Out of the shadows: CISOs and DPOs in the spotlight!
PwC Luxembourg survey conducted with the active support of CLUSIL, CNPD and ILR
March 12, 2026

From compliance roles to strategic enablers – but not yet on equal footing. Legal, regulatory, compliance and audit obligations are cited by 72% of CISOs and 83% of DPOs as the primary catalysts behind the creation of their roles, so regulatory pressure remains the main driver behind the establishment of the two roles.
Influence is growing, but resources are lagging. Over a quarter (26%) of CISOs believe their role to be highly influential and 48% believe it to be influential even if their opinions are not always taken into account, while the figures stand at 29% and 47% respectively for DPOs. Yet budget ownership remains limited, with less than half (44%) of CISOs and close to a quarter (24%) of DPOs managing a dedicated budget.
Technology is rapidly reshaping the risk landscape. When a cyber incident involving personal data takes place, the vast majority (85%) of CISOs are involved as soon as it is detected (up from 71%). Among DPOs, the figure stands at 59%.
Regulation continues to expand responsibilities and reshape operating models. EU digital regulations remain a defining force in shaping the responsibilities of CISOs and DPOs. A little over half (52%) of CISOs are subject to the Digital Operational Resilience Act (DORA), while 17% are not subject to it but take it into account because their clients that are subject to DORA require them to do so. Among DPOs, the figures stand at 44% and 11%, respectively.
Closing the gap between expectations and reality to tackle regulatory and technological risks.
PwC Luxembourg is proud to announce the third edition of the expanded “Out of the shadows: CISOs and DPOs in the spotlight”, a pivotal moment for both functions. The 2026 survey findings highlight how regulatory developments such as DORA, NIS2, the Data Governance Act, and the Data Act continue to expand responsibilities, while emerging technologies, particularly AI and cloud solutions, reshape operational realities. CISOs and DPOs are now more involved in major transformation projects, incident management, and governance discussions, demonstrating their growing influence across organisations.
In July 2016, PwC launched the inaugural Out of the shadows: CISOs in the spotlight! survey, which was then followed by a second edition in 2018 (together with the CPSI) and a third edition in 2020, prepared in collaboration with the Club de la Sécurité de l’Information – Luxembourg (CLUSIL). We then decided to expand the scope of the survey by including DPOs and collaborating with the Commission Nationale pour la Protection des Données (CNPD) and the Institut Luxembourgeois de Régulation (ILR) to publish two surveys in 2022 and 2024. The CSSF also contributed to the 2024 survey edition.
As businesses accelerate their digital transformation, the roles of Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) have become essential to maintaining trust, resilience, and regulatory compliance. In Luxembourg, cyber risks, data protection requirements, and technological advancements are intensifying in parallel, placing CISOs and DPOs at the heart of strategic decision-making.
This year’s edition aims to provide clarity on the evolving landscape of CISO and DPO professions in Luxembourg. By exploring the realities, constraints, and opportunities they face, it supports organisations in strengthening governance frameworks, aligning resources with expectations, and preparing for the next wave of regulatory and technological change. Above all, it recognises the critical contribution of CISOs and DPOs to safeguarding trust and enabling sustainable digital growth.
The report reveals persistent challenges. Many CISOs still report to IT departments, raising questions of independence and potential conflicts of interest. Budget ownership remains uneven; internal silos continue to hinder effectiveness, and resource constraints limit the ability to meet rising expectations. DPOs similarly navigate increasing complexity, balancing regulatory obligations with limited technological and organisational support.
At the same time, the survey points to encouraging developments. Despite independence-related challenges, CISOs and DPOs are seeing their input considered more frequently in strategic conversations.
Moreover, awareness of cybersecurity and privacy risks is improving across organisations, reflected in stronger involvement in resilience initiatives, data governance programmes, and AI-related projects.
Maxime Pallez – Advisory Director, Cybersecurity PwC Luxembourg, said:
“Luxembourg stands out as a frontrunner jurisdiction in cybersecurity commitment, backed by national initiatives like the Luxembourg House of Cybersecurity. As cyber threats and technological innovation reshape the landscape, new EU regulations are strengthening operational resilience and fostering a safer digital environment. With increasing cyber-attacks and privacy concerns, now is the time for organisations to adopt proactive, robust cybersecurity and data protection strategies across all sectors. Building on these two foundations, organisations ready themselves for future growth.”
Antonin Jakubse – Advisory Senior Manager, Privacy PwC Luxembourg, said:
“CISOs and DPOs are central to organisational resilience, providing their insights at the critical intersection of privacy, security, compliance and strategic decision-making. Their combined expertise enables organisations to safeguard sensitive data, ensure adherence to evolving privacy and regulatory requirements, and consistently integrate privacy considerations into strategic and operational decisions enabling safe use of new technologies. By strengthening governance and elevating privacy and cyber-risk awareness at the highest levels, they embed robust protections that support long-term operational stability and revenue growth.”
Download the report presented at PwC Luxembourg’s Cybersecurity and Privacy Day 2026 for many more rich insights. Please feel free to contact us and our cyber and privacy experts can take a deeper look at any of the key topics covered in the report with you.