Cyber Predictions for 2026 (It Was Never Going to Be Simple) – Part One

With the madness of Q4 drawing to a close and Mariah Carey permeating the airwaves, it can mean only one thing: it’s ‘predictions season’ again! For anyone working at the coalface of cybersecurity, the idea of pausing as the Gregorian calendar approaches its contractual year-end to calmly anticipate what comes next is faintly laughable. The reality, as any weary SOC analyst or CISO will tell you, is that looking ahead is not a luxury – it’s a critical cybersecurity necessity.

In cybersecurity, we’re always looking ahead. Sometimes that’s years ahead or months ahead, often it’s seconds ahead. Effective cybersecurity demands anticipation, not reaction.  

And so for my predictions this year (of which I have many, so what follows here is part one of a two-part blog on cybersecurity predictions for 2026), rather than distant future gazing and high-level trend spotting (“AI will be a big thing”), I have tried to ground my predictions of what comes next in 2026 in the realities of what I am seeing now as I speak with CISOs and security professionals across a range of sectors.

So, grab a mince pie, a glass of fizz and sit in your comfy chair for a 6-minute read…

Prediction 1: Regulation will drive investment

The last few years have seen a raft of new information security regulations coming into force. These are placing increased levels of scrutiny on high-risk sectors like financial services (as with the EU Digital Operational Resilience Act (DORA)) as well as updated obligations around data security for organisations more broadly (such as NIS2). Plus, organisations subject to these must now contend with the risk of new financial penalties for compliance failures. 

The EU Cyber Resilience Act, for example, which came into force in early 2025 and will reach the end of its transition period in 2027, introduces both product ban penalties and significant new financial penalties for non-compliance. Much like GDPR, penalties for compliance failures can be linked to a percentage of global turnover, representing a step change not only in the ‘secure by design’ ethos underpinning the legislation, but also in the global compliance burden it places on organisations.

The move from active oversight to full enforcement and the fact that enforcement activity between regulations will overlap in the coming 12-24 months means regulatory pressure will be the single biggest driver of cybersecurity investment in 2026. The sheer scope and depth of regulatory pressure around information security, governance, third party supply chain risk and incident reporting means compliance will be treated as a fundamental investment priority rather than a checkbox exercise.

Both NIS2 and DORA heighten board-level accountability, and I expect a comparative increase in board-level scrutiny on incident reporting SLAs (often 24 hours or less), evidence of resilience testing and secure by design software practices, especially for any product touching the EU market. These regulations also tighten obligations around third-party supply chain security, for example with vendor risk assessments and real-time incident reporting, and so this is also becoming a clear area of concern at board level. More on supply chains in Prediction Blog Part 2…

UK organisations will also be looking ahead in 2026 at the evolving NIS regulations, which close some major gaps in the UK’s outdated 2018 legislation, and the upcoming Cyber Security and Resilience Bill. While the enforcement window for the latter is unlikely to come in before 2027, the direction of travel is clear. CISOs and boards – many of which are already facing new obligations from other regulations – will be aligning to the shift in UK cyber resilience expectations. This will push organisations into faster compliance cycles, and we can expect more audits, heavier enforcement and higher board level involvement in 2026. 

Prediction 2: We’ll see Zero Trust, SASE and SSE scale up

Who would have predicted going into 2020 that the next few years would usher in a radical transformation of the modern workforce? I certainly don’t remember reading any! But as we move into 2026, hybrid working models and a reliance on remote access and cloud applications are now a given. And, barring another ‘black swan’ event, this means we can make some informed predictions on areas of investment.  

The distributed nature of work means traditional security architectures are no longer fit for purpose and modernisation will remain a key priority for most organisations moving into the new year. We will see an acceleration around the adoption of Zero Trust Network Access (ZTNA), Secure Access Service Edge (SASE) and Security Service Edge (SSE) as organisations consolidate remote access, web security and Cloud Access Security Brokers (CASB) into fewer platforms.

Interestingly, recent data from the Cybersecurity Insiders State of SSE Adoption 2025 report shows that organisations are increasingly using ZTNA as the primary entry point into SSE. Within 24 months, 79% of the organisations surveyed plan to implement SSE and 62% consider SASE solutions an important part of their security strategy. 

What the data also shows, which is reflected in my experience of working with customers to replace legacy security stacks with the unified iboss Zero Trust SASE platform, is that there is a clear shift towards consolidation in this area, with organisations preferring single-vendor SASE solutions that unify networking and security and cut complexity. Take a look at how we helped South London and Maudsley NHS Foundation Trust with their secure access.

In 2026, this will translate into consolidation projects (VPN retirement, legacy proxy decommissioning) and stronger identity-centric controls across hybrid workforces. I think we’ll see larger enterprises and regulated sectors accelerating ZTNA and adopting SASE solutions in 2026, but migration complexity and legacy systems mean organisations will favour phased integration of existing stacks (VPNs, SWG, CASB) over wholesale replacement. We’ll also see growth in managed SASE and managed security service providers (MSSPs) capitalising on this shift.

Prediction 3: Ransomware remains critical 

Ransomware will remain a top operational risk in 2026, and we’ll likely see the pace of evolution in the landscape continue to grow. The many high profile attacks we have seen recently will be front of mind for CISOs and boards across all sectors, and it is unsurprising that the CrowdStrike 2025 European Threat Landscape Report found ransomware attacks on European organisations reached historic highs in 2025, with the UK, Germany, France, Italy and Spain the most targeted nations.     

In the UK, the ransomware attack on JLR caused UK car production to hit a 70-year low, with the Cyber Monitoring Centre (CMC) concluding it was the most economically damaging cyber event in UK history. Likewise, groups like DragonForce and Scattered Spider hit the retail sector particularly hard with ransomware in 2025. What we have seen from the fallout is that across the board, critical systems lack identity protection, and this is being further exacerbated by compromised third-party access.

With identity as a clear attack vector, BlueFort has been working closely with strategic identity security specialist Silverfort to close these gaps for organisations in high risk areas such as healthcare and financial services.  

We will undoubtedly see further high-profile ransomware attacks in 2026, both ‘traditional’ attacks and double extortion attacks that combine both financial extortion and data leakage.

We’re already seeing the speed of ransomware deployment increase significantly, but criminal groups will also adapt quickly to takedowns, develop more targeted, leaner operations and look for more opportunistic double extortion vectors. 

Ransomware remains a core focus for agencies like ENISA and the National Cyber Security Centre (NCSC) and we can expect more cross-border law enforcement wins, but also faster reconstitution. The challenge, as with any adversarial situation in cybersecurity, is that while law enforcement will continue to successfully disrupt networks, this is only pushing adversaries to adapt, change infrastructure and look to new affiliate models.

Prediction 4: AI-driven attacks and agentic defence will increase

As I pointed out at the start of this blog, AI security developments in 2026 are a fairly safe prediction to make. A (perhaps) slightly more nuanced perspective is that rather than plateauing, AI will bifurcate into more automated offence and more autonomous defence.

AI-driven threats are, of course, front of mind for many IT professionals. Indeed, survey data from the ISACA 2026 Tech Trends and Priorities Global Pulse Poll indicates that the majority of European IT and cybersecurity professionals expect AI-driven cyber threats to be their top concern going into 2026, with roughly 51% citing this as their foremost worry. Driving this is a feeling of under-preparedness for AI security risks, with just 14% of survey respondents feeling that their organisation is very prepared to manage risks associated with GenAI solutions.

What is clear is that AI is becoming a top attack vector and AI orchestration is enabling autonomous and scaled offensive cybersecurity operations – not to mention a sharp increase in deepfakes and automated social engineering campaigns. Thinking about the AI security risk going into 2026, it’s not unreasonable to predict the first headline-grabbing, largely AI-orchestrated breach in this timeframe. Having said that, although adversarial AI attacks will rise in 2026, they won’t become ubiquitous.

On the defensive side, agentic or hyper-automated security operations are emerging in the UK and Europe, with AI systems quarantining endpoints, rotating credentials and pre-drafting regulatory incident reports to meet tight NIS2 and DORA timelines. There are some exciting vendors in this space and BlueFort has partnered with Torq to support our customers deploying its AI-native autonomous SecOps platform.

In 2026, we will see AI-powered security tooling and machine learning (ML) detection become more widely adopted in areas such as AIOps, automated triage and behavioural analytics. The flip side to this (because every action has a reaction) is that organisations will also face growing governance, explainability and data poisoning risks. We can expect more regulation and vendor transparency demands in this area. If you want to read more on AI – we’ve recently released our AI in cyber whitepaper.

Prediction 5: Confidential computing will go mainstream

Something that isn’t dominating headlines, but that I see becoming increasingly prevalent in 2026, is confidential computing. While analysts increasingly position confidential computing as a strategic security capability, it is overshadowed as an immediate security priority by areas like AI security, identity security and third-party supply chain risk.

The Linux Foundation Confidential Computing Consortium recently ran a global survey with IDC across more than 600 IT leaders from 15 industries, which found 75% are adopting confidential computing. I agree with its governing body chair, who calls this a shift “from a niche concept into a vital strategy for data security and trusted AI innovation”. It’s clear to me that in 2026 we will see wider adoption still, as stronger data residency controls across the EU and UK continue to accelerate, driven by demands on regulated industries like finance and healthcare.

Discussions around sovereign cloud environments will also contribute to this shift. Confidential computing protects sensitive data even while it’s being actively processed, using hardware-based isolation so that neither cloud providers nor sysadmins can access it. As regulators focus on data flows and cloud concentration, this will naturally increase demand for clearer controls and provable, enforceable protections for data while it is in use.

Equally, as organisations adopt confidential computing across multiple clouds, they will face new challenges around multi-cloud security. This will lead to a greater reliance on cloud security posture management (CSPM) tools from vendors like Orca Security, F5 and CrowdStrike, which will increasingly be used as the policy and assurance layer to provide visibility, enforcement and audit evidence that sensitive workloads are correctly deployed on confidential infrastructure across multi-cloud environments.

Are you still with me? 

Good. Because this last prediction steps away from the usual AI hype and cybersecurity buzzwords, and into something far more political, structural, and unavoidable. Prediction 6 isn’t about new tools or smarter algorithms. It’s about where your data lives, who ultimately controls it, and which laws apply when things get uncomfortable.

Prediction 6: Digital sovereignty will be a defining theme in 2026

Data sovereignty and jurisdiction will be a defining theme for the EU and by extension many UK/EU cross border businesses in 2026. So important, in fact, that it deserves its own call out. 

European policy and market narratives are increasingly insisting on ‘local data, local control.’ Initiatives like the EU Cloud Certification Scheme (EUCS), an ENISA-led framework under the EU Cybersecurity Act (CSA), are creating a harmonised EU standard for cloud service security, and the wider European strategy for data is aiming to create a single market for data that ensures global competitiveness and data sovereignty for Europe. 

This is being driven primarily by concern over geopolitical dynamics and extraterritorial laws like the US CLOUD Act. And while these concerns are driving regulation in Europe, they are also pushing demand for sovereign or ‘EU-only’ cloud and security services. 

In a recent Gartner survey, 61% of Western European CIOs and IT leaders said geopolitical factors will increase their reliance on local or regional cloud providers. The analyst firm itself predicts that by 2030, more than 75% of all enterprises outside of the US will have a digital sovereignty and sovereign cloud strategy.

It’s clear that in 2026 we can expect more RFPs that explicitly exclude non-sovereign options and growth in ‘made in Europe/UK’ security ecosystems, including zero trust platforms designed to keep sensitive data and keys within UK/EU legal reach.

If you’ve made it this far, congratulations!  You’re clearly either very committed or avoiding year-end admin. Either way, consider this a pause, not a finale. There’s another blog on the way with six more predictions, because apparently the future refuses to stay neatly summarised. Seasonal goodwill pending.

Look out for part 2 coming soon…
