Across disciplines: navigating legacy systems and innovation in cybersecurity

  • Faculty of Law, Economics and Finance (FDEF)
    Faculty of Science, Technology and Medicine (FSTM)
    Interdisciplinary Centre for Security, Reliability and Trust (SnT)
    28 October 2025
  • Category
    Research
  • Topic
    Computer Science & ICT

For European Cybersecurity Month, three professors from the University met to discuss the challenges of creating a cohesive cybersecurity approach for Europe. Hailing from different disciplines, Prof. Vincent Lenders, FNR PEARL Chair in Cybersecurity, Prof. Niovi Vavoula, Chair in Cyber Policy, and Dr. Andy Rupp, co-director of the Master in Cybersecurity and Cyber Defence, explored tensions between technology innovation, infrastructure, and regulation to expose risks that are defining the field and shaping behaviour.

The interview has been transcribed and edited for clarity. 

Vincent Lenders: “The speed at which new threats develop, and how cutting-edge technologies like AI and quantum computing are about to radically change cybersecurity.”

Niovi Vavoula: “The risks of regulation not keeping up with technology innovation, or worse, slowing down our responses to vulnerabilities.” 

Andy Rupp: “The slow pace between technology innovation and real-world implementation. Companies too often see privacy as a cost, not an enabler.” 

Niovi Vavoula: “Digital sovereignty doesn’t mean isolation. Europe must pursue autonomy without turning inward. The EU needs to diversify its partnerships to reduce technological dependencies while staying active in global governance forums. Achieving this balance requires strategy and trust.” 

Andy Rupp: “That balance is exactly where the challenge lies. We certainly can’t produce everything in Europe, not every chip, not every device, but we can design security-critical technology here. The challenge is to verify that what’s then built elsewhere, given our chip design, does what we expect it to, and nothing more.”

Vincent Lenders: “Cybersecurity can’t be achieved by any one country. The threats we face are global. Sharing intelligence about attacks helps everyone build stronger defences. Even if nations differ politically, we’re all facing the same vulnerabilities.” 

Niovi Vavoula: “That’s why Europe’s strategy has to combine both competition and collaboration — to be sovereign, but never isolated. Cybersecurity isn’t a national issue anymore; it’s a global one.” 

Reality check: Global rhetoric tends to focus on how cybersecurity policies from governments diverge from one another, but global supply chains make maintaining digital sovereignty complex. At the same time, with borderless technology come borderless risks, and this brings us together more than headline news acknowledges.

Vincent Lenders: “Critical infrastructures have been designed for lifetimes of 30 or 40 years and they were built for safety, not security. To protect them, systems used to be relatively disconnected and isolated, but now, with the digital transformation, normal threats from the internet can also start spreading to critical infrastructure. While a personal phone can be replaced every few years to maintain cutting-edge security, we cannot really replace a power plant from today to tomorrow.”

Niovi Vavoula: “Exactly. And while the critical infrastructure technology lags, the law is moving fast — sometimes too fast. In just a few years we’ve seen the NIS2 Directive, DORA, and the Cyber Resilience Act. Each one adds complexity, and organisations often struggle to comply when rules overlap or contradict each other. To manage this, organisations need resources to have people implement risk management measures, while member states also need to enforce the directives, which is not always effective.” 

Andy Rupp: “And companies are ready to take advantage of that. Even when the rules are clear, there’s still a gap between regulation and implementation. Companies will often do the minimum required to comply, not the maximum possible to protect. Without incentives, or proper enforcement, advanced privacy-preserving tools never make it into practice.” 

Vincent Lenders: “That’s an important point. Regulation alone doesn’t secure systems; it has to be practical and aligned with how infrastructure operates. In my discussions with energy companies I have been told about a contradiction here. On the one hand there is a requirement to certify the software running critical systems, but on the other hand strong cybersecurity requires immediate updates to prevent attackers from exploiting vulnerabilities. You can’t certify a software update every day though, so this puts the operators in a contradictory position.”

Niovi Vavoula: “Which is why we need lawmakers and engineers in constant dialogue. Otherwise, the law becomes outdated before it’s even enforced.” 

Takeaway: There is still a mismatch between regulation and the realities of the technology at stake. Fixing this is the key to Europe’s resilience. 

Niovi Vavoula: “Liability is a complex ecosystem. On one hand, we have the criminal liability of attackers — the perpetrators of cyber incidents. But on the other, organisations themselves can be held responsible if they fail to implement adequate cybersecurity measures or to report incidents in time. The legal framework has become far more concrete, mirroring the logic of data protection under the GDPR.” 

Vincent Lenders: “The real challenge is how that plays out in practice. When an organisation is attacked, we see too often that their immediate reaction is to call it a ‘sophisticated’ attack. If it’s considered sophisticated, they’re not held liable. But sometimes, those so-called advanced attacks are things a well-trained student could have prevented. We need to look more closely at whether an incident was truly unavoidable, and when it was just poor preparation.” 

Niovi Vavoula: “And for the first time, managers themselves are being held accountable. For example, under the NIS2 Directive, managers can face personal sanctions, even temporary suspension, for non-compliance. It’s a major cultural shift. We’re moving toward a world where cybersecurity isn’t just a technical or organisational issue, it’s a question of governance.” 

Andy Rupp: “Of course, with this growing accountability, students looking to study cybersecurity might feel this legal pressure. But I tell my students that if you understand the fundamentals and follow best practice, you have nothing to fear. In our master’s programme, we train them to think critically and act responsibly, not just to tick compliance boxes. Liability shouldn’t be a source of stress; it’s a reminder of the trust society places in cybersecurity professionals. With the right preparation, that responsibility becomes empowering rather than intimidating.”

Did you know?
The new regulatory landscape doesn’t simply punish negligence, it demands proof of vigilance. As technology and law continue to evolve, accountability will no longer be reactive; it will become a built-in part of digital governance, shaping how systems are designed, managed, and used across society. 

Andy Rupp: “Cybersecurity has outgrown traditional computer science. That’s why we created a dedicated master’s programme combining technical foundations with policy and ethics. Students need to understand the systems — but also the context in which they operate.” 

Vincent Lenders: “And it’s not just about university students. Everyone needs some cyber awareness now, even children. They’re online before they can read. We need to teach security as a life skill, not just a professional one. We can do this by inviting youth to engage with our work and experience the domain hands-on.” 

Niovi Vavoula: “Yes, I completely agree that universities should build bridges with society. We can be a central cog in the machinery that promotes cybersecurity preparedness. It’s not enough to educate future engineers; we also have to work with civil society, NGOs, and public organisations. Cybersecurity impacts all sectors, and exists for all professionals, not just people in IT teams. Protecting people online is just as vital as protecting data or infrastructure.” 

Andy Rupp: “That’s where collaboration helps. For example, our work with industry partners gives students real-world insight. They see what cyber risk looks like outside the classroom.” 

Vincent Lenders: “And it motivates them. When you show students how their field of study can protect hospitals or energy systems, cybersecurity becomes more than a technical exercise, it brings it close to home.” 

Take action now: Consider cybersecurity skill development a priority. Take courses offered by your workplace, and include it in conversations. Whether parenting young children, teaching, or practising a profession, digital literacy must become a natural skill for all Europeans.

A wish for 2030

When imagining a fictitious future where any solution is possible, the professors wished for:

“A digital world without exploitable software vulnerabilities.”
Vincent Lenders

“Laws that make advanced privacy-enhancing technologies the default, not the exception.”
Andy Rupp

“A regulatory framework that’s coherent, clear, and futureproof.”
Niovi Vavoula

Whatever the future holds, it is clear that cybersecurity is not a single-discipline field. It demands cooperation and a holistic approach. The University of Luxembourg is a part of that ecosystem; as graduates become practitioners, researchers discover innovative solutions to the critical risks we are facing, and professors educate the next generation while guiding both public and private institutions towards the future. Everyone, from professionals at work to children in classrooms, to private citizens from all walks of life, plays an essential role. 

More about our experts

  • Prof Vincent LENDERS
    SNT
    Full professor in Cybersecurity
  • Assoc. Prof Niovi VAVOULA
    FDEF
    Associate professor in Cyber Policy, Chair in Cyber Policy
  • Dr. Andy RUPP
    FSTM
    Research scientist

Prof. Vincent Lenders holds the FNR PEARL Chair in Cybersecurity, and leads the Systems and Network Security group at the University of Luxembourg’s Interdisciplinary Centre for Security, Reliability and Trust (SnT). His research group is focused on securing critical infrastructures against cyber threats. 

Prof. Niovi Vavoula holds the Chair in Cyber Policy at the Faculty of Law, Economics and Finance (FDEF). Her work examines how European legislation can adapt to new technologies and how to make regulation both coherent and enforceable. 

Prof. Andy Rupp is co-director of the University’s Master in Cybersecurity and Cyber Defence and head of the Cryptographic Protocols group at the Faculty of Science, Technology and Medicine (FSTM). His research explores privacy-enhancing technologies and practical cryptography. 
