Lunch at Le Tournant, in Brussels’ neighbourhood Matonge, is quiet today. Only a few tables are occupied, a welcome pause from the EU Bubble’s constant buzz. The lunch menu offers several options, but today’s guest and I both settle on the same dish: boeuf au cidre, with chestnut cream, purée and vegetables to start. 

Our guest is Roberto Cascella, Chief Technology Officer at the European Cyber Security Organisation (ECSO), a public-private federation that brings together industry, researchers and public institutions to strengthen Europe’s cybersecurity ecosystem. As the plates of slow-cooked beef arrive, Cascella reflects on cybersecurity as a discipline shaped more by time rather than speed. “You do need to move quickly,” he explains, “but if you rush without a strategy, you usually miss what actually matters.”

His perspective is rooted in experience. Before joining ECSO, Cascella trained as an engineer. He began his career in academic research, where he focused on trust and reputation mechanisms in distributed computer systems. “I started with trust in distributed systems,” he says. “Now I work on trust at European scale.” Long before cybersecurity became a policy concern, he was studying how complex systems behave over time, and what happens when trust is assumed rather than built.

That early focus took him from Italy to France, where he moved through research environments at a moment when cloud computing was still largely experimental and questions of digital sovereignty had yet to enter the debate. His work centred on network measurement cloud federation projects, connecting infrastructures and services that were never designed to work together. “At the time, we were talking about interoperability, standards and portability,” he recalls. “We were solving technical problems. The political language came much later.”

When ECSO was created in 2016, Cascella joined at its outset, drawn by the idea of formalising cooperation between industry, researchers and public institutions. The move marked a shift in setting rather than in substance. “I did not move away from technology,” he says. “The technology moved into policy.” From Brussels, he found himself working on the same questions he had grappled with in research, only now at European scale, and with consequences that extended beyond laboratories and pilot projects.

Over time, his role within ECSO expanded, but it consistently covered some of the organisation’s most technical work. As CTO, Cascella oversees discussions on certification, supply chains and research priorities, areas where technical choices made today often become regulatory requirements years later. “These debates do not start when the law appears,” he says. “They start much earlier, when the technology is still being shaped.”

That sense of continuity has been tested in recent years, as the pace of technological change has accelerated. AI, in particular, has compressed timelines that once stretched over decades into a matter of months. Cascella does not dismiss its significance, but he is wary of the expectations that surround it. “The real challenge is not developing new tools. It is to make sure they are actually used properly.” AI systems are increasingly sophisticated and widely available, yet many organisations struggle to integrate them in any meaningful way. “You can buy an AI-powered solution very easily,” he says. “What is much harder is knowing how to use it, how to integrate it, and how to adapt it to your own environment.”

That gap, he argues, has to do with organisational readiness. Effective use of AI in cybersecurity depends on data governance, internal processes and skills that cannot be acquired overnight. “If you do not change the way an organisation works,” he explains, “the technology just gets stuck.” In practice, the same tool can produce radically different results depending on whether it is embedded in a system designed to learn and adapt, or simply added on top of existing structures in the hope of quick gains.

The disparity in that readiness is particularly visible among smaller organisations. Large companies may have dedicated teams, the resources to experiment and the capacity to adapt internal processes. Many smaller firms do not. They tend to adopt AI-driven security tools off the shelf, often without the time or expertise to understand how they work or how they should be tuned. “The same solution can look very powerful on paper, but if you do not have the structure around it, you will not get the benefit.” In those cases, AI risks becoming another layer of complexity rather than a source of resilience. Much of the problem gravitates towards skills shortages. The issue, Cascella argues, is not necessarily about hiring new people. “It is also about training the people already inside the organisation, and making sure the roles and skills actually match what the organisation needs.” Training existing staff, redesigning roles and aligning skills with real operational needs may matter more than simply hiring specialists. Without that groundwork, even the most advanced tools struggle to find their place.

The uneven distribution of organisational readiness mirrors a broader European pattern. Across sectors and Member States, levels of AI maturity vary widely, shaped by regulation, resources and national priorities. Cascella does not frame this as a failure, but as a structural reality. Coordination, he argues, matters more than technological leadership alone. Joint actions are essential to bring together Europe’s diverse capabilities, and doing so can become a genuine strategic advantage while strengthening resilience. “Not every country or organisation needs to be good at everything,” he says. “What matters is understanding where the strengths are, and how to link them.” In cybersecurity, where supply chains are long and interdependent, failing to build those connections can make fragmentation as much a risk as any technical vulnerability, weakening resilience across the chain.

For Cascella, this is where public–private cooperation becomes an operational requirement. Neither side, he argues, can address the challenges posed by AI in cybersecurity on its own. Governments may set frameworks and fund research, but they do not build or deploy most of the systems shaping Europe’s digital infrastructure. Industry, meanwhile, moves faster, but often without a clear view of regulatory expectations or longer-term societal risks. “The private sector alone cannot solve this,” he says. “The public sector alone cannot either.” Both funding and sustained dialogue matter: sharing priorities early, understanding constraints on both sides, and aligning innovation with real-world deployment. In cybersecurity, where AI-driven tools increasingly depend on shared data, standards and trust, that cooperation determines whether innovation scales responsibly or fragments further. Dessert arrives, chocolate mousse for me and chocolate cake for him, without breaking the thread of the conversation.

As AI systems become embedded in critical digital functions, Cascella notes, questions of sovereignty become more prominent. He is cautious: sovereignty, in his view, is not about technological isolation or self-sufficiency at any cost, but about understanding exposure, managing risk and integrating strategic foresight into innovation decisions. “Technology choices today are no longer just technical choices,” he says. “Decisions about where data is processed, who controls infrastructure, and which AI systems are relied upon carry legal, economic and geopolitical implications alongside security ones.” In cybersecurity, this comes down to dependencies that need to be understood in advance, rather than discovered when something fails. Anticipating those weak points is central to building long‑term resilience.

Looking ahead, Cascella is careful not to predict which technologies will dominate the next decade of cybersecurity. What matters, he says, is preparedness, supported by a kind of strategic foresight that guides innovation rather than tries to anticipate every trend. “The goal is not to react faster to the next challenge: it is to be ready for it.” As lunch comes to an end, the emphasis remains on building systems that hold over time, systems capable of adapting, absorbing shocks and sustaining resilience as the landscape shifts.

The AI over Lunch interview series is a project part of Virtual Routes’ AI-Cyber Research and Policy Hub. If you would like to sponsor this series, please reach out to hu*@************es.org.

Have someone in mind we should interview? We’re happy to hear your suggestions!