2. The demand for cyber security professionals in Europe

In Europe, as in other parts of the world, the reliance on digital technologies within organisations has surged, underlining the critical importance of robust cyber security measures. Increased interconnectedness and use of digital technologies do not only bring economic advantages but are accompanied by heightened cyber risk. This susceptibility necessitates a strategic focus on cyber security, demanding a proficient workforce which is capable of identifying, analysing, and responding to potential threats.

Within this context, there is increasing evidence of a shortage of trained workers in the cyber security sector across the world. According to estimates from (ISC)² (2023[1]) there exists a deficit of over 347 000 cyber security professionals throughout Europe. In France for instance, a shortage of nearly 60 000 cyber security experts was reported in 2023. This news prompted the then-director of the French cyber security agency (ANSSI) to identify “this human resources challenge as the most significant constraint for the future of cyber security in France” (Pollet, 2022[2]). Additionally, organisations such as ENISA (the European Union Agency for Cybersecurity) have issued warnings regarding the shortage of cyber security skills in the broader labour market, not just a shortage of cyber security professionals (ENISA, 2021[3]).

Effectively tracking the evolution of cyber security labour demand and skill requirements is critical to be able to address current and future shortages. To accomplish this objective, timely and detailed information is necessary to shed light on the evolving skill demands in the rapidly changing cyber security landscape. Different data sources can provide valuable insights into the skills required in the cyber security sector. Traditional data sources such as labour force surveys or national accounting data are able to provide information on how many people are working in a certain profession and the contribution of a certain sector to GDP. Using online job postings (OJPs) as a data source offers numerous advantages over traditional methods (Box 2.1). OJPs provide a timely means to track the emergence of skill demands, given their daily collection from online job listings. Additionally, they offer exceptionally detailed insights into the specific technologies and skills that are in high demand within the cyber security field. However, it is worth noting that OJPs may not comprehensively cover all occupations and sectors, particularly those not typically advertised on line, as highlighted by OECD (2021[4]) and Cammeraat and Squicciarini (2021[5]). These limitations, however, are likely to be small in the current study as this investigates a specific part of the labour market demand that is typically channelled through OJPs.

This chapter monitors the evolution of the demand for cyber security professionals from January 2018 to June 2023 in three European countries: France, Germany, and Poland. It leverages the information contained around 80 million OJPs collected from the Internet by Lightcast.1 The remainder of this chapter is divided into two sections. The first section describes the context in which digital occupations are developing and afterwards examines the demand for cyber security professionals over the past five years, as measured by OJPs. This section also includes an overview of the demand for different types of cyber security roles and an analysis of where the demand is located. The second section delves into the education and skills that are demanded from cyber security professionals in the three European countries under examination, using information collected from the job descriptions provided by employers within job postings. Box 2.1 includes some methodological notes useful for interpreting the results.

The impact that the digital transition has on labour markets has garnered significant attention in recent years. A recent study by the OECD (2022[9]), for instance, highlighted the substantial increase in demand for digital professionals across various labour markets, underscoring the rapid integration of digital technologies in workplaces across diverse sectors and occupations. Global trends such as the digital transition and the creation of new technologies do not only propel the demand for cyber security professionals, but also affect the demand for related (digital) occupations. Employers are increasingly adopting cloud computing, artificial intelligence and making more use of data. While these developments lead to opportunities for economic growth, on the one hand, they also lead to more potential cyber security threats, which necessitates a skilled cyber security workforce.

Among the many digital occupations experiencing demand growth, cyber security professionals have stood out for the most rapid growth (OECD, 2023[6]; OECD, 2023[10]). By contrast, the demand for most digital, engineering and maths-related occupations have experienced a slower but more steady growth over time. In many cases, the development and integration of new technologies across sectors are accompanied by a more pressing need for cyber security personnel. For instance, the healthcare sector in France has been actively undergoing digital transformation efforts to improve patient care, streamline operations, and enhance efficiency. This transformation has involved various aspects, including the adoption of electronic health records (L’espace numérique de santé and le dossier médical partagé), telemedicine, and connected medical devices (CNIL, 2022[11]). Large projects like adopting electronic health records require professionals across different occupations to integrate digital solutions, from programmers, data analysts, and lawyers to cyber security experts.

Over recent years, the increasing reliance on technology and digital platforms in various sectors has fundamentally reshaped the nature of work and the skills that are in demand. As businesses and industries have integrated more digital tools and practices into their operations, there has been a surge in the need for professionals with digital expertise. These digital professionals encompass a wide range of roles – from software developers to data analysts. This section describes the context within which the demand for cyber security professionals has emerged, by looking into how digitalisation has impacted the labour market and pushed the demand for digital, engineering and maths-related professionals more broadly across countries. These types of professionals often operate in sectors which experience a relatively high cyber risk.

Results in this section focus on the demand for digital, engineering and maths-related roles by looking into the trend demand of 25 occupations, classified into five occupational groups. The choice of these occupational groups is based on the methodology used in (OECD, 2023[10]), and includes these five occupational groups: 1) Computer and data analysts/administrators; 2) Software developers and programmers; 3) ICT technicians 4) Maths-related professions; and 5) Engineers and technicians.2

The average share of OJPs for digital, engineering and maths-related jobs compared to all OJPs from January 2018 – July 2023 is 6.4% in France, 14.3% in Germany, and 11.7% in Poland.3 A notable observation is the variance in the leading occupational group across the three nations, as determined by the volume of OJPs. In France, computer and data analysts/administrators represent 36.1% of the digital, engineering, and maths-related OJPs. Meanwhile, in Germany, engineers and technicians lead with 37.7% of OJPs. In contrast, Poland sees the highest demand for software developers and programmers, accounting for 42.6% of OJPs (Figure 2.1).

The demand for computer and data analysts/administrators in France is linked to a particularly strong demand for systems analysts (ISCO 2511) and systems administrators (ISCO 2522). These two roles not only rank among the most highly demanded occupations but have also exhibited significant growth in the average number of OJPs per month in between January 2018 – February 2020 compared to March 2020 – June 2023. For instance, the demand for systems analysts nearly tripled, while that for systems administrators increased by 2.5 times. Additionally, data show a larger demand for both ICT technicians (13.6% of all digital, engineer and maths-related OJPs) and for maths-related jobs (12.5%) in France than in the other two countries. The share for ICT technicians is around twice as large compared to Germany, and four times as large as in Poland (Figure 2.1).

Both system administrators and ICT user support technicians are part of the information technology (IT) support ecosystem and contribute to ensuring that an organisation’s IT systems and services function effectively. Information communication technology (ICT) user support technicians are primarily responsible for providing technical assistance and support directly to end-users (ISCO-08). A high demand for these types of jobs can indicate that the use of digital technologies is becoming more integrated in France, which can also lead to an increased demand for cyber security professionals.

The share for maths-related jobs in France is 3.8 times larger than in Germany and nearly twice as large as that in Poland. Financial and investment advisers are the most highly sought-after maths-related role within France. For instance, on average there were around 4 706 OJPs looking to hire people for this role per month in between March 2020 and June 2023. Financial and investment advisers are tasked with developing financial plans for individuals and organisations and managing funds on their behalf (ISCO-08). The finance sector uses sensitive data, and financial institutions are often the target of cyberattacks. Moreover, the financial sector is becoming increasingly reliant on (big) data, heightening the need for cyber security specialists to achieve adequate data protection.

In Germany a significant volume of digital, engineering and maths-related OJPs is allocated to engineers and technicians, accounting for 37.7% of these OJPs compared to 22.8% in France and 25.2% in Poland. The engineering sector has historically been of key importance within the German economy with, for instance, 1.1 million employees working in mechanical engineering in 2021 and a total revenue of EUR 2 096 billion in the manufacturing industry in 2020 (German Federal Foreign Office, 2023[12]). Germany’s industrial landscape is currently undergoing a significant digital transformation, with companies increasingly relying on automation, digital technologies, and artificial intelligence to drive their operations (German Federal Foreign Office, 2023[12]). Companies in the different Germany industry sectors put an emphasis on innovation, with for instance investments of EUR 26 billion in the automotive industry, EUR 9 billion in the electrical industry, EUR 7.2 billion in mechanical engineering, and EUR 5.5 billion in the pharmaceutical industry and ICT in 2021 (Stifterverband, 2023[13]). A digital transformation can lead to increased cyber risks, which in turn increases the importance of having skilled cyber security personnel.

As can be seen from Figure 2.1, the share of OJPs for software developers and programmers is the largest in Poland. This share closely resembles what was observed in Chile and Mexico during the years 2021 and 2022 (OECD, 2023[10]). In Poland, France, and Germany, software developer positions account for 28%, 12%, and 20% of all digital, engineering, and maths-related OJPs, respectively. The relatively high demand for software developers in Poland is in part due to Poland being a highly sought-after “nearshoring” destination in Europe. Nearshoring involves outsourcing specific business operations to a neighbouring country with lower labour costs. While similar to offshoring, enterprises that make use of nearshoring specifically select nearby countries for these operations. Another reason for the high demand is that Poland holds a prominent position in the software development industry within Central Eastern Europe. Approximately 25% of the developer population in this region is located in Poland, constituting roughly 300 000 professional developers spread across various technology hubs within the country (CBI, 2022[14]). The prevalence of OJPs for software developer roles suggests a growing digitalisation in the Polish job market. As digitalisation advances, the likelihood of cyber threats rises, necessitating the development of a skilled cyber security workforce to address these emerging challenges.

Within the context of increased use of digital technologies and data, the need to have specialised cyber security personnel has grown as well. The cyber security profession encompasses a wide variety of different roles and jobs. Most cyber security professionals are in charge of securing data, systems, infrastructure and other cyber resources from failures, hazards and cyber threats that affect an organisation’s mission and operation (World Economic Forum, 2022[15]). This section focuses on tracking the demand for these professionals in France, Germany and Poland in between January 2018 and June 2023, using the information contained in OJPs. As mentioned, this report uses text mining techniques, by matching the text contained in job titles to certain expressions that are indicative of the cyber security sector, to determine which OJPs are looking for cyber security personnel (more details can be found in Annex 2.A).4

In recent years, many European countries have experienced a notable surge in the demand for cyber security professionals, something that is echoed across other regions of the world as well. For instance, (OECD, 2023[6]) shows that especially after 2020, the demand for cyber security professionals increased significantly in countries such as the United States, Canada, the United Kingdom or Australia and New Zealand. Another recent study, (OECD, 2023[10]) shows a strong increase in the demand for cyber security professionals in three Latin American countries in between 2021 and 2022.

Analysis carried out in this report for France, Germany and Poland also illustrates a pattern of increasing demand for cyber security experts from January 2018 to June 2023. Table 2.1 also underscores that the growth of the number of average monthly OJPs for cyber security professionals outpaced that of other occupations in all three countries, especially when comparing the pre-COVID period (January 2018 – February 2020) to the time after February 2020. This result likely reflects the expansion of remote working activities around the world, which imposed new technological challenges for enterprises that faced increased cyber security risk. Poland, in particular, stands out for having experienced a rapid growth after February 2020, with the demand for cyber security professionals having increased three times as fast as that for other occupations. Cyber OJPS in France and Germany, by contrast, saw 1.4 and 1.3 times the growth of other professions (Table 2.1).

Figure 2.2 provides insights regarding the size of the labour market for cyber security professionals. In 2018, job postings seeking cyber security professionals in Germany represented 0.36% of the total job postings. Notably, this figure was nearly twice as high as the share of postings in France and six times greater than that in Poland at that time. This suggests that Germany had already established a more developed cyber security labour market compared to the other two European countries by 2018. By 2023, the share of German cyber security job postings had increased to 0.4%, putting it on par with the figures seen in the United Kingdom in 2022 (OECD, 2023[6]).

Poland started with a smaller share of 0.09%, comparable to the overall share of cyber security job postings in New Zealand between January 2012 and June 2022 (OECD, 2023[6]). However, this share nearly tripled due to the substantial growth in the number of Polish cyber security job postings compared to other professions, placing it in between the levels observed in France and Germany. The shares of cyber OJPs in France and Poland in 2023 were similar to those of Australia and Canada in 2022 (OECD, 2023[6]).

Zooming in at the country level, the number of OJPs for cyber security professionals in France saw a stronger growth than that for non-cyber jobs in between 2018 and 2023, especially during and after the Covid-19 pandemic (Table 2.1).5 France faced labour shortages for high-skilled labour between 2020 and 2021 (OECD, 2021[16]), which is likely to have influenced the proliferation of job postings published on line, encompassing both cyber and non-cyber roles.6

When examining the dynamics of cyber security job postings in France, it becomes evident that specific factors underlie the rapid growth in this field, which has also been stronger than in the average labour market. To start with, the French Government has prioritised the cyber security sector for years, through various national strategies, plans, and investments but has invested even more strongly into this industry in 2021, 2022 and 2023. examples. (See Box 2.2 for more details about France’s national strategy.)

Furthermore, the country witnessed a significant surge in teleworking due to the pandemic, with large shares of French employees continuing to work remotely into 2021 and beyond. For instance, 27% of employees worked remotely in January 2021, compared to 4% in 2019, and 80% of these teleworkers said to want to continue working remotely in the future (Dares, 2022[17]). In 2022, as well, 38% of employees worked from home at least some of the time, and employees’ and employers’ attitudes towards working from home were mostly positive (République Française, 2023[18]). Increased use of working from home elevates the necessity for cyber security measures.

Unlike France and Poland, Germany experienced a more moderate increase in the average monthly number of OJPs for both cyber security and non-cyber security positions when comparing the periods before and after February 2020 (Table 2.1). The relatively slower growth of cyber security OJPs in Germany can be attributed, in part, to the size of the German cyber security market at the beginning of the period analysed, 2018, compared to that in the other countries under study. Similar to what was found in (OECD, 2023[6]) for the United States, a slower rate of growth in the demand for cyber security professionals may reflect an already more mature German cyber security labour market in which growth has perhaps started to slow down. Nonetheless, it is also important to notice that the German Government has had a strong focus on cyber security for years, with its first national cyber security strategy implemented in 2011, which was updated in 2016 and 2021 (CCDCOE, 2020[23]; Federal Ministry of the Interior and Community, 2021[24]). (See Box 2.3 for more information on the most recent German cyber security strategy).

More generally, just like France, Germany experienced a surge in the number of OJPs in both cyber security and non-cyber security jobs in 2020 during the height of the pandemic. However, unlike in France and Poland, the average number of monthly OJPs for both cyber and non-cyber positions decreased in 2021 (Figure 2.4) 7. It is noteworthy, however, that the decrease in average monthly OJPs for cyber security roles in 2021 was lower than that for non-cyber jobs (Table 2.1). Among some of the potential explanations for this result, the surge in teleworking and its accompanied cyber risk led to higher demand for cyber security professions than for other professions as the “SARS-CoV-2 Occupational Safety and Health Ordinance” instituted in January of 2021 obligated employers to offer teleworking opportunities “in the case of office work or comparable activities, unless there were compelling operational reasons to the contrary.” (Bundesministerium für Arbeit und Soziales, 2021[27])). This obligation was removed from the ordinance in March of 2022, but the share of employees that continued to work from home continued to be around 25% (IFO, 2022[28]).

The job market for cyber security roles, compared to non-cyber positions, has experienced the most substantial growth in Poland, as evident in Figure 2.3 and Table 2.1.8 Differences in the starting size of the cyber security market in Poland, France, and Germany are likely reasons for variations in recent growth rates, as shown in Figure 2.2. The German market is more mature, with a larger share and a lower growth rate, while the Polish cyber security market is more up-and-coming. The demand for cyber security specialists in Poland initially trailed behind as evidenced by the low share of cyber security vacancies, the share increased significantly in the last five years, raising to levels that are now higher than in France by 2023.

Moreover, the Polish Government has actively implemented a cyber security policy in 2017, while 2018 marked the year of the adoption of the “Act on the national cyber security system”, which created the legal and organisational basis for building a comprehensive cyber security system in Poland (Ministry of Digital Affairs, 2019[29]). The government developed a further national cyber security strategy in 2019 and made cyber security part of an integrated national security strategy which covered multiple domains (for more information see Box 2.4).

Additionally, Poland’s cyber infrastructure is increasingly targeted by cyber-attacks, especially following the 2022 Russian invasion of Ukraine (ITA, 2023[30]). This has heightened the nation’s risk awareness and likely driven an increased demand for cyber security experts. In 2022, Poland ranked 6th in Europe in terms of cyber threats, experiencing an average of 2 316 attacks per week on public institutions (ITA, 2023[30]).

OJPs can provide a detailed overview of the demand for specific cyber security professionals/roles within the cyber security landscape. This section leverages text mining techniques applied to the job titles used by employers in job postings with the aim to categorise them into different roles, following the approach applied in recent OECD work (OECD, 2023[6]; OECD, 2023[7])9. The analysis focuses on four major roles: cyber security analysts, architects and engineers, auditors and advisors, and managers.

Results in Figure 2.6 and Figure 2.7 show that the distribution of the demand across different cyber security roles in France, Germany and Poland follows a pattern similar to the one observed in the Anglophone countries analysed in OECD (OECD, 2023[6]) and to the one observed in Latin America (OECD, 2023[10]). In both of those cases analysts and architects/engineers represented the majority of the total OJPs for cyber security professionals as well.

Cyber security architects are primarily responsible for designing security solutions that address business needs. According to the NICE Cyber Security Framework by NIST, architects securely provision IT systems, emphasising the design and modelling of security solutions (NICCS, 2023[33]). Engineers, on the other hand, closely collaborate with architects and focus on the processes required for implementing security solutions and integrating them with other IT products, as outlined by the Joint Task Force Transformation Initiative (2018[34]). Both architects and engineers play essential roles in developing comprehensive security solutions, configuring infrastructure, and integrating security technologies, ensuring digital infrastructure resilience against cyberattacks, and incorporating security measures into system and application design.

Across all three countries, job postings for architects and engineers consistently represented the largest share from 2018 to 2023. However, data show that there have been notable changes in the composition of the cyber security demand within countries and over time. In France, for instance, the share of OJPs seeking architects and engineers decreased from 44.9% in 2018 to 38.3% in 2023, while in Germany this increased by approximately 5 percentage points over the same period (Figure 2.6). France instead experienced a substantial surge in demand for cyber security analysts over the same years. Germany also experienced an increase in demand for analysts but, concurrently, there was a significant decline in the proportion of OJPs for auditors, going from 18.1% to 15.5%. Shifts in the demand within the groups of cyber security professionals underscore the evolving dynamics of the cyber security job market which is likely to reflect the adoption of new technologies, processes and priorities of firms.

Similarly to results in (OECD, 2023[6]) and (OECD, 2023[10]) for most of the Anglophone and Latin American countries, cyber security analysts are the second most in-demand cyber security role in both Germany and Poland as well, with a large share of cyber OJPs seeking professionals in this role (Figure 2.6, Figure 2.7). Cyber security analysts play a pivotal role in the protection of digital assets and sensitive information. Their responsibilities involve extracting insights from diverse data sources to support the planning, operations, and maintenance of IT systems security (NICCS, 2022[35]). These professionals analyse and interpret security data, identify vulnerabilities, and implement measures to mitigate digital security risks. The NICE Cyber security Framework recognises their significance with a dedicated category, encompassing specialty areas like exploitation/vulnerability, language, and threat analysis (NICCS, 2023[36]).

In France, cyber security managers, which is the only managerial cyber role, instead is the second most highly sought after role within the cyber security labour market, with 15.7% of the total job postings in 2023 (Figure 2.6). According to the NICE Cyber security Framework, managers fall into the category of “oversee and govern,” which includes all positions in charge of providing leadership, management, and direction to cyber security teams in an organisation. Specifically, this classification defines cyber security managers as professionals overseeing the cyber security programme of an information system or network and managing information security implications within different areas of responsibility (NICCS, 2023[36]). The relatively high demand for cyber security managers suggests a shifting landscape in the French cyber security labour market, indicating a growing emphasis on leadership and governance to effectively address cyber risk, complementing the technical expertise offered by cyber security analysts and engineers.

It is worth noticing that, in addition to the methodology in the two earlier reports in this series, (OECD, 2023[6]) (OECD, 2023[10]), this report also uses keywords related to the general data protection regulation (GDPR) into the strategy to classify cyber security job postings (see Annex 2.A). Given the geographical scope of the analysis, the European Union’s (EU) General Data Protection Regulation (GDPR), for which compliance is obligatory for companies selling products/services in the European Union, becomes highly relevant. The GDPR sets forth guidelines for collecting, processing, and storing personal data for EU citizens (GDPR EU, 2022[37]). The EU’s GDPR and other data privacy regulations place stringent requirements on organisations regarding the protection of personal data (GDPR EU, 2022[37]). Failure to comply can result in substantial fines, making data protection a critical aspect of cyber security.

The inclusion of keywords that are associated with the GDPR into the classification, broadens the scope of cyber security roles to encompass positions like legal experts in GDPR compliance, experts in private data or data protection, and data protection consultants.10 Notably, the inclusion of this relevant aspect of cyber security in the EU has contributed to a large share of demand for auditors and advisors in Germany between January 2018 and June 2023. This group accounted for an average of 17.4% of the total demand for cyber security professionals, a share which is nearly five times larger than in Poland and 5.7 percentage points larger than in France. Cyber security auditors and advisors encompass professionals dedicated to providing both internal and external guidance on the efficiency and compliance of security solutions. A high demand for auditors and advisors means that organisations acknowledge that cyber security encompasses not only the implementation of preventive measures but also the regular evaluation and verification of their effectiveness, as well as effectively incorporating legal frameworks.

Job opportunities in the cyber sector are often geographically concentrated and it is worth examining the distribution of job opportunities for cyber security professionals by comparing the share of cyber security job postings in metropolitan cities to those in other regions. Previous research also indicates that job opportunities for cyber professionals are predominantly concentrated in larger cities (OECD, 2023[6]) (OECD, 2023[10]). In this analysis, metropolitan cities are defined as cities with a population of 250 000 inhabitants or more. According to the latest census data, there are 139 metropolitan cities in France11, 63 in Germany, and 11 in Poland, constituting 15%, 22%, and 17.6% of the population, respectively (INSEE, 2023[38]; Statistics Poland, 2023[39]; Statistische Ämter des Bundes und der Länder, 2023[40]).12

In all three countries, the proportion of cyber security OJPs in metropolitan cities significantly exceeds that of non-cyber OJPs, as illustrated in (Figure 2.8).13 This outcome aligns with expectations, as previous reports also found that cyber security is typically in high demand within major urban areas, where prominent enterprises and government agencies often have their headquarters (OECD, 2023[6]; OECD, 2023[7]). Within larger cities, financial, technological, industrial, governmental, and other sectors often have a large presence. These sectors necessitate secure IT services and infrastructure, along with a skilled workforce capable of safeguarding their operations. The disparity between cyber and non-cyber occupations is most pronounced in France, where the share of cyber security OJPs in metropolitan cities is 1.9 times larger than that of all OJPs. However, in Poland and Germany, the differences are similar, at 1.7 and 1.5 times, respectively. The French Government has recently invested greatly into cyber security in Paris specifically, by building a large cyber campus which opened in 2022 (see Box 2.5).

This section explores some of the characteristics that define the profile sought by enterprises in the cyber security labour market. Using a text mining approach, the analysis looks into the qualifications required by firms in different countries to fill cyber security positions. Additionally, utilising a machine learning approach, it identifies the essential professional and technical skills relevant to the field, with a particular emphasis on the latest emerging technologies demanded by enterprises.

Qualifications are among some of the key aspects that enterprises use to select qualified candidates in the cyber security job market. In order to analyse education requirements, this report employs text mining techniques applied to OJPs in the year 2022 (see Annex 2.C). It is worth noting that, while education requirements are not available for significant share of the OJPs considered in this report the available information is still of great help to characterise the cyber security workers’ profile by retrieving the typical educational degrees demanded by firms across labour markets over thousands of different job postings. The shares of OJPs without explicit education requirements range between 30% and 35% (Figure 2.9). This is likely due in part to employers increasingly focusing on experience and on informal forms of education to signal cyber security skills instead of requiring formal degrees.

Results indicate that across all three countries analysed in this study, enterprises typically look for cyber security workers with tertiary education (ranging between 73% and 99% of the job postings for which education requirements are published).

Figure 2.9 shows that bachelor’s degree is the most prevalent education requirement in both Germany and Poland. The different education levels in Figure 2.9 described in more detail in Box 2.6. In Poland, 87.1% of job postings specifying education requirements request a bachelor’s degree, with 11.8% requesting a master’s degree. In Germany, 68.4% of job postings require a bachelor’s degree, with an additional 4.4% seeking candidates with a master’s degree. This emphasis on bachelor’s degrees is a prevailing trend in these highly technical professions. A similar pattern was observed in English-speaking countries, with 83% of the job postings reflecting this trend (OECD, 2023[6]). Notably, (ISC)² characterises a cyber security professional as an individual with a strong educational background, with 86% of respondents holding at least a bachelor’s degree or higher ((ISC)2, 2021[45]).

By contrast, the majority (54.2%) of French employers that explicitly mention an educational requirement in their vacancies for cyber security professionals, request a master’s degree. Interestingly, the demand for master’s degrees in France is about 12 times larger than in Germany and 4.6 times larger than in Poland. At the same time, the share of job postings that seeks candidates with a bachelor’s degree is much lower in France than in Germany and Poland, accounting for just 13.8% of those with explicit requirements. As is shown in Chapter 3, enrolment in cyber security education is highly focused in higher education programmes including bachelor’s and master’s degrees. Most of the positions open to candidates with ISCED level 7 education advertise that candidates need to have “bac + 5” or have obtained a diploma from an engineering school (l'école d'ingénieurs). “Bac + 5” signifies five years of education following the acquisition of a high school diploma, which is equivalent to obtaining a master’s degree. Engineering schools in France provide education in technical subjects, like informatics and cyber security, at a master’s level and produce approximately 35 000 graduates every year (Government of France, 2018[46]).

Additionally, a significant share of job postings in France requests short-cycle tertiary education (28.1% of OJPs with explicit education requirements). In France, this type of education is more prevalent than in other countries, with 12% of individuals having obtained it (OECD, 2023[7]). In some countries, such as Poland programmes at the ISCED 4 and 5 levels do not exist. These educational paths lead to degrees known as “brevet de technicien supérieur” (BTS) or “Diplôme universitaire de technologie” (DUT) (Box 2.6). These types of qualifications are often offered at “university institutes of technology”. Most cyber security positions that specify this type of education are related to system administrator and technician positions. Short-cycle tertiary education is, instead, rare in Germany and Poland and only 0.4% and 0.1% of the German and Polish population respectively hold such degrees (OECD, 2023[7]).

Figure 2.9 shows that in contrast to France and Poland, a significant share of OJPs in Germany (20.2% of those with explicit education requirements) seek candidates with post-secondary non-tertiary education. Data for Germany show, for instance, that employers look for candidates who have completed an “Ausbildung,”, a vocational training programme, typically at a vocational school. This form of education is often pursued alongside employment with a company, resulting in both a diploma and valuable work experience. Cyber security OJPs requesting ISCED level 4 qualifications in Germany also commonly emphasise the importance of practical experience and sometimes even offer support in obtaining further qualifications.

The extensive adoption of digital technologies, along with the emergence of new cyber threats is reshaping the skill requirements for cyber security professionals. This dynamic and highly technical landscape presents challenges for both the demand and supply sides of the labour market, creating a shortage of skilled and qualified individuals in the job market who can effectively fulfil roles in cyber security and adequately address a variety of cyber threats. While shortages in the field have been well-documented over the years, they continue to have a significant impact on countries throughout Europe and worldwide (ENISA, 2021[3]). Within individual countries and specific sectors, these challenges can be even more pronounced due to intense competition for a limited number of security professionals. This often results in certain sectors, such as governments and central banks, struggling to attract highly skilled security professionals compared to other sectors, like the finance industry, which can offer more financially rewarding employment opportunities (ENISA, 2021[3]).

To formulate policies that effectively bridge the cyber security skills gap, there is a need for comprehensive data that accurately characterises the demand and supply of skills in this sector. Traditional labour market data, while valuable, often lack the granularity and timeliness needed to provide a nuanced understanding of this dynamic landscape. The analysis of online job postings can help foster such an understanding, equipping policy makers with insights into the precise skills that are in demand within the cyber security field. This, in turn, enables policy makers to tailor their capacity-building efforts, respond to evolving labour market needs, and foster a skilled workforce that can thrive in the dynamic cyber security landscape.

This section examines the specific skill requirements mentioned by employers in cyber security online job postings. In particular, the analysis presented in Figure 2.10 employs Natural Language Processing (NLP) techniques (see Box 2.7) to identify the most relevant technical and professional skills required by employers seeking cyber security professionals in each country analysed. Technical skills refer to specialised knowledge or expertise required to perform specific tasks within the profession, while professional/transversal skills encompass broader skills not limited to a particular job or discipline but applicable in various situations or work environments.14

Results in Figure 2.10 indicate that transversal skills are typically much less relevant than technical skills in cyber security job postings in Germany and Poland, while in France both types of skills often hold near equal significance. Professional skills have reportedly gained importance in the cyber security sector, for instance, a report on the state of the cyber security profession indicates that 54% of the surveyed managers report deficiencies in ‘soft’ skills among cyber professionals (ISACA, 2022[51]). This underscores the importance for cyber security professionals to possess both technical and professional skills in order to meet the requirements set up by employers.

This report has expanded which roles are classified as cyber security jobs, by including highly relevant keywords on data protection and GDPR. This has resulted in the emergence of a wider range within the important skills as depicted in Figure 2.10 than in (OECD, 2023[6]) (OECD, 2023[10]). For instance, the skills “managing IT security compliances” in France is highly relevant. In line with the notable presence of auditors and advisors in Germany, knowledge of ICT security legislation and standards, along with information security strategy skills, are even the three most relevant skills found in the OJPS for German cyber security professionals. These skills go beyond programming abilities or familiarity with certain software or tools, but instead encompass legal and regulatory aspects.

Programming and familiarity with software and digital tools is paramount in the three countries analysed. In Germany for instance, cloud technologies such as Microsoft Azure show high relevance for cyber security personnel in the demands of employers. In France and Poland, instead familiarity with the technology “Cisco” is often asked from cyber security professionals. In Poland, OJPs for cyber security personnel frequently use the keywords “cloud technologies” (without specifying a particular technology). This is in line with analyses by the (ISC)2 that emphasise cloud computing security among the most relevant skills for cyber security professionals ((ISC)2, 2021[45]).

Zooming in on France, cyber security personnel are often asked for knowledge on “applying operations in an ITIL based environment”. The Information Technology Infrastructure Library (ITIL) is a widely adopted framework for IT service management (Axelos, 2023[52]), which has five so-called service operations processes. Although ITIL does not have an emphasis on cyber security, it provides guidance for organisations in managing their IT services. By incorporating ITIL into their cyber security practices, organisations can establish robust incident/event management processes, ensure proper access management and align IT security management efforts with overall IT service management objectives (Coursera, 2023[53]).

In Poland, the most sought-after skills revolve around areas like ICT networking hardware, virtual private network implementation, and web programming. This aligns with the predominant demand for architects and engineers in the field, which accounted for an average of 45% of cyber-related OJPs between January 2018 and June 2023. This trend also likely reflects Poland’s focus on technical proficiency and infrastructure management in the realm of cyber security.

Overall, according to (ISC)², professionals within the cyber security market are expected to combine technical expertise (such as proficiency in programming, cloud computing, and IT infrastructures) with security strategy skills (including governance, risk assessment and compliance or threat intelligence) ((ISC)2, 2021[45]). This allows them to develop security systems that not only shield businesses from cyber threats but also ensure compliance with internal and external regulations. This multifaceted mix of skills can be found in cyber OJPs in France, Germany, and Poland as well.

When focusing the analysis on the demand for professional skills, instead of technical skills, OJPs in France and Germany primarily ask for conceptual thinking, proficiency in spreadsheets, and an understanding of business processes (Figure 2.10). Given the ever-evolving nature of cyber threats, professionals in this field need to continually adapt and evolve their techniques and approaches to tackle emerging challenges. Conceptual thinking forms a cornerstone for implementing technical solutions against cyber threats. Interestingly, in Poland, there is instead a more pronounced emphasis on self-reflection, vigilance, and public speaking.

In contrast to the findings presented in (OECD, 2023[10]), explicit demand for English language skills is not among the skills with the highest relevance in the European cyber OJPs, even though English is not the native language in any of the three countries. These European countries have generally achieved a good proficiency in English, with for instance Germany and Poland ranking among countries with very high proficiency, and France as moderate proficiency (EF, 2022[54]). That being said, despite being an implicit requirement in cyber security jobs in Europe, it is important to notice that proficiency in English language ensures that potential barriers to skill development are minimal, given that the majority of relevant training materials, industry standards, and certifications are predominantly available in this language.

Labour markets evolve rapidly, and the intensity of skill demands can change over time. While some skills may become more mainstream and demanded in a wider range of occupations, other skill demands may remain niche and concentrated in a specific set of occupations for a long time. Most cyber security-related skills are highly technical and it is interesting to see whether the demand for these is diffusing across the labour market more generally or whether the demand remains concentrated in more technical and cyber-related occupations.

The analysis in this section uses machine learning indicators (see Box 2.8, Annex 2.A and Annex 2.D) to evaluate the information contained in OJPs in between 2019 and 2022. This is done in order to assess whether the demand for different types of cyber security skills has been diffusing across an increasing number of non-technical/non-cyber occupations or whether, instead, these demands have become more concentrated in a narrower set of cyber and technical occupations.

Whether the demand for a certain skill becomes more mainstream (i.e. “more diffused across occupations”) or, instead, more specialised (i.e. “with fewer connections with other skill demands”) is likely to be determined by the complexity of the skill under consideration. For instance, while the demand for basic digital skills is likely to be spreading to a wider range of occupations at a fast pace (including non-technical occupations), other- more sophisticated - digital skills (such as the cyber security-related ones) may remain the domain of very technical occupations.

Table 2.2 highlights an interesting trend: data for both France and Germany show that the demand for cyber security skills15 has become increasingly more concentrated and specialised. In other words, the number of ‘connections’ (see Box 2.8) between cyber security skills and other skills across the whole database of OJPs has become smaller, signalling that keywords connected to cyber security skills are prevalently found in a narrow set of work contexts and occupations. This result holds also when comparing these connections with the average skill in the database, meaning that the majority of the cyber security skills have become more specialised and at a faster pace than the average skills in the examined economies.

While caveats apply to this analysis as time series used in this report are not very long, results show that the pace of change is most rapid in France, indicating that cyber security skills are becoming more concentrated at a significantly higher rate when compared to the average skill in the labour market. Furthermore, the data show that the skill “cyber security” is significantly less well-connected than the average skill in both 2019 and 2022, reinforcing the notion that it is only required within a limited and specific subset of jobs. In Germany, results also indicate that the demand for cyber security skills is increasingly becoming more targeted to a narrow set of OJPs, though to a lesser extent than in France.

Results for Poland show, instead, a different trend. The analysis shows that the skill keyword “cyber security” has become more connected over time, being used in a wider range of OJPs in different occupations and mentioned with a wider set of other skill keywords. This result is likely related to the fast expanding cyber-security sector in Poland which started very small (and very concentrated) at the beginning of the period and grew significantly in recent years to encompass a larger set of roles.


[1] (ISC)2 (2023), 2023 Cybersecurity Workforce Study, https://www.isc2.org/Research (accessed on 15 January 2024).

[45] (ISC)2 (2021), Cybersecurity Workforce Study 2021. A Resilient Cybersecurity Profession Charts the Path Forward, https://www.isc2.org/-/media/ISC2/Research/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx.

[66] Adăscăliței, D. and T. Weber (2021), The pandemic aggravated labour shortages in some sectors; the problem is now emerging in others, http://eurofound.link/ef21082 (accessed on 18 September 2023).

[42] ANSSI (2021), Un Campus Dédie À La Cybersecurité, https://www.ssi.gouv.fr/agence/cybersecurite/un-campus-dedie-a-la-cybersecurite/ (accessed on 4 September 2023).

[19] ANSSI (2011), Information systems defence and security - France’s strategy, https://www.ssi.gouv.fr/presse/communiques-de-presse/ (accessed on 3 November 2023).

[52] Axelos (2023), ITIL® 4: the framework for the management of IT-enabled services, https://www.axelos.com/certifications/itil-service-management/ (accessed on 1 June 2023).

[55] Brin, S. and L. Page (2012), “Reprint of: The anatomy of a large-scale hypertextual web search engine”, Computer Networks, Vol. 56/18, pp. 3825-3833, https://doi.org/10.1016/j.comnet.2012.10.007.

[27] Bundesministerium für Arbeit und Soziales (2021), ARS-CoV-2-Arbeitsschutzverordnung (Corona-ArbSchV), https://www.bundesanzeiger.de/pub/publication/5QH1uegEXs2GTWXKeln/content/5QH1uegEXs2GTWXKeln/BAnz%20AT%2022.01.2021%20V1.pdf?inline (accessed on 4 September 2023).

[5] Cammeraat, E. and M. Squicciarini (2021), “Burning Glass Technologies’ data use in policy-relevant analysis: An occupation-level assessment”, OECD Science, Technology and Industry Working Papers, No. 2021/05, OECD Publishing, Paris, https://doi.org/10.1787/cd75c3e7-en.

[14] CBI (2022), The European market potential for software development services, https://www.cbi.eu/market-information/outsourcing-itobpo/software-development-services/market-potential (accessed on 4 October 2023).

[23] CCDCOE (2020), National Cybersecurity Organisation: Germany, https://ccdcoe.org/uploads/2020/12/Country_Report_DEU.pdf (accessed on 28 September 2023).

[11] CNIL (2022), L’espace numérique de santé (ENS ou Mon espace santé) et le dossier médical partagé (DMP) : questions-réponses, https://www.cnil.fr/fr/lespace-numerique-de-sante-ens-ou-mon-espace-sante-et-le-dossier-medical-partage-dmp-questions (accessed on 17 October 2023).

[53] Coursera (2023), What Is ITIL? A Beginner’s Guide to the ITIL Process, https://www.coursera.org/articles/what-is-itil (accessed on 5 May 2023).

[17] Dares (2022), Télétravail durant la crise sanitaire - Quelles pratiques en janvier 2021? Quels impacts sur le travail et la santé?, https://dares.travail-emploi.gouv.fr/sites/default/files/5171e9d0f2d214774c44afc82353563a/Dares-Analyses_Teletravail-durant-crise-sanitaire-Partiques-Impacts.pdf (accessed on 4 September 2023).

[44] Demagny, X. (2022), Qu’est-ce que le campus cyber, inauguré ce mardi à la Défense ?, https://www.radiofrance.fr/franceinter/qu-est-ce-que-le-campus-cyber-inaugure-ce-mardi-a-la-defense-8773053 (accessed on 19 September 2023).

[54] EF (2022), EF English Proficiency Index - 2022 Edition, https://www.ef.com/assetscdn/WIBIwq6RdJvcD9bc8RMd/cefcom-epi-site/reports/2022/ef-epi-2022-english.pdf (accessed on 17 October 2023).

[3] ENISA (2021), Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education, https://www.enisa.europa.eu/publications/addressing-skills-shortage-and-gap-through-higher-education/ (accessed on 4 September 2023).

[49] European Commission (2023), Germany - Secondary and post-secondary non-tertiary education, https://eurydice.eacea.ec.europa.eu/national-education-systems/germany/post-secondary-non-tertiary-education (accessed on 16 October 2023).

[50] European Commission (2023), Poland - Upper secondary and post-secondary non-tertiary education, https://eurydice.eacea.ec.europa.eu/national-education-systems/poland/upper-secondary-and-post-secondary-non-tertiary-education (accessed on 25 October 2023).

[48] European Commission (2022), France - Secondary andn post-secondary non-tertiary education, https://eurydice.eacea.ec.europa.eu/national-education-systems/france/secondary-and-post-secondary-non-tertiary-education (accessed on 16 October 2023).

[59] Fadic, M. et al. (2019), “Classifying small (TL3) regions based on metropolitan population, low density and remoteness”, OECD Regional Development Working Papers, No. 2019/06, OECD Publishing, Paris, https://doi.org/10.1787/b902cc00-en.

[26] Federal government of Germany (2023), Robust. Resilient. Sustainable. Integrated Security for Germany - National Security Strategy, https://www.nationalesicherheitsstrategie.de/National-Security-Strategy-EN.pdf (accessed on 18 November 2023).

[25] Federal government of Germany (2021), Cyber Security Strategy for Germany, https://www.bmi.bund.de/EN/topics/it-internet-policy/cyber-security-strategy/cyber-security-strategy-node.html (accessed on 6 November 2023).

[24] Federal Ministry of the Interior and Community (2021), Cyber Security Strategy for Germany, https://www.bmi.bund.de/EN/topics/it-internet-policy/cyber-security-strategy/cyber-security-strategy-node.html (accessed on 25 September 2023).

[22] French government (2023), Communique de Presse - France 2030 | Le Gouvernement lance une nouvelle vague de l’appel à projets pour, https://www.economie.gouv.fr/files/files/2023/communique_AAP_cybersecurite.pdf (accessed on 6 November 2023).

[21] French government (2023), Stratégie nationale « Cybersécurité » de France 2030 : deux nouveaux projets lancés dans le cadre du Programme de recherche (PEPR), https://www.gouvernement.fr/strategie-nationale-cybersecurite-de-france-2030-deux-nouveaux-projets-lances-dans-le-cadre-du (accessed on 16 November 2023).

[20] French government (2022), Stratégie nationale d’accélération pour la cybersécurité : les premières réalisations, https://www.economie.gouv.fr/strategie-nationale-acceleration-cybersecurite (accessed on 16 November 2023).

[37] GDPR EU (2022), Does the GDPR apply to companies outside of the EU?, https://gdpr.eu/companies-outside-of-europe/ (accessed on 15 May 2023).

[12] German Federal Foreign Office (2023), Industrieland Deutschland – die wichtigsten Fakten, https://www.deutschland.de/de/topic/wirtschaft/deutschlands-industrie-die-wichtigsten-zahlen-und-fakten (accessed on 30 October 2023).

[43] Gouvernement de la France (2021), Un plan à 1 milliard d’euros pour renforcer la cybersécurité, https://www.gouvernement.fr/actualite/un-plan-a-1-milliard-d-euros-pour-renforcer-la-cybersecurite (accessed on 16 September 2023).

[46] Government of France (2018), Les formations d’ingénieur, https://www.enseignementsup-recherche.gouv.fr/fr/les-formations-d-ingenieur-46426 (accessed on 30 October 2023).

[32] Government of Poland (2020), National Security Strategy of the Republic of Poland 2020, https://www.bbn.gov.pl/ftp/dokumenty/National_Security_Strategy_of_the_Republic_of_Poland_2020.pdf (accessed on 16 November 2023).

[28] IFO (2022), In Germany, Number of People Working from Home Barely Lower despite End of Remote-Working Obligation, https://www.ifo.de/en/press-release/2022-05-09/germany-number-people-working-home-barely-lower-despite-end-remote-working (accessed on 11 September 2023).

[63] INSEE (2023), Employment, Unemployment, Earned income 2022 Edition, https://www.insee.fr/en/statistiques/7455561?sommaire=7455576 (accessed on 16 October 2023).

[38] INSEE (2023), Évolution et structure de la population en 2020 - Commune - France hors Mayotte, https://www.insee.fr/fr/statistiques/7632446?sommaire=7632456#consulter (accessed on 4 September 2023).

[56] International Labour Organization (n.d.), Updating the International Standard Classification of Occupations (ISCO) - Draft ISCO-08 Group Definitions: Occupations in ICT, https://www.ilo.org/public/english/bureau/stat/isco/docs/d2434.pdf (accessed on 23 April 2023).

[51] ISACA (2022), State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations, https://www.isaca.org/go/state-of-cybersecurity-2022.

[30] ITA (2023), ICT Cyberattacks In Poland Take Place Every 9 Minutes, https://www.trade.gov/market-intelligence/poland-ict-cyberattacks-poland-take-place-every-9-minutes#:~:text=According%20to%20Noventiq%20analysts%2C%20today,week%20to%202316%20per%20week. (accessed on 4 September 2023).

[34] Joint Task Force Transformation Initiative (2018), Risk management framework for information systems and organizations:, National Institute of Standards and Technology, Gaithersburg, MD, https://doi.org/10.6028/nist.sp.800-37r2.

[41] L’institut Paris Region (2023), Paris Region Facts and Figures 2023, https://en.institutparisregion.fr/resources/publications/paris-region-facts-and-figures-2023/ (accessed on 4 September 2023).

[58] Manca, F. (2023), “Six questions about the demand for artificial intelligence skills in labour markets”, OECD Social, Employment and Migration Working Papers, No. 286, OECD Publishing, Paris, https://doi.org/10.1787/ac1bebf0-en.

[57] Microsoft (2022), Regular Expression Language - Quick Reference, https://learn.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference (accessed on 4 April 2023).

[61] Ministère de l’Enseignement Supérieur et de la Recherche (2023), État de l’Enseignement supérieur, de la Recherche et de l’Innovation en France n°12 - annexes, https://publication.enseignementsup-recherche.gouv.fr/eesr/FR/EESR12_Annexe_8/les_niveaux_de_formation/ (accessed on 30 October 2023).

[60] Ministère de l’Enseignement Supérieur et de la Recherche (2021), Nomenclature relative au niveau de diplôme, https://www.enseignementsup-recherche.gouv.fr/fr/nomenclature-relative-au-niveau-de-diplome-45785 (accessed on 23 October 2023).

[29] Ministry of Digital Affairs (2019), Cybersecurity strategy of the Republic of Poland for 2019-2024, https://digital-skills-jobs.europa.eu/en/actions/national-initiatives/national-strategies/poland-cybersecurity-strategy-republic-poland-2019 (accessed on 4 September 2023).

[31] Ministry of Digital Affairs (2017), National Framework Of Cybersecurity Policy Of The Republic Of Poland For 2017-2022, https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/Cybersecuritystrategy_PL.pdf (accessed on 16 November 2023).

[33] NICCS (2023), Systems Architecture: Security Architect, https://niccs.cisa.gov/workforce-development/nice-framework/specialty-areas/systems-architecture (accessed on 14 March 2023).

[36] NICCS (2023), Workforce Framework for Cybersecurity (NICE Framework), https://niccs.cisa.gov/workforce-development/nice-framework (accessed on 5 May 2023).

[35] NICCS (2022), NICE Cybersecurity Workforce Framework Work Roles, https://niccs.cisa.gov/workforce-development/nice-framework/work-roles/cyber-defense-analyst (accessed on 5 May 2023).

[6] OECD (2023), Building a Skilled Cyber Security Workforce in Five Countries: Insights from Australia, Canada, New Zealand, United Kingdom, and United States, OECD Skills Studies, OECD Publishing, Paris, https://doi.org/10.1787/5fd44e6c-en.

[10] OECD (2023), Building a Skilled Cyber Security Workforce in Latin America: Insights from Chile, Colombia and Mexico, OECD Skills Studies, OECD Publishing, Paris, https://doi.org/10.1787/9400ab5c-en.

[7] OECD (2023), OECD, https://gpseducation.oecd.org/Home (accessed on  October 2023).

[9] OECD (2022), Skills for the Digital Transition: Assessing Recent Trends Using Big Data, OECD Publishing, Paris, https://doi.org/10.1787/38c36777-en.

[16] OECD (2021), OECD Economic Surveys: France 2021, OECD Publishing, Paris, https://doi.org/10.1787/289a0a17-en.

[4] OECD (2021), OECD Skills Outlook 2021: Learning for Life, OECD Publishing, Paris, https://doi.org/10.1787/0ae365b4-en.

[2] Pollet, M. (2022), Cybersécurité : la pénurie de talents risque de « limiter » les efforts de l’Europe, https://www.euractiv.fr/section/economie/news/cybersecurite-la-penurie-de-talents-risque-de-limiter-les-efforts-de-leurope/?_ga=2.140043636.698086420.1694012923-1631724028.1692711101 (accessed on 18 September 2023).

[18] République Française (2023), 2023, l’année de la maturité pour la qualité de vie en télétravail ?, https://www.pole-emploi.org/accueil/actualites/2023/2023-lannee-de-la-maturite-pour-la-qualite-de-vie-en-teletravail.html?type=article (accessed on 4 September 2023).

[39] Statistics Poland (2023), Area and population in the territorial profile in 2023, https://stat.gov.pl/en/topics/population/population/area-and-population-in-the-territorial-profile-in-2023,4,17.html (accessed on 4 September 2023).

[40] Statistische Ämter des Bundes und der Länder (2023), Fortschreibung des Bevölkerungsstandes, Code 12411, https://www.regionalstatistik.de/genesis/online?operation=abruftabelleBearbeiten&levelindex=1&levelid=1693476532184&auswahloperation=abruftabelleAuspraegungAuswaehlen&auswahlverzeichnis=ordnungsstruktur&auswahlziel=werteabruf&code=12411-01-01-5&auswahltex (accessed on 29 September 2023).

[13] Stifterverband (2023), Forschung Und Entwicklung In Der Wirtschaft 2021, https://www.stifterverband.org/sites/default/files/2023-04/fue-facts_2021.pdf (accessed on 30 October 2023).

[64] The Local.de (2021), Germany ’desperately searching’ for skilled workers to plug shortage, https://www.thelocal.de/20210623/germany-desperately-searching-for-skilled-workers-to-plug-shortage (accessed on 30 October 2023).

[47] UNESCO (2018), International Standard Classification of Education - ISCED 2011, https://uis.unesco.org/en/topic/international-standard-classification-education-isced (accessed on 20 October 2023).

[62] UNESCO (2017), ISCED data mapping, https://isced.uis.unesco.org/data-mapping/ (accessed on 20 October 2023).

[8] UNESCO - UNEVOC (2023), UNESCO TVETipedia Glossary: Technical Skills, https://unevoc.unesco.org/home/TVETipedia+Glossary/lang=en/show=term/term=Technical+skills (accessed on 1 March 2023).

[65] Weber, E. and C. Röttger (2021), No Big Quit in Germany, https://blogs.lse.ac.uk/covid19/2021/11/24/no-big-quit-in-germany/ (accessed on 19 September 2023).

[15] World Economic Forum (2022), Global Cybersecurity Outlook 2022, https://www.weforum.org/reports/global-cybersecurity-outlook-2022/ (accessed on 1 March 2023).

The online job postings (OJPs) data provided by Lightcast for European countries are mapped to the International Standard Classifications of Occupations (ISCO-08), a four-digit hierarchical classification used to categorise each OJP in one of the several occupations contained in this structure. However, for the purpose of identifying cyber security job postings, the ISCO-08 lacks granularity. Within the two-digit group “ICT professionals” (25), the four-digit occupation “Database and network professionals not elsewhere classified” (2529) includes occupations performing some tasks related with the cyber security profession, such as “encrypting data transmissions and erecting firewalls”, “regulate access to safeguard information” or “performing risk assessments”, but it is not limited to this occupation (International Labour Organization, n.d.[56]).

In this context, leveraging the text available in the job titles contributes to obtaining a more precise classification of cyber security job postings. For this purpose, this report uses a classification strategy based on regular expressions. This concept refers to sequences of characters provided to an algorithm to match patterns in a text (Microsoft, 2022[57]).

The first four rows in Annex Table 2.A.1 show the regular expressions selected for classifying the OJPs. These expressions are firstly based on (OECD, 2023[10]), which, secondly, was complemented evaluating hundreds of the most frequent bigrams (all the possible combinations of two words) extracted from the job titles available in English, French, German and Polish. Thirdly, additional search terms which are representative of the cyber industry in France were added, with their translations into the other three languages. Lastly, for OJPs that matched the regular expression of “(?i)system(?=.*network)” or “(?i)network(?=.*system)”, the most highly demanded skills were evaluated per job posting, to see if in that particular case, the job could be viewed as a cyber job. After a manual review of the results for each country, additional expressions were necessary to exclude some jobs misclassified in the first stage, as shown in the second row in Annex Table 2.A.1.

Within the cyber security OJPs there is a variety of roles demanded by enterprises. Identifying these roles can be useful to characterise cyber security job markets with more detail than traditional labour markets’ data sources. Specifically, job titles are once again a rich source of information useful to extract this feature. This report uses an approach based on keywords matches to classify each online job posting in a given role.

Based on (OECD, 2023[6]) and (OECD, 2023[10]), four groups of roles are considered: analysts, architects and engineers, auditors and advisors, and managers. The approach assigns different keywords to each group that allows the algorithm to classify each OJP in the appropriate role. Annex Table 2.A.2 shows the keywords selected for each group, as well as a sample of the job titles classified on each of them. If not classified in one of the groups, job postings are assigned to the category “others”.

Recent developments in Natural Language Processing (NLP) are useful to leverage the semantic meaning of the information contained in the OJPs. Specifically, a word embedding approach is applied to generate a semantic representation of each word in an n-dimensional vector, where each dimension indicates a specific context item. This representation allows for the calculation of mathematical similarity measures to represent the similarity between different skills and professions/occupations. In particular, the approach taken in this report leverages ‘Word2Vec’, an NLP algorithm developed in 2013 by researchers in Google.

To obtain the most relevant skills for cyber security professionals, the analysis in this report creates a Semantic Skill Bundle Matrix (SSBM) by calculating the cosine similarity index between all possible combinations of skills and professions. The cosine similarity index is based on the cosine of the angle between vector representations of words. When a pair of words are closely related, the angle of their vectors is closed to 0 and the cosine is close to 1. Conversely, when the cosine is negative the words can be related but are opposite in meaning. Specifically, the calculation of the index for occupation A and skill B is:

CosSimA,B= (AB)AB

Applying this approach is, therefore, possible to assess whether the skill “Excel” is more relevant to the occupation “economist” or to “painter”, based on the semantic closeness of these words’ meanings extrapolated from millions of job postings. This is used, in turn, to generate indicators of the relevance of technical and professional skills for cyber security professionals based on the language/semantic analysis of the text contained in the OJPs in each country considered.

Recent OECD work (Manca, 2023[58]) validates the assumption by which semantic similarity scores derived from word embeddings can be used as a measure of skills relevance for each occupation. In particular, the report compares the results of the similarity scores with expert constructed scores available in the O*NET database. It shows that correlation between similarity scores and the O*NET values is positive, strong (0.62) and statistically significant across all possible combinations of occupations and skills.

The standard classification of a metropolitan region is a Territorial Level 3 (TL3) region for which more than 50% of its population live in a functional urban area (FUA) of at least 250 000 inhabitants. TL3 regions are smaller territorial regions that together make-up a region at the first administrative tier of subnational government (TL2). In case of France for instance, the TL2 regions are the régions, while the TL3 regions départements. FUAs consist of cities and their corresponding hinterlands, areas which are close to the cities. (Fadic et al., 2019[59]).

The current report, by contrast, uses even smaller regional areas, which are called metropolitan cities. This level is used to analyse where the demand for cyber security professionals is located. Cities are chosen as a reference point, due to the availability of the data on job postings in the Lightcast datasets. The datasets contain information on the level of “commune” in France, “gemeinde” in Germany, and “miasto” in Poland, but for ease of referencing these are all called cities in the report.

Cities with 250 000 inhabitants or more are designated as metropolitan cities. While metropolitan cities are part of metropolitan regions, a metropolitan region can encompass a larger area. According to the latest census data, there are 139 metropolitan cities in France, including the communes within Greater Paris or the “Métropole du Grand Paris”, 63 in Germany, and 11 in Poland, constituting 15%, 22%, and 17.6% of the population, respectively (INSEE, 2023[38]; Statistics Poland, 2023[39]; Statistische Ämter des Bundes und der Länder, 2023[40]).

The data provided by Lightcast include the original text posted online for advertising each vacancy. This piece of data is a valuable source of information that allows researchers to classify OJPs based on different features, such as education, experience, location, among others. In this case, leveraging the text available in the OJPs description contributes to obtaining a more precise and comparable classification of the level of education required in each country.

The approach implemented for classifying OJPs by minimum ISCED16 level required by employers implies two main steps. First, extracting chunks of text located around words related to education. The objective of this step is to frame the context for text classification and mitigate errors for words that can have different meanings depending on the context. This is the case, for instance, of the word licence in French which refers to a degree in the education context but can also be related to IT application licenses that are part of complementary requirements for the position or to tasks and responsibilities named in the job vacancy.

It is important to note that, in the case of France, nearly half of the OJPs posted in 2022 included the expression “BAC+X”. This expression provides a classification relative to the level baccalauréat, with X being the years of education required (after receiving the baccalauréat) to obtain a diploma (more information is available in Ministère de l'Enseignement Supérieur et de la Recherche (2021[60])). In this case, the X associated with each expression was extracted from the text and mapped to its corresponding ISCED level based on previous mappings made by official institutions (Ministère de l'Enseignement Supérieur et de la Recherche, 2023[61]). When an OJP includes more than one expression, an additional rule was applied to select the lower number extracted from the expressions.

The second step involves looking for specific keywords by country to identify the level of education required. The keywords selected (see Annex Table 2.C.1) are the result of reviewing the ISCED mapping available on the UNESCO web page (UNESCO, 2017[62]) and the chunks of text extracted from the OJPs description. By actively reviewing the text extracted from the job vacancies descriptions, this methodology maintains its data-driven approach allowing the use of words in English, as some of the descriptions in the OJPs were fully written in English, or more colloquial words used by employers, such as “m1” or “mba” or “fh” (referring to the fachhochschule in Germany). Additionally, this approach also allows the inclusion of other expressions that can indirectly reflect a minimum level of education. This is the case of formation supérieure in France, which can be assumed to signal the need for a qualification above the baccalauréat.

Since some OJPs can include different keywords associated with different ISCED levels, the classification starts by identifying those job vacancies including keywords linked to the lowest level (ISCED 3). Once these OJPs are classified, it continues looking for keywords for the next ISCED level (4 or 5) and in the remaining OJPs, and so on. This order ensures that the classification assigned to each OJP corresponds to the lowest level found.

Finally, this approach includes some limitations. Given that the classification relies on a list of keywords, it is possible that some specific words are missing and, therefore, some OJPs can be misclassified or not classified. To mitigate this risk, this approach implied a continuous check of the OJPs without classification looking for new keywords to introduce in the list. Additionally, different variations of the same words were introduced to account for possible mistakes in words with special characters. This is especially important in Poland. In that sense, OJPs not classified in any of the ISCED levels cannot be categorised as if they would not require an education or training qualification. Therefore, they are presented as “not classified”.

When using job postings to examine the influence of certain skills and technologies across labour markets, several previous studies have focused on counting the increase in the frequency with which the terms related to digital technologies have been mentioned across job postings.

Metrics based on the simple count of the frequency of skill mentions are, however, likely to miss whether such an increase has been concentrated in a small number of sectors/occupations or if, instead, technology and skill demands have actually spread across a wide variety of sectors and occupations, truly permeating labour markets.

In order to accurately capture the growth in the influence of cyber security skill demands across the labour market, this chapter uses machine learning techniques applied to the analysis of online job postings (OJPs) to examine to what extent cyber security skills are interconnected with other skills across job vacancies and in employers’ recruitment requirements.

A vector representation of skill keywords in a n-dimensional space is used to assess the connections across skills and, as such, the degree by which skills are pervasive in the online job market. The connections between a group of keywords can be represented by a so-called skill graph. In such a graph, the keywords extracted from online vacancies represent the vertices (also called nodes) which can be either connected when both vertices co-occur in a specific job vacancy or disconnected when both vertices never co-occur in the same vacancy.

An adjacency matrix can be built to represent these skill co-occurrences.17 Whenever a skill co-occurs with another skill in a certain job vacancy, the row corresponding to the skill “A”, and the column corresponding to the skill “B” will get the value 1. Note that the adjacency matrix is symmetric, meaning that the co-occurrence between skills is undirected and therefore commutative.

One can use this adjacency matrix to calculate the eigenvector centrality (EVC) for each skill. The power iteration algorithm is used to derive the relativity score for each vertex v in the network. Given a graph G, and adjacency matrix A, the relative centrality score of a certain skill v can be defined as:


This measure serves as an important indicator for contextual diversity and the importance of certain skills as compared to other skills in the network. In graph theory, the “eigenvector centrality” is a measure that is commonly used to assess the influence of a node in a network or, in other words, to measure the degree of connectedness of a keyword with the rest of words in the text under examination. Originally, these measures were developed by researchers in Google and used in the PageRank algorithm to quantify the importance of the connections among web pages based on the textual information contained in it (Brin and Page, 2012[55]). The same measure can, however, be used to capture the number of connections that a skill keyword has with other skills as well as the ‘quality’ of those connections, where higher quality connections are those with other skills that are also highly connected to the rest of the skills in the vector space. To only consider skills which have at least some influence, the lowest 10% of skills in terms of EVC in 2022 are removed from the analysis.

The measure of interest is the change in EVC between 2019 and 2022, compared to the average change in EVC across all skills in between those years. This is used in the analysis to measure the degree by which skills have become less influential in the labour market. This measure is computed for each skill keyword analysed in the database of OJPs. A loss of influence of a skill means a decrease of the connections of that particular skill with other skill demands across job postings, hence an indication of how much that skill is being more concentrated in the labour market in a smaller number of OJPs and occupations.


← 1. https://lightcast.io/.

← 2. The five groups consist of different jobs at the four-digit ISCO level, which were chosen because of their affinity with algorithms, digital skills and use of (big) data. For a list of all selected occupations and their groups selected see Annex 2.E.

← 3. However, it should be noted that all of these jobs are more likely to be advertised on line than jobs in other occupations as they are high-skill occupations (Cammeraat and Squicciarini, 2021[5]), which means that these shares might be an overrepresentation of the share over the total labour market demand.

← 4. A notable difference with the method expressed in (OECD, 2023[10]) is that keywords about the general data protection regulation (GDPR) have been included for every country, leading to a broader classification of jobs as cyber security jobs.

← 5. This growth unfolded within a context of fluctuating economic conditions. In particular, while the French GDP decreased significantly (-8%) in 2020 due to the pandemic, it rebounded by 6.8% in 2021 (OECD, 2021[16]). It is worth noting that the implementation of short-time work schemes during the pandemic played a crucial role in safeguarding employment, during this recession in 2020 (OECD, 2021[16]), which means that the employment numbers in France went from increased by 965 000 in 2021 after decreasing by 175 000 in 2020 (INSEE, 2023[63]), despite the steeper drop in GDP.

← 6. This is due to the tendency for high-skilled positions to be prominently featured in the digital job market, reflecting the changing landscape of job recruitment practices (Cammeraat and Squicciarini, 2021[5]).

← 7. The growth of OJPs in 2020 can partially be attributed to increased shortages in skilled labour during that year, for which decreased immigration from other European countries was a contributing factor (Adăscăliței and Weber, 2021[66]). Inward migration in Germany fell by around 25% in 2020 due travelling restrictions during the pandemic, which led to increased difficulties finding craftspeople, engineers, nurses, care workers, cooks and metal workers (The Local.de, 2021[64]). This diminished number of average monthly OJPs in 2021 was paired by a decrease in unemployment, but research showed that 56% of unemployed that found a job at the end of 2020 and the first two quarters of 2021 returned to their old job (Weber and Röttger, 2021[65]). It is unlikely that these positions were first advertised on line.

← 8. It should be noted, however, that the coverage of the OJPs in Poland is less extensive than for Germany and France.

← 9. For further details on the methodology, please see Box 2.1 and Annex 2.A. Figure 2.6 presents the number of OJPs (Panel A) and the shares (Panel B) in the demand of four cyber security roles: analysts, architects and engineers, auditors and advisors, and managers. Following the inclusion of keywords about the general data protection regulation (GDPR), a larger share of auditors and advisor roles are found among the cyber security jobs.

← 10. Examples of corresponding French, German and Polish job titles would be: Juriste Conformité - Compliance et RGPD, Juriste Protection des Données Personnelles, Consultant Datenschutz, Volljurist It- Und Datenschutzrecht, and Prawnik w Zespole TMT/IP & Data Protection.

← 11. Including the communes within Greater Paris or the “Métropole du Grand Paris”.

← 12. For further details on metropolitan cities, please refer to Annex 2.B.

← 13. The figure only includes those OJPs for which the location was known, 74% in France, 74.2% in Germany and 80.9% in Poland.

← 14. For instance, skills like communication, teamwork, planning, writing, project management, budget management, Excel, leadership and teaching can be seen as transversal, as they are demanded across a diverse set of occupations (OECD, 2021[4]).

← 15. The OJPs in the three countries under consideration do not all contain the same cyber security skills. The largest number of cyber skills can be found in Germany, followed by France. In Poland only one explicit cyber security skill is demanded across OJPs.

← 16. International Standard Classification of Education. It is the international reference for classifying education programmes and qualifications by levels.

← 17. The extracted skill graph forms an undirected acyclic graph, meaning that skills do not co-occur with themselves. As a result, the diagonal of the adjacency matrix is 0.

Legal and rights

This document, as well as any data and map included herein, are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area. Extracts from publications may be subject to additional disclaimers, which are set out in the complete version of the publication, available at the link provided.

© OECD 2024

The use of this work, whether digital or print, is governed by the Terms and Conditions to be found at https://www.oecd.org/termsandconditions.