Trustworthiness in AI
icon Security by Default

Artificial Intelligence (AI) is rapidly becoming a cornerstone of economic competitiveness, public service delivery, and national security. At the same time, it introduces new systemic risks to cybersecurity, privacy, and societal trust. This paper, developed under the Charter of Trust’s Principle 3 “Security by Default”, addresses this dual challenge: securing AI systems throughout their lifecycle while responsibly leveraging AI to strengthen cybersecurity.

Aligned with the Charter of Trust’s overarching goals—to protect data, prevent harm to people and infrastructure, and establish a reliable foundation for trust in a digital world—the paper outlines how Security by Default can operationalize Trustworthy AI. It positions security not as a reactive compliance exercise, but as an inherent, continuously enforced design principle that enables innovation while safeguarding resilience, transparency, and accountability.

Against a backdrop of increasing geopolitical competition, fragmented regulatory regimes, and accelerating AI adoption, the paper highlights the strategic importance of trust as a differentiator for organizations and societies alike. It examines key governance, technical, and regulatory risks surrounding AI, and underscores the need for coherent governance models that integrate cybersecurity, privacy, and ethical considerations from design through deployment and operation.

Building on the Charter of Trust’s prior work, the paper provides a high-level framework for embedding Security by Default across the AI lifecycle, aligned with emerging global regulations such as the European Union (EU) AI Act. It also demonstrates how AI, when securely designed and governed, can serve as a powerful enabler of cybersecurity—enhancing threat detection, incident response, and risk management.

Ultimately, the paper reinforces the Charter of Trust’s conviction that trust, security, and innovation must advance together. By embedding Security by Default and Trustworthy AI principles at the core of AI development and use, organizations can strengthen digital trust, improve resilience, and contribute to a safer and more reliable digital future.

Please download the full report below.
February 11, 2026
AI Policy Paper
icon Emerging Technologies

Artificial intelligence has become a critical component of modern industrial processes, cybersecurity operations, and digital infrastructure. As companies increasingly build and integrate their own AI capabilities, the need for secure, trustworthy, and compliant digital environments has never been more pressing.

In this paper, our AI Working Group provides a clear framework for organisations to navigate this landscape, marked by concentrated provider ecosystems, fragmented global regulations, and geopolitical supply chain risks, alongside the internal requirements necessary to build AI responsibly.

A key aspect is helping organisations prepare for the EU AI Act, based on the overarching principle that compliance cannot be treated as a simple checklist exercise, and should instead drive strategic transformation. Organisations are encouraged to ensure visibility over all AI systems in use, promoting alignment across technical, legal, and business functions. Strengthening governance is equally critical. Executive-level oversight, supported by operational teams, should lead to consistent, iterative risk assessment throughout the AI lifecycle, ensuring that performance, ethical, legal, and operational risks are identified and addressed early.

Companies must also balance compliance investments against the financial and reputational risks of non-compliance. The penalties under the AI Act are substantial. However, proactive preparation not only reduces exposure, it can also create a competitive advantage by enabling faster innovation, strengthening customer relationships and regulator trust, and reducing uncertainty in product development.

Looking ahead, organisations should treat AI governance as a long-term, adaptive discipline. Regulation and technology will continue evolving, and resilience depends on flexible policies, modular system architectures, and scalable governance processes.

Continuous monitoring of regulatory developments, active participation in standards-setting activities, and sustained investment in skills are essential to fostering a responsible AI culture centred around a holistic understanding of compliance.

Please download the full report below.
February 11, 2026
Webinar: Cybersecurity Regulations in North America
icon Security by Default

On Tuesday, the Charter of Trust convened a timely virtual panel discussion on 'Security by Default in View of Major Cybersecurity Regulations in North America'. With more than 100 participants joining from around the world, the discussion underscored just how urgent, and global, the cybersecurity challenge has become.

A huge thank you to our outstanding panellists for their invaluable insights and for sharing their experiences with us: Linda Strick (Cloud Security Alliance), Kyle McMillan (Siemens), Lauren Zabierek (CAS Strategies), Rob Spiger (Microsoft), Sam Curry (Zscaler), and great moderation from Sudhir Ethiraj (TÜV SÜD).

The CoT expert panel:
- discussed fragmented cybersecurity regulations in North America and the need for more resilient infrastructure and security-by-default practices
- emphasized the need to embed security early in product architecture rather than addressing it post-incident
- highlighted the importance of structured collection of security signals and incident reporting to improve software safety
- discussed software as critical infrastructure affecting national security, economy, and public health, requiring robust safety measures

Thank you to everyone who participated! A recording of the webinar can be found at the bottom of this page.
January 27, 2026
A Quantum Leap for Cybersecurity: The Charter of Trust’s PQC Ambition
icon Emerging Technologies

The Charter of Trust is taking decisive steps to secure our digital future in the quantum era. As quantum computing advances, the risks to today’s cryptographic systems grow ever more urgent. Our dedicated working group is leading the way in raising awareness, promoting standards-based migration, and fostering collaboration across industries, governments, and academia. Together, we are committed to a proactive, well-coordinated, and risk-driven transition to post-quantum cryptography—ensuring digital trust and resilience for generations to come. Discover our vision and join us as we shape a secure digital world for the quantum age.
February 11, 2026
3rd CyberTrust Talk - Digital Omnibus & Trust - What it Means for Business in Europe?
icon Emerging Technologies

Join us for a timely and dynamic edition focused on “Digital Omnibus & Trust: What It Means for Business in Europe” kindly hosted by the Representation of the Free State of Bavaria to the EU on November 20, 2025 at 11:00 AM (Central European Time) for a lunch event filled with insightful discussions on cybersecurity and trust in the digital age.

With the European Commission unveiling its landmark Digital Omnibus Package just one day before, this event is your exclusive opportunity to be among the first to explore its real-world impact on business and the digital economy across Europe.

What to Expect:
Opening remarks by:
Dr. Armin Hartmuth, Director, Representation of the Free State of Bavaria to the European Union
Dr. Sumit Chanda, COO, Atos Group Security & Business Lines CISO, and Co-Chair of the Charter of Trust.

Keynote Address:
Despina Spanou, Deputy Director General for Cybersecurity and Trust, European Commission (DG CNECT), will share first-hand insights into the objectives and expected impact of the Digital Omnibus Package.

Expert Panel Discussion, moderated by Sudhir Ethiraj, Global Head of Cybersecurity Office, CEO Business Unit Cybersecurity Services, TÜV SÜD, featuring:

Despina Spanou, Deputy Director General for Cybersecurity and Trust, European Commission (DG CNECT)
Kia Slæbæk Jensen, Cyber Advisor, Permanent Representation of Denmark to the EU
Suzanne Button, Field CTO EMEA, Elastic
Tomas Jakimavicius, Director European Government Affairs, Microsoft
Yana Humen, AI and Cybersecurity Policy Manager, Government and Regulatory Affairs, IBM

Interactive Q&A: Bring your questions and join the conversation on regulatory coherence, innovation, and the future of digital governance in Europe.

Closing remarks by Maria del Pino Gonzalez-Junco, Director of the Charter of Trust

Networking Lunch: Connect with peers, policymakers, and industry leaders in an informal setting.

Why attend?
Gain first-hand insights into the EU’s Digital Omnibus Package—straight from the policymakers and experts shaping it.
Understand the immediate implications for your business and how to navigate upcoming changes.
Be part of a strategic dialogue that could influence the future of digital regulation in Europe.
November 20, 2025
Read the Charter's contribution to the European Commission's public consultation on the Digital Omnibus Package
icon Emerging Technologies

The rapid expansion of EU digital regulation has strengthened security, privacy, and trust, but it has also created overlapping obligations, inconsistent timelines, and administrative complexity. The Digital Omnibus Package provides a timely opportunity to streamline these rules, ensure greater coherence, and enable businesses to focus resources on resilience and innovation rather than redundant compliance tasks.

The Charter of Trust welcomes the Commission’s initiative to harmonize digital regulations across the EU, aiming to reduce administrative burdens while maintaining high standards of security and privacy. Representing the unified views of its Partners, this paper addresses all key legislation within the scope of the Digital Omnibus and offers comprehensive recommendations. It emphasizes the need for a unified incident reporting system, risk-based notification requirements, and fair compliance processes to minimize regulatory overlap. The Charter calls for clearer liability clauses, global recognition of certifications, and stronger supply chain security.

In data regulation, the Charter advocates ensuring alignment between the rules on data intermediation services under the DGA and B2B data sharing under the Data Act and extending exemptions to mid-cap companies, all while safeguarding trade secrets. For artificial intelligence, the paper recommends a phased approach to new requirements, integrated conformity assessments, harmonized compliance templates, and clear definitions, supported by sector-specific guidance and transparent AI categorization. The Charter also encourages the European Commission to ensure that ePrivacy reform is future-proof, fosters innovation, and reflects the needs of both businesses and consumers. Finally, it recommends robust security standards and cross-border recognition for the EU Business Wallet, with industry involvement in technical standards and integration with data access systems.

Collectively, these measures are designed to foster innovation, resilience, and trust in the EU’s digital landscape, allowing businesses to thrive in a coherent and future-ready regulatory environment.
October 14, 2025
Charter of Trust Welcomes Zscaler
icon General announcements

We are thrilled to announce that we welcome Zscaler as the newest Partner to the Charter of Trust!

Zscaler is a leading cloud enterprise security provider helping global businesses accelerate their digital transformation by becoming more agile, efficient, resilient, and secure.

With Zscaler as a partner in the Charter of Trust, we aim to strengthen global cyber resilience through trust – by fostering actionable collaboration between industry leaders, governments, and public-private platforms. Zscaler brings robust expertise and innovation to the table, making it the ideal partner to drive this mission forward.

“Zscaler is excited to drive meaningful change alongside our new partners, laying a foundation of trust essential for successful digital transformation,” said Sam Curry, Zscaler CISO. “In today’s world, the need for reducing inherent trust and default access has never been greater. To truly stay ahead of ever-evolving threats, we must unite as a coalition of practitioners. Cyber attackers aren’t taking breaks, and with advancements like artificial intelligence, quantum cryptography, and emerging technologies on the horizon, collaboration is the key to securing the future.”

“We are proud to welcome Zscaler to the Charter of Trust. Their focus on cybersecurity innovation and commitment to openness reflect our shared ambition to create a safer, more resilient digital future. Together, we’ll strengthen trust, transparency, and security across the global digital landscape,” highlighted Dr. Sumit Chanda, Charter of Trust Co-Chair and COO Group Security & Business Lines CISO at Atos.

“With Zscaler as a Partner of the Charter of Trust, we believe that we can strengthen the global commitment to secure digital transformation by combining technological innovation with the Charter of Trust’s collaborative approach to cybersecurity leadership.” Ralf Schneider, Charter of Trust Co-Chair and Senior Fellow and Head of Cybersecurity and NextGenIT Think Tank at Allianz SE, welcomes Zscaler to the Charter of Trust.

We are excited to join forces and work together to advance digital trust and security across industries.
September 29, 2025
Contribution to the EU Commission Public Consultation on the revision of the Cybersecurity Act
icon External Engagement

The Charter of Trust welcomes the opportunity to participate in the European Commission’s public consultation on the revision of the Cybersecurity Act. As a coalition united by the goal of strengthening digital trust, we are pleased to share our consolidated response and recommendations.

We support Policy Option 2, which focuses on targeted regulatory measures that address key challenges without creating unnecessary complexity. In this context, we emphasize the need to enhance the role and resources of ENISA, to ensure effective implementation of both current legislation and the European Cybersecurity Certification Framework (ECCF).

Our recommendations aim to improve transparency, collaboration, and efficiency across the EU’s cybersecurity landscape. These include:

- Introducing clear timelines for the development of certification schemes.

- Enhancing stakeholder engagement throughout the process.

- Establishing more structured communication channels between ENISA, the Stakeholder Cybersecurity Certification Group (SCCG), and sectoral ISACs (Information Sharing and Analysis Centers).

We call for a stronger ECCF, one that is transparent, inclusive, and aligned with international standards to foster global interoperability and ease compliance for organizations across borders. Equally critical is the harmonization of certification practices across EU member states and the mutual recognition of certifications to minimize regulatory fragmentation.

The Charter of Trust advocates for technically robust, standards-based certification schemes, with well-defined roles and responsibilities. We also stress the need for clarity on the interplay between voluntary and mandatory certifications, particularly in relation to the upcoming Cyber Resilience Act (CRA).

To streamline compliance and reduce administrative burden, we propose a unified, risk-based incident reporting regime that consolidates requirements under regulations such as NIS2, CRA, GDPR, and DORA. This would not only simplify reporting for organizations but also enhance the EU’s overall cyber resilience. In addition, we recommend incorporating liability protections and grace periods for incident disclosure.

Finally, we urge the Commission to strengthen supply chain security by adopting a risk-based classification approach and establishing baseline cybersecurity requirements for ICT suppliers.

The Charter of Trust remains fully committed to supporting the European Commission in shaping a secure, resilient, and trusted digital future for Europe. We look forward to continued collaboration in building a cybersecurity framework that meets the needs of all stakeholders, today and in the years to come.
June 19, 2025
Cyber Talent Academy Workshop: Shaping the Future of Cybersecurity Talent
icon Education

On June 5th, the Charter of Trust convened a high-level workshop dedicated to one of the most pressing challenges in cybersecurity: how to train, attract, and retain the next generation of cyber professionals.

Bringing together representatives from Charter of Trust Partners and external organizations, the session focused on enhancing the Cyber Talent Academy, a growing initiative that is already demonstrating real impact. The workshop was a space for deep exchange, shared purpose, and forward-looking collaboration between cybersecurity and HR professionals.

One key theme ran through every conversation: the cyber skills gap continues to widen, and traditional recruitment methods are no longer enough. To meet growing demand, we must fundamentally rethink how we discover, train, and support talent.

A New Approach to Cyber Talent

The Cyber Talent Academy is emerging as a powerful model for change. By offering alternative pathways into cybersecurity, beyond conventional educational and career tracks, it opens opportunities to individuals from a range of academic, cultural, and professional backgrounds. Participants agreed that the programme holds strong potential for expanding the talent pipeline, increasing diversity, and making cybersecurity more inclusive and resilient.

The workshop discussions underlined several critical insights:

- Relying solely on established recruitment channels will not close the cyber talent gap.
- Tapping into overlooked talent pools, through inclusive outreach, training, and mentoring, creates real business value and aligns with corporate social responsibility goals.
- Stronger collaboration between cybersecurity and HR teams is essential, particularly when it comes to structuring mentorship, supporting life-long learning, and designing modern career pathways.
- Initiatives like the Cyber Talent Academy are already showing higher retention and greater team innovation in participating organizations.

“Attracting, retaining, and developing cybersecurity talent is a challenge faced by nearly every organization today,” says Dr. Sumit Chanda, Co-Chair of the Charter of Trust and COO Group Security & Business Lines CISO at Atos. “The Charter of Trust Cyber Talent Academy offers a bold and innovative response to this challenge.” Dr. Chanda further emphasizes the power of collaboration, between businesses, educators, and governments, as essential to closing the cyber skills gap. He adds, “Expanding access to cybersecurity training, especially for underrepresented communities, isn’t just the right thing to do, it’s smart business. Diverse perspectives are vital to building resilient and secure systems.”

Looking Ahead

This workshop was just the beginning. The energy, expertise, and ideas shared on June 5th are shaping the next phase of the Cyber Talent Academy, and informing how we support our partners in building stronger, more inclusive cybersecurity teams. We’re excited to continue this journey and will be sharing updates on upcoming developments.

Stay tuned. The future of cybersecurity talent is collaborative, diverse, and full of potential.
February 11, 2026
Webinar: "Security by Default in view of major Cybersecurity Regulations in Asia"
icon Security by Default

Yesterday, the Charter of Trust hosted a virtual panel discussion titled “Security by Default in View of Major Cybersecurity Regulations in Asia”, moderated by Sudhir Ethiraj from TÜV SÜD. This discussion brought together leading policymakers and industry experts to delve into the evolving landscape of cybersecurity regulations and foster actionable collaboration aimed at strengthening global cyber resilience.

We extend our heartfelt thanks to our distinguished panellists: Veronica Tan from the Cyber Security Agency of Singapore, S.S. Sarma and Ashutosh Bahuguna from CERT-In, Amitava Mukherjee and Didier Ludwig from Siemens, and Ki Hyun Park from Mitsubishi Heavy Industries.

Their insightful contributions covered the development and implementation of various cybersecurity regulations in Asia, sparking a truly engaging and interactive session. With roughly 80 participants, primarily from Asia, the discussion was enriched by thought-provoking questions from the audience, underscoring the urgent need for such dialogues.

The discussion covered a wide array of crucial topics. The panellists explored various regulatory frameworks that govern critical infrastructure in different Asian countries, examining the importance of establishing baseline requirements and adopting a risk-based approach across various industries to enhance cyber resilience.

A consensus emerged that security by default must be ingrained in the culture, while considering the essential role of regional context for effective implementation.

Thank you to everyone who participated! A recording of the webinar can be found at the bottom of this page.
June 10, 2025
Advancing Regulatory Alignment at RSA Conference 2025
icon External Engagement

In the face of rising global cyber threats, over 50 CISOs have called for greater international alignment of cybersecurity regulations to strengthen defenses and reduce fragmentation. This message was echoed at RSAC 2025, where experts from the OECD, European Commission, academia, and industry emphasized the need for principle-based collaboration. The Charter of Trust, a long-time advocate for regulatory harmonization, continues to support coordinated, effective approaches that prioritize clarity over complexity.
May 01, 2025
Richard Skalt takes over the Advocacy Workstream
icon External Engagement

We are delighted to welcome Richard Skalt, Advocacy Manager at TÜV SÜD, as the new Leader of the Advocacy Workstream at the Charter of Trust. Richard steps into the role following María del Pino González-Junco, who recently assumed the position of Chair of the Global External Engagement Working Group.

With a strong background in advocacy and a forward-looking vision, Richard brings renewed energy to our mission of shaping a secure digital future. As he puts it:

“My motivation is to preserve and build upon the strong foundation of advocacy activities we’ve developed over the past years. At the same time, I’m committed to ensuring we’re in a position to shape the policies that will define how our business model and operations evolve in the future – including the cybersecurity of products and systems, the use, deployment, and distribution of robust AI solutions, as well as cloud security and secure datacenters.”

In a world defined by accelerating digital transformation and increasingly complex regulatory challenges, principled leadership and effective collaboration are more vital than ever. Under Richard’s leadership, the Advocacy Workstream will continue to engage policymakers, raise public awareness, and strengthen education around key issues such as cybersecurity, AI governance, and secure digital infrastructures.
April 29, 2025