Resilience & Sovereignty Convention 2026, on April 28 at the Sheraton Brussels Airport—the event marking this turning point
2026: The end of the transition period. Cybersecurity is evolving from a technical issue to a legal obligation to deliver results, a shift that will be central to the Resilience & Sovereignty Convention 2026. The organizer, François Vajda, explains.
Just as with the GDPR back then, the new regulations now impose full traceability. Companies can no longer settle for protection; they must be able to demonstrate their resilience at any time, under penalty of severe sanctions. It is a paradigm shift, notes François Vajda, organizer of the Resilience & Sovereignty Convention 2026. “Compliance becomes continuous.”
2026, a turning point for cybersecurity within the member states of the European Union. Whether it concerns the NIS2 Directive, the CRA Regulations, the Data Act, or the AI Act, the threshold for heightened oversight, audits, procurement rules, and, likely, the first sanctions has been crossed.
An evidence-driven, ongoing obligation
For both CISOs and legal departments, the focus is shifting from policy implementation to actual operational obligations. “Compliance is no longer a theoretical concept: companies will have to provide tangible evidence of the measures implemented,” says François Vajda. “Companies that can anticipate this will be best equipped to meet the imposed legal obligations.”
The traditional model of annual audits and static policy frameworks is disappearing. The new regulations turn compliance into a continuous, evidence-based obligation. “It is no longer just a question of whether organizations are compliant; they must continuously prove it. In that respect, it is a paradigm shift!”
Responsibility extending to the board of directors
The proof of this is NIS2. The directive extends cybersecurity obligations to all sectors, particularly energy, healthcare, industry, and public administration. NIS2 introduces stricter requirements regarding risk management, monitoring, and logging obligations, as well as rules for incident reporting that extend responsibility all the way to the board of directors.
At the same time, DORA, the Digital Operational Resilience Act, which took effect in January 2025, harmonizes how financial institutions manage information technology risks, test their resilience, and oversee their critical third-party service providers.
The AI Act, which is being phased in starting this year, adds a new dimension: organizations that design or implement high-risk AI systems must ensure documentation, human oversight, and traceability throughout the entire lifecycle of these systems.
Regulations themselves are also evolving
On November 19, 2025, the European Commission presented a major digital package to simplify and modernize the EU’s digital regulatory environment. This initiative includes a series of digital measures to streamline the rules on AI, cybersecurity, and data management.
Two strategic initiatives complement this package: a Data Union strategy, designed to facilitate access to high-quality datasets for AI innovation, and the European Digital Wallets, which will provide businesses with a unique digital identity to simplify their cross-border operations within the Member States of the European Union.
“Taken together, these developments reflect a desire to reduce fragmentation while simultaneously strengthening oversight; a delicate balance that will shape how businesses operate in Europe over the coming decade,” analyzes François Vajda. “Given that these developments have significant implications for organizations operating within the EU regulatory landscape, this topic will be explored in greater depth during our conference.”
AI is changing the threat landscape and the rules
In this transformation, AI is changing not only productivity but also cyber risk.
According to data from the World Economic Forum, the number of cyberattacks per organization has more than doubled in just four years. At the same time, new threat vectors are emerging within the AI technology stack: prompt injection, data breaches, AI-driven data mining bots, and increasingly sophisticated deepfakes…
This reflects a broader shift in mindset. Cyber resilience is no longer viewed as a simple static list of controls, continues François Vajda. “AI is becoming a continuously learning system that evolves at the same pace as the technologies it protects…”
Convergence of Compliance Frameworks
The EU’s Digital Omnibus initiative aims to streamline overlapping obligations across key regulatory frameworks, including the GDPR, the ePrivacy Directive, NIS2, DORA, and the AI Act. The proposed changes include uniform incident reporting procedures, simplified consent rules, browser-level default settings, and clearer rules regarding training data for AI. “Cybersecurity is no longer limited to the boundaries of a single organization!”
Under regulations such as DORA and NIS2, companies must increasingly assess and monitor the security posture of their suppliers, partners, and technology providers. Vulnerabilities related to third parties are now considered an integral part of the risks inherent to the organization.
Furthermore, a single European reporting portal should further reduce fragmentation, allowing organizations to report cyber incidents and data breaches through a single harmonized portal rather than having to navigate between various parallel schemes.
Sovereignty Takes on a New Status
This year, too, we will see that sovereignty is no longer an abstract principle. It is being incorporated into specifications and directly influences technological choices.
IT departments and security managers now view the value chain as a whole: component design, control over the software, update management, scalability of architectures, and the reliability of technology partners. The question is no longer just “what does the solution enable?”, but “under which jurisdiction does it fall and to what dependencies does it expose us?”.
In an international context characterized by the extraterritorial application of certain laws, managing data flows becomes a strategic challenge.
By 2026, multinationals will need to account for more detailed guidelines, stricter requirements, and a broader application of sovereignty principles, according to François Vajda.
Coherent data management and best practices in architecture will therefore be essential to meet these requirements without compromising operational productivity…
“The good news? Compliance has never been more accessible. The tools exist, best practices are documented, and the cost of compliance is infinitely lower than the cost of a penalty!”

