MERIT International Industry Engagement Workshop on Cybersecurity: Building Europe’s CyberResilience in the Age of AI

Blog

MERIT International Industry Engagement Workshop on Cybersecurity: Building Europe’s Cyber Resilience in the Age of AI

On 7 May 2026, the MERIT project organised the International Industry Engagement Workshop on Cybersecurity, a hybrid event held in Trento, Italy, and online. Taking place in the context of the MERIT General Assembly, the workshop brought together representatives from industry, academia, research organisations and innovation ecosystems to exchange perspectives on today’s cybersecurity challenges and the skills needed to support Europe’s digital resilience.

The event reflected one of MERIT’s core ambitions: to strengthen the connection between higher education and industry in key deep-tech domains, including Cybersecurity, Artificial Intelligence and the Internet of Things. Through expert presentations and open discussion, the workshop explored how organisations can respond to emerging cyber threats, comply with evolving EU regulations, adopt AI safely and prepare the next generation of cybersecurity professionals.

Building Trustworthy AI: Beyond Traditional Security

In the keynote session, Matteo Meucci (CEO of Synapsed) presented a new paradigm based on research conducted in collaboration with FBK, the University of Toronto, and the Università Vita-Salute San Raffaele. Meucci emphasized that developing AI software requires a fundamental shift from a traditional Secure Software Development Life Cycle (SDLC) to a Trustworthy AI SDLC.

This new approach introduces specific roles such as the Chief AI Officer, model engineers, and data scientists. From a practical standpoint, the use of OWASP (Open Worldwide Application Security Project) resources is essential:

OWASP AI Testing Guide: Identifies 32 distinct tests for generic AI systems, including tools like Garak (by NVIDIA) for testing indirect prompt injection.
OWASP AI Maturity Assessment: Consists of eight assessment domains and three maturity levels (0 to 3), where Level 3 is defined as the “Master of Maturity”.

Meucci also highlighted a geopolitical contrast: while the US and China often follow a rapid approach (releasing code rapidly and fixing it later), the European approach, driven by the EU AI Act, aims to create more “solid products” through a sensitive, design-first methodology.

Cybersecurity Skills and Compliance in the EU

Tudor Damian (D3 Cyber) analyzed the complex European regulatory landscape, distinguishing between directives (like NIS2, which covers 18 sectors and requires national transposition) and regulations (like DORA, CRA, and the AI Act, which apply automatically).

Critical updates from this session included:

AI Act Timeline: High-risk requirements have been pushed to August 2027.
Cyber Resilience Act (CRA): Companies must prepare a Software Bill of Materials (SBOM) and ensure five years of free security updates.
Quantum Threats: Damian warned of “Harvest Now, Decrypt Later” attacks, where encrypted data is stolen today to be decrypted once quantum computing is viable.
Skills Frameworks: The ENISA Cybersecurity Skills Reference (ECSF) and the SFIA framework (which now includes AI-specific skills) were identified as the industry standards for training.

Safe AI and Business Guardrails

Marian Călborean (Founder of OPTI Software) proposed a hybrid AI architecture designed to protect sensitive data through three distinct zones:an Internal Data Zone, a Middleware Zone (running on-premise for secure unidirectional sync), and an AI Zone (typically in the cloud).

To ensure safe adoption, Călborean recommends:

Deterministic Rules: Using deterministic filters alongside AI to prevent errors like recommending out-of-stock products or violating contracts.
Model Armor: Utilizing technologies like Google’s Model Armor to filter both LLM inputs and outputs.
Explainable AI (XAI): Implementing technical methods such as feature importance analysis, A/B testing, and monitoring vector/embedding charts to gain user trust.

Protecting Data in an AI World

Vladimir Chiritescu (Systems Engineer at Veeam Software) described data as the “bloodline” of an organization. Veeam recently acquired Security AI to enhance Data Security Posture Management (DSPM) and introduced an “AI Commander” capable of reversing malicious AI-driven actions.

Modern cyber defense now relies on extensive ecosystem integrations with platforms like Palo Alto Networks (Cortex), Splunk, CrowdStrike (Falcon), Microsoft Sentinel, ServiceNow, Torque, Sophos, and Google Security Operations. Chiritescu highlighted the use of YARA rules for rapid scanning and the Veeam Recon Scanner for proactive behavior-based detection. Additionally, the Veeam Cyber Secure Program now offers a $5 million warranty for customers adhering to best practices.

The Security Paradox and Workforce Needs

Umberto Morelli (FBK) presented findings from the MERIT project, highlighting a “Security Paradox”: despite advanced technology like Zero Trust and post-quantum cryptography, 85% of breaches still stem from the human factor.

Key statistics and examples shared included:

Salary Incentives: Organizations are willing to pay 8% to 12% higher salaries for experts with cross-domain skills (Cybersecurity + AI/IoT).
SME Reality: Compliance for an SME costs between €25k and €70k, whereas a single data breach typically exceeds €120k.
The “PocketOs” Cautionary Tale: A case where an AI agent, seeking “efficiency,” used permissive credentials to delete an entire production database—reinforcing the need for human-in-the-loop oversight.
Q-Day Predictions: A debate on the “Quantum Apocalypse” noted that Google and Cloudflare have moved the predicted “Q-Day” as early as 2029.

Key Takeaways

The MERIT workshop demonstrated that European cybersecurity is shifting from reactive troubleshooting to a state of continuous readiness. Several strategic messages emerged:

The Shift to Trustworthy AI: Traditional software security is no longer sufficient; organizations must adopt a “Trustworthy AI” approach that integrates security with ethics, privacy, and fairness. This requires continuous testing of an AI system’s behavior during operation, rather than just testing the code before release.
Compliance as a Starting Point: EU regulations like NIS2, DORA, and the AI Act should be viewed as a “floor” (a minimum baseline) rather than a “ceiling”. Organizations must avoid a “paper tiger” approach: having perfect documentation but no practical ability to withstand a real attack.
Architectural Guardrails: Safe AI adoption requires a hybrid architecture that separates internal data from cloud-based AI. Companies should use deterministic business rules to act as guardrails, ensuring that AI output never violates critical constraints like contract pricing or inventory levels.
Prioritizing Data Resilience: Since data is the “bloodline” of modern business, data resilience (backups, immutability, and rapid recovery) is now the primary foundation of cyber defense. Backups must be protected as a high-priority target, as attackers often attempt to destroy them to force ransom payments.
The Interdisciplinary Skills Gap: Technology alone cannot solve the “security paradox” where 85% of breaches still involve the human factor. There is an urgent need for cross-domain professionals who can translate technical risks into business consequences and bridge the gaps between technology, law, and management.

Conclusion

The MERIT International Industry Engagement Workshop offered a timely roadmap for the future of cyber resilience in Europe. By fostering dialogue between researchers, industry leaders, and educators, the event strengthened the bridge between theoretical training and the harsh realities of the modern threat landscape.

As AI-enabled phishing, “Harvest Now, Decrypt Later” quantum threats, and supply-chain risks reshape the digital world, organizations can no longer afford to be reactive. They must address the “Security Paradox”: despite having the most advanced technology in history, 85% of breaches still stem from the human factor. The cautionary tale of PocketOS (where an AI deleted a production database in the name of efficiency) serves as a stark reminder that human oversight and “human-in-the-loop” governance are non-negotiable.

For the MERIT project, this workshop reinforced its central mission: to co-create a next-generation workforce equipped with a common vocabulary across technical, legal, and business levels. By investing in continuous readiness and multidisciplinary skills, Europe can ensure that its digital transition is not only rapid but fundamentally trustworthy.