Cybersec Europe 2026: Brussels Confronts the Mythos AI Challenge

While MEPs in Strasbourg debate the European Union’s cyber resilience capabilities this week, the European cybersecurity community gathers in Brussels for Cybersec Europe 2026, the continent’s flagship industry event running on 20 and 21 May. The combination is deliberate: the two events together capture the present moment in EU cybersecurity policy, where the regulatory architecture built over the past five years now confronts a generation of advanced artificial intelligence systems that the original frameworks did not anticipate.

Why Mythos changed the conversation

At the centre of the renewed urgency is Mythos, the advanced AI system whose emergence over recent months has reframed European thinking about AI-related cyber risks. Mythos and comparable systems have demonstrated capabilities that go beyond the assumptions baked into the EU’s existing cybersecurity legislation – the Network and Information Security Directive 2 (NIS2), the Cyber Resilience Act (CRA), and the Cybersecurity Act establishing ENISA.

Renew Europe was the political group that requested the plenary debate, arguing that the EU needs a dedicated cybersecurity strategy for advanced AI, full NIS2 implementation, and reduced dependence on non-European providers of cloud infrastructure, AI capabilities and semiconductors. The framing has resonated across the political spectrum.

The Tech Sovereignty package on 27 May

The political timing is calibrated. On 27 May, the European Commission is scheduled to present its Tech Sovereignty package, comprising the Cloud and AI Development Act and the Chips Act 2. The package is designed to give the Union both the regulatory tools and the industrial policy levers to compete in a technology landscape dominated by US and Chinese providers.

The Cloud and AI Development Act addresses what has emerged as one of the structural weaknesses of European competitiveness: the dependency on a small number of non-European hyperscalers for cloud infrastructure, and the absence of large-scale European training capacity for frontier AI models. The Chips Act 2 builds on the 2023 Chips Act, with a stronger focus on advanced node fabrication and on the supply chain for AI accelerators.

NIS2 enforcement: still the unfinished business

Cybersec Europe 2026 returns repeatedly to NIS2 enforcement, which remains uneven across Member States despite the transposition deadline having passed. National competent authorities are at very different stages of operational readiness, and the practical reality is that many entities subject to NIS2 – particularly mid-sized companies in covered sectors – are still building the security posture the directive requires.

The Cyber Resilience Act adds another layer. Reporting obligations under Article 14 take effect on 11 September 2026, with full applicability of CRA requirements from 11 December 2027. For manufacturers, importers and distributors of products with digital elements, this is no longer a theoretical compliance project: hardware on shelves in 2028 must already embed the security-by-design requirements of the Regulation.

The geography of the threat

The Brussels conference programme reflects the changed threat geography. State-sponsored campaigns from Russia, China, North Korea and Iran continue to target European critical infrastructure. Criminal ransomware operators, increasingly equipped with AI-augmented tools, target both private companies and public services. And the rise of advanced AI systems creates entirely new risk surfaces – from autonomous reconnaissance and exploitation to deepfake-enabled social engineering at scale.

What businesses are watching

For European businesses, the practical question is how to operationalise an increasingly dense regulatory stack while protecting against an evolving threat. NIS2, CRA, the AI Act, the Digital Operational Resilience Act (DORA) for financial entities, and sector-specific cybersecurity requirements all interact. The challenge of compliance is matched by the challenge of capability: many organisations still struggle to recruit and retain cybersecurity specialists.

The Strasbourg debate and the Brussels conference, together, set the scene for the Tech Sovereignty package next week. The decisions taken in Brussels between now and the end of the spring will shape the European cybersecurity environment for the rest of the decade.