FAIR Europe Summit 2026: Key Takeaways on AI, Cyber Risk and Better Decision-Making
On 4 June 2026, cyber risk leaders from across Europe gathered at ExCeL London for the FAIR Institute Europe Summit, held alongside Infosecurity Europe. Under the theme "Resetting Cyber Risk in the Age of AI," the event brought together CISOs, CIOs, risk executives, regulators, and practitioners to discuss how organizations can move beyond traditional cybersecurity metrics and manage cyber risk as a business issue.
For C-Risk, the Summit was particularly significant. Co-founders Tom Callahan and Christophe Forêt both moderated featured sessions and helped guide discussions throughout the day as leaders within the FAIR Institute Europe community.
A Turning Point for Cyber Risk Management
The central message of the Summit was clear: the traditional cybersecurity operating model is reaching its limits.
Organizations face increasing pressure from AI-driven threats, expanding digital ecosystems, regulatory requirements such as DORA and NIS2, and growing dependence on third parties. At the same time, boards and executive teams are demanding clearer answers to fundamental questions:
- What is our cyber risk?
- How is it changing?
- Which investments will reduce it most effectively?
- Are we managing it within acceptable levels?
Throughout the Summit, speakers consistently pointed toward a new operating model built around four principles:
- Continuous rather than point-in-time risk assessment
- Quantified rather than qualitative measurement
- Business-aligned rather than purely technical reporting
- Decision-focused rather than dashboard-focused security
The FAIR methodology was repeatedly highlighted as a practical, defensible framework for making this transition.
Key Discussions from Across the Summit
The event agenda explored several dimensions of modern cyber risk management.
The opening keynote examined how AI is transforming both the threat landscape and enterprise operations. Rather than viewing AI as another technology trend, speakers argued that AI is rapidly becoming core business infrastructure, creating new categories of risk that require continuous visibility and governance.
Other sessions explored:
The Future of Third-Party Risk Management
A recurring theme was the growing recognition that third-party risk has become inseparable from enterprise risk.
Speakers discussed how traditional questionnaire-based approaches often create an illusion of control while failing to provide meaningful insight into actual exposure. Emerging approaches combine threat intelligence, automation, and quantitative analysis to provide a more realistic picture of supplier risk and concentration risk.
Cyber Insurance and Risk Reduction
Another discussion focused on the evolution of cyber insurance from a transfer mechanism into a driver of measurable risk reduction.
Participants explored how organizations can use quantified risk data to improve underwriting discussions, prioritize controls, and align security investments with financial outcomes.
Continuous Risk Intelligence
Several sessions highlighted the industry's shift away from periodic assessments toward continuous risk monitoring.
As AI accelerates change across business environments, annual or quarterly reviews are increasingly unable to support effective decision-making. Organizations are moving toward automated risk intelligence models capable of tracking changing exposure and supporting ongoing prioritization.
C-Risk Moderated Two Featured Sessions
While the Summit covered a wide range of topics, C-Risk played a leading role in two of the day's most practical discussions.
Executive Panel: Resetting Cyber Risk in the Age of AI, DORA and NIS2
Moderated by Tom Callahan, the executive panel brought together cyber leaders from Recorded Future, Heidelberg Materials and Glovo to discuss how organizations are adapting to a rapidly changing threat and regulatory landscape.
Several important themes emerged:
- Ransomware remains one of the most significant cyber risks facing organizations.
- AI is expanding attack surfaces while simultaneously increasing the speed of both offensive and defensive operations.
- Regulatory frameworks such as DORA and NIS2 require organizations to make proportionate, evidence-based risk decisions.
- Quantification provides a defensible way to balance investment, compliance obligations, and business objectives.
- Third-party risk increasingly represents first-party business risk and requires greater accountability and visibility.
The discussion reinforced the idea that cyber risk management must evolve from a compliance exercise into a business decision-making capability.
Cyber Risk in Action: Practitioner Case Studies
Moderated by Christophe Forêt, this session showcased how leading organizations are applying FAIR-based approaches to real-world decision making.
Practitioners from Mastercard, Richemont, Maersk and Heidelberg Materials shared how quantitative methods are helping them prioritize investments, communicate with regulators, support operational decisions, and build scalable cyber risk programs.
Key lessons included:
- Measuring risk reduction is often more valuable than measuring control implementation.
- Clear scenario definition strengthens accountability and ownership.
- Control effectiveness analytics improve prioritization decisions.
- Automation is essential for scaling cyber risk management across large enterprises.
- Financial risk language enables more productive conversations with boards and executives.
Together, these case studies demonstrated how cyber risk quantification is moving from theory into day-to-day operational practice.
Five Themes That Defined the Summit
Looking across all sessions, five consistent themes emerged:
1. Cyber Risk Must Be Expressed in Business Terms
Organizations increasingly need to communicate cyber risk in financial and operational language that executives and boards can act upon.
2. Continuous Visibility Is Becoming Essential
Point-in-time assessments can no longer keep pace with today's threat environment.
3. AI Changes Both Risk and Risk Management
AI is simultaneously creating new exposures and enabling more scalable approaches to risk analysis and decision support.
4. Third-Party Risk Is Now Core Business Risk
Supplier ecosystems have become critical dependencies that require continuous evaluation.
5. Quantification Enables Better Decisions
Across compliance, investment, resilience, and governance discussions, quantified risk consistently emerged as the common language connecting security and business priorities.
Looking Ahead
The FAIR Europe Summit 2026 demonstrated that cyber risk management is entering a new phase. Organizations are moving beyond vulnerability counts, maturity scores, and compliance checklists toward approaches that support measurable, repeatable, business-driven decisions.
To learn more about cyber risk quantification and FAIR-based risk management, contact the C-Risk team.
