
UK Regulation Fuels Cybersecurity Investments in Critical Infrastructure Organizations


In a landscape increasingly defined by stringent regulations, security leaders within the United Kingdom’s critical national infrastructure (CNI) sectors are turning to regulatory compliance as a significant catalyst for driving cybersecurity maturity and subsequent investments. This shift is highlighted in the recent Cybersecurity in CNI Report 2026, published by Bridewell, a UK-based cyber service provider. The report reveals that a notable 35% of security leaders across the UK’s 13 CNI sectors now identify regulatory demands as the chief influence on their security programs. This is a marked increase from the 26% recorded in 2025 and the 29% recorded in the previous year.

The findings from Bridewell indicate that the priorities within the cybersecurity landscape are shifting. Factors such as increased connectivity, the pursuit of innovation, and the ongoing evolution of cyber threats, which previously shaped security investments, appear to have stagnated as primary influences. In fact, only 25% of the survey respondents pointed to these factors as driving security investments in both 2025 and 2026. This could largely be attributed to an acceleration in regulatory efforts, exemplified by the introduction of groundbreaking legislation like the UK’s Cyber Security Resilience Bill (CSRB), alongside the EU’s NIS2 Directive and Cyber Resilience Act (CRA). Additionally, the UK has recently overhauled the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) tailored for CNI organizations, underscoring the regulatory momentum in place.

During a press event hosted by Bridewell in London on March 17, COO Sam Thornton noted the increasing reliance on regulatory compliance, although he highlighted that the 35% figure remains relatively low. His assertion indicates a looming potential for regulatory demands to become an even larger catalyst for security investments in the years ahead, emphasizing the need for organizations to take these regulations seriously.

The Bridewell report does, however, underscore some inconsistencies within regulatory adherence. For instance, less than half of the surveyed leaders (46%) reported having implemented or complied with the new Cyber Assessment Framework. Furthermore, only 29% indicated compliance with the EU’s NIS2 directive. These results have led to a glaring statistic: 39% of respondents expressed a lack of confidence in their cybersecurity measures related to data protection.

Bridewell’s CEO, Anthony Young, acknowledged the typical complaints surrounding regulatory burdens but stressed that regulation serves as an effective mechanism to enhance cybersecurity resilience. He pointed to the financial sector as a prime example; often the most regulated industry in the UK, it generally exhibits leading levels of cyber maturity. Nevertheless, Young cautioned against conflating regulatory compliance with operational resilience, warning that "compliance on paper does not automatically translate into operational resilience," thereby pressuring organizations to demonstrate alignment with policies as well as genuine capability in the real world.

Moreover, Martin Riley, Bridewell’s CTO and head of the firm’s managed security services, highlighted additional complexities arising from mounting regulatory expectations. He noted that many CNI organizations are now mandated to attain compliance with the Enhanced Cyber Assessment Framework (eCAF) by March 2028. As new regulations, such as the CSRB, come into effect, he warned that the government could alter these regulations at any time, potentially disrupting compliance roadmaps for various organizations.

Adding to the urgency of this cybersecurity dialogue, Bridewell’s report reveals that cyber threats are alarmingly prevalent across CNI sectors. A staggering 93% of organizations reported having been targeted by cyber threat actors over the past year. Of those affected, 50% reported significant disruptions to their IT services, while 34% noted operational technology (OT) impacts. Financial implications are evident, with 31% of those attacked experiencing revenue loss and an equal percentage reporting data loss. Conversely, these incidents have also spurred cybersecurity investments, with 36% of respondents increasing their budgets as a direct result of these attacks.

Interestingly, for the first time, the report emphasized the growing concerns surrounding AI as a cybersecurity risk. While data protection and privacy remain the foremost challenge for 43% of respondents, AI has surged to the forefront of concerns for 39%. Despite these anxieties, more than one-third of organizations have begun integrating AI into their defensive operations, utilizing it to automate incident responses and enhance threat hunting capabilities. Young likened the rapid adoption of AI to the early stages of cloud technology, emphasizing its powerful potential while also warning that the controls to secure it often lag behind.

Riley further stressed the central role AI plays in modern cyber defense, declaring that organizations not leveraging AI risk falling behind in the face of evolving threats. Looking ahead, he said that navigating AI governance is now crucial for organizations, marking a pivotal transition in the cybersecurity paradigm.

Finally, the findings also spotlight a striking disconnect concerning preparedness for post-quantum cryptography (PQC): while 90% of the respondents expressed confidence in their readiness, 38% admitted they had not yet reviewed relevant government guidance. This paradox underscores what Bridewell labels as “confidence without clarity,” indicative of the challenges organizations face in understanding and navigating emerging risks.

The Cybersecurity in CNI Report 2026 provides a sobering snapshot of the current state of cybersecurity within the UK’s critical sectors, showcasing regulatory developments while highlighting the urgent need for improved compliance, resilience, and proactive measures against an ever-evolving threat landscape. Released during Bridewell’s CNI Cyber Security Summit on March 19 in London, the report is based on a survey of 600 security leaders across the 13 CNI sectors, conducted by Censuswide.
