Cyber attacks have now affected almost every UK critical infrastructure organisation, with 93% reporting a cyber incident in the past year, according to Bridewell’s Cyber Security in CNI Report 2026.
The research shows attacks are increasingly causing operational disruption across sectors that underpin the UK economy, including energy, finance, transport and government. Half of organisations report IT disruption or outage following cyber incidents, while nearly one third (31%) say attacks have resulted in revenue loss.
Phishing and business email compromise remain the most common attack methods, with organisations experiencing an average of 11 phishing or BEC attacks per year, followed by malware attacks averaging eight incidents annually.
Data protection and privacy remain the number one concern for 43% of CNI organisations, continuing their year-on-year rise.
AI risk enters the top cyber concerns for the first time
AI cyber risk has entered the top tier of security concerns for the first time for 39% of organisations, as attackers increasingly use AI to scale phishing and malware attacks. At the same time, AI is being rapidly adopted in defensive operations, with more than a third (36%) of organisations already using AI to automate incident response and 35% using it to support threat hunting.
“AI is now central to modern cyber defence. If you are not using AI to accelerate detection and response, you are falling behind attackers who are already using it against you,” said Martin Riley, CTO at Bridewell. “The challenge for 2026 is not whether to adopt AI, but how to govern it safely.”
Anthony Young, CEO at Bridewell, added: “AI today feels very similar to the early days of cloud. It is powerful and widely adopted but often implemented faster than the controls designed to secure it. Organisations must apply the same discipline and guardrails to AI that they now expect for cloud and digital infrastructure.”
Regulation becomes the primary driver of security maturity
Regulation has now overtaken cyber threats themselves as the main driver of security investment, with 35% of organisations citing regulatory requirements as their main motivator, up from 26% last year.
At the same time, adoption of major frameworks remains inconsistent. Fewer than half report implementation of or compliance with the Cyber Assessment Framework (46%) and only 29% report adoption of NIS2.
It’s therefore unsurprising that 39% admit low confidence in their cyber security measures for data protection.
“Frameworks are essential, but compliance on paper does not automatically translate into operational resilience,” said Young. “Regulators are asking harder questions, and organisations will need to demonstrate policy alignment as well as real-world capability.”
Confidence gap in post-quantum readiness
The research also uncovered a striking confidence gap in post-quantum cryptography (PQC). While 90% claim to feel prepared, 38% admit they have yet to review government guidance. This disconnect highlights what Bridewell describes as ‘confidence without clarity’ in emerging risk areas like PQC.
From awareness to execution
Bridewell’s research concludes that 2026 marks a turning point. With IT disruption affecting half of organisations, average breach costs continuing to rise and geopolitical tensions rising, CNI leaders face mounting pressure to move from awareness to action.
“The speed of attack now outpaces traditional response models. Attackers can move from initial access to data theft in minutes. The organisations that succeed will be those that can detect attacks faster, respond in minutes rather than hours, and govern emerging technologies like AI securely,” Riley concluded.