees to freely download applications from the internet poses significant risks. If these applications have not been checked for security weaknesses prior to their publication, it is almost impossible for the user to verify whether or not the software is secure and trustworthy.
We often think of users as ‘a grandma’ or ‘a student’, but in 2024 about half of all 445 million persons in the EU were employees (197.6 million). Assuming half of these employees can access work-related data and applications on their mobile phones, the user’s security is in fact business security. SMEs are particularly vulnerable to user security breaches, since they typically have less segregation between corporate and private device management.
Free downloads increase the chances of malware infections, data exfiltration, and shadow IT risks, where employees use unapproved software that creates security blind spots. The risk is so obvious that we can even quantify it: according to Google, apps on external sites that are not currently vetted by Google Play are 19x more likely to contain malware than Play-distributed apps.
In its March 2025 statement, the European Commission published a preliminary finding of a possible breach of the Digital Markets Act, because ‘Alphabet does not effectively allow Android phone users to be told about or directed to cheaper offers from app developers outside the Google Play store’ (Teresa Ribera, Executive Vice-President for Clean, Just and Competitive Transition). Whilst this is a valid commercial argument, there is also a valid user security reason for this limitation: it protects users. If there were no limitations whatsoever, a bad actor could simply distribute a safe app on any app store, and then lure users to harmful, illegal or fake third-party apps. While the user feels safe inside a ‘vetted’ app made available by a known app store, the link out of that app may not have been verified by anybody. Even trusted software can be compromised through updates or supply chain attacks. To make it worse, because the Android system is open, the bad actor could include links to any number of apps available on the open (insecure) Internet.
Google Play Protect alone scans over 200 billion apps every day to protect users from potential malicious software. While these measures are not foolproof, and malicious apps can pass through checks, security limitation measures are absolutely needed.
Without security measures in place, relying on user action or awareness will prove an ever less secure strategy. AI-generated content, code, and attack tactics have made cybersecurity even more complex and difficult to spot with the ‘naked eye’. AI is now being used to automate phishing campaigns, generate polymorphic malware that constantly evolves to evade detection, and create deepfake-based social engineering attacks. In this rapidly shifting environment, relying on human judgment alone is no longer sufficient, especially for SMEs in the EU that may lack dedicated security teams. Thus, ‘empowering’ the user is in fact putting an unmanageable responsibility on the user, both for their own security and for the security of their organisation and networks.
Organisations rely on Google, Apple, and internal BYOD (Bring Your Own Device) security tools to vet applications. Official app stores provide a layer of protection that many SMEs could not build themselves. The new cybersecurity regulations, including NIS2 and the Cyber Resilience Act, place stricter cybersecurity obligations on businesses, increasing the need to control access to software and AI tools. And rightly so.
Admittedly, no security system is 100% effective, but a layered defence strategy, combining restrictive policies, controlled software distribution, and AI-powered security tools, significantly reduces the attack surface. As AI-generated threats become more sophisticated, SMEs cannot afford to rely on outdated security approaches or assume that human oversight alone will catch every risk. Restricting free downloads isn’t about limiting consumer choice or productivity; it’s about future-proofing businesses against an evolving, AI-driven threat landscape.
Ultimately, the EU wants to increase its security, as well as to support the uptake of cybersecurity by SMEs. For this, every effort to provide security vetting or screening, even when it comes from a tech company, should be encouraged and preserved. All too often, convenience takes priority over security. Perhaps we have to discuss yet again: does security take priority over openness? Is a European Space for authenticated cybersecurity services and solutions needed?