Cyber attacks have now affected almost every UK critical infrastructure (CNI) organisation, with 93% reporting a cyber incident in the past year, according to new research from Bridewell.
The findings, published in Bridewell’s Cyber Security in CNI Report 2026, highlight the growing scale and impact of cyber threats across sectors underpinning the UK economy, including energy, finance, transport and government.
According to the report, cyber incidents are increasingly causing real-world disruption. Half of organisations said they had experienced IT outages or operational disruption as a direct result of attacks, while nearly one third reported financial losses.
Phishing and business email compromise (BEC) remain the most common attack vectors, with organisations experiencing an average of 11 phishing or BEC attacks per year. Malware incidents also remain prevalent, averaging eight attacks annually.
Despite this sustained threat activity, data protection and privacy continues to rank as the top concern for CNI organisations, cited by 43% of respondents.
AI Risk Enters the Top Cyber Concerns
For the first time, AI-related cyber risk has entered the top tier of security concerns, with 39% of organisations identifying it as a key issue.
The report suggests this is being driven by the increasing use of AI by threat actors to scale and enhance attacks, particularly phishing campaigns and malware development. At the same time, organisations are accelerating their own adoption of AI to strengthen defences.
More than a third of organisations said they are already using AI to automate incident response, while a similar proportion are leveraging it to support threat hunting.
Martin Riley, CTO at Bridewell, said AI is rapidly becoming central to cyber defence strategies.
“AI is now central to modern cyber defence. If you are not using AI to accelerate detection and response, you are falling behind attackers who are already using it against you,” he said. “The challenge for 2026 is not whether to adopt AI, but how to govern it safely.”
Anthony Young, CEO at Bridewell, added that many organisations are repeating patterns seen during early cloud adoption.
“AI today feels very similar to the early days of cloud. It is powerful and widely adopted but often implemented faster than the controls designed to secure it. Organisations must apply the same discipline and guardrails to AI that they now expect for cloud and digital infrastructure,” he said.
Regulation Driving Cyber Investment
The research also points to a shift in what is driving cyber security investment.
For the first time, regulation has overtaken cyber threats themselves as the primary driver, with 35% of organisations citing regulatory requirements as their main motivator for improving cyber security, up from 26% the previous year.
However, the report highlights inconsistencies in how organisations are implementing key frameworks. Less than half said they have adopted or complied with the Cyber Assessment Framework, while fewer than a third reported adoption of NIS2.
This gap is reflected in confidence levels, with 39% of organisations admitting low confidence in their cyber security measures for data protection.
“Frameworks are essential, but compliance on paper does not automatically translate into operational resilience,” said Young. “Regulators are asking harder questions, and organisations will need to demonstrate policy alignment as well as real-world capability.”
Confidence Gaps in Emerging Risks
Beyond current threats, the report identifies a growing disconnect between perceived preparedness and actual readiness in emerging areas such as post-quantum cryptography (PQC).
While 90% of organisations said they feel prepared for PQC, more than a third admitted they have yet to review relevant government guidance. Bridewell describes this as a case of “confidence without clarity”.
A Turning Point for CNI Security
Bridewell concludes that 2026 represents a turning point for cyber security across critical infrastructure.
With disruption affecting half of organisations and cyber attacks becoming more frequent and sophisticated, the report suggests organisations must shift from awareness to execution.
“The speed of attack now outpaces traditional response models,” Riley said. “Attackers can move from initial access to data theft in minutes. The organisations that succeed will be those that can detect attacks faster, respond in minutes rather than hours, and govern emerging technologies like AI securely.”
