BSidesLuxembourg 2026

Presentation on why cloud sovereignty has become a board-level strategic issue, touching on foreign interference, platform lock-in, tech dependency, and the critical insight that not all cloud models are equal.
• Why sovereignty, autonomy, and resilience are executive-level concerns (regulatory mandates, legal exposure, operational continuity)
• The triple threat landscape (foreign interference via US CLOUD Act, platform lock-in costs, tech dependency risks)
• How the guide helps governments and critical organizations with risk mitigation frameworks and compliance mapping
• Two sovereign cloud operating models (Full EU Isolation vs. Guardrail Sovereign)
• Strategic alignment matrix showing how different cloud models match organizational needs
• EU regulatory context (DORA, NIS2, EU Data Act, upcoming Cloud & AI Act)
• Technical controls and implementation priorities

The briefing introduces a framework for organizational response organized across three time horizons, structured around five critical risks, seven high risks, and one medium risk. The framework defines 11 priority actions: Immediate (this week), Near-term (30-90 days), Strategic (6-12 months)

Being "Mythos-ready" does not mean reacting to one model or one announcement. It means permanently closing the gap between how fast vulnerabilities are found and how fast an organization can respond. The same AI capabilities that create this risk also create defensive opportunity: organizations can now find their own weaknesses before attackers do, review code at machine speed, and respond to incidents faster than any human team.

The industry has navigated systemic, hard-deadline threats before. Y2K required coordinated, disciplined effort — and the industry met it. The tools available to defenders today are substantially more powerful. Every action in this framework can begin this week.