Luxembourg's Second GRC Summit Focuses on AI Governance, Digital Sovereignty

On Wednesday 3 and Thursday 4 June 2026, the second edition of Luxembourg's Governance, Risk and Compliance (GRC) Summit took place at the Luxembourg Chamber of Commerce.

The summit focused on key cybersecurity and regulatory challenges, including artificial intelligence (AI) governance, digital sovereignty and post-quantum readiness, while bringing together governance, risk and compliance professionals, practitioners and decision-makers from across Europe.

Pascal Steichen, Founder and CEO of the Luxembourg House of Cybersecurity (LHC), officially opened the summit by welcoming participants and highlighting the growing importance of governance in an era increasingly shaped by artificial intelligence (AI). He noted that AI is changing the speed, scale and nature of risks, affecting how vulnerabilities are discovered, decisions are automated, information circulates and critical infrastructure is protected.

Speaking about the summit's central theme, Pascal Steichen said: "We will not simply address cybersecurity in the presence of AI. The idea really is to talk about governance in the age where AI is changing the speed, the scale and the nature of risk itself. Governance, risk and compliance can no longer be treated as purely protective or administrative. It needs to get to the frontline and is becoming a strategic discipline."

He also stressed the importance of strategic technological autonomy, warning against growing technological dependencies and arguing that governments, organisations and citizens should be able to understand, inspect and govern the technologies they use as artificial intelligence becomes increasingly embedded in decision-making processes. "Strategic technological autonomy shall not be a privilege. It must become a capability of everyone. It does not mean isolation. It does not mean protectionism. It means the capacity to understand, choose, build, secure, repair, change, interpret and decide," he said.

Carole Brückler, Director General for Industry, New Technologies and Research at Luxembourg's Ministry of the Economy, outlined the government's vision for digital sovereignty by 2030. She described data, artificial intelligence (AI) and quantum technologies as three interconnected pillars that should be developed jointly to strengthen competitiveness, innovation and economic resilience.

Highlighting the broader objectives behind the strategy, Carole Brückler explained that digital sovereignty should not be viewed in isolation, but as a means of strengthening innovation capacity, building a coherent ecosystem and increasing economic resilience: "We believe it doesn't need to be considered in isolation. It's about building competitiveness, enhancing capacity for innovation, building a coherent ecosystem and therefore broadly strengthening the resilience of the economy."

Professor James Harold Davenport of the University of Bath reflected on his experience managing a cyber incident involving a high-performance computing environment during the COVID-19 pandemic. He described how a coordinated attack exposed weaknesses in communication, incident planning and system update procedures, while highlighting the challenges of balancing cybersecurity requirements with operational priorities.

Drawing on the experience, James Harold Davenport stressed the importance of preparedness and understanding the needs of end users during a cyber crisis: "You have to understand your users and their priorities. It shows the difficulty when you haven't got an incident plan. Balancing operational priorities is the incident commander's job."

The third keynote speaker, Luc Dockendorf, Ambassador for Cybersecurity and Digitalisation at Luxembourg's Ministry of Foreign and European Affairs, focused on the concept of digital sovereignty within the European Union. He noted that upcoming EU initiatives are expected to address areas such as open-source technologies, semiconductor production, sovereign cloud and AI development, as well as the digitalisation of the energy sector.

Luc Dockendorf also highlighted the need to strengthen Europe's technological independence while maintaining a practical approach to innovation. He argued that investments in digital infrastructure and artificial intelligence should be driven by real needs and tangible benefits for citizens and businesses rather than by the notion of a global AI race.. "The alternative to the US approach of forcing AI into everything is to think first where we need it, where it's useful, where does it provide a real added value and then actually focusing on that rather than really forcing it into everything."

In addition to the keynote speeches, the summit programme featured a series of presentations, roundtable discussions and thematic panels dedicated to governance, risk and compliance (GRC) challenges. Discussions covered topics ranging from cybersecurity governance and digital sovereignty to regulatory developments, artificial intelligence (AI) and cyber resilience.

The second day of the summit featured keynote sessions, including "From Black Boxes to Responsible AI: Risk-Aware Governance for a Transparent and Accountable Future", with contributions from Isabel Barbera, Dutch Coordinating AI Supervisor at the Dutch Data Protection Authority (DPA), and Dr Frédéric Courivaud of DNV.

The programme also included community-building sessions focused on open-source GRC solutions and the implementation of the Cyber Resilience Act (CRA), alongside thematic discussions examining the integration of cybersecurity and GRC in disruptive technologies, as well as in humanitarian and human rights work.

The second edition of the GRC Summit concluded with closing remarks from François Thill, Director of Cybersecurity at Luxembourg's Ministry of the Economy.