It is just past 11.30am and the usual EU-bubble crowd has yet to stir for lunch. Even the Northerners are not eating this early. Most restaurants are only starting to set up, but at LYN, a Lebanese spot opposite the European Parliament, the buffet is already prepared gleaming under the lights of an otherwise quiet room. I arrive early and take a table by the window.  In Brussels, a place serving before noon is a rarity, unless one fancies an avocado toast.

Luca Tagliaretti, Executive Director of the European Cybersecurity Competence Centre (ECCC), joins me soon after, having managed to carve out a short hour from a busy schedule. Based in Bucharest since 2024, he leads one of the EU’s newest agencies, created to turn cybersecurity policy into practice: investment, projects and cross-border hubs. “Our role is to make Europe more cyber-resilient, to move from research to real-world impact.”

The mission suits his pragmatic streak. Before the ECCC, Tagliaretti was an engineer at the European Central Bank, working on anti-counterfeiting technologies, and later Deputy Director and Interim Executive Director at eu-LISA, the EU agency responsible for managing the large-scale IT systems that underpin the bloc’s Justice and Home Affairs. “People think Brussels only regulates,” he says with a smile. “But we also build.”

As we help ourselves to the buffet, Tagliaretti explains the agency’s mission: to make cybersecurity part of Europe’s industrial backbone rather than a compliance burden. “We were created to close the gap between policy and practice,” he says. “We help set the strategy with insights from the ground, fund projects and bring together thousands of companies and institutions across the Union.” The challenge, he adds, is one of scale and speed. Europe’s ambitions in cybersecurity are growing quickly, and the ECCC’s role is to turn them into practical results. Tagliaretti speaks quickly, toggling between acronyms and examples, but his point is clear. “We’re a small agency with a big mandate,” he says, acknowledging that cybersecurity often evolves faster than the agency’s own funding cycles. Still, his outlook is far from the pessimism that sometimes surrounds Brussels. “You can’t just complain that things are slow,” he adds. “You must find the places where you can move.”

It is an engineer’s way of thinking: treating bureaucracy as something to debug rather than endure. Tagliaretti sees regulation and innovation not as opposing forces but as two parts of the same system. “Europe’s strength has always been in setting standards,” he argues. “That’s not a weakness. The rules we make here often shape the global market.” He adds: “I don’t agree that regulation kills innovation. Facebook, Apple, TikTok… None of these emerged because there was ‘no regulation’. Innovation comes from ideas and ambition, not the absence of rules.” For him, AI illustrates the point: a technology to be guided, not feared. “We look at AI as a tool for resilience,” he says. “It should simplify, not complicate.”

The real challenge for Europe when it comes to AI innovation, Tagliaretti argues, is not creativity but access to capital. “In the US, government agencies invest directly in start-ups,” he says. “They spot promising technologies early, especially those linked to defence or security.” Europe, by contrast, lacks the same risk appetite and concentration of investors. “We do not yet have those clusters where people move from one company to another, sharing ideas and experience,” he adds. That, he says, must change. “We should be able to look for champions, to support them early,” he continues. “That is how you actually build ecosystems.”

He finishes his soup, turning to the falafel and salad on his plate, while considering Europe’s broader place in the digital world. For Tagliaretti, questions of AI innovation and investment inevitably lead to sovereignty, which to him means the ability to make and secure Europe’s own technology. “Digital sovereignty is not about isolation,” he says. “It is about control over technology, supply chains and the data that underpins modern life.” All ECCC funding, he explains, goes to European companies. “We want to nurture local expertise and keep the knowledge here.” 

The aim is not to compete head-to-head with the US or China, but to strengthen Europe’s own ecosystem. “The competition in AI is not over,” he says. “But we must play our own game, with our own values.” What Europe does well, he adds, is cooperation, an advantage often overlooked. “Our superpower is the community: the ability to share knowledge across borders.” That instinct for collaboration, he argues, is what turns regulation into leverage. “GDPR did not kill innovation,” he says. “It created a new market for privacy technologies.”

Talk of sovereignty soon leads to people and to the skills Europe will need to sustain its ambitions. The much-cited “cybersecurity talent gap” does not worry Tagliaretti so much as it makes him skeptical. “The gap is real,” he says, “but not in the way people think. I do not see hundreds of thousands of cybersecurity job ads. The real issue here is awareness: many organisations still do not realise they need these people, and so they are not even looking for them.” Too often companies only invest in security after something goes wrong. “It is still seen as a cost, not a necessity and a strategic advantage,” he says. “Prevention does not make headlines, but recovery does.” AI, he believes, may help shift that mindset by taking on routine technical work and showing the value of skilled oversight. “AI will automate the basics,” he says, “but we will still need people who can make sense of what it finds, who understand the context.”

Within the ECCC itself, experiments with AI are still modest. ““We have tested internally a few of the tools provided by the JRC and the Commission,” he explains, “mainly to support analysis, but it is early days.” The Centre is also supporting and funding AI-driven systems to improve cyber threat detection and coordination between national and cross-border hubs. “It is not yet transformative,” he admits, “but it is a start: we need to understand how these tools work before we can help others use them safely.”

By now the restaurant has filled. Tagliaretti glances at his watch; the second lunch appointment is already waiting somewhere across town. Before leaving, he lays out his benchmark for the future: “If in five years, in the AI debate, we are no longer talking about dependency and threat but about growth and opportunities, then I will know we have succeeded.” 

The  AI over Lunch interview series is a project part of Virtual Routes’ AI-Cyber Research and Policy Hub. If you would like to sponsor this series, please reach out to

hu*@vi************.org











.

Have someone in mind we should interview? We’re happy to hear your suggestions!