Luxembourg’s First GRC Summit Highlights Fragmented Approach to Cybersecurity

On Thursday 5 June 2025, Luxembourg’s first Governance, Risk and Compliance (GRC) summit took place at the Luxembourg Chamber of Commerce.

The summit, established to provide a platform to advance discussions, foster innovation and build a community for GRC professionals in Luxembourg, included a variety of panel discussions on subjects such as emerging risks and governance, the challenges of implementing the Cyber Resilience Act (CRA) for EU-based SMEs, the future of regulatory compliance in the digital domain and risk management strategies in cyber, defence and space ecosystems.

Founder and CEO of the Luxembourg House of Cybersecurity (LHC), Pascal Steichen, officially opened the summit by welcoming guests and speakers to the event. He then remarked on some key developments undertaken in Luxembourg over the past three decades, including Luxembourg’s first development of cybersecurity protocol in 2003, Luxembourg Government’s establishment of the Computer Incident Response Centre Luxembourg (CIRCLE) in 2007, the launch of the Interdisciplinary Centre for Security, Reliability and Trust (SnT) at Luxembourg University in 2009 and the establishment of the Luxembourg House of Cybersecurity in 2022.

Reflecting on these advances, Pascal Steichen remarked: “We are in a very good shape, but there is still a lot to do. First of all, technology will not solve today's cyber challenges, nor tomorrow's. We need a different approach.” He added: “We need a multidisciplinary approach. To prepare for the unknown, or even for the known, we need to develop governance and policy frameworks.”

There then followed welcoming speeches, via video, from Luxembourg’s Deputy Prime Minister and Minister for Foreign and European Affairs and Foreign Trade, Xavier Bettel, and Minister of Defence, Minister of Mobility and Public Works and Minister of Gender Equality and Diversity, Yuriko Backes. Deputy Prime Minister Bettel said: “In today's world, the links between governance, risk management and cyber security are becoming more important, especially as we also look at how these issues connect with space and defence technologies.” He also remarked: “[This] is an opportunity to take a step back and look at what tools and approaches we need and how we can support each other through meaningful collaboration, both at the technical and strategic levels.”

In her speech, Minister Backes said: “We are committed to continuously improving our cybersecurity maturity by aligning with GRC best practises. As we face an evolving threat landscape, we must ensure that cybersecurity remains deeply embedded in our organisational culture.”

Chair in Cyber Policy at the University of Luxembourg, Niovi Vavoula, then provided a keynote speech on the geopolitical perspective of cyber threats and global resilience. She talked of the increasing number of cyber-attacks and their ongoing influence in developments within the field of cybersecurity. She highlighted the impact of the “non-Petya” cyberattack in June 2017, which affected companies worldwide, causing an estimated €10 billion in losses and directly influencing CEOs to develop additional cybersecurity protocols.

She then spoke of how legislation can have both a positive and negative effect on fighting cybercrime and used the European Union (EU) legal instruments - NIS2 Directive, Cyber Resilience Act, Cyber Solidarity Act - as an example of a lack of consistency and cooperation in the field. She remarked: “One of the key problems that the EU cyber security landscape has is the extent to which both the regulatory requirements and institutional cooperation is coherent with policy documents and incoherent with one another.” She added: ”This is a problem that of course creates fragmentation, creates uncertainty for private entities, creates confusion”. She also noted the ”lack of harmonised rules on information sharing” and how this “signifies that there is a need to strengthen such information exchange across the different actors”.

She also spoke of the problems of the “patchwork” of legislation which exists, the impact of artificial intelligence (AI) on cybersecurity, being both a potential threat and solution, as well as the questions which exist about the potential impact of quantum computing on worldwide data security.

After a short break, there followed a panel discussion which focused on national and international cybersecurity strategies. The discussion was moderated by Luc Dockendorf (Ministry of Foreign and European Affairs, Defence, Development Cooperation and Foreign Trade) and featured contributions from Hervé Bah (Ciberobs Consulting), Els Debuf (International Committee of the Red Cross) and Emmanuelle De Foy (Ministry of Foreign Affairs Belgium). The participants provided descriptions of their work within the field of cybersecurity and fielded questions for the audience.

This was followed by an additional panel discussion which focused on strategy in the sectors of Space, Defence, Law Enforcement and Civil Security. Ben Fetler (Luxembourg Directorate of Defence) moderated the panel, which consisted of Georgios Stamatoukos (European Defence Agency), Freddy Dezeure (Independent Cybersecurity Advisor), Annita Larissa Sciacovelli (University of Bari Aldo Moro) and Hans De Vries (European Union Agency for Cybersecurity - ENISA).

After a break for lunch, the summit continued in the afternoon with several thematic discussions on subjects such as disruptive technologies and their impact on governance and cyber resilience for SMEs.