An interesting study by PwC Luxembourg conducted with the active support of CLUSIL, CNPD, and ILR

CISOs and DPOs are now more involved in major transformation projects, incident management, and governance discussions. This reflects their growing influence within organizations. According to PwC Luxembourg, which published the report “Out of the shadows: CISOs and DPOs in the spotlight,” we are at a turning point for these two roles.

From compliance roles to strategic facilitators… but not yet on equal footing

Legal, regulatory, compliance, and audit obligations are cited by 72% of CISOs and 83% of DPOs as the main catalysts for the creation of their roles. Regulatory pressure therefore remains the primary driver behind the establishment of these two roles.

As noted by PwC Luxembourg, regulation continues to expand responsibilities and reshape operational models. EU digital regulation remains a key factor in defining the responsibilities of CISOs and DPOs. Just over half (52%) of CISOs are subject to the DORA regulation, while 17% are not but take it into account because their clients subject to it require it. Among DPOs, these figures are 44% and 11%, respectively.

These figures alone, drawn from the survey data (a sample of 56 respondents, collected via an online survey platform that ensured the anonymity and confidentiality of responses), clearly indicate that we are at a pivotal moment.

Bridging the gap between expectations and reality to address regulatory and technological risks

The 2026 survey highlights how regulatory developments such as DORA, NIS2, the Data Governance Act, and the Data Act continue to increase responsibilities, while emerging technologies, particularly AI and cloud solutions, are redefining operational realities.

In July 2016, PwC launched the first edition of the survey “Stepping Out of the Shadows: CISOs in the Spotlight!”, followed by a second edition in 2018 (in collaboration with the CPSI) and a third edition in 2020, conducted in partnership with CLUSIL (Club de la Sécurité de l’Information – Luxembourg). PwC Luxembourg then decided to broaden the scope of the survey to include DPOs and to collaborate with the National Commission for Data Protection (CNPD) and the Luxembourg Institute for Regulation (ILR) to publish two surveys, one in 2022 and the other in 2024. The CSSF also contributed to the 2024 edition.

Lack of independence, insufficient resources

In fact, as the digital transformation of businesses accelerates, the roles of CISOs and DPOs have become essential for maintaining trust, resilience, and regulatory compliance. In Luxembourg, cyber risks, data protection requirements, and technological advancements are intensifying in tandem, placing CISOs and DPOs at the heart of strategic decisions.

That said, many CISOs are still attached to IT departments, raising questions of independence and potential conflicts of interest. Budget allocation remains uneven; internal silos continue to hinder effectiveness, and a lack of resources limits the ability to meet growing expectations. DPOs, for their part, must navigate increasing complexity, balancing regulatory obligations with limited technological and organizational support.

Opinions taken into account

Influence is growing, but resources remain insufficient, notes PwC Luxembourg. More than a quarter (26%) of CISOs believe their role is highly influential, and 48% consider it influential even if their opinions are not always taken into account. These figures stand at 29% and 47%, respectively, for DPOs. However, budgetary control remains limited: less than half (44%) of CISOs and nearly a quarter (24%) of DPOs have a dedicated budget.

At the same time, the survey highlights encouraging developments. Indeed, despite challenges related to independence, CISOs and DPOs are seeing their input increasingly taken into account in strategic discussions. Furthermore, awareness of cybersecurity and privacy risks is growing within organizations, as evidenced by increased involvement in resilience initiatives, data governance programs, and AI-related projects.

At the intersection of data protection, security, compliance, and strategic decision-making

Luxembourg’s very position explains a great deal. As noted by Maxime Pallez, Advisory Director, Cybersecurity, PwC Luxembourg, “Luxembourg stands out as a pioneering jurisdiction in terms of its commitment to cybersecurity, thanks in particular to national initiatives such as the Luxembourg Cybersecurity House.” At the same time, given the resurgence of cyberattacks and growing concerns regarding privacy protection, “it is urgent for organizations to adopt proactive and robust cybersecurity and data protection strategies across all sectors.”

For his part, Antonin Jakubse, Advisory Senior Manager, Privacy at PwC Luxembourg, emphasizes the expertise of CISOs and DPOs at the crucial intersection of data protection, security, compliance, and strategic decision-making. “This combination enables organizations to protect sensitive data, ensure compliance with constantly evolving regulatory and data protection requirements, and systematically integrate data protection considerations into strategic and operational decisions, thereby enabling the secure use of new technologies.”

The message is clear: strengthen governance and raise awareness among top executives regarding data protection and cyber risks. And implement robust safeguards that promote long-term operational stability and revenue growth.