Cybersec Europe 2026 ran 20-21 May at Brussels Expo, Palace 5. Five conversation themes dominated the Jimber booth: sovereignty, tool sprawl, NIS2 audits, agentless devices, and AI governance. Each connects to a broader shift in how European mid-market IT teams evaluate security platforms. If you lead IT for an organisation with 50 to 400 users, these five themes will define your H2 2026 planning.
The booth, the floor, and what shifted
Cybersec Europe 2026 landed at a different moment than any previous edition. The Belgian CyberFundamentals (CyFun) verification deadline of 18 April 2026 had passed five weeks earlier. Operational Technology had its own dedicated theatre for the first time. And the Easyfairs programme, powered by Computable, included sessions on sovereign cloud procurement and decentralised identity that would have seemed academic two years ago.
We previewed four conversations we expected before the event. All four landed. A fifth, around AI governance, surfaced more prominently than we had weighted it. Not because it caught us off guard, but because mid-market visitors arrived with specific GenAI policy questions that most SASE vendors had not yet addressed in their event messaging.
This is not a recap of keynotes. It is what we heard across two days at booth 05.A117, filtered through what it means for mid-market SASE selection heading into the second half of 2026.
Sovereignty was the question, not the answer
Data sovereignty was the most frequent opener at the booth. Not as a vague preference for European vendors, but as a specific, technical line of questioning.
The questions were sharper than in previous years. Multiple visitors asked specifically whether decryption keys ever leave EU jurisdiction, not just whether the SASE points of presence were hosted in Europe. One IT director from a Belgian manufacturing firm brought a printed checklist from their legal department with seven questions about corporate ownership, data processing agreements, and subprocessor chains. Another asked whether a subsidiary structure with a US parent company would create indirect CLOUD Act exposure, even if the subsidiary operates independently.
The shift from “where is the data” to “who controls it under which legal regime” has been building since the EU Data Act entered into application in September 2025. Chapter VII of that regulation requires cloud providers operating within the EU to implement technical, legal, and organisational barriers against unlawful third-country government access to non-personal data hosted in Europe. That requirement creates a structural conflict with the US CLOUD Act, which compels US-headquartered entities to disclose data regardless of physical server location.
The European Commission reinforced this trajectory with a EUR 180 million sovereign cloud procurement tender in October 2025 and the expected publication of the Cloud and AI Development Act in the first half of 2026. According to industry projections, European sovereign cloud spending will reach $80 billion in 2026, up 83% year-over-year.
What this means in practice: mid-market visitors at Cybersec Europe were not asking “are you European?” They were asking about corporate ownership structures, key management jurisdiction, and whether subsidiary arrangements with US parent companies create indirect exposure. AXS Guard’s Alex Ongena made the same point in his session on “sovereign-washing”, tracing the backend routing of security telemetry to distinguish genuine European sovereignty in SASE selection from marketing claims.
For Jimber, this conversation is straightforward. Belgian headquarters, EU-only data processing, no US parent company. We have been answering these questions since we built the platform, but the difference in 2026 is that visitors arrive having already done the legal homework. They no longer need convincing that sovereignty matters. They need to verify that the vendor’s architecture delivers it. The broader implication is that sovereignty is becoming an architectural requirement, not a procurement checkbox.
Tool sprawl finally feels expensive enough to act on
Tool consolidation was the second most frequent theme. The pattern was consistent: mid-market IT teams running six to ten separate security products, frustrated not just by licensing costs but by the operational overhead of reconciling dashboards during an incident.
Several IT managers described the same pattern: during their last security incident, the first hours went to pulling logs from separate consoles and reconciling timestamps rather than actually responding. One visitor from a logistics company with 280 users counted nine separate security tools across their environment, three of which had overlapping functionality and none of which shared a common event format. Their concern was not the licensing cost. It was that their CyFun auditor had asked for a unified incident timeline, and producing one took their team two full working days.
Industry data supports what we heard. The global SASE market reached an estimated $12.8 billion in 2025 and is projected at $15.2 billion for 2026, with compound annual growth rates ranging from 18% to 25% depending on the analyst (Dataintelo and Dimension Market Research, respectively). The variation reflects a genuine disagreement about what qualifies as “single-vendor SASE” versus co-branded product suites, but the direction is unanimous: consolidation is accelerating.
A concrete catalyst is the Cisco Umbrella legacy SKU end-of-life transition. Cisco published EOL bulletin EOL15688 in June 2025, with legacy SKUs reaching end-of-sale on 30 September 2025 and end of software maintenance on 30 September 2026. This forces mid-market organisations into a migration decision. Cisco routes legacy Umbrella users toward Cisco Secure Access, but achieving full SASE coverage within the Cisco ecosystem still requires separate licensing for Duo (identity), Meraki or Catalyst (SD-WAN), and ThousandEyes (monitoring). A typical 200-user organisation ends up managing four to five separate subscriptions.
This is exactly the friction that drives tool sprawl operationally. And the cost is no longer just licensing. Under NIS2 and CyFun, auditors expect organisations to demonstrate unified visibility across access control, web security, and network events. Stitching that evidence together from five separate consoles is expensive, error-prone, and slow. It is also why Jimber was built as a single-console platform from day one: not as a feature differentiator, but because unified logging and policy enforcement are the only way a three-person IT team can produce audit evidence without a two-day effort.
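The timestamp reconciliation described above is mostly a normalisation problem. The sketch below is an added example, not Jimber's or any vendor's code: it merges events from three hypothetical consoles into one UTC-ordered timeline. The field names, sample events and the EDR console's time zone are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events from three hypothetical consoles, each in its own format.
FIREWALL = [{"ts": 1772442910, "src": "10.0.4.17", "action": "deny"}]  # epoch seconds (UTC)
SWG = [{"time": "2026-03-02T10:15:07+01:00", "user": "a.peeters",
        "url": "files.example.test"}]                                   # ISO 8601 with offset
EDR = [{"when": "02/03/2026 10:14:58", "host": "WS-0417",
        "alert": "suspicious child process"}]                           # naive local time
# Assumption: the EDR console writes local time without a zone (CET, UTC+1 here).
EDR_CONSOLE_TZ = timezone(timedelta(hours=1))


def _event(source, actor, when, summary):
    """Common record: every timestamp is timezone-aware and converted to UTC."""
    if when.tzinfo is None:
        raise ValueError(f"{source}: refusing naive timestamp {when!r}")
    return {"time": when.astimezone(timezone.utc), "source": source,
            "actor": actor, "summary": summary}


def from_firewall(e):
    when = datetime.fromtimestamp(e["ts"], tz=timezone.utc)
    return _event("firewall", e["src"], when, f"connection {e['action']}")


def from_swg(e):
    when = datetime.fromisoformat(e["time"])
    return _event("swg", e["user"], when, f"request to {e['url']}")


def from_edr(e):
    # Day-first format; attach the console's zone explicitly instead of guessing.
    when = datetime.strptime(e["when"], "%d/%m/%Y %H:%M:%S").replace(tzinfo=EDR_CONSOLE_TZ)
    return _event("edr", e["host"], when, e["alert"])


def build_timeline():
    events = ([from_firewall(e) for e in FIREWALL] + [from_swg(e) for e in SWG]
              + [from_edr(e) for e in EDR])
    return sorted(events, key=lambda ev: ev["time"])


if __name__ == "__main__":
    for ev in build_timeline():
        print(ev["time"].isoformat(), ev["source"], ev["actor"], ev["summary"], sep=" | ")
```

Sorting the raw clock strings would put the firewall event first. Once all three are converted to UTC, the EDR alert precedes the web request and the denied connection.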
NIS2 audits feel different now that they have happened
The compliance conversation at Cybersec Europe 2026 sounded nothing like previous years. Before 18 April, visitors asked whether they needed to comply and which framework applied. After 18 April, the questions were operational.
Several visitors mentioned that their first internal audit revealed gaps they had not anticipated. Policy versioning was a recurring theme: auditors asked to see when access policies were last modified, by whom, and what the previous version looked like. One IT manager from a healthcare organisation said their auditor requested six months of access logs segmented by user identity, and their current VPN setup could only provide connection logs at the tunnel level, with no visibility into which applications each user actually accessed.
Research encompassing 670 in-scope European business leaders in April 2026 found that 84% of organisations facing active NIS2 enforcement admit they are not fully compliant. Only 16% feel prepared. The primary obstacles are budgetary constraints, shortage of internal security expertise, and a lack of clear implementation guidance.
Belgium is among the first EU member states where this is no longer theoretical. The CCB has designated three compliance pathways for essential entities: CyFun audit by an accredited Conformity Assessment Body, ISO 27001 submission, or direct CCB inspection. If an organisation can document that it engaged a CAB before 18 April, the CCB grants temporary operational leniency while awaiting auditor availability. Organisations that cannot prove they initiated the process receive no flexibility.
The capacity bottleneck is real. Accredited CABs are operating at maximum capacity, and the CCB’s pragmatic response, while reasonable, reveals that the enforcement timeline has outpaced the auditing infrastructure. Brand Compliance, one of the specialised CABs present at the event, was running advisory sessions throughout the two days.
For IT managers heading into H2 2026, the implication is clear: the next twelve months will surface which audit findings translate to Belgian NIS2 enforcement actions. Evidence collection is no longer a preparation exercise. It is an ongoing operational requirement.
Agentless devices remain the most under-addressed gap
NIAC and agentless device security came up consistently with visitors from manufacturing, healthcare, and local government. The conversation pattern was remarkably uniform: they know agentless devices are exposed, but they do not know what proportional remediation looks like.
A municipal IT manager described over 600 devices on their network that cannot run an agent: printers, IP cameras, building management sensors, badge readers. Their current approach was VLAN isolation, but their CAB auditor had flagged it as insufficient under CyFun because they had no per-device communication policies, only broad subnet rules. A production manager from a food processing company asked how to secure Modbus-connected PLCs without touching the firmware or risking a line shutdown during installation. Both conversations pointed to the same gap: they understood the risk, but every remediation option they had evaluated either required agents the devices could not support or downtime the business would not accept.
Cybersec Europe 2026 featured a dedicated OT Theatre for the first time, reflecting the industry’s acknowledgement that operational technology can no longer be treated as a separate domain. The threat data supports the urgency. According to the Dragos 2026 Year in Review, ransomware groups capable of impacting industrial operations increased 49% year-over-year in 2025, collectively affecting more than 3,300 organisations globally. Manufacturing accounted for more than two thirds of these victims.
The visibility crisis is equally stark. Fewer than 10% of OT networks globally maintain adequate traffic telemetry. Average dwell time for OT intrusions sits at 42 days, dropping to 5 days for organisations with comprehensive monitoring. A significant percentage of OT security failures are misclassified as standard IT incidents because compromised HMIs and engineering workstations run Windows operating systems.
Named threat groups like SYLVANITE, AZURITE, and VOLTZITE have evolved from reconnaissance to targeted manipulation of physical environments. ENISA and Dragos both reported increased targeting of European critical infrastructure, including energy, water utilities, and manufacturing supply chains.
What we heard at the booth aligns with what the research shows, and with what we see in our own deployments: the gap between IoT/OT deployment speed and security coverage is widening. Mid-market organisations need agentless device security with inline isolation that enforces per-device communication policies without requiring agents, firmware changes, or production downtime. Jimber’s NIAC hardware was designed for exactly this scenario, and the conversations at the booth confirmed that the market need is catching up to what the technology already addresses. The IT-OT convergence challenge is no longer a future concern. It is a live audit finding.
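The difference between the broad subnet rules the auditor flagged and per-device communication policies can be made concrete. The following added example is not NIAC configuration or any product's policy format. It evaluates the same flows under both models and lists what only the subnet model lets through; all addresses, ports and device roles are constructed.

```python
import ipaddress

# Constructed addresses, ports and device roles; none come from the article.
SUBNET_RULES = [  # (source network, destination network), any port: the "broad" model
    ("10.20.0.0/24", "10.20.0.0/24"),
    ("10.20.0.0/24", "10.30.0.0/24"),
]
DEVICE_POLICY = {  # source device -> the only (destination, port) pairs it needs
    "10.20.0.11": {("10.30.0.5", 631)},   # printer -> print server (IPP)
    "10.20.0.21": {("10.30.0.8", 554)},   # IP camera -> video recorder (RTSP)
}
FLOWS = [  # (source, destination, destination port)
    ("10.20.0.11", "10.30.0.5", 631),     # printer doing its job
    ("10.20.0.21", "10.30.0.8", 554),     # camera doing its job
    ("10.20.0.21", "10.20.0.31", 502),    # camera reaching a PLC over Modbus/TCP
    ("10.20.0.11", "10.20.0.21", 80),     # printer reaching the camera's web UI
    ("10.20.0.99", "10.30.0.5", 445),     # device missing from the inventory
]


def subnet_allows(src, dst, _port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in SUBNET_RULES)


def device_allows(src, dst, port):
    # Default deny: a device with no policy entry may not talk to anything.
    return (dst, port) in DEVICE_POLICY.get(src, set())


def audit_gap(flows):
    """Flows the subnet rules permit but a per-device policy would block."""
    return [f for f in flows if subnet_allows(*f) and not device_allows(*f)]


if __name__ == "__main__":
    for src, dst, port in audit_gap(FLOWS):
        print(f"subnet rule permits, per-device policy denies: {src} -> {dst}:{port}")
```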
AI changed the conversation but not the platform requirements
This was the theme we weighted lowest in our pre-event preview. AI came up at the booth in two distinct ways, and both confirmed something we had been seeing in customer conversations since early 2026: mid-market IT teams care far more about controlling GenAI data flows than about AI features in their security stack.
Visitors asked about Copilot governance and shadow AI far more than about AI-powered features in security platforms. One CISO from a professional services firm described discovering that consultants were pasting client deliverables into public ChatGPT instances to speed up formatting. Their SWG blocked the domain entirely in response, which prompted a revolt from staff who used it for legitimate internal tasks. What they wanted was tenant-level control: allow the corporate Copilot environment, block personal ChatGPT accounts, and log what gets uploaded. A second visitor asked specifically about Model Context Protocol servers running on developer laptops and whether SWG policies could detect that traffic pattern.
The first pattern was shadow AI governance: employees use public GenAI platforms for work tasks and routinely expose corporate source code, client data, and intellectual property. The emergence of Model Context Protocol (MCP) servers, which run locally on developer endpoints and connect external AI models to local filesystems, has created a data exfiltration channel that bypasses legacy network firewalls entirely.
The second pattern was regulatory clarity. The EU AI Act reached its first major enforcement milestones in 2025, with unacceptable-risk bans taking effect on 2 February 2025 and general-purpose AI model obligations applying from 2 August 2025. The Digital Omnibus on AI, provisionally agreed on 7 May 2026, deferred high-risk AI system obligations for standalone systems from August 2026 to December 2027, giving mid-market organisations more time but also more confusion about what applies now.
The European Commission’s Draft Guidelines on High-Risk Classification, published on 19 May 2026, clarified that systems used to monitor, evaluate, or allocate tasks to workers automatically trigger high-risk classification. For any mid-market organisation using AI in HR workflows, this creates immediate compliance obligations around logging, human oversight, and risk management.
What visitors wanted from their SASE platform was not AI-powered threat detection (though that has practical applications in DNS-layer blocking and traffic routing). They wanted granular, application-level GenAI controls: the ability to distinguish between corporate AI tenants and personal accounts, audit prompt contents for sensitive keywords, restrict file uploads to verified AI platforms, and isolate untrusted browser-based AI sessions. Standard SWG domain blocking is no longer sufficient when the same URL hosts both the company Copilot tenant and an employee’s personal account. Jimber’s SWG already supports URL-category and application-level policy enforcement, which gives IT teams the control surface they need without blanket domain blocks.
What these conversations imply for H2 2026
Five themes, one pattern. Mid-market SASE buyers in Europe are no longer comparing feature lists. They are evaluating operating models.
Can this platform demonstrate sovereignty under the EU Data Act and GDPR without contractual workarounds? Does it consolidate enough tools to produce the unified audit trail that NIS2 and CyFun demand? Can it secure the 40% of network devices that cannot run an agent? Does it give my three-person IT team control over GenAI data flows without becoming a full-time policy project?
The priority order has shifted. Two years ago, feature coverage drove the shortlist. In 2026, operating model fit drives the decision. A platform with every feature but requiring five consoles, three separate licences, and a US parent company under the CLOUD Act does not clear the bar for a Belgian organisation with 200 users and a CyFun audit in the diary.
Jimber’s single-vendor SASE platform is built for exactly this evaluation. One console, EU-only data processing, transparent pricing, and NIAC hardware for agentless devices. Not because those happen to be our features, but because those are the questions the market is asking.
Frequently asked questions
When and where was Cybersec Europe 2026?
Cybersec Europe 2026 took place on 20-21 May 2026 at Brussels Expo, Palace 5. The event was organised by Easyfairs and powered by Computable, featuring a dedicated OT Theatre and expanded Tech Theatre alongside the main exhibition floor.
What were the dominant themes at Cybersec Europe 2026 for mid-market IT teams?
Five themes dominated mid-market conversations: data sovereignty under the EU Data Act, tool sprawl and SASE consolidation, post-deadline NIS2 and CyFun audit readiness, agentless device security for OT and IoT environments, and AI governance including shadow AI and EU AI Act compliance.
Did the post-NIS2 deadline change the conversations at the event?
Yes. Before the 18 April 2026 CyFun deadline, conversations centred on whether organisations needed to comply. After the deadline, visitors asked specifically about evidence collection, audit evidence gaps, and the operational reality of demonstrating compliance to accredited Conformity Assessment Bodies.
How is sovereignty changing European SASE buying decisions?
Sovereignty has moved from a preference to a technical requirement. The EU Data Act (Chapter VII) requires barriers against unlawful extraterritorial data access, creating a structural conflict with the US CLOUD Act. Mid-market buyers now evaluate corporate ownership structures, key management jurisdiction, and backend data routing rather than accepting “EU data centre” claims at face value.
What did mid-market visitors say about agentless device security?
Visitors from manufacturing, healthcare, and local government consistently identified agentless devices as their most under-addressed security gap. The conversation pattern: they know printers, IP cameras, building management sensors, and industrial controllers are exposed, but they lack proportional remediation that does not require agents or production downtime.
If one of these five conversations landed for your team, we would happily continue it. Book a 30-minute conversation with the Jimber team to walk through how a single-vendor SASE platform handles the sovereignty, audit, and agentless device questions in your environment.