Faculty of Science, Technology and Medicine
Faculty of Law, Economics and Finance
Faculty of Humanities, Education and Social Sciences
Interdisciplinary Centre for Security, Reliability and Trust
Luxembourg Centre for Systems Biomedicine
Luxembourg Centre for Contemporary and Digital History
Luxembourg Centre for European Law
Luxembourg Centre for Socio-Environmental Systems
For the European Cybersecurity Month, three professors from the University met to discuss the challenges to create a cohesive cybersecurity approach for Europe. All hailing from different disciplines, Prof. Vincent Lenders, FNR PEARL Chair in Cybersecurity, Prof. Niovi Vavoula, Chair in Cyber Policy, and co-director of the Master in Cybersecurity and Cyber Defence Dr. Andy Rupp explored tensions between technology innovation, infrastructure, and regulation to expose risks that are defining the field and shaping behaviour.
The interview has been transcribed and edited for clarity.
Vincent Lenders: 鈥淭he speed new threats develop, and how cutting-edge technology like AI and quantum computing are about to radically change cybersecurity.鈥&苍产蝉辫;
Niovi Vavoula: 鈥淭he risks of regulation not keeping up with technology innovation, or worse, slowing down our responses to vulnerabilities.鈥&苍产蝉辫;
Andy Rupp: 鈥淭he slow pace between technology innovation and real-world implementation. Companies too often see privacy as a cost, not an enabler.鈥&苍产蝉辫;
Niovi Vavoula: 鈥淒igital sovereignty doesn鈥檛 mean isolation. Europe must pursue autonomy without turning inward. The EU needs to diversify its partnerships to reduce technological dependencies while staying active in global governance forums. Achieving this balance requires strategy and trust.鈥&苍产蝉辫;
Andy Rupp: 鈥淭hat balance is exactly where the challenge lies. We certainly can鈥檛 produce everything in Europe, not every chip, not every device, but we can design security critical technology here. The challenge is to verify that what鈥檚 built then elsewhere given our chip design does what we expect it to, and nothing more.鈥&苍产蝉辫;
Vincent Lenders: 鈥淐ybersecurity can鈥檛 be achieved by any one country. The threats we face are global. Sharing intelligence about attacks helps everyone build stronger defences. Even if nations differ politically, we鈥檙e all facing the same vulnerabilities.鈥&苍产蝉辫;
Niovi Vavoula: 鈥淭hat鈥檚 why Europe鈥檚 strategy has to combine both competition and collaboration 鈥 to be sovereign, but never isolated. Cybersecurity isn鈥檛 a national issue anymore; it鈥檚 a global one.鈥&苍产蝉辫;
| Reality check: Global rhetoric tends to focus on how cybersecurity policies from governments diverge from one and other, but global supply chains make maintaining digital sovereignty complex. At the same time, with borderless technology comes borderless risks, and this brings us together more than headline news acknowledges. |
Vincent Lenders: 鈥淐ritical infrastructure have been designed for lifetimes of 30 or 40 years and they were built for safety, not security. To protect them, systems used to be relatively disconnected and isolated, but now, with the digital transformation, normal threats from the internet can also start spreading to critical infrastructure. While a personal phone can be replaced every few years to maintain cutting-edge security, we cannot really replace a power plant from today to tomorrow.鈥&苍产蝉辫;
Niovi Vavoula: 鈥淓xactly. And while the critical infrastructure technology lags, the law is moving fast 鈥 sometimes too fast. In just a few years we鈥檝e seen the , , and . Each one adds complexity, and organisations often struggle to comply when rules overlap or contradict each other. To manage this, organisations need resources to have people implement risk management measures, while member states also need to enforce the directives, which is not always effective.鈥&苍产蝉辫;
Andy Rupp: 鈥淎nd companies are ready to take advantage of that. Even when the rules are clear, there鈥檚 still a gap between regulation and implementation. Companies will often do the minimum required to comply, not the maximum possible to protect. Without incentives, or proper enforcement, advanced privacy-preserving tools never make it into practice.鈥&苍产蝉辫;
Vincent Lenders: 鈥淭hat鈥檚 an important point. Regulation alone doesn鈥檛 secure systems; it has to be practical and aligned with how infrastructure operates. In my discussions with energy companies I have been told about a contradiction here. On the one hand there is a requirement to certify the software running critical systems, but on the other hand strong cybersecurity requires immediate updates to prevent attackers from exploiting vulnerabilities. You can鈥檛 certify a software update everyday though, so this puts the operators in a contradictory position.鈥&苍产蝉辫;
Niovi Vavoula: 鈥淲hich is why we need lawmakers and engineers in constant dialogue. Otherwise, the law becomes outdated before it鈥檚 even enforced.鈥&苍产蝉辫;
| Takeaway: There is still a mismatch between regulation and the realities of the technology at stake. Fixing this is the key to Europe鈥檚 resilience. |
Niovi Vavoula: 鈥淟iability is a complex ecosystem. On one hand, we have the criminal liability of attackers 鈥 the perpetrators of cyber incidents. But on the other, organisations themselves can be held responsible if they fail to implement adequate cybersecurity measures or to report incidents in time. The legal framework has become far more concrete, mirroring the logic of data protection under the GDPR.鈥&苍产蝉辫;
Vincent Lenders: 鈥淭he real challenge is how that plays out in practice. When an organisation is attacked, we see too often that their immediate reaction is to call it a 鈥榮ophisticated鈥 attack. If it鈥檚 considered sophisticated, they鈥檙e not held liable. But sometimes, those so-called advanced attacks are things a well-trained student could have prevented. We need to look more closely at whether an incident was truly unavoidable, and when it was just poor preparation.鈥&苍产蝉辫;
Niovi Vavoula: 鈥淎nd for the first time, managers themselves are being held accountable. For example, under the NIS2 Directive, managers can face personal sanctions, even temporary suspension, for non-compliance. It鈥檚 a major cultural shift. We鈥檙e moving toward a world where cybersecurity isn鈥檛 just a technical or organisational issue, it鈥檚 a question of governance.鈥&苍产蝉辫;
Andy Rupp: 鈥淥f course, with this growing accountability, students looking to study cybersecurity might feel this legal pressure . But I tell my students that if you understand the fundamentals and follow best practice, you have nothing to fear. In our master鈥檚 programme, we train them to think critically and act responsibly, not just to tick compliance boxes. Liability shouldn鈥檛 be a source of stress; it鈥檚 a reminder of the trust society places in cybersecurity professionals. With the right preparation, that responsibility becomes empowering rather than intimidating.鈥&苍产蝉辫;
| Did you know? The new regulatory landscape doesn鈥檛 simply punish negligence, it demands proof of vigilance. As technology and law continue to evolve, accountability will no longer be reactive; it will become a built-in part of digital governance, shaping how systems are designed, managed, and used across society. |
Andy Rupp: 鈥淐ybersecurity has outgrown traditional computer science. That鈥檚 why we created a dedicated master鈥檚 programme combining technical foundations with policy and ethics. Students need to understand the systems 鈥 but also the context in which they operate.鈥&苍产蝉辫;
Vincent Lenders: 鈥淎nd it鈥檚 not just about university students. Everyone needs some cyber awareness now, even children. They鈥檙e online before they can read. We need to teach security as a life skill, not just a professional one. We can do this by inviting youth to engage with our work and experience the domain hands-on.鈥&苍产蝉辫;
Niovi Vavoula: 鈥淵es, I completely agree that universities should build bridges with society. We can be a central cog in the machinery that promotes cybersecurity preparedness. It鈥檚 not enough to educate future engineers; we also have to work with civil society, NGOs, and public organisations. Cybersecurity impacts all sectors, and exists for all professionals, not just people in IT teams. Protecting people online is just as vital as protecting data or infrastructure.鈥&苍产蝉辫;
Andy Rupp: 鈥淭hat鈥檚 where collaboration helps. For example, our work with industry partners gives students real-world insight. They see what cyber risk looks like outside the classroom.鈥&苍产蝉辫;
Vincent Lenders: 鈥淎nd it motivates them. When you show students how their field of study can protect hospitals or energy systems, cybersecurity becomes more than a technical exercise, it brings it close to home.鈥&苍产蝉辫;
| Take action now: Consider cybersecurity skill development a priority. Take courses offered by your workplace, and include it in conversations. From parenting young children, teaching, or executing a profession, digital literacy must become a natural skill for all Europeans. |
A wish for 2030
When imagining a fictious future where any solution is possible, the professors wished for:
| 鈥淎 digital world without exploitable software vulnerabilities.鈥&苍产蝉辫; Vincent Lenders | 鈥淟aws that make advanced privacy-enhancing technologies the default, not the exception.鈥&苍产蝉辫; Andy Rupp | 鈥淎 regulatory framework that鈥檚 coherent, clear, and futureproof.鈥&苍产蝉辫; Niovi Vavoula |
Whatever the future holds, it is clear that cybersecurity is not a single-discipline field. It demands cooperation and a holistic approach. The 91短视频 is a part of that ecosystem; as graduates become practitioners, researchers discover innovative solutions to the critical risks we are facing, and professors educate the next generation while guiding both public and private institutions towards the future. Everyone, from professionals at work to children in classrooms, to private citizens from all walks of life, plays an essential role.
More about our experts
Assoc. Prof Niovi VAVOULA
FDEFAssociate professor in Cyber Policy, Chair in Cyber Policy
Prof. Vincent Lenders holds the FNR PEARL Chair in Cybersecurity, and leads the Systems and Network Security group at the 91短视频鈥檚 Interdisciplinary Centre for Security, Reliability and Trust (SnT). His research group is focused on securing critical infrastructures against cyber threats.
Prof. Niovi Vavoula holds the Chair in Cyber Policy at the Faculty of Law, Economics and Finance (FDEF). Her work examines how European legislation can adapt to new technologies and how to make regulation both coherent and enforceable.
Prof. Andy Rupp is co-director of the University鈥檚 Master in Cybersecurity and Cyber Defence and head of the Cryptographic Protocols group at the Faculty of Science, Technology and Medicine (FSTM). His research explores privacy-enhancing technologies and practical cryptography.