Cyber attacks have now affected almost every UK critical national infrastructure organisation, with 93% reporting a cyber incident in the past year, according to Bridewell’s Cyber Security in CNI Report 2026 released today.

The research shows attacks are increasingly causing operational disruption across sectors that underpin the UK economy. Half of organisations report IT disruption or outage following cyber incidents, while nearly one third (31%) say attacks have resulted in revenue loss.
Phishing and business email compromise remain the most common attack methods, with organisations experiencing an average of 11 phishing or BEC attacks per year, followed by malware attacks averaging eight incidents annually.
Data protection and privacy remains the number one concern for 43% of CNI organisations, continuing its year-on-year rise.
Anthony Young, CEO at Bridewell, commented:
“AI today feels very similar to the early days of cloud. It is powerful and widely adopted but often implemented faster than the controls designed to secure it. Organisations must apply the same discipline and guardrails to AI that they now expect for cloud and digital infrastructure.”
AI cyber risk enters top cyber concerns for first time
AI cyber risk has entered the top tier of security concerns for the first time for 39% of organisations, as attackers increasingly use AI to scale phishing and malware attacks. At the same time, AI is being rapidly adopted in defensive operations with more than a third (36%) of organisations already using AI to automate incident response and support threat hunting (35%).
“AI is now central to modern cyber defence. If you are not using AI to accelerate detection and response, you are falling behind attackers who are already using it against you,” said Martin Riley, CTO at Bridewell. “The challenge for 2026 is not whether to adopt AI, but how to govern it safely.”
Safety-critical decisions can’t be made autonomously - human oversight remains a must

The report makes some highly relevant points for water sector utilities, the wider water sector and its supply chain, warning:
“For CNI, additional consideration needs to be taken for how AI tools interact with OT environments, if they are used at all.
“While AI tools may promise to enable valuable use cases such as predictive maintenance or process optimisation, such benefits shouldn’t be pursued at the expense of safety. Safety-critical decisions can’t be made autonomously and human oversight remains a must.”
According to the report, root cause analysis helps to explain why attack paths persist. Across sectors, the most frequently cited contributors are skills shortages, insufficient training, and poor monitoring and detection, closely followed by inadequate patching and the complexity introduced by multi-cloud and hybrid environments.
Asset visibility: the foundation still missing

Despite continued investment in cyber security tools and controls, the report also warns that asset visibility remains a fundamental weakness across CNI organisations. Only 29% report using a centralised or dynamically managed enterprise asset management approach, while a further 27% rely on a hybrid of manual and automated tracking. Just 12% have outsourced asset management to a third party.
The report warns:
"The challenge is particularly acute in asset-heavy sectors, where long-lived infrastructure, legacy systems, and non-standard devices are common."
Regulation now the primary driver of security maturity
Regulation has now overtaken cyber threats themselves as the main driver of security investment, with 35% of organisations citing regulatory requirements as their main motivator, up from 26% last year.
At the same time, adoption of major frameworks remains inconsistent. Fewer than half report implementation or compliance with the Cyber Assessment Framework (46%) and only 29% report adoption of NIS2. Unsurprisingly, 39% admit low confidence in their cyber security measures for data protection.
“Frameworks are essential, but compliance on paper does not automatically translate into operational resilience,” said Young. “Regulators are asking harder questions, and organisations will need to demonstrate policy alignment as well as real-world capability.”
Confidence gap in post-quantum readiness
The research also uncovered a striking confidence gap in post-quantum cryptography (PQC). While 90% claim to feel prepared, 38% admit they have yet to review government guidance. This disconnect highlights what Bridewell describes as “confidence without clarity” in emerging risk areas like PQC.
2026 marks a turning point - CNI leaders under pressure to move from awareness to action
Bridewell’s research concludes that 2026 marks a turning point. With IT disruption affecting half of organisations, average breach costs continuing to rise and geopolitical tensions rising, CNI leaders face mounting pressure to move from awareness to action.
Overall, the findings suggest that incident response in CNI is often better defined on paper than proven in practice. “Closing this gap will require sustained investment in exercising, clearer decision-making authority and stronger integration between technical teams and organisational leadership, an approach increasingly mandated by government guidance and regulatory frameworks,” the report says.
“The speed of attack now outpaces traditional response models. Attackers can move from initial access to data theft in minutes. The organisations that succeed will be those that can detect attacks faster, respond in minutes rather than hours, and govern emerging technologies like AI securely,” Riley concluded.