Forrester’s Technology & Innovation Summit EMEA 2025 brought together over 400 of Europe’s most forward-thinking technology leaders from 28 countries, as well as Forrester analysts who collectively traveled 44,750 kilometers. At a time when innovation feels as exhilarating as it is exhausting — in an era defined by AI-led disruption, economic volatility, and rising regulatory pressure — the mood in London was one of cautious confidence. While other global events dazzle with spectacle, Technology & Innovation Summit EMEA stayed true to its pragmatism and structure, remaining sharply focused on accelerating meaningful progress — with ethics, transparency, and trust enabling sustainable innovation at scale. The companies that thrive won’t be those moving the fastest but those that are moving wisely by balancing experimentation with accountability.

The overarching theme, “Mastering Tech Mayhem,” resonated throughout the sessions. As the summit unfolded, one thing became clear: Yesterday’s unlikely fears, uncertainties, and doubts have morphed into today’s chaotic reality — geopolitical strife, tariffs, trade wars, regulatory hurdles, and AI dominate public discourse. The security and risk track deconstructed and anticipated current and emerging risks; how to address digital sovereignty, AI, and other regulatory complexities head-on; and how to act decisively to secure your organization. It highlighted the importance of building a security and risk culture that unites stakeholders, who can respond to challenges collectively and with a steady hand. To truly meet your innovation needs, move beyond speed and scale to resilience. Security, risk and tech leaders learned that:

  • Cybersecurity threats in 2025 and beyond require preparation and a steady hand. We paused and deconstructed 2025’s cybersecurity landscape. AI — predictive, generative, and agentic — is rewriting the rulebook. Societal, economic, and technological uncertainty adds to the complexity. Insider risk is rising as workforce stress leads to unexpected behavior. Deepfakes have surged, with a 1,500% increase in parts of Europe due to AI breaking language barriers for both defenders and attackers, as well as the fact that deepfakes are increasingly being used to bypass biometric security measures. Our CISO guest speakers, Nick Jones and Simon Strickland, highlighted how to prepare and respond to this landscape — through an elevated focus on human risk management, insider risk programs, and deepfake detection and defense. We were reminded of the criticality of human skills: negotiation, influence, and personal resilience.
  • Innovation without ethics is short-lived. Compliance is essential for trustworthy AI, but it’s only the first step. Frameworks such as Forrester’s new Agentic AI Guardrails For Information Security (AEGIS) framework help security and tech leaders design, govern, and manage AI agents and their infrastructure. Minimum viable sovereignty (MVS) provides a pragmatic, risk-based approach that balances budgets, business goals, and legal compliance to tackle AI sovereignty. Remember that even the most advanced technology is useless without trust. A sound approach to trustworthy AI considers customer trust attitudes, which are shaped by expectations and risk perception. Adopt responsible AI frameworks that strengthen accountability for AI initiatives; align AI systems with business intent, values, and goals; and embed cognitive empathy in your AI systems.
  • Reducing your risk means that you have to think like an attacker. Security and tech leaders face a reshaped landscape of AI, automation, and regulation. They must evolve from compliance-driven testing to adversary-driven readiness — defenses that reflect how real attackers operate. Amid this chaos, leaders must urgently consider the three fundamental objectives of threat actors: to modify, destroy, or steal data. To defend against these objectives, you’ll need to distill meaningful behavioral patterns from background data clutter, using active hunting of your technology ecosystem as an intelligence source. Security and risk pros should actively perform structured security assessments such as red- and purple-teaming, reducing uncertainty through preparation and continuous testing.
  • Digital sovereignty is moving from a data protection to a business continuity issue. Once an extension of GDPR and privacy concerns, digital sovereignty is now a theme that’s top of mind for CIOs, CISOs, and every tech leader in EMEA. Organizations worry about their digital sovereignty posture with regard to risks such as the “kill switch” and broader dependencies on foreign jurisdictions through their vendors and service providers. Tech leaders want to know the perils they haven’t even thought about and how to protect their IT stack without bleeding out their budgets. To do this successfully, take a deep breath and don’t let gut feelings influence your sovereignty strategy. Don’t try to boil the ocean — work toward achieving MVS.
  • Maturity assessments must incorporate risk quantification. Maturity assessments aren’t a new topic in cybersecurity — they’ve been utilized by security organizations for over 20 years. Clients use them to measure the maturity of their capabilities, and while helpful, they don’t answer a fundamental question: “Which cybersecurity investments should I prioritize to maximize risk reduction?” The “Mature And Justify Your Security Program” presentation outlined that maturity assessments alone aren’t enough and that risk quantification can add a whole new dimension to a classic recipe, as firms such as Netflix have found. For organizations approaching a defined maturity level, using risk quantification helps with many of the limitations of maturity assessments by adding how maturity improvements link to financial risk reduction outcomes.
  • Your security organization structure must be adaptive. The structure of your security organization defines your team’s agility, influence, and business value. Once a subset of IT, cybersecurity is now a strategic driver of growth and trust. With AI reshaping risks and roles, structure matters more than ever. Organizations typically follow five archetypes — centralized, federated, oversight-driven, business-centric, or product-centric — each with unique strengths and trade-offs. CISOs should design deliberately to align security with business ambition. AI accelerates this evolution, introducing governance leads, automated operations, and adaptive roles. Tech leaders should consider that the challenge isn’t choosing a model but instead creating one that evolves with ambition, technology, and regulation. To be successful, security structures must be dynamic, giving you the ability to spin up new teams without a full overhaul.

We remain deeply dedicated to our clients, research, and shared mission. Together with our global security and risk colleagues, we look forward to supporting you across the focus areas above. For questions concerning topics in this blog, please connect with our experts — Jinan BudgePaul McKay, Tope OlufonEnza Iannopollo, Dario Maisto, and Madelein van der Hout — either through an inquiry or guidance session.