Forum Europe’s Annual Cybersecurity Conference returned to Brussels in September 2025, bringing together over 200 delegates from across Europe and beyond.

 

Marking its 12th edition, the event once again convened leading stakeholders to examine Europe’s evolving cybersecurity policy landscape and the operational realities shaping the continent’s digital resilience.

The Republic of Moldova's Doina Nistor delivers her keynote address at the 12th Annual European Cybersecurity Conference.

Amid accelerating digital transformation and increasingly sophisticated cyber threats, this year’s edition built on its strong legacy. Opening with a powerful keynote, Doina Nistor, Deputy Prime Minister and Minister of Economic Development and Digitalisation of the Republic of Moldova, set the tone with a clear message:

‘Cybersecurity is not only about data and systems. It is about democracy itself.’

She called for deeper collaboration with the European Union to build the tools, incentives, and funding mechanisms that support both practical compliance and long-term resilience.

'We don’t have the luxury of five to ten years. For us, the timeline is one to two years.'

Reframing Moldova’s role in the cybersecurity landscape, Nistor invited partners, investors, and innovators across Europe to consider Moldova a hub of innovation and resilience. Not just as a frontline state on Europe’s Eastern border. 

‘We are not just a cyber battlefield ‘but a playground for innovation. Together, we can turn Europe’s eastern frontline into a frontline of innovation — building a Europe that is not only digital and safe, but also connected and protected, modern and resilient.’

Ilias Chantzos, Broadcom, with the microphone in Session 1, 'EU Cybersecurity Policy at the Digital Decade’s Midpoint: Harmonisation, Implementation, Simplification and Future Directions.'

Titled 'EU Cybersecurity Policy at the Digital Decade’s Midpoint: Harmonisation, Implementation, Simplification and Future Directions', the day's opening panel marked a high-level examination of the EU's evolving cybersecurity frameworks.

Bringing together key stakeholders from across the ecosystem, the discussion examined the challenges, contradictions, and opportunities involved in harmonising complex legislation across all 27 Member States. Given the importance of this sentiment, it emerged as a defining theme that resonated throughout the conference.

Since the adoption of the first NIS Directive, the EU has introduced a cascade of new regulations: NIS2, DORA, the Cyber Resilience Act (CRA), the Cyber Solidarity Act, and more. These instruments are designed to create a structured, proactive approach to cybersecurity. But as the panel noted, turning legislation into action is not easy.

As in many other areas of EU policy, ambitions for harmonisation are often undermined by national differences. These divergences frequently manifest in varied legal frameworks, administrative traditions, and operational capacities across Member States. Or As Alfredo Veneziani, ACN, explained, ‘harmonisation is the goal,’ ‘but fragmentation is the reality.’

 

Cisco's Chris Gow speaks in Session 1, 'EU Cybersecurity Policy at the Digital Decade’s Midpoint: Harmonisation, Implementation, Simplification and Future Directions', at the 12th Annual European Cybersecurity Conference.

Moving beyond the earlier discussion, this session also featured Joanna Pawelek-Mendez of Poland’s Ministry of Foreign Affairs, who offered a thoughtful reflection on the role of sovereignty in the EU’s cybersecurity strategy. Rather than viewing sovereignty as a retreat into isolationism, she encouraged delegates to understand it as the freedom to make decisions independently.

With mixed reactions, her comments prompted wider discussion about how sovereignty can coalesce with our interconnected digital landscapes.

‘Sovereignty is about freedom. Sovereignty is about freedom of decision. And if I’m free to decide, and if I’m free to act, I’m sovereign.’
Joanna Pawelek-Mendez, Minister-Counsellor for International Aspects of Cyber Policy, Ministry of Foreign Affairs Poland

Chris Gow of Cisco responded by highlighting the practical implications of the sovereignty debate, particularly in relation to cloud infrastructure. He noted that while increasing control is valuable, it often involves trade-offs, including higher costs and reduced flexibility: ‘Let’s be surgical,' he advised. Indeed, for both Gow and Ilias Chantzos, Broadcom, sovereignty is best approached through careful risk assessment and context-specific decisions rather than through broad or prescriptive frameworks.

Session 2 at the 12th Annual European Cybersecurity Conference.

Into the second session, and as the European Union intensifies its efforts to build a more competitive and sovereign cybersecurity ecosystem, panellists tackled the complex interplay between investment, regulation, and European market dynamics. With a rich mix of voices from across industry, government, and civil society, this discussion addressed the essential question: how can Europe scale its cybersecurity market, and who gets to lead it?

Framed by rising geopolitical threats and fast-evolving technologies, the session delved into Europe’s regulatory and investment landscape, its fragmented internal market, and the balance between openness and control. While participants diverged on methods, they were unified in recognising the stakes: the EU must act decisively to ensure it can defend its digital infrastructure, empower domestic providers, and remain a global player in cybersecurity.

‘We made a mistake becoming so dependent on non-European cloud providers. Vendor lock-in, lack of switching mechanisms — now we’re paying the price.’
Danielle Jacobs, Beltug

Notably, this session also saw MEP Aura Salla call for the prioritisation of European firms in public contracts. Arguing that ‘we need to put European companies first when it comes to procurement’, she said that Europe’s over-regulation had stifled homegrown tech growth, urging reforms to the EU’s Capital Markets Union and insolvency laws.

‘Cybersecurity is a team sport.'
Jeremy Rollison, Microsoft

Session 3 exploring the so-called 'Human Factor in Cybersecurity.'

Long viewed as the weakest link in cybersecurity, the so-called ‘human factor’ in cybersecurity took centre stage in the final session before lunch. Focusing on two key areas, the panel reached a clear consensus on both the scale of work required and the central role individuals play in strengthening Europe’s overall cybersecurity.

The discussion first turned to the role of victim shaming and the stigma often attached to cyberattacks. Siggi Stefnisson, CTO of GEN Digital, offered a compelling case, sharing details of an incident with his own son. He highlighted the profound embarrassment and distress that often accompany victimhood, as well as the lasting impact such experiences can leave behind.

Moving to the session's second key theme, the conversation shifted to the importance of education and training. Drawing on initiatives at GEN Digital, Stefnisson outlined his proactive approach to talent development, stating, 'We don’t wait for talent. We build it.'

In lieu of this, the panel explored Europe's cybersecurity workforce shortage. With a staggering 299,000 unfilled roles across the continent, panelists acknowledged the progress of initiatives like the European Commission’s Cyber Skills Academy, but emphasised that current efforts fall short of what’s needed. To this end, the European Commission’s Anne-Sophie Diel called for cybersecurity education from birth. Highlighting the Commission’s commitment to this ambition, she underscored the demand for investment in training and skills development. 

 

Session 4, titled 'Understanding the Vulnerabilities and Opportunities of Digital Technologies in Cybersecurity.'

With speakers again representing the entire cybersecurity value chain, session four marked a comprehensive review of today’s complex and rapidly evolving cyber threat landscape.

Exploring this landscape, Noortje Henrichs, NCSC Netherlands, offered a detailed view of recent attacks in the Netherlands. Ranging from ransomware on healthcare data to advanced espionage, her key message was that attackers exploit the easiest vulnerabilities available rather than relying on sophisticated techniques.

‘Attackers that we see nowadays don't really need innovative technology. They use the strategies that takes them the least effort.’
Noortje Henrichs, NCSC Netherlands

Arguing that resilience must be built into infrastructure, operations, and policy frameworks, Roberto Cascella, European Cybersecurity Organisation, emphasised that cybersecurity must now go beyond protection. ‘It's important to prepare, to be really resilient,’ he explained. Given the level of digital transformation and the rise of gen. AI, he noted that we cannot expect ‘to stop all possible attacks.’

Preparing for 2035, what Cloudfare’s Christian Reilly called ‘Q-Day’ (the point at which quantum computers are capable of decrypting today’s encrypted data) also featured in this compelling session. Comparing it to Y2K, he noted that ‘history doesn't repeat, but it rhymes’, suggesting that traditional encryption protocols will become redundant through quantum computing.

Pointing to the risk of ‘harvest now, decrypt later’ attacks, he highlighted hybrid encryption as a practical transitional step, noting that organisations can already implement quantum-safe TLS 1.3 protocols.

Mark Vael, ESKO, in focus during the first thinking point, 'CxO’s perspectives: Cybersecurity in Practice – Operationalising Cybersecurity and Resilience.'

In the first of the agenda’s key discussion points, participants examined how cybersecurity and resilience are being implemented in practice across critical sectors. In a wide-ranging conversation, the discussion spanned areas including finance, hardware manufacturing, and software packaging, highlighting the varied approaches and challenges across industries.

Reframing cybersecurity and resilience as a mindset rather than an act of compliance, Aleksandra Kulikova of Euroclear opened the session with a clear message: cyber resilience is no 'tick-box exercise' but must instead be deeply embedded in an organisation’s DNA. She noted the challenge of balancing capacity-building work with the urgency required for emerging technologies like AI, IoT, and quantum computing. These, she explained, act as risk amplifiers with systemic implications for the system.

Again, as in other sessions, there was broad consensus that compliance and resilience must go hand in hand. Regulations such as DORA, NIS2, and the Cyber Resilience Act were seen as useful frameworks but not sufficient by themselves.

‘It takes a village to protect the ICT ecosystem.’
Skip Mann, Lenovo

The thinking point also took stock of the AI landscape, and its intersection with cybersecurity. Indeed, there was strong criticism of the so-called hype cycle surrounding AI, especially those lacking basic controls or frameworks.

In the second thinking point, a sit down with Lithuania’s Rocas Jonikas, he offered practical insights into how Lithuania, on the EU’s eastern frontier, operationalises cybersecurity amidst threats from state-sponsored actors.

Jonikas explained how Lithuania is rolling out the NIS2 Directive through a three-layer cybersecurity defence model, with Security Operation Centres (SOCs) forming the first line. ‘We are as strong as our weakest member,’ he explained to MLex’s Matthew Newman.

 

Rockas Jonikas, Lithuania's National Cybersecurity Centre, in conversation with MLex's Matthew Newman.

Deconstructing the day’s discussions, the final panel sought to explore the wider context, locating Europe's place in a borderless online world.

Given this, reflecting on the ‘UN norms of responsible state behaviour in cyberspace’ Manon Le Blanc, EEAS, emphasised the importance of international law and protocol. ‘We expect states to respect international law, as they do in the normal world’  she explained. Indeed, this statement was in answer to her own question: ’what are the rules for states to behave in cyberspace?’ A question which set the tone for the discussion to follow.

’What are the rules for states to behave in cyberspace?’
‘We expect states to respect international law, as they do in the normal world,
Manon Le Blanc, EEAS

Le Blanc too noted the recent creation of a permanent UN cyber mechanism, an EU-led effort, to support implementation and global coordination as an important step. A thought which prompted panellists to discuss the EU’s Cyber Diplomacy Toolbox, highlighted as a tool to both mark and respond to malicious behaviour.

Kristel-Amelie Aimre from Estonia emphasised how small states can have a global impact by leading in norm development, legal interpretation, and capacity building. Estonia was one of the first countries to publish a national position on how international law applies in cyberspace and recently co-authored a handbook for states on this issue.

Two recurring themes throughout the day, sovereignty and trust, also featured prominently in this final session. On the topic of sovereignty, Irina Michalowitz, Palo Alto Networks, urged caution in how the concept is applied in practice. She warned that approaches rooted in protectionism or excessive data localisation risk undermining trust, hindering the flow of threat intelligence across borders.

 

The day's final session: Global Cooperation in Cybersecurity: Strengthening Collective Resilience in a Borderless Digital World. 

Forum Europe extends its sincere thanks to all partners, sponsors, speakers, and attendees for making this year’s edition a success. Your insights, energy, and collaboration are what continue to push this agenda forward.

We now look ahead to the 13th Annual Cybersecurity Conference. For opportunities at the next edition: cyber@forum-europe.com

For updates on our upcoming events, sign up to our mailing list.

Stay informed with Forum Europe's Annual Cybersecurity Conference here.