Cybersec Europe 2026: Brussels Confronts the Mythos AI Challenge
As MEPs in Strasbourg debate the European Union’s cyber resilience capabilities this week, the European cybersecurity community is gathering in Brussels for Cybersec Europe 2026, the continent’s flagship industry event taking place on 20 and 21 May. The timing is no accident: the two events together encapsulate the present moment in EU cybersecurity policy, in which the regulatory architecture constructed over the past five years now faces a generation of advanced artificial intelligence systems that the original frameworks did not anticipate.
Why Mythos changed the conversation
At the centre of the renewed urgency lies Mythos, the advanced AI system whose emergence in recent months has reframed European thinking about AI-related cyber risks. Mythos and comparable systems have demonstrated capabilities that exceed the assumptions embedded in the EU’s existing cybersecurity legislation – the Network and Information Security Directive 2 (NIS2), the Cyber Resilience Act (CRA), and the Cybersecurity Act establishing ENISA.
Renew Europe was the political group that requested the plenary debate, arguing that the EU requires a dedicated cybersecurity strategy for advanced AI, full NIS2 implementation, and reduced dependence on non-European providers of cloud infrastructure, AI capabilities and semiconductors. The argument has resonated across the political spectrum.
The Tech Sovereignty package on 27 May
The political timing has been carefully calibrated. On 27 May, the European Commission is scheduled to present its Tech Sovereignty package, comprising the Cloud and AI Development Act and the Chips Act 2. The package is intended to provide the Union with both the regulatory tools and the industrial policy levers to compete in a technology landscape dominated by US and Chinese providers.
The Cloud and AI Development Act addresses what has emerged as one of the structural weaknesses of European competitiveness: dependence on a small number of non-European hyperscalers for cloud infrastructure, and the absence of large-scale European training capacity for frontier AI models. The Chips Act 2 builds on the 2023 Chips Act, with a stronger emphasis on advanced node fabrication and on the supply chain for AI accelerators.
NIS2 enforcement: still the unfinished business
Cybersec Europe 2026 returns repeatedly to NIS2 enforcement, which remains uneven across member states despite the transposition deadline having passed. National competent authorities are at very different stages of operational readiness, and the practical reality is that many entities subject to NIS2 – particularly mid-sized companies in covered sectors – are still building the security posture the directive requires.
The Cyber Resilience Act adds another layer. Reporting obligations under Article 14 take effect on 11 September 2026, with full applicability of CRA requirements from 11 December 2027. For manufacturers, importers and distributors of products with digital elements, this is no longer a theoretical compliance project: hardware on shelves in 2028 must already embed the security-by-design requirements of the regulation.
The geography of the threat
The Brussels conference programme reflects the changed threat geography. State-sponsored campaigns from Russia, China, North Korea and Iran continue to target European critical infrastructure. Criminal ransomware operators, increasingly equipped with AI-augmented tools, target both private companies and public services. And the rise of advanced AI systems creates entirely new risk surfaces – from autonomous reconnaissance and exploitation to deepfake-enabled social engineering at scale.
What businesses are watching
For European businesses, the practical question is how to operationalise an increasingly dense regulatory stack whilst protecting against an evolving threat. NIS2, CRA, the AI Act, the Digital Operational Resilience Act (DORA) for financial entities, and sector-specific cybersecurity requirements all interact. The challenge of compliance is matched by the challenge of capability: many organisations still struggle to recruit and retain cybersecurity specialists.
The Strasbourg debate and the Brussels conference, together, set the scene for the Tech Sovereignty package next week. The decisions taken in Brussels between now and the end of the spring will shape the European cybersecurity environment for the rest of the decade.
