SECURITY leaders at the UK’s top critical national infrastructure firms are increasingly driven by regulatory compliance to improve cyber maturity and investments, Bridewell has found, according to Bridewell. In its Cybersecurity in CNI Report 2026, 35% of security leaders across 13 CNI sectors cited regulatory requirements as the primary influence on their security programmes, up from 26% in 2025 and 29% the year before.
The report also notes that adoption of major regulatory frameworks remains uneven, with 46% reporting CAF implementation and 29% adoption of the EU’s NIS2 directive, while 39% admit low confidence in data protection measures. Speaking at a London event on 17 March, Bridewell’s Sam Thornton said regulation is still a major driver but “35% is fairly low” and that regulators expect policy alignment as well as real-world capability.
The research, based on a 27-question survey of 600 security leaders conducted by Censuswide, also highlights that 93% of UK CNI organisations reported a cyber incident in the past year, with 36% increasing cybersecurity budgets as a result.