What cybersecurity developments to expect in 2026

Nicolas Inzelman

CEO & Founder | Infinitas Security

December 19, 2025

It’s the end of 2025 and, as every year, plenty of articles and newsletters aim to share the big news of what security changes to expect in 2026, with dramatic forecasts such as “hyper-risk”, “catastrophic attack waves” and “next-gen cyber storms” (to pick our three favourites). From our experience these forecasts are not wrong, since the financial damage from cyber attacks increases every year, but what remains true is that companies which do their homework well can take control and build an efficient security programme that reduces risk sustainably.

The landscape will keep evolving, and most of the movement has been visible already for years and will continue. Below we summarise the developments that we see increasing day to day and that will continue to shape our security work next year.

AI security from all directions

AI is everywhere: in daily work, in the media, and it should be embedded in every security roadmap. AI-powered security tools are now standard features, attackers use AI to scale reconnaissance and social engineering, and every company needs AI security governance. The opportunity for efficiency is real, and so are the risks of data leakage, model abuse and third-party exposure. With this impact in mind, AI-based security trends are the first ones we highlight.

What to expect

Mainstream tools integrate AI for detection and response. Governance expectations rise across legal, compliance and customers. Attackers improve the speed and quality of phishing, business email compromise and credential harvesting with automated content.

Why it matters

Uncontrolled AI use can expose sensitive data or create compliance issues, while well-governed adoption reduces analyst overhead and improves time to detect and respond. The balance is intentional enablement, not bans or a free-for-all.

How to act

  • Inventory AI usage across teams and vendors and set guardrails for allowed data, logging and quality gates where a human remains in the loop.
  • Add AI risks to threat models. While they differ by use case, start with common risks such as prompt injection, data leakage, model or training-data poisoning, model inversion and theft, jailbreaks, third-party and supply-chain risk, and output-based exfiltration.
  • For your security team, use AI for safe productivity gains such as tier-1 triage, alert summarisation, knowledge retrieval and risk-based decision enablement with documented human review and approval.

Zero Trust is the new normal

I remember a speech I gave at it-sa back in 2023 about Zero Trust moving from initial hype to an overused buzzword. Zero Trust both redefined foundational security practices and, at the same time, challenged organizations to adopt them in a practical way. In 2026 it is no longer a buzzword, it’s just accepted as the new normal. It is the baseline for best-practice architectures and strategies. Principles such as explicit verification, healthy devices, least privilege and segmentation around what matters drive security across SMEs and large enterprises, whether they call it Zero Trust or not.

What to expect

Tooling and infrastructure become more Zero Trust-ready as leading providers build the principles in by default, from identity and endpoint management to monitoring. Culturally, security teams keep applying Zero Trust in day-to-day decisions, while broader mindset adoption across business teams such as HR, operations and development remains a work in progress.

Why it matters

The reason Zero Trust matters has not changed. Compromised credentials and unmanaged endpoints remain among the most common entry paths. Zero Trust reduces blast radius, enables a modern workforce across locations and devices, and improves operational processes by driving consistent, policy-based decisions.

How to act

  • Start small but impactful. Identify quick-win use cases, implement them, then expand as budget allows. A phased approach manages costs while steadily improving security.
  • Maximize what you already have. Use existing identity, endpoint and network capabilities to enforce MFA, device health and least privilege before buying new tools.
  • Where new tools are required, choose platforms that integrate easily and remove complexity so you can scale features and performance later. Many vendors offer trials or smaller editions to validate fit.

Cyber insurance tightens

Insurers are getting pickier. They want to see real security in place, not just a nice policy on paper. Questionnaires go deeper, follow-up questions are sharper, and they increasingly ask for proof instead of accepting a simple yes. At the same time, premiums and deductibles are climbing, and it is becoming more common to see tighter wording or exclusions around large, widespread incidents or very old, unsupported systems. A cyber policy can soften the financial hit when something goes wrong, but it does not replace basic security work.

What to expect

Insurers now look much more closely at how your controls work in practice. They care about whether MFA is in place for important accounts and remote access, whether EDR actually runs on servers and endpoints, how you handle privileged accounts, whether backups are immutable or offline, and whether you run and document incident response exercises rather than leaving them in a slide deck.

Why it matters

How insurable you are, and what you pay, depends more and more on the real maturity of your controls, not on what is written in a policy document. Gaps tend to show up as higher premiums, higher retentions, or limits and exclusions in the wording. Strong, well-documented controls can speed up renewals and help you get better terms.

How to act

  • Treat the questionnaire as a free gap analysis and build a 90-day plan for every “no”.
  • Show resilience, do not just claim it. Use immutable or offline backups, test your RTO and RPO, and keep concise records of tabletop exercises.
  • Go into negotiations with evidence. Bring MFA coverage views, EDR rollout status, a simple picture of your privileged-access setup, and short reports from restore tests. Insurers highly value a security strategy that already meets their requirements by default.
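The evidence pack described above can be produced from exports you already have. The following is an added example, not code from Infinitas Security: it takes a constructed identity export and a constructed host inventory (the field names `privileged`, `remote_access`, `mfa` and `edr` are assumptions, not a real vendor schema), computes MFA and EDR coverage the way an underwriter reads them, and turns every gap into a 90-day action item.

```python
"""MFA and EDR coverage evidence report for an insurance renewal.

Added example, not from the original post. The input rows are constructed
samples; the column names are assumptions about what an identity provider
and an EDR console export, not any vendor's actual schema.
"""

# Constructed sample: one row per account from an identity export.
IDENTITY_EXPORT = [
    {"user": "alice",      "privileged": True,  "remote_access": True,  "mfa": "enrolled"},
    {"user": "bob",        "privileged": False, "remote_access": True,  "mfa": "none"},
    {"user": "carol",      "privileged": True,  "remote_access": False, "mfa": "none"},
    {"user": "dave",       "privileged": False, "remote_access": False, "mfa": "enrolled"},
    {"user": "svc-backup", "privileged": True,  "remote_access": False, "mfa": "exempt"},
]

# Constructed sample: one row per host, asset inventory joined with the EDR console.
HOST_INVENTORY = [
    {"host": "dc01",    "role": "server",   "edr": "healthy"},
    {"host": "file01",  "role": "server",   "edr": "missing"},
    {"host": "ws-0042", "role": "endpoint", "edr": "healthy"},
    {"host": "ws-0043", "role": "endpoint", "edr": "stale"},
]


def mfa_coverage(accounts):
    """Coverage ratios overall, for privileged and for remote-access accounts.

    Only 'enrolled' counts as covered; an 'exempt' privileged account is a
    gap an insurer will ask about, so it lands in priority_gaps too.
    """
    def ratio(rows):
        return round(sum(r["mfa"] == "enrolled" for r in rows) / len(rows), 2) if rows else 1.0

    privileged = [a for a in accounts if a["privileged"]]
    remote = [a for a in accounts if a["remote_access"]]
    gaps = [a["user"] for a in accounts
            if a["mfa"] != "enrolled" and (a["privileged"] or a["remote_access"])]
    return {"all": ratio(accounts), "privileged": ratio(privileged),
            "remote_access": ratio(remote), "priority_gaps": gaps}


def edr_coverage(hosts):
    """Per-role share of hosts with a healthy sensor; 'stale' and 'missing' are gaps."""
    by_role = {}
    for role in sorted({h["role"] for h in hosts}):
        rows = [h for h in hosts if h["role"] == role]
        by_role[role] = round(sum(h["edr"] == "healthy" for h in rows) / len(rows), 2)
    gaps = [h["host"] for h in hosts if h["edr"] != "healthy"]
    return {"by_role": by_role, "gaps": gaps}


def ninety_day_plan(mfa, edr):
    """One action item per gap, i.e. a 90-day plan for every questionnaire 'no'."""
    plan = [f"Enrol MFA for {u}" for u in mfa["priority_gaps"]]
    plan += [f"Repair or deploy EDR sensor on {h}" for h in edr["gaps"]]
    return plan


if __name__ == "__main__":
    m, e = mfa_coverage(IDENTITY_EXPORT), edr_coverage(HOST_INVENTORY)
    print("MFA:", m)
    print("EDR:", e)
    for item in ninety_day_plan(m, e):
        print("-", item)
```

Run it against a real export by replacing the two constructed lists with rows read from your identity provider and EDR console; the point of the report is that each number is traceable to an account or host you can show the underwriter.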

OT security needs shared visibility

Operational Technology sits at the heart of safety and uptime. For a long time, OT lived in its own world with very limited visibility. That silo is hard to justify today. Production lines, building automation and plants are too connected, and they depend on basic cyber hygiene and clear rules for how they talk to IT systems.

What to expect

Cyber attacks increasingly hit systems that control physical processes, not just office IT. That includes classic OT in plants and production, and IoT devices in buildings and logistics. Ransomware, remote-access abuse and misconfigurations can now have real-world impact, from stopped lines to building failures. As connectivity grows, these attacks become more likely, not less.

Why it matters

If OT goes down, the business goes down with it. Blind spots in plants quickly become safety issues and revenue risk. Auditors and customers increasingly expect proof that you know what runs in your environment and how you bring it back if something goes wrong.

How to act

  • Start with a passive asset inventory, tag what is safety or production-critical, and watch for new or changed devices to keep the picture current.
  • Bring IT and OT security together with shared tools, shared data and clear joint ownership for incidents, plus practical zoning such as a Level 3.5 DMZ (Industrial DMZ) and strict, MFA-protected remote access with session recording.
  • Segment networks so that critical OT zones are clearly separated and issues in office IT or one line do not spread to the whole plant.
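The first bullet above, a passive inventory with criticality tags that flags new or changed devices, can be implemented in a few dozen lines once a passive sensor exports flow summaries. The following is an added example and not code from the original post: the observation lines and the baseline are constructed, the flow-summary format (timestamp, source MAC, source IP, protocol/port) is an assumed export layout, and the criticality tags are an assumed local convention.

```python
"""Passive OT asset inventory with change detection.

Added example, not from the original post. The baseline and the
observation lines are constructed samples; the CSV layout
(timestamp, src MAC, src IP, protocol/port) is an assumed passive-sensor
export format, and the tag names are an assumed local convention.
Nothing here sends a packet to a device: the inventory is built only
from what was observed on the wire.
"""
from collections import defaultdict

# Constructed baseline: what we believe runs in the plant, with criticality tags.
BASELINE = {
    "00:1d:9c:aa:00:01": {"ip": "10.10.1.10", "protocols": {"modbus/502"}, "tag": "safety-critical"},
    "00:1d:9c:aa:00:02": {"ip": "10.10.1.11", "protocols": {"s7comm/102"}, "tag": "production-critical"},
    "00:1d:9c:aa:00:03": {"ip": "10.10.1.50", "protocols": {"https/443"},  "tag": "engineering-ws"},
}

# Constructed passive observations: timestamp, src MAC, src IP, protocol/port.
OBSERVATIONS = """\
2025-12-19T08:00:01,00:1d:9c:aa:00:01,10.10.1.10,modbus/502
2025-12-19T08:00:02,00:1d:9c:aa:00:02,10.10.1.11,s7comm/102
2025-12-19T08:00:03,00:1d:9c:aa:00:02,10.10.1.11,ssh/22
2025-12-19T08:00:04,00:1d:9c:aa:00:03,10.10.1.51,https/443
2025-12-19T08:00:05,00:1d:9c:aa:00:09,10.10.1.77,rdp/3389
"""


def build_inventory(observations):
    """Fold observation lines into {mac: {"ips": set, "protocols": set}}."""
    inv = defaultdict(lambda: {"ips": set(), "protocols": set()})
    for line in observations.strip().splitlines():
        _ts, mac, ip, proto = line.split(",")
        inv[mac]["ips"].add(ip)
        inv[mac]["protocols"].add(proto)
    return dict(inv)


def diff_inventory(baseline, observed):
    """Flag unknown devices, changed IPs, new protocols and silent critical devices.

    Findings are ordered by criticality so the safety-relevant ones come first.
    """
    findings = []
    for mac, seen in observed.items():
        if mac not in baseline:
            findings.append({"mac": mac, "tag": "unknown", "issue": "new device",
                             "detail": sorted(seen["protocols"])})
            continue
        known = baseline[mac]
        if known["ip"] not in seen["ips"]:
            findings.append({"mac": mac, "tag": known["tag"], "issue": "ip changed",
                             "detail": sorted(seen["ips"])})
        new_protos = seen["protocols"] - known["protocols"]
        if new_protos:
            findings.append({"mac": mac, "tag": known["tag"], "issue": "new protocol",
                             "detail": sorted(new_protos)})
    # A critical device that went quiet is an availability signal, not just an inventory gap.
    for mac, known in baseline.items():
        if mac not in observed and known["tag"].endswith("-critical"):
            findings.append({"mac": mac, "tag": known["tag"], "issue": "not seen", "detail": []})
    priority = {"safety-critical": 0, "production-critical": 1, "unknown": 2}
    return sorted(findings, key=lambda f: priority.get(f["tag"], 3))


if __name__ == "__main__":
    for f in diff_inventory(BASELINE, build_inventory(OBSERVATIONS)):
        print(f"{f['tag']:20} {f['mac']}  {f['issue']}: {f['detail']}")
```

On the constructed input this reports a new protocol (SSH) on a production-critical controller, an unknown device speaking RDP, and an engineering workstation whose IP changed, in that order. The sorting is the point: in a plant the review queue should start with whatever touches safety or production, and the baseline itself becomes the shared picture that IT and OT teams maintain together.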

Compliance in 2026: NIS2, CRA and the EU AI Act

Regulatory expectations are getting clearer and more concrete. For organizations that have ignored the basics, the next years can mean heavy lifting, especially around topics such as asset visibility, patch discipline, secure development with SBOMs and AI governance. Teams that have kept a reasonable level of hygiene might still feel some pressure, but they will not see anything completely out of nowhere. The focus is shifting from having plans to being able to prove what you actually do.

What to expect

Regulators and industry bodies publish more specific rules, guidance and audit criteria. Boards get clearer accountability, and procurement teams ask for stronger evidence. That can include SBOMs, secure development checkpoints and basic AI risk documentation for systems that matter.

Why it matters

If your security fundamentals are weak, compliance turns into a disruptive and expensive project that competes with everything else you want to build. If the fundamentals are there, the main task is to show reliability with evidence and to weave compliance checks into normal development and operations rather than bolting them on from the outside.

How to act

  • Clarify if and how major regulatory requirements such as NIS2, the Cyber Resilience Act and the AI Act touch your business, then build one security program that covers all of them instead of three separate projects. Use a single control catalogue, reuse controls where possible and automate evidence collection where realistic.
  • Train leadership and product managers in plain language. They do not need to become lawyers, but they must know which regulations apply, what “criticality” means for your services and products, and how this links to business risk and value. Compliance readiness as a metric draws enough attention to get the bare minimum done, but real buy-in comes when they see how it protects revenue, customers and brand.
  • Bring in external experts if you do not have enough experience in house, but do it with care. You do not want a consultant who just helps you scrape over the compliance line for this year. You need someone who understands your business model and can design a security and compliance program that actually fits how you work. At the same time, avoid building everything around a single provider so that you end up dependent on their methods, their tools and their pricing. Aim for partners who transfer knowledge, document clearly and leave you with options, not with a lock-in.

What is not new, just overdue

Most so-called predictions for 2026 are trends that have been emerging since 2024 or earlier. If your organization follows a strategy of continuous improvement aligned to modern, long-term business requirements, we do not see a major game changer that should keep you awake at night. On the other hand, organizations that have aimed for the bare minimum until a severe cyber attack hits, an audit is failed or too many customer opportunities are lost will see risk increase in 2026 and for the foreseeable future.

One article cannot cover every trend, but the list above outlines the main drivers. While the post-quantum era is another core topic that is widely discussed, we do not see tangible progress that lets us predict clear security-relevant changes for 2026 with confidence. That can change quickly.

FAQ

How do I know if NIS2 applies to my company and whether we are “essential” or “important”?

What are the first steps to prepare for NIS2, CRA, and the AI Act without creating three separate projects?

Do I need an SBOM in 2026?

Which AI security risks should I include in my threat model?

How is AI changing attacker and defender capabilities in 2026?
