With the active support of the Club de la Sécurité de l’Information (CLUSIL), the Commission Nationale pour la Protection des Données (CNPD), and the Institut Luxembourgeois de Régulation (ILR), we are happy to release the 2026 edition of the Out of the shadows: CISOs and DPOs in the spotlight! survey. This third edition of the expanded Out of the shadows: CISOs and DPOs in the spotlight! captures a pivotal moment for both functions.
The survey findings highlight how regulatory developments such as DORA, NIS2, the Data Governance Act and the Data Act continue to expand responsibilities, while emerging technologies, particularly AI and cloud solutions, reshape operational realities. CISOs and DPOs are now more involved in major transformation projects, incident management and governance discussions, demonstrating their growing influence across organisations.
By exploring the realities, constraints and opportunities they face, the survey supports organisations in strengthening governance frameworks, aligning resources with expectations and preparing for the next wave of regulatory and technological change. Above all, it recognises the critical contribution of CISOs and DPOs to safeguarding trust and enabling sustainable digital growth.
We conducted the survey through an anonymous online questionnaire including multiple‑choice, closed and open‑ended questions. Our 56 respondents consisted of 52% CISOs/ISOs, 32% DPOs and 16% professionals performing both roles.
Men continue to make up the majority across all three profiles. While the distribution is slightly more balanced among those exercising both roles, the overall picture shows limited change from the 2024 edition. Luxembourg’s cybersecurity and data protection fields therefore still have progress to make in achieving greater gender balance.
[Figure: Gender of respondents (panels: 2026, 2024)]
This year’s results show a clear rise in operational barriers for both CISOs and DPOs, with internal silos, IT system complexity and the spread of unsanctioned technologies emerging as increasingly significant obstacles. While CISOs are particularly impacted by shadow IT and fragmented responsibilities, DPOs highlight growing challenges linked to system complexity, employee negligence, and constrained budgets.
[Figure: What are the barriers to success in your profession? (panels: CISO, DPO)]
Both CISOs and DPOs are involved in implementing artificial intelligence (AI) projects, with the former being slightly more likely to be involved from the start and receive support requests. CISOs view the main benefits of Generative AI (GenAI) as improving threat detection and continuous monitoring, with strengthened IT defences also featuring prominently. DPOs primarily highlight its benefits for monitoring and supporting data protection compliance. Professionals handling both roles most often point to stronger IT defences and better detection capabilities.
[Figure: Which benefits do you think GenAI will bring to your company? (panels: CISO, DPO, Both)]
New EU digital regulations are set to significantly broaden the scope of both CISO and DPO responsibilities. CISOs expect the impact to come through heightened regulatory requirements, expanded cybersecurity measures, and increased costs and control complexity. DPOs, meanwhile, anticipate a substantial rise in data protection‑related duties, alongside stronger compliance expectations driven by the evolving European regulatory landscape.
[Figure: How much will the new legislation (Data Governance Act, Data Act, Digital Markets Act, Financial Data Access (FiDA)) affect your responsibilities as CISO/ISO or DPO/Data Privacy Professional? (panels: CISO, DPO, Both)]
CISOs and DPOs are now firmly integrated into senior governance, yet their day‑to‑day impact is still shaped more by internal constraints than technical limits. Persistent issues, from siloed structures and unclear responsibilities to shadow IT, system complexity and limited budgets, continue to hold back their ability to operate effectively.
At the same time, rapid technological and regulatory change is reshaping their remit. AI is becoming more embedded in operations, bringing both clear security benefits and growing concerns around privacy, data volume and ethics, while emerging technologies such as sovereign cloud and quantum computing remain unevenly understood. Alongside this, new EU digital regulations are steadily expanding expectations around resilience, compliance, and oversight.
Together, these pressures highlight a widening gap between rising responsibilities and the governance, resources and decision‑making authority needed to support them; a gap that organisations will need to address through clearer mandates, stronger accountability and more aligned operating models.