Forrester’s Technology & Innovation Summit EMEA 2025 brought together over 400 of Europe’s most forward-thinking technology leaders from 28 countries, as well as Forrester analysts who collectively travelled 44,750 kms. At a time when innovation feels as exhilarating as it is exhausting — in an era defined by AI-led disruption, economic volatility, and rising regulatory pressure — the mood in London was one of cautious confidence. While other global events dazzle with spectacle, Forrester’s T&I Summit stayed true to its pragmatism and structure, remaining sharply focused on accelerating the right kind of progress where ethics, transparency, and trust enable sustainable innovation at scale. The companies that thrive won’t be those moving fastest, but those moving wisely by balancing experimentation with accountability.
The overarching theme, “Mastering Tech Mayhem,” resonated throughout the sessions. As the summit unfolded, one thing became clear: Yesterday’s unlikely fears, uncertainties, and doubts have morphed into today’s chaotic reality — geopolitical strife, tariffs, trade wars, regulatory hurdles, and AI dominate public discourse. The security and risk track deconstructed and anticipated current and emerging risks; how to address digital sovereignty, AI, and other regulatory complexities head on; and how to act decisively to secure your organization. It highlighted the importance of building a security and risk culture that unites stakeholders, who can respond to challenges together with a steady hand. To truly meet your innovation needs, move beyond speed and scale to resilience. Security, risk and tech leaders learned that:
Cybersecurity threats in 2025 and beyond require preparation and a steady hand. We paused and deconstructed 2025’s cybersecurity landscape. AI — predictive, generative, and agentic — is rewriting the rulebook. Societal, economic, and technological uncertainty adds to the complexity. Insider risk is rising as workforce stress leads to unexpected behavior. Deepfakes have surged, with a 1500% increase in parts of Europe due to AI breaking language barriers for both defenders and attackers, as well as the fact that deepfakes are now used to bypass biometrics. Our CISO guest speakers, Nick Jones and Simon Strickland, highlighted how to prepare and respond to this landscape — through an elevated focus on human risk management, insider risk programs, and deepfake detection and defense. We were reminded of the criticality of human skills: negotiation, influence, and personal resilience.
Innovation without ethics is short-lived. Compliance is essential for trustworthy AI, but it’s only the first step. Frameworks, such as Forrester’s Enterprise Agentic Guardrails for Information Security (AEGIS), help security and tech leaders design, govern, and manage AI agents and their infrastructure. Forrester’s Minimum Viable Sovereignty (MVS) provides a pragmatic, risk-based approach that balances budgets, business goals, and legal compliance to tackle AI sovereignty. Remember — even the most advanced technology is useless without trust. A sound approach to trustworthy AI considers customer trust attitudes, which is shaped by expectations and risk perception. Adopt responsible AI frameworks that strengthen accountability for AI initiatives; align AI systems with business intent, values, and goals; and design cognitive empathy in your AI systems.
Reducing your risk means you have to think like an attacker. Security and tech leaders face a reshaped landscape of AI, automation, and regulation. They must evolve from compliance-driven testing to adversary-driven readiness — defenses that reflect how real attackers operate. Amidst this chaos, leaders need to urgently consider the threat actors’ three fundamental objectives: to modify, destroy or steal data. To defend against these objectives, you’ll need to distill meaningful behavioral patterns from background data clutter, using active hunting of your technology ecosystem as an intelligence source. S&R pros should actively perform structured security assessments, such as red and purple teaming, reducing uncertainty through preparation and continuous testing.
Digital sovereignty is moving from a data protection to a business continuity issue. Once an extension to GDPR and privacy concerns, digital sovereignty is now a theme that’s top of mind for CIOs, CISOs, and every tech leader in EMEA. Organizations worry about their digital sovereignty posture with regard to risks like the “kill switch” and broader dependencies on foreign jurisdictions through their vendors and service providers. Tech leaders want to know the perils they haven’t even thought about, and how to protect their IT stack without bleeding out their budgets. To do this successfully, take a deep breath and don’t let gut feelings influence your sovereignty strategy. And don’t try to boil the ocean — work towards achieving MVS.
Maturity assessments must incorporate risk quantification. Maturity assessments aren’t a new topic in cybersecurity — they’ve been utilized by security organizations for over twenty years. Clients use them to measure the maturity of their capabilities, and while helpful, they don’t answer a fundamental question: “What cybersecurity investments should I prioritize to maximize my risk reduction outcomes?” The “Mature and Justify Your Security Program” presentation outlined that maturity assessments alone aren’t enough, and risk quantification can add a whole new dimension to a classic recipe, as firms like Netflix have found. For organizations approaching a defined maturity level, using risk quantification helps with many of the limitations of maturity assessments by adding how maturity improvements link to financial risk reduction outcomes.
Your security organization structure must be adaptive. The structure of your security organization defines your team’s agility, influence, and business value. Once a subset of IT, cybersecurity is now a strategic driver of growth and trust. With AI reshaping risks and roles, structure matters more than ever. Organizations typically follow five archetypes — centralized, federated, oversight-driven, business, or product-centric — each with unique strengths and trade-offs. CISOs should design deliberately to align security with business ambition. AI accelerates this evolution, introducing governance leads, automated operations, and adaptive roles. Tech leaders should consider that the challenge isn’t choosing a model but instead creating one that evolves with ambition, technology, and regulation. To be successful, security structures must be dynamic, giving you the ability to spin up new teams without a full overhaul.
We remain deeply dedicated to our clients, research, and shared mission. Together with our global security & risk colleagues, we look forward to supporting you across the focus areas above. For questions concerning topics in this blog, please connect with our experts — Jinan Budge, Paul McKay, Tope Olufon, Enza Iannopollo, Dario Maisto, and Madelein van der Hout — either through an inquiry or guidance session.
