Cyber Expo Ireland Turns AI Risk Into a Board Test

Cyber Expo Ireland put a practical question in front of Irish boards at its May 20, 2026 gathering in Dublin: how do you prove cyber resilience when artificial intelligence (AI, software that can generate or classify content from data) helps attackers write cleaner phishing lures, move faster and stress every weak control?

The sharper signal came from the agenda itself. AI, ransomware recovery, identity abuse, supply chain security, the Network and Information Security Directive and the Digital Operational Resilience Act were treated as linked obligations rather than separate talking points. That is where the event matters after the conference floor has emptied.

A Dublin Gathering Built Around Proof

Renaissance, Ireland’s IT security distributor, hosted the ninth edition of the event at Leopardstown Pavilion, with the confirmed Renaissance programme describing a free business event built for security professionals, managed service providers, resellers and executives responsible for technology risk.

Its value came from compression: a keynote from Paul C Dwyer, president of the International Cyber Threat Task Force and chief executive of Cyber Risk International, followed by streams on AI security, compliance, identity, ransomware, critical systems and managed service delivery. The floor put global vendors beside Ireland based managed service providers (MSPs, outsourced IT and security firms that run systems for clients), value added resellers (VARs, firms that sell and configure technology for customers) and industry specialists.

That mix matters because resilience is now an operating claim. A company cannot say it is safe because a tool is installed; it has to show which risks are owned, tested and reported when something breaks.

AI Moved From Presentation Topic to Operating Condition

The dedicated AI stream had an unusually blunt shape: attack, defend, govern. The Cyber Expo AI security session covered autonomous offensive operations, deepfakes, AI driven security operations centres (SOCs, teams and tools that monitor attacks), shadow AI risk, model risk and the EU AI Act.

Generative tools lower the cost of bad writing, fake voice clips, fraud scripts and targeted research. Defenders get help too, especially in triage, mobile threat intelligence and detection. The bottleneck moves to trust: who approved the model, who can inspect its output, who owns the logs and who stops a rushed deployment before it leaks data?

The European Union Agency for Cybersecurity (ENISA, the EU cyber agency) gave the wider context in its ENISA Threat Landscape 2025 report, which analysed 4,875 incidents across the period from July 1, 2024 to June 30, 2025. Ireland’s security conversations now sit inside that European threat picture.

Regulation Has Turned Resilience Into Evidence

Regulation gave the Dublin agenda its hard edge. The Network and Information Security Directive (NIS2, the EU law setting cyber risk and reporting duties for critical and important entities) expands duties across sectors such as energy, transport, health, digital infrastructure and managed service providers. The NCSC’s public NIS2 page says Ireland missed the October 17, 2024 transposition deadline and has been working through a full overhaul of existing law.

The European Commission’s NIS2 incident reporting guidance sets out the practical rhythm: an early warning within 24 hours of awareness, a fuller notification within 72 hours and a final report no later than one month later.

• Who decides that an incident is significant enough to report?
• Who can brief the regulator if the chief information security officer (CISO, the executive accountable for cyber risk) is unavailable?
• Which supplier contracts force fast notice when a third party is hit?
• Where is the proof that backups, identity controls and recovery procedures were tested?

Financial firms have even less room for vagueness. The Digital Operational Resilience Act (DORA, EU rules for financial sector technology risk and outage resilience) has applied since January 17, 2025, and the Central Bank’s DORA guidance points to targeted rules on ICT risk management, incident reporting, resilience testing, third party risk and information sharing.

This is why evidence beats confidence. A board pack that says controls exist will not be enough when the clock starts. The useful question is whether the evidence can be found while systems are noisy, phones are ringing and customers are waiting.

The HSE Attack Remains Ireland’s Reference Point

Every Irish cyber resilience conversation still carries the Health Service Executive (HSE, Ireland’s public health service) attack of 2021. The HSE says its systems were targeted by a criminal cyber attack, no ransom was paid and 90,000 people were notified. Its HSE cyber attack response page says the route in was a phishing email sent in March 2021, with ransomware triggered in May that year.

That history matters because AI improves the front door for criminals. A fake supplier email can be cleaner. A voice note can sound more plausible. A social engineering chain can be researched in minutes instead of days. The weakness may still be human trust, but the attacker now gets better raw material.

For boards, the lesson reaches beyond staff training. Identity control, email filtering, endpoint visibility, Active Directory recovery, offline backups and crisis authority have to work as a chain. Break one link and the response becomes paperwork under pressure.

The Managed Service Provider Became the Hidden Stakeholder

The most exposed group at Leopardstown may have been the firms that run technology for other firms. Small and medium sized enterprises often buy security as a service because they cannot staff a full internal team. That makes MSPs central to resilience, but it also makes them attractive targets.

The Cyber Expo exhibitor list made that dependency visible. Cyber Ireland, Technology Ireland ICT Skillnet, GTIA, DNA IT, Nostra, Paradyn and other partners appeared beside global vendors such as Bitdefender, Proofpoint, Lookout, LevelBlue and Fortra. Irish resilience will be delivered through partners as much as through in house teams.

The risk is concentration. One weak service provider can give an attacker a path into many customers. One over stretched help desk can miss the early clue. One poorly written service contract can leave a client unsure about notification, logs, recovery duties and who pays for the forensic work. For smaller organisations, choosing a provider is now a cyber governance decision.

A National Risk Problem Lands on Company Desks

The National Cyber Security Centre (NCSC, Ireland’s national cyber authority) made the same move from abstract risk to practical duty in its 2025 National Cyber Risk Assessment launch. It identified three systemic risks for the State: a dynamic geopolitical environment, evolving technology and supply chain security. It also called for stronger visibility, proactive cyber defence, better resilience, supply chain assurance and investment in national capacity.

For a warehouse, clinic, school or software firm, that national language becomes ordinary chores: supplier inventories, incident logs, privileged access reviews, backup tests, table top exercises and board minutes that show decisions were made before the alarm.

The hard part is cultural. Cyber teams have spent years buying controls; now they have to prove those controls survive a bad day. Boards have spent years asking if they are covered; now they need to ask who can make a decision at 2am and what evidence will exist by lunchtime.

If the May 20 conversations turn into tested runbooks and cleaner supplier contracts, the event will have done more than fill a room in Dublin. If they fade into another folder of slide decks, the next major incident will find the same gap, only with faster attackers on the other side.