{"id":197092,"date":"2026-03-18T15:08:00","date_gmt":"2026-03-18T19:08:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/18\/less-talk-more-security-cyber-lessons-learned-from-munich\/"},"modified":"2026-03-18T15:25:10","modified_gmt":"2026-03-18T19:25:10","slug":"less-talk-more-security-cyber-lessons-learned-from-munich","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/18\/less-talk-more-security-cyber-lessons-learned-from-munich\/","title":{"rendered":"Less Talk, More Security: Cyber Lessons Learned from Munich"},"content":{"rendered":"<p><a href=\"https:\/\/cepa.org\/article\/less-talk-more-security-cyber-lessons-learned-from-munich\/\">Less Talk, More Security: Cyber Lessons Learned from Munich<\/a><\/p>\n<p><a href=\"https:\/\/cepa.org\/article\/less-talk-more-security-cyber-lessons-learned-from-munich\/\">https:\/\/cepa.org\/article\/less-talk-more-security-cyber-lessons-learned-from-munich\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-18 15:08:00<\/a><\/p>\n<p>Source Domain: <a href=\"cepa.org\">cepa.org<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>Awareness of cyber threats has risen dramatically in recent years. Policymakers,\u00a0industry\u00a0leaders, and security practitioners now\u00a0broadly acknowledge\u00a0that cybersecurity\u00a0is a core\u00a0component\u00a0of national and economic security. That recognition is an important\u00a0first step \u2014 but awareness alone does not automatically translate into meaningful\u00a0action.\u00a0<\/p>\n<p>In many cases, growing urgency has produced a cascade of regulations, reporting\u00a0requirements,\u00a0and compliance frameworks without clear measures of success. Too\u00a0often, bureaucratic processes create the illusion that compliance equals security. Real\u00a0cybersecurity, however, requires actionable steps, operational capability, and\u00a0measurable outcomes that demonstrably reduce risk.\u00a0<\/p>\n<p>In February 2026, on the sidelines of the Munich Security Conference and the Munich\u00a0Cyber Security Conference, Trusted Future and the Center for European Policy Analysis\u00a0(CEPA) co-hosted a private discussion exploring how to move toward a results-oriented\u00a0cybersecurity model. The discussion was co-chaired by Admiral Michael Rogers (ret.),\u00a0former Director of the National Security Agency and Commander of US\u00a0CyberCommand, and Ieva Ilves, Cyber Policy Advisor to the Government of Ukraine.\u00a0<\/p>\n<p>Held under the Chatham House Rule, the roundtable brought together cybersecurity\u00a0experts, policymakers, and practitioners from more than thirteen countries, primarily\u00a0across Europe.\u00a0<\/p>\n<p>Avoiding the \u201cCompliance Trap\u201d<\/p>\n<p>A central theme of the discussion was the need to avoid what participants described as\u00a0the \u201ccompliance trap.\u201d\u00a0<\/p>\n<p>European cybersecurity policy \u2014 particularly the implementation of\u00a0the Network and Information Security 2 (NIS2) directive\u00a0\u2014 illustrates a\u00a0growing paradox. While median organizational information security spending in Europe\u00a0has\u00a0reportedly\u00a0doubled (from\u00a0approximately \u20ac0.7 million\u00a0to \u20ac1.4 million), cyber incidents\u00a0across the EU increased\u00a0year-over-year\u00a0according to the\u00a0ENISA Threat Landscape 2025 report.\u00a0<\/p>\n<p>Europe is investing more in the administration of cybersecurity,\u00a0but that does not\u00a0automatically\u00a0translate\u00a0into better security.\u00a0<\/p>\n<p>Efforts such as the EU\u2019s\u00a0proposed Digital Omnibus\u00a0aim to streamline compliance\u00a0obligations and reduce regulatory burden. While simplification is welcome,\u00a0optimizing\u00a0paperwork does not necessarily improve resilience against adversaries. One participant\u00a0summarized the challenge succinctly: organizations increasingly\u00a0hire for\u00a0compliance\u00a0expertise\u00a0rather than defensive capability,\u00a0despite the fact that\u00a0effective cybersecurity\u00a0ultimately depends\u00a0on operational readiness, not documentation.\u00a0<\/p>\n<p>Participants\u00a0noted\u00a0that an estimated 89%\u00a0of small and medium-sized enterprises\u00a0(SMEs) expect to need\u00a0additional\u00a0cybersecurity staff to\u00a0comply with\u00a0NIS2, even as\u00a0defensive talent shortages persist. At the same time, ENISA data\u00a0indicates\u00a0that\u00a0roughly\u00a059%\u00a0of organizations struggle to fill cybersecurity roles, underscoring a widening\u00a0capability gap.\u00a0<\/p>\n<p>The group discussed Ukraine\u2019s wartime cyber defense as a contrasting model.\u00a0Ukrainian institutions have increasingly adopted outcome-based performance metrics\u00a0similar to\u00a0the\u00a0private\u00a0sector\u2019s\u00a0Objectives and Key Results (OKRs), measuring success\u00a0through real-world impact \u2014 for example, reduced service disruption or fraud losses \u2014\u00a0rather than procedural completion.\u00a0<\/p>\n<p>This approach may be particularly relevant as digital payment fraud continues to rise\u00a0across Europe,\u00a0reaching\u00a0roughly \u20ac4.2 billion\u00a0annually, or about 20%\u00a0of total fraud\u00a0losses,\u00a0according to ECB and EBA reporting.\u00a0<\/p>\n<p>Awareness has grown. What\u00a0remains\u00a0missing is execution. <\/p>\n<p>Rethinking Information Sharing\u00a0<\/p>\n<p>Participants agreed that both governments and industry must fundamentally rethink\u00a0information sharing.\u00a0<\/p>\n<p>Cyber threat intelligence is still too often treated as a competitive or sovereign asset\u00a0rather than a collective defense mechanism. By contrast, aviation security provides a\u00a0powerful model: safety\u00a0and threat intelligence are shared internationally in near real-time because airline safety is\u00a0universally recognized as urgent, operational, and\u00a0non-competitive.\u00a0<\/p>\n<p>Cybersecurity deserves the same treatment.\u00a0<\/p>\n<p>Incident response cooperation \u2014 not simply information reporting \u2014 should sit at the\u00a0center of resilience strategies. Faster sharing of indicators, tactics, and mitigation\u00a0strategies can dramatically reduce the spread and impact of attacks.\u00a0<\/p>\n<p>Company-to-company collaboration is equally important. The discussion emphasized\u00a0that cybersecurity is no longer merely an IT risk; it is a core business risk affecting\u00a0corporate survival, market stability, and national competitiveness. While CEO-level\u00a0awareness has improved,\u00a0participants agreed that cyber risk still lacks consistent\u00a0board-level prioritization across Europe.\u00a0<\/p>\n<p>European attitudes toward cybersecurity are evolving, but the infrastructure for effective\u00a0EU-wide operational coordination\u00a0remains\u00a0fragmented. Several participants suggested\u00a0that stronger industry-led initiatives may be\u00a0required\u00a0to bridge institutional gaps.\u00a0<\/p>\n<p>Lessons from Ukraine \u2014 and Europe\u2019s Structural Challenges\u00a0<\/p>\n<p>Ukraine\u2019s experience under sustained cyberattacks\u00a0offers important lessons for Europe.\u00a0Participants stressed that these lessons should be shared more systematically across\u00a0allied governments and\u00a0private-sectornetworks.\u00a0<\/p>\n<p>A recurring concern was Europe\u2019s tendency to default to regulatory solutions when\u00a0addressing cybersecurity challenges. While regulation plays\u00a0an important role, an\u00a0overemphasis on rulemaking can crowd out implementation and measurable outcomes.\u00a0<\/p>\n<p>Several\u00a0additional\u00a0structural challenges were\u00a0identified:\u00a0<\/p>\n<p>Ransomware is increasingly viewed as a national security threat,\u00a0and\u00a0neither the\u00a0European Union nor NATO has developed a fully unified operational response\u00a0framework.\u00a0<\/p>\n<p>Europe still lacks a true single market for cybersecurity, resulting in fragmented\u00a0procurement, certification, and incident response approaches.\u00a0<\/p>\n<p>Cyber workforce shortages\u00a0remain\u00a0acute,\u00a0exacerbated\u00a0by comparatively lower\u00a0salary competitiveness\u00a0relative\u00a0to the United States.\u00a0<\/p>\n<p>Unlike the\u00a0US, the EU lacks a centralized governmental \u201cbuyer\u201d\u00a0capable of driving security standards through large-scale procurement \u2014 a \u201cbuy\u00a0secure, comply secure\u201d model that has influenced US\u00a0market behavior.\u00a0<\/p>\n<p>Participants repeatedly returned to workforce readiness as a defining challenge:\u00a0organizations recognize the need for cybersecurity talent, but recruitment, retention, and\u00a0training systems are struggling to keep pace with demand.\u00a0<\/p>\n<p>Security-Proofing Policy<\/p>\n<p>Another major theme was the absence of systematic security screening in European\u00a0technology policymaking.\u00a0<\/p>\n<p>European legislation routinely undergoes environmental impact assessments, yet\u00a0comparable security impact reviews are rarely applied to major digital or economic\u00a0regulations.\u00a0The Digital Markets Act (DMA), for example, was developed\u00a0largely without\u00a0structured\u00a0input from operational security experts \u2014 a decision some participants believe is\u00a0reflected in challenges with implementation. More broadly, national security and cyberagencies from EU member states are often consulted late in legislative processes rather\u00a0than positioned at the front end of policy design.\u00a0<\/p>\n<p>This contrasts with the United States, where agencies such as the Cybersecurity and\u00a0Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the\u00a0Office of the National Cyber Director (ONCD) are routinely integrated into policy\u00a0discussions affecting digital infrastructure.\u00a0<\/p>\n<p>Participants also noted that globally recognized standards \u2014 including the Common\u00a0Criteria cybersecurity certification framework long supported by European governments\u00a0\u2014 have not always been fully\u00a0leveraged\u00a0in newer legislation such as the Cyber\u00a0Resilience Act. Existing technical standards, they argued, represent underused\u00a0resources.\u00a0<\/p>\n<p>Collaborative policymaking matters. The success of frameworks such as the NIST\u00a0Cybersecurity Framework\u00a0demonstrates\u00a0how government-industry cooperation can\u00a0create shared ownership, voluntary adoption, and lasting impact.\u00a0<\/p>\n<p>From Process to Outcomes\u00a0<\/p>\n<p>The Munich discussions reinforced a simple conclusion: cybersecurity policy must move\u00a0from process to outcomes.\u00a0<\/p>\n<p>Europe has successfully elevated cybersecurity onto the strategic agenda. The next\u00a0phase requires translating awareness into operational capability \u2014 measuring success\u00a0not by\u00a0regulations written or reports filed, but by attacks prevented, systems kept online,\u00a0and economic losses reduced.\u00a0<\/p>\n<p>Less talk. More security.\u00a0<\/p>\n<p>James Lamond is a Senior Fellow with the Democratic Resilience Program at CEPA\u00a0Ronan\u00a0Murphy is Director of the Tech Policy Program at the Center for European Policy Analysis.\u202f\u202f\u00a0<\/p>\n<p>Bandwidth is CEPA\u2019s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis.\u00a0CEPA maintains a strict intellectual independence policy across all its projects and publications.<\/p>\n<p>\t\t\t\t\t\t\t\t\tA Roadmap for Europe-US Tech Cooperation<\/p>\n<p>\t\t\t\t\t\t\t\t\tLearn More\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/p>\n<p>\t\t\tRead More From Bandwidth\t\t<\/p>\n<p>\t\t\tCEPA\u2019s online journal dedicated to advancing transatlantic cooperation on tech policy.\t\t<\/p>\n<p>\t\t\t\tRead More\t\t\t<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Less Talk, More Security: Cyber Lessons Learned from Munich https:\/\/cepa.org\/article\/less-talk-more-security-cyber-lessons-learned-from-munich\/ Publish Date: 2026-03-18 15:08:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":197093,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cepa.org\/wp-content\/uploads\/2026\/03\/SB203158-scaled-e1773857560183.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-197092","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/197092"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=197092"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/197092\/revisions"}],"predecessor-version":[{"id":197094,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/197092\/revisions\/197094"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/197093"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=197092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=197092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=197092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}