The headline from Bridewell's 2026 Cyber Security in Critical National Infrastructure report is striking enough on its own: 93% of CNI organisations experienced at least one successful cyber attack in the past 12 months.
Not a near-miss. Not a probe. A successful attack.
For a sector that underpins the UK's power supply, water treatment, transport networks, financial systems and healthcare infrastructure, that figure is a wake-up call that demands more than a boardroom conversation. It demands structural change.
Having digested the full report - based on research among 600 cyber security professionals across 13 CNI sectors - several themes stand out. Not just as statistics, but as indicators of where the real gaps lie, and what organisations need to do to close them.
For years, frameworks like the Cyber Assessment Framework (CAF) and NIS Regulations sat alongside security programmes as aspirational guides. In 2026, that dynamic has shifted.
Bridewell's data shows that 35% of organisations now cite regulatory requirements as the primary driver of their cyber security maturity - up sharply from 26% the previous year. Audits are becoming more rigorous. Regulators are asking harder questions. And the emerging Cyber Security and Resilience Bill (CSRB) is set to raise the bar further still.
Critically, this regulatory momentum is beginning to extend into the supply chain. The CSRB will bring Managed Service Providers (MSPs) formally into scope for the first time, recognising what the threat landscape has long demonstrated: MSPs are not peripheral IT providers - they are systemic risk points. A single compromise can ripple through hundreds of downstream client environments.
We've explored this in detail in our piece on how the Cybersecurity and Resilience Bill will impact MSPs. The short version: MSPs that act now, building demonstrable resilience into their operations, will be far better placed than those waiting for enforcement to arrive.
The Bridewell report identifies supply chain attacks averaging six incidents per organisation in the past year. More revealing is where those attacks are breaking through: cloud infrastructure (25% of respondents), applications and software (19%), and the human layer and supply chain (14% each) are the primary attack vectors across all CNI sectors.
The root causes tell a familiar story: skills shortages, insufficient monitoring, inadequate patching, and over-reliance on third parties. Many organisations acknowledge they don't have full visibility of their extended supply chain - and that the questionnaire-based approach to third-party risk assessment is, at best, an administrative comfort rather than a genuine risk management strategy.
The uncomfortable reality is that when a supplier is compromised, conventional communication channels are often the first thing to fail. Email is untrusted. Messaging platforms are inaccessible. Coordination collapses to mobile phones at precisely the moment when structured, secure communication matters most.
This is the core argument we make in our post on why your supply chain is your biggest cyber threat - and why mandating out-of-band communications as a supplier contractual requirement is one of the most immediately actionable steps any CNI organisation can take.
One of the most telling findings in the Bridewell report is the gap between perceived and actual resilience. 98% of respondents describe their organisation as cyber resilient. Yet when you look at average response times, the picture is rather different.
Data theft incidents take around 10 hours to respond to. Ransomware, nine hours. Supply chain compromises, eight. Meanwhile, the report notes that threat actors can exfiltrate data in minutes. The maths doesn't work.
What's driving this gap? A lack of communications infrastructure is a significant factor. The report finds that fewer than half of CNI organisations have established communications plans as part of their incident response capability - the weakest component across all sectors surveyed.
When a cyber incident occurs and primary systems are compromised, the absence of a pre-established, independent communications channel is not a minor inconvenience. It is a structural failure that extends dwell time, delays containment, and prevents the kind of clear regulatory reporting that frameworks increasingly require.
Out-of-band communications - a secure, isolated channel that sits entirely outside the primary IT environment - is the direct solution to this problem. It ensures that when Microsoft Teams, email and internal messaging platforms are unavailable or untrusted, your incident response team can still coordinate, your leadership can still be briefed, and your regulator can still receive timely, accurate updates.
Managing AI cyber risk has entered the top five concerns for CNI organisations for the first time in 2026, ranked second overall. This is not abstract anxiety - it reflects the reality of rapid, ungoverned adoption.
89% of organisations are now using agentic AI in some capacity, most commonly to automate incident response (36%) and support threat hunting (35%). The benefits are real. AI is helping security teams operate faster and at greater scale than human capacity alone would allow.
But the report draws an explicit parallel with the early days of cloud adoption and shadow IT - both of which were deployed faster than the controls needed to secure them. Organisations are now retrofitting governance onto AI systems that were already operational, with limited visibility into which AI agents have access to what data, under what conditions.
For CNI organisations, the challenge is compounded in OT environments, where the consequences of an AI system making an incorrect autonomous decision are not a financial loss - they are potentially a safety incident.
Perhaps the starkest gap identified in the report is around post-quantum cryptography. 90% of respondents describe themselves as prepared for the transition - yet 38% have never reviewed government guidance on the topic, and one in ten say the guidance is confusing and they don't know where to start.
Cryptography underpins virtually every system in a modern CNI environment. Without a clear understanding of where it is used, how easily it can be upgraded, and how long encrypted data needs to remain secure, claims of readiness are premature. Optimism and operational planning are not the same thing.
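The three questions in that paragraph - where cryptography is used, how easily each use can be upgraded, and how long the protected data must stay secret - are exactly what a cryptographic inventory should answer. The Python below is an added example, not code from the Bridewell report or from any government guidance: it records each use of cryptography, then applies the well-known Mosca-style check (data lifetime plus migration time compared against an assumed quantum-capability horizon) to surface the uses where data encrypted today would still need protecting after the algorithm is expected to be breakable. The inventory entries, lifetimes, migration estimates and the ten-year horizon are all constructed placeholders for a CNI environment, not published figures.

```python
"""Cryptographic inventory with a migration-urgency check.

Added example. The entries, lifetimes and the assumed quantum-capability
horizon below are constructed placeholders, not figures from the Bridewell
report or from government guidance.
"""
from dataclasses import dataclass

# Planning assumption for this example: the number of years after which we
# treat today's public-key algorithms as breakable by a cryptographically
# relevant quantum computer. Replace with your own organisation's estimate.
ASSUMED_HORIZON_YEARS = 10

# Algorithms whose security rests on problems a large quantum computer breaks.
# Symmetric algorithms such as AES-256 are deliberately absent: their margin
# shrinks but they are not broken outright, so they do not drive migration.
QUANTUM_VULNERABLE = {
    "RSA-2048", "RSA-4096", "ECDSA-P256", "ECDH-P256", "X25519", "DH-2048",
}


@dataclass
class CryptoUse:
    system: str                 # where the algorithm is used
    algorithm: str
    data_lifetime_years: float  # how long the protected data must stay secret
    migration_years: float      # estimated time to replace the algorithm here
    upgradeable: bool           # swap in place, or does the device need replacing?


# Constructed sample inventory for a mixed IT/OT estate.
INVENTORY = [
    CryptoUse("Public web portal TLS", "ECDH-P256", 1, 2, True),
    CryptoUse("Archived patient records", "RSA-2048", 25, 3, True),
    CryptoUse("Substation RTU firmware signing", "ECDSA-P256", 5, 12, False),
    CryptoUse("Offline backup encryption", "AES-256", 30, 0, True),
    CryptoUse("Site-to-site VPN key exchange", "X25519", 2, 1, True),
]


def overrun_years(use, horizon=ASSUMED_HORIZON_YEARS):
    """Years by which (data lifetime + migration time) exceeds the horizon.

    A positive value means data protected today is still sensitive after the
    point at which the algorithm is assumed breakable, and the migration will
    not have completed in time (the Mosca inequality). Non-vulnerable
    algorithms return a negative value so they never rank as at risk.
    """
    if use.algorithm not in QUANTUM_VULNERABLE:
        return -horizon
    return use.data_lifetime_years + use.migration_years - horizon


def at_risk(use, horizon=ASSUMED_HORIZON_YEARS):
    return overrun_years(use, horizon) > 0


def prioritise(inventory, horizon=ASSUMED_HORIZON_YEARS):
    """At-risk uses, largest overrun first; within equal overrun, systems that
    need physical replacement (not upgradeable) come before in-place swaps."""
    flagged = [u for u in inventory if at_risk(u, horizon)]
    return sorted(flagged, key=lambda u: (-overrun_years(u, horizon), u.upgradeable))


def by_algorithm(inventory):
    """Answer 'where is it used?': map each algorithm to the systems using it."""
    usage = {}
    for use in inventory:
        usage.setdefault(use.algorithm, []).append(use.system)
    return usage


if __name__ == "__main__":
    for use in prioritise(INVENTORY):
        action = "swap algorithm" if use.upgradeable else "REPLACE DEVICE"
        print(f"{use.system}: {use.algorithm}, "
              f"{overrun_years(use):+.0f} years past horizon, {action}")
```

Two things the output makes visible that a readiness claim does not: the long-lived archive is the most urgent item even though its migration is technically easy, because the data outlives the horizon by a wide margin, and the substation signing case is urgent for the opposite reason - the data is short-lived, but the device lifecycle makes the migration itself longer than the horizon allows.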
Running as a thread through the entire report is a persistent failure of asset visibility. Only 29% of organisations use a centralised or dynamically managed enterprise asset management approach. 23% rely on individual departments or teams to manage their own assets. 9% admit to having limited visibility or control over connected devices.
Without a complete and current view of what assets exist - particularly across hybrid IT and OT environments - security teams cannot effectively prioritise vulnerabilities, detect anomalous behaviour, or respond to incidents with confidence. Attackers, as the report notes, tend to find the assets the organisation didn't know were there.
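The gap described above is usually found by reconciling sources that each see part of the estate: the CMDB knows what is supposed to exist, a network discovery scan knows what is actually responding, and the endpoint agent console knows what is being monitored. The Python below is an added example, not code from the Bridewell report or from any particular product: it joins three constructed exports by IP address and reports the three sets a security team needs to act on - live assets the CMDB does not know about, CMDB records that no longer answer on the network, and live assets with no endpoint agent. The hostnames, addresses and source formats are constructed.

```python
"""Reconcile asset inventories from several sources to surface unknown,
stale and unmonitored assets.

Added example. The export formats and the sample records are constructed
and do not come from the Bridewell report or any real estate.
"""

# Constructed CMDB export: what the organisation believes it owns.
CMDB_EXPORT = [
    {"hostname": "plc-gw-01", "ip": "10.20.1.5", "owner": "OT engineering"},
    {"hostname": "hist-01", "ip": "10.20.1.9", "owner": "OT engineering"},
    {"hostname": "fileserver-02", "ip": "10.10.5.20", "owner": "IT ops"},
    # Decommissioned jump host that was never removed from the CMDB.
    {"hostname": "old-jump-01", "ip": "10.10.5.77", "owner": "IT ops"},
]

# Constructed network discovery result: what actually answers on the wire.
NETWORK_SCAN = [
    {"ip": "10.20.1.5", "hostname": "plc-gw-01"},
    {"ip": "10.20.1.9", "hostname": "hist-01"},
    {"ip": "10.10.5.20", "hostname": "fileserver-02"},
    {"ip": "10.20.1.44", "hostname": ""},               # responds, nobody claims it
    {"ip": "10.10.5.91", "hostname": "vendor-laptop"},  # third-party device on the LAN
]

# Constructed endpoint agent console export: what is being monitored.
EDR_AGENTS = [
    {"hostname": "fileserver-02", "ip": "10.10.5.20"},
    {"hostname": "hist-01", "ip": "10.20.1.9"},
]


def ip_set(records):
    """Key each source by IP, which all three exports share; skip blank rows."""
    return {r["ip"].strip() for r in records if r.get("ip", "").strip()}


def reconcile(cmdb, scan, edr):
    """Return the three action lists as sets of IP addresses."""
    known, seen, monitored = ip_set(cmdb), ip_set(scan), ip_set(edr)
    return {
        # Live on the network but absent from the CMDB: the assets the
        # organisation did not know it had.
        "unknown": seen - known,
        # Recorded in the CMDB but not answering: stale records that will
        # mislead vulnerability prioritisation and incident scoping.
        "stale": known - seen,
        # Live but without an endpoint agent. In OT this is expected for
        # devices that cannot run agents and should be covered by passive
        # network monitoring instead; in IT it is a gap to close.
        "unmonitored": seen - monitored,
    }


def cmdb_coverage(cmdb, scan):
    """Fraction of live assets that the CMDB actually knows about."""
    known, seen = ip_set(cmdb), ip_set(scan)
    return len(known & seen) / len(seen) if seen else 1.0


def label(ip, scan):
    """Attach the scanned hostname (if any) to an IP for readable reports."""
    names = {r["ip"]: r["hostname"] for r in scan}
    return f"{ip} ({names.get(ip) or 'no hostname'})"


if __name__ == "__main__":
    result = reconcile(CMDB_EXPORT, NETWORK_SCAN, EDR_AGENTS)
    for category, ips in result.items():
        print(category + ":")
        for ip in sorted(ips):
            print("  " + label(ip, NETWORK_SCAN))
    print(f"CMDB coverage of live assets: {cmdb_coverage(CMDB_EXPORT, NETWORK_SCAN):.0%}")
```

Run on a schedule rather than once: the "current" half of "complete and current" only holds if the reconciliation is repeated as often as the network changes, and the unknown set is the list worth routing straight to the incident response team, since it is where an attacker's foothold is least likely to be noticed.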
This is not a technology problem. It is a governance problem. And it is one that directly undermines every other element of a CNI organisation's security posture.
The 2026 Bridewell report is a detailed, data-rich picture of a sector that knows it has a problem and is beginning - seriously, for the first time - to act on it. Regulation is working as a forcing function. AI is arriving faster than governance can keep pace. Incident response plans exist on paper but aren't tested under realistic conditions. And the basics - asset visibility, communications planning, supply chain oversight - remain stubbornly incomplete.
For MSPs and the CNI organisations that rely on them, the message is clear: resilience is not a product you can buy. It is a capability you have to build, test, and exercise - repeatedly, under realistic conditions.
That includes ensuring that when primary systems fail, you can still communicate. Securely. Independently. Without relying on the same infrastructure that may already be compromised.
The organisations that get this right in 2026 will be the ones that can demonstrate not just that they prevented an attack, but that when one occurred, they responded and recovered with confidence.
Interested in how out-of-band communications can strengthen your CNI or MSP incident response capability? Read our in-depth posts on the CSRB's impact on MSPs and why your supply chain is your biggest cyber threat.