Why did you decide to join the training instructor team? 

Paulo Calçada (PC): I joined this training at a particular moment in my own professional journey. After more than a decade leading Porto Digital, turning Porto into one of Europe’s most connected and data-driven cities, building shared infrastructure, urban data platforms, and governance structures that touched hundreds of thousands of citizens every day, I recently stepped away to start something new.  

Knowledge.Space is a venture focused on helping organisations harvest the technical and specialised knowledge that already exists within their own teams, and building the internal structures that allow them to adapt, in a structured and sustainable way, to the challenges brought by AI and rapid digital transformation. In many ways, it is the distillation of everything I learned in Porto: that the most critical asset any organisation or city holds is not its technology, but its accumulated knowledge, and that asset is almost always undervalued, poorly documented, and dangerously siloed. 

That framing shaped everything I brought to this training. Cybersecurity was never a separate workstream at Porto Digital: it was embedded in every infrastructure decision, every data governance policy, every partnership with a utility or a vendor. I joined because I wanted to share that perspective — that resilience is not a technical problem to be solved once, but a governance and culture challenge that cities must continuously earn. 

What I hoped to offer was not a model to be copied, but a reference point: here is what worked, here is what we got wrong, here is what we would do differently. Cities learn best from other cities. 

Alexander Maaß (AM): I have a professional background in criminal investigation. I now look back on almost 41 years of service experience in the field of internal security. During this time, my primary focus has been on international cooperation in combating organized crime and terrorism. Throughout my ten-year tenure during the early years of Europol, I gained both operational and strategic insights into the challenges of effective law enforcement in an increasingly innovation- and technology-driven world. During this period, I also served as an expert evaluator in international EU teams conducting mutual evaluations of national measures in this field. The use of technology shapes the nature of modern criminal activities as well as contemporary policing.  

I have been working for the Berlin Senate since 2016 in the area of cybersecurity within the ecosystem of a major metropolitan region and its critical infrastructures. Since September 2, 2025, I have been responsible for the Cybersecurity Coordination Office for the State of Berlin. This Coordination Office follows a concept of standardized coordination centers forming a nationwide cybersecurity network in Germany. The coordination center concept strategically unites diverse stakeholders from government, industry, research, and civil society to achieve a higher level of cybersecurity and resilience. 

This orchestrated approach relies on shared knowledge and strong cooperation among actors within a borderless cyberspace. This means that the threats, challenges, and best practices for maintaining a good level of cybersecurity and resilience are global and should therefore be shared. The LAC4 initiative is a valuable platform in this regard, which I am pleased to support, as shared knowledge represents doubled knowledge—not only for South America but also for Europe. Together, we can work towards safer cities and regions worldwide. 

Armani Pogosjan (AP): My background is in national security, where cybersecurity is one critical part of a much wider security picture. Coming from the military, I have worked extensively with crisis management in battlefield conditions and later translated that experience into the civilian context. This has given me a very practical understanding of how to solve complex civil crises using crisis management mechanisms that have already been tested under the most demanding circumstances. 

In my current role as Development Manager of the Estonian Cyber Reserve at the Estonian Information System Authority, I am responsible for making sure that our national cyber reserve really works in practice, from structures and procedures to training and exercises.  

I decided to join the instructor team in Montevideo because I believed that the solutions and lessons we have developed in Estonia could be meaningful for cities in Latin America as well. I wanted to show how structured crisis management and cyber resilience can help cities stay functional even under pressure. Seeing how well these ideas resonated, and experiencing the generosity of the people I met in Montevideo, was personally very moving and rewarding.  

What are the key challenges cities in LAC region face and how to overcome those? 

AP: What struck me most was how familiar many of the challenges felt. Two issues came up repeatedly: very limited resources and lack of coordination. Some cities described situations where essentially two people are responsible for security in a very broad sense, yet they are expected to plan for and manage complex cyber crises. Building a functioning crisis management mechanism in that situation is extremely difficult. 

In Estonia, we also started from a position of very limited resources. That constraint became a driver for creativity: we did not have capacity to waste, so we had to think carefully about priorities, roles and simple procedures that actually work under pressure. We focused on clear responsibilities, lightweight but effective coordination structures and regular exercises, rather than large and expensive systems.  

I see a similar opportunity in LAC cities. European and Estonian experience can help by showing that you do not need huge budgets to make progress:   

• you can start with simple but clear crisis plans: a simple plan is better than no plan; 
• build small but reliable coordination networks between cities, national authorities and critical infrastructure operators; 
• and use regular, realistic exercises to test and improve cooperation. 

The problems are shared, and many of the solutions are also shared, they just need to be adapted to local realities. 

AM: The challenges in cybersecurity and resilience are comparable everywhere. From the state’s perspective, there will never be enough qualified personnel, technology, time, or top-level training available. Innovations emerge faster than we can keep pace. Structures in politics and public administration often prove cumbersome in adapting to the flexible cybersecurity landscape, both in Europe and South America. These challenges can be addressed with agile and well-informed structures.  

PC: Based on the research I’ve done, many challenges in LAC cities mirror those we faced in Europe: fragmented responsibilities, constrained resources, legacy systems, and limited coordination between local and national authorities. 

In Europe, progress accelerated when cities clarified governance roles, strengthened cooperation with national cybersecurity bodies, and invested in capacity building rather than technology alone. LAC cities can move faster by prioritizing institutional coordination, shared protocols, and ecosystem-wide awareness. Cyber resilience depends as much on trust and cooperation as on technical solutions.  

What did you learn yourself? 

AP: The most striking thing for me in Montevideo was the level of openness and genuine willingness to do better. Participants spoke very frankly about their constraints, gaps and worries, not to complain, but to find solutions. This kind of honesty and trust is exactly what you need to build real resilience. 

The training also reinforced for me how interdependent our infrastructures are. Cybersecurity is truly borderless: incidents in one part of the world can have very real effects elsewhere through supply chains, shared technologies and connected systems. That means cyber resilience cannot be built in isolation. It requires international cooperation, peer learning and mutual support. 

Engaging with colleagues in Latin America was not a one-way exercise where the EU “explains how things should be done”. It also helped me see our own European and Estonian approaches with fresh eyes and test whether they still work when applied in a very different political, cultural and resource environment. 

PC: I came to Montevideo expecting to share. I left having gained considerably more than I gave.

The LAC region cities are not behind, they are navigating a different and in some ways more complex terrain: rapid urbanisation, fragmented governance, regulatory environments still being built, and a threat landscape that is evolving faster than institutions can respond. And yet the participants demonstrated a level of commitment and practical intelligence that was genuinely impressive.

One thing that stayed with me: the cities in the room were not asking for more technology. They were asking for governance clarity: who decides, who communicates, who is accountable. That is a challenge every city faces, Porto included. Europe does not have a finished answer to offer. We have some hard-won experience, and we should share it with appropriate humility. I also came away with a renewed sense that Knowledge Spaces, shared repositories of institutional memory across cities, are urgently needed in the LAC region, not as a future aspiration but as a near-term practical tool.  

AM: The workshop helped me critically reflect on our own standards and learn from the experiences and challenges of participants and team members. I took away a great deal from these three days.  

Moving forward, what do you think were key take-aways for the trainees? 

PC: If I had to identify what resonated most, it was the Shadow AI case study. The scenario, a municipal employee uploading sensitive data to an unapproved AI tool, a journalist calling two hours before publication, no policy in place, landed very differently from the theoretical frameworks. Participants recognised it immediately. It was not abstract. It had happened, or could happen, in their organisations next week. 

The deeper message that seemed to stick was this: cyber resilience is not about waiting to be fully prepared before acting. It is about building the governance habits: stakeholder maps, pre-approved decision protocols, communication chains. That allow you to respond well even when something unexpected happens. Cities that have practised those habits will always outperform cities that have better technology but no coordination culture. That, I think, is the most transferable lesson from Porto’s experience, and the one I hope participants carry forward.  

AP: One phrase that clearly resonated with participants was: “a simple plan is better than no plan.” Many realised that they do not need to wait for a perfect, comprehensive crisis plan. They can already make meaningful progress with a short, clear and realistic plan that everyone understands. 

During the exercises, I noticed a real “click” when participants started to see the gaps in coordination. For example, not knowing exactly who calls whom, in what order, when a cyber incident hits a critical service. That moment of discomfort was actually very productive, because it showed them where to focus their efforts after the training. 

If I had to summarise the key take-aways for the trainees, I would highlight three points:    

• Know your truly critical services and systems, you cannot protect everything equally. 
• Even very small teams can build a functioning crisis management mechanism, if roles and procedures are clear. 
• You must practice, not just write plans, because realistic exercises reveal coordination gaps and build trust before a real crisis hits.

I hope participants left with the confidence that, even with limited resources, they can take concrete, practical steps to strengthen the cyber resilience of their cities. 

AM: Improving cybersecurity and resilience is not achieved merely by purchasing expensive technology but also through far more cost-effective investments such as staff training, regular exercises, and intelligent organisational measures. The best firewall is well-trained personnel who understand the fundamental principles of cyber hygiene and can manage cyber threats even under stress.     

The workshop participants demonstrated great openness, willingness to learn, and flexibility. I believe these positive qualities will help them connect new experiences with their own expertise and respond more agilely to evolving cyber threats. This, in turn, leads to a higher level of resilience. 

Background   

Training “Is Your City Cyber Safe?”, taking place from 4 to 6 March 2026 in Montevideo, was attended by officials, policymakers and cybersecurity professionals from Southern Cone capitals Buenos Aires, São Paulo, Santiago and Montevideo as well as Uruguay’s cities like Canelones, Paysandú, Florida, Maldonado, Levalleja and Rivera, and national authorities of Uruguay.      

Training was led by EU CyberNet experts Alexander Maaß, Paulo Calçada and Armani Pogosjan who shared perspectives from Germany, Portugal and Estonia. LAC4 extends its gratitude for co-organisers: the Intendancy of the Department of Montevideo  (Intendencia  Departamental  de Montevideo),  the Agency for Electronic Government and Information and Knowledge Society of Uruguay  (AGESIC, Agencia de Gobierno Electrónico y Sociedad de la Información y del Conocimiento),  National Administration of Telecommunications of Uruguay  (ANTEL, Administración Nacional de Telecomunicaciones)  and the Delegation of the European Union to Uruguay.    

Further reading:  

• Photos
• Opening of the training
• First day conclusions
• Second day conclusions
• Third day conclusions