UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs

Security leaders at the UK’s top critical national infrastructure (CNI) firms are relying more than ever on regulatory compliance to drive their cyber maturity and investments, Bridewell has found.

In its latest Cybersecurity in CNI Report 2026, the UK-based cyber service provider found that 35% of security leaders working across the UK’s 13 CNI sectors cited regulatory requirements as the primary influence on their security programs. This is up from 26% in 2025 and 29% the year before.

In parallel, increased connectivity, the desire to support innovation and evolving cyber threats have all stagnated as cyber maturity influences. Only 25% of respondents mentioned one of these factors as driving security investment in 2025 and 2026.

This trend is likely due to a regulatory acceleration, with new legislation like the UK’s Cyber Security Resilience Bill (CSRB) and the EU’s NIS2 directive and Cyber Resilience Act (CRA) coming into force. Moreover, the UK has recently seen the overhaul of the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) for CNI organizations.

Speaking during a Bridewell press event in London on March 17, Sam Thornton, COO of Bridewell, said despite regulation compliance being considered more important than before for driving security investment, 35% is “still fairly low.”

“I think we will start to see regulation growing as the main driver of security investment in the next years to come,” he added.

Regulatory Challenges Loom for UK Critical Sectors

At the same time, the Bridewell report showed that adoption of major regulatory frameworks remains inconsistent. Less than half of respondents (46%) reported implementation or compliance with the CAF and only 29% reported adoption of the EU’s NIS2 directive.

It’s therefore “unsurprising”, said the report, that 39% of respondents admit low confidence in their cybersecurity measures for data protection.

Anthony Young, Bridewell’s CEO, said that, while there will always be people complaining about too much regulation, “the stick still works to improve cybersecurity.”

He added that the financial sector, one of the most heavily regulated industries in the UK, is a good example, as financial businesses have always led the way in cyber maturity levels in the country.

However, Young warned that “compliance on paper does not automatically translate into operational resilience.”

“Regulators are asking harder questions, and organizations will need to demonstrate policy alignment as well as real-world capability,” he said.

Additionally, Martin Riley, Bridewell’s CTO and head of the firm’s managed security services, observed that some of the benefits of regulatory guidance can also add more challenges for CNI organizations.

For instance, Riley said that in the UK, many CNI companies are mandated to achieve compliance with the new Enhanced Cyber Assessment Framework (eCAF) by March 2028.

“Now, with the CSRB coming into force later this year, the government will have the unilateral ability to change regulation on a whim, which could significantly disrupt the eCAF compliance roadmap for these organizations,” he explained.

93% UK CNI Hit by Cyber Incidents Last Year

Bridewell’s report also showed that almost all organizations in the UK’s CNI sectors have been targeted by cyber threat actors, with 93% of respondents reporting a cyber incident in the past year.

Of those who experienced an attack, 50% cited IT disruption and outage as a major impact and 34% mentioned OT operations being affected as a result of a cyber incident.

Targeted organizations were found to have suffered revenue loss in 31% of cyber-attacks and data loss in 31% of cases.

More positively, however, these incidents have also resulted in increased cybersecurity budgets for 36% of respondents.

AI Emerges as Key CNI Cyber Concern

For the first time in its annual report, Bridewell asked security leaders about AI cyber risk.

While data protection and privacy remained the top cybersecurity challenge for almost half of respondents (43%), AI came second with 39% citing it as a top concern.

At the same time, AI is being rapidly adopted in defensive operations with more than a third (36%) of organizations already using AI to automate incident response and support threat hunting (35%).

Young likened the adoption of AI to “the early days of cloud.”

“It is powerful and widely adopted but often implemented faster than the controls designed to secure it. Organizations must apply the same discipline and guardrails to AI that they now expect for cloud and digital infrastructure,” he warned.

For Riley, a keen adopter of AI tools himself, AI is now “central to modern cyber defence.”

“If you are not using AI to accelerate detection and response, you are falling behind attackers who are already using it against you. The challenge for 2026 is not whether to adopt AI, but how to govern it safely,” he said.

Finally, the research also uncovered a striking confidence gap in post-quantum cryptography (PQC).

While 90% claimed to feel prepared, 38% admitted they have yet to review government guidance. This disconnect highlights what Bridewell describes as “confidence without clarity” in emerging risk areas like PQC.

Bridewell’s Cybersecurity in CNI Report 2026 was released during its CNI Cyber Security Summit, on March 19, in London.

It builds from a 27-question survey of 600 security leaders conducted by Censuswide across 13 critical infrastructure sectors in the UK.
