Cyber Predictions for 2026 (It Was Never Going to Be Simple) – Part Two

If you made it through Part One of my 2026 cybersecurity predictions, welcome back and welcome to the first real working week of January, where inboxes refill overnight, calendars suddenly matter again, and everyone is pretending their “new year, new me” energy will last beyond Friday.

January might bring clean slates, renewed optimism, and the illusion of control, but threat actors don’t do resolutions. They don’t reset priorities, and they certainly don’t wait for Q1 planning cycles to finish.

So, for those easing back into the first proper working days of the year, coffee-fuelled, protein shake on the go, and already watching suspicious logins roll in, here are a few more thoughts on what 2026 is likely to throw our way…

Prediction 7: Progress will be made on OT, ICS and critical infrastructure security

Operational Technology (OT), Industrial Control Systems (ICS) and critical infrastructure are now some of the most-targeted areas for cybersecurity attacks. Take the ENISA Threat Landscape 2025. The report doesn’t focus on OT security but analysed 4,875 EU security incidents across a wide range of public attacks and those reported directly to the European Union cybersecurity agency. Its analysis found a significant concentration of attacks on OT environments, accounting for the third largest share (18.2%) in the distribution of threat categories, behind mobile threats and web threats. 

There is no single reason for the uptick in OT security risk. Several factors have converged in recent years and all contribute: expanded connectivity between IT/OT environments (and insecure legacy OT systems), increased third-party supply chain risk, geopolitical dynamics and a new class of ideologically motivated attackers targeting critical national infrastructure (CNI).

A recent joint advisory on OT security from the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) provided clear and actionable guidance for organisations operating in these areas, including creating accurate OT asset inventories and prioritising risk reduction. The advisory emphasised collaborative OT/IT risk management and aligning with standards like IEC 62443 and ISO/IEC 27001. 

Regulatory pressure on OT operators will increase in 2026, particularly for organisations that fall outside of current CNI regulations, and we will see more targeted regulation that spurs action. This will drive organisations to focus on OT visibility, micro segmentation and secure remote access. Public/private collaboration will support this, but legacy constraints will continue to slow adoption and progress will be uneven. Sectors like utilities and transport will likely accelerate, with smaller operators lagging behind. Undoubtedly, we will see more notable security incidents in the months ahead. 

Prediction 8: Talent shortages will drive automation and managed services uptake

Talent shortages in cybersecurity are well documented and anyone working at the coalface will be well aware of the associated challenges. 

Official UK Government data from the Department for Science, Innovation & Technology (DSIT) in its 2025 cyber security skills in the UK labour market report shows that the overall cybersecurity skills gap stabilised in 2025, after falling sharply between 2023 and 2024. According to the report, there is now a net shortfall of approximately 3,800 people in the industry, which is “markedly lower” than the 11,100 shortfall in 2024. However, despite more graduates and apprentices fuelling growth in the talent pool, technical skills gaps continued to increase by 28% year-on-year and this is only likely to grow as skills in areas like AI security become more in demand.

The impact of the skills gap is being felt across the board. A recent survey from systems integrator Insight Enterprises found that it has forced 64% of organisations across EMEA into taking risky shortcuts and making temporary fixes to meet security demands. This is the situation many – if not most – organisations find themselves in heading into 2026 with no material change in sight. 

The result is that security teams will increasingly rely on automation, extended detection and response (XDR) and managed detection and response (MDR) services, as well as vendor-led MDR from leading vendors like CrowdStrike. It’s clear this shift is becoming necessary if organisations are to fill these gaps while managing rising regulatory pressure, increased complexity and more frequent attacks. XDR/MDR tools enable smaller security teams to operate far more efficiently and in 2026, we’ll see these move from ‘advanced’ options to essential compensating controls in the face of the growing skills shortage. 

This will be further driven by regulation that forces board accountability, which will incentivise organisations to hire or buy robust services. My hope is that this increased investment will also spill over into comprehensive upskilling programmes, which will likely become mandated in some regulated sectors.

Prediction 9: Cross-border data controls will become a frontline security concern

The evolving regulatory landscape means organisations will no longer be able to assume that data protection compliance is a single, unified exercise across Europe and the UK. The EU and UK are increasingly diverging in policy and adequacy assessments and this will translate into more complex, operationally impactful cross-border data controls next year. 

In October 2025, the European Data Protection Board (EDPB) issued Opinion 27/2025 on the UK’s adequate protection of personal data. While generally the view was positive, the EDPB was clear in highlighting ongoing legal uncertainty and the need for continuous monitoring of data transfer mechanisms. This should be a clear signal to organisations going into 2026 that a ‘set and forget’ approach to UK/EU data transfers is no longer tenable.

There is nothing inherently new about cross-border data flows being regulated. What is changing now is the combination of continuing UK policy divergence, renewed EU scrutiny of adequacy and geopolitical considerations around data sovereignty that together will raise the operational bar. Organisations will need to embed targeted data flow controls, lawful basis mapping and legal transfer mechanisms into their security architectures rather than treating them as compliance afterthoughts. 

This will also put additional pressure on third-party supply chain risk. Contractual terms, data-handling practices and subprocessor transfers will all have to prove they align simultaneously with the GDPR, UK data protection law and sector-specific requirements.

Divergence in regulatory regimes and barriers to data flows will materially increase compliance complexity for organisations operating across multiple jurisdictions and will drive demand for more agile, policy-driven controls, as well as localisation strategies.

The practical effect in 2026 will be felt in both security design and operational risk management. Security teams will prioritise data minimisation by default (reducing export risk), enforce explicit lawful bases for processing at handoff points and build flexible routing and localisation mechanisms that can adjust to regulatory shifts without wholesale reengineering. 

Legal and security functions will need to work far more closely together and risk assessments will have to encompass where data travels as much as how it is protected. Far from being a blip on the regulatory radar, this will be a structural shift with real consequences for architecture, third-party risk and cross-border operational resilience.

Prediction 10: Secure-by-design will shift from a competitive differentiator to a regulated baseline

There is much to say about the supply chain heading into 2026. Setting aside the obvious increase in third-party supply chain threat activity for a moment, one of the most significant changes to how software and device vendors think about their supply chain comes with the ramp-up of enforcement around the EU Cyber Resilience Act (CRA) (see ‘Prediction 1: Regulation’ in part one). Software and device vendors operating across the UK and EU will come under sustained pressure in 2026 as CRA enforcement ramps up.

The CRA represents a fundamental shift in how digital product security is regulated, granting authorities the power to issue financial penalties to manufacturers, mandate product recalls or restrict insecure products from the EU market entirely. In doing so, it aligns cybersecurity expectations for digital products with those applied in other safety-critical industries (with the same ‘CE’ marking) and moves decisively beyond the legacy model of self-certification and post-hoc vulnerability disclosure.

What’s changing in secure development and vulnerability management is the regulatory consequence of getting these wrong. The CRA makes product security a legal obligation throughout the lifecycle, rather than a best-effort commitment at release. This means capabilities such as software bills of materials (SBOMs), vulnerability response SLAs and demonstrable secure development practices are moving from optional add-ons to contractual requirements. Vendors operating in this space, including those focused on secure software development and verified cyber risk scores like BlueFort partner Orpheus, are already reflecting this shift. In 2026, we will increasingly see buyers asking for clearer evidence that security is designed from the start, measured consistently and maintained over time.

This shift will also reshape third-party supply chain risk management. Point-in-time questionnaires and static supplier assessments will struggle to meet regulatory and procurement expectations. Instead, organisations will increasingly look for objective, continuously verifiable security signals – including SBOM transparency, signed build pipelines and standardised attestations – that can be validated independently. Vendors like BlueFort partner OPSWAT, which are addressing supply-chain and content security challenges, illustrate how demand is moving toward automated inspection, artefact validation and continuous assurance rather than trust-based declarations.

The regulatory pressure from the CRA will reinforce existing trends driven by NIS2, evolving procurement rules and the many high-profile supply chain incidents we’ve seen in recent years. This will push organisations to require ongoing evidence of product security posture rather than paper compliance. For vendors, product security will no longer be a differentiator or a marketing claim; it will be a regulated baseline for market access.

Prediction 11: ‘Bank-grade’ cyber resilience will become normalised across other sectors

Going into 2026, financial services organisations and their cybersecurity providers are now a full year into compliance with the EU’s Digital Operational Resilience Act (DORA). Organisations subject to DORA are operating under a significantly elevated resilience regime, with centralised EU-level oversight of critical third-party ICT providers moving responsibility for cyber resilience beyond individual firms and into a shared supervisory model. This sets a new baseline for what good looks like in cyber resilience. In 2026, we will see this set an example for other high risk industries.

Lessons from DORA (and likewise NIS2) will increasingly spill over into other ‘important’ sectors like energy and healthcare across both the EU and the UK markets. Regulators, boards and insurers will begin to treat bank-grade resilience – defined by continuous risk management, rigorous third-party oversight, tested incident response and demonstrable operational recovery – as a reasonable standard rather than a sector-specific exception.

This will have particularly sharp implications for OT security environments outside traditional critical national infrastructure. Sectors like manufacturing, logistics and healthcare, which have historically operated OT systems with limited cyber oversight (and certainly without security designed-in), will face growing pressure to adopt resilience practices more commonly associated with financial services. This includes improved OT visibility, stronger segmentation, secure remote access and realistic resilience testing.

The result will be a gradual but irreversible normalisation of higher cyber resilience expectations across the economy. What began as a regulatory response to systemic financial risk will, by the end of 2026, have reset the bar for how organisations of all types are expected to manage cyber risk and operational disruption.

Prediction 12: Post-quantum readiness will shift from theory to preparation

2026 will be the year we see Q-Day! Or as Wired calls it, the “quantum apocalypse”. I am, of course, only joking. But if you’ve made it this far, I think it’s only sensible that I check that you’re still awake. Plus, I couldn’t resist just one hyperbolic technology prediction.

Fear not, 2026 will not be a year of post-quantum panic. Having said that, we will see a visible shift from abstract discussion to practical preparation. More organisations will complete comprehensive inventories of their cryptographic usage, identifying where and how encryption, key management and digital signatures are embedded across applications, infrastructure and third-party services. For many, this discovery phase alone will be a significant step forward.

On the back of this, early pilot migrations to post-quantum or hybrid cryptographic algorithms will begin, focused on high-value or long-lived assets where the risk of ‘collect now, decrypt later’ is most acute. Adoption will remain cautious and targeted rather than broad, reflecting the operational and performance implications of new algorithms.

The dominant theme will be crypto agility. Organisations will prioritise the ability to swap algorithms, update key lifecycles and validate vendor readiness without major architectural disruption. Like anything in cybersecurity, preparation now reduces risk later. It may not be in 2026 that we see a post-quantum world become a reality, but post-quantum security is quickly moving from semi-sci-fi theory to a concrete consideration that requires real preparation. 

And there we have it folks – 2026 predictions completed. I did say it was never going to be simple.
