By Ieva Ilves

This article continues the series launched at the Munich Security Conference in February 2026. The Prague discussion was co-hosted by Trusted Future and Ilvesa Foundation on the margins of GlobSec Forum 2026.

Photo: Courtesy of GlobSec Forum 2026

Cybersecurity rarely earns center stage at foreign and security policy forums. It weaves through every discussion: infrastructure resilience, economic security, military readiness, and yet tends to stay in the background, visible mainly when something breaks.

Earlier this year, we convened a group on the sidelines of the Munich Security Conference where the focus was on the compliance trap: the growing paradox of rising cybersecurity investment producing not better security but better documentation. What the discussion in Munich left open was where to go from there. This month at the GlobSec Forum in Prague we found a partial answer: to develop an informal exchange of what works and what doesn’t among cyber security practitioners.

One pattern that repeated across the official program is worth noting: the difficulty of moving beyond process in formal settings. Much of the public debate focused on how Europe can optimize its existing frameworks. The questions around operational capability, how to defend digital infrastructure, what needs to change to get stronger, emerged mainly toward the end.

GlobSec convened shortly after Anthropic’s Project GlassWing and the Claude Mythos model had moved through the security community. In public sessions, it was largely absent from the agenda but inn corridors and closed-door settings, it was present in almost every conversation. Europe’s limited access was accepted by most as a rational outcome: legal uncertainty around dual-use AI, no real EU-level technical evaluation capacity, and a technology stack dominated by US companies who are part of the GlassWing project. There was also concern about GlassWing participation being used as a competitive differentiator. The view expressed was that networks built on shared operational trust should not become commercial assets. This is where informal and open-minded conversations among trusted experts proved their value.

From Operations to Outcome

The conversation in Prague identified that today, operational decisions are being made by practitioners working without adequate guidance. Decisions about supply chain security, pen testing legality under AI, open source vulnerabilities, and human-in-the-loop requirements are all being addressed by private sector and government actors alike. But the regulatory cycles are not keeping pace with the developments in technology and their applications in the real world. One participant framed a way to rethink the ambition entirely: what is needed is not optimization of existing frameworks but a different scale of US-Europe collaboration on capability, a mobilization rather than a process improvement.

Another important point that arose in the conversation is the pressure that small and medium enterprises (SMEs) are under as they seek to balance innovation and security. Many SMEs are citing cybersecurity concerns as a reason to resist or slow AI adoption. However, the argument made by cyber security practitioners was practical and instructive: organizations that avoid AI out of security fears are not safer, they are simply less capable, while adversaries adopt without hesitation. The goal should be to help organizations use AI safely, not to treat security as an argument against adoption.

The question of roles came up more than once. What can governments do in cybersecurity, and what falls to industry? The blurring of those responsibilities has created accountability gaps that regulation has not closed. Expectations of industry have expanded without a corresponding expansion of government capacity to support or verify.

The call for “cybersecurity by code” reflects an ambition that has been circulating for years: embedding security into system architecture rather than adding compliance layers afterward. It has not yet produced a framework with sufficient operational specificity.

The EU’s Sovereignty Tech package was flagged as worth examining from an operational angle. The strategic logic behind reducing dependence on non-European technology is clear. Whether the implementation strengthens or complicates actual security is a question that deserves more scrutiny in practitioner settings than it has received so far.

Informal Exchange as an Avenue

In many ways, the conversations that matter most in cybersecurity are increasingly happening outside formal sessions: in corridors, over breakfast tables, in rooms without official records. This may be due to a number of factors, most notably the fast pace at which real world developments are taking place. This is reflective of the field more broadly, we need to be nimble and adaptive with a focus on the results rather than formalities.

The series that began in Munich and continued in Prague is one version of that idea. A small senior group, off the record, a consistent question across sessions: what is working, what is failing, what is AI changing about both, and a short published output that tries to carry a position rather than a summary. Less talk. More security.

The discussion was held under the Chatham House Rule. This article reflects the authors’ own assessment and does not attribute specific views to individual participants.