The past 12 months have once again proven that the cybersecurity landscape is rarely short of incidents. Major security breaches cost organisations billions of pounds as threat actors honed their tactics and ruthlessly targeted human weakness. AI adoption began in earnest among many enterprises, expanding their attack surface just as AI-powered technologies gave adversaries a boost. And all the while, the compliance burden grew, as regulators did their best to mandate enhanced cyber resilience across supply chains.

Let’s take a look at five things we learned in 2025:

New Regulations Proliferate

Compliance deadlines arrived in quick succession over the past 12 months. First up came the Digital Operational Resilience Act (DORA) – an EU effort to safeguard the region’s financial services sector. Crucially, DORA places new risk management, testing and incident response requirements not only on financial players themselves, but also their IT and other operational suppliers. It aims to harmonise laws across the bloc, improving baseline security by holding senior managers personally accountable for non-compliance – impacting an estimated 22,000 companies in the region.

As critical infrastructure, the sector was overdue regulation of this sort. Cyber incidents over the past two decades have caused $12bn in direct losses to global financial firms, according to the IMF. Yet six months in, it became clear that compliance was far from straightforward. A study published over the summer found that just half of responding organisations had incorporated DORA’s requirements into their broader resilience programmes. And a majority had not yet reached DORA standards of resilience.

Elsewhere, the compliance burden increased with amendments to the EU’s Cybersecurity Act (CSA) to mandate certification schemes for managed security services. The UK government passed a long-overdue update to the UK GDPR: the Data (Use and Access) Act, which should help to reduce red tape, enhance secure data sharing and make it easier to use data responsibly.

Meanwhile, a new NIST Cybersecurity Framework will evolve the standard to make it more current and fit for purpose – especially in the context of AI development and automated decision making.

Resilience Takes Centre Stage

One thing many of the above laws and regulatory regimes have in common is the goal of improving cyber resilience. Headline-grabbing incidents such as major supply chain disruption at several European airports, and a weeks-long ransomware outage at Britain’s largest carmaker show us why the regulators are moving in this direction. According to a WEF study this year, over half (54%) of global organisations identify supply chain challenges as their biggest barrier to achieving cyber resilience.

Nor is this only an IT issue. A Dragos/Marsh McLennan report from August claimed that OT risk could be costing organisations at least $330bn annually.

That’s why organisations like the National Cyber Security Centre (NCSC) are urging action. The agency said half (48%) of the incidents its Incident Management team responded to over the past year were “nationally significant”, while the number categorised as “highly significant” surged 50%. The word “resilience” is mentioned 139 times in the latest NCSC annual review. Unfortunately, basic security capabilities are flatlining or falling across key competencies like staff training, supplier risk management and incident response, according to the government’s own figures. That’s part of the reason why it finally introduced the Cyber Security and Resilience Bill in November.

Breaches Galore Hit Customers Hard

In too many large organisations, security is still siloed within the IT department, rather than being seen as a growth enabler. The hope is that regulations like the ones cited above will start to change hearts and minds in the boardroom. In the meantime, CISOs have a growing body of evidence to support their requests for funding, as big-name cyber incidents continued to hit home.

The aforementioned disruption at Heathrow Airport is a case in point. That came after a ransomware breach at check-in software supplier Collins Aerospace, resulting in delays that went on for weeks at some European airports. Direct ransomware attacks on UK high street retailers M&S and the Co-op Group cost the firms hundreds of millions in direct costs and lost sales, and may have destroyed hard-won customer loyalty.

If boards and senior managers don’t join the dots between cyber resilience, business performance and long-term brand value, their competitors certainly will. A Sophos study this year found that Britain is something of a global outlier: some 70% of UK ransomware victims had their data encrypted, much higher than the global average of 50%, and up from the 46% figure reported by UK victims in 2024.

The Threat Landscape Evolves

Yet things are not getting any easier. The typical corporate attack surface continues to grow thanks to investments in digital services, cloud ecosystems and AI. But budgets and skills are in short supply. And threat actors continue to innovate and evolve.

This year, we saw a growing preference for using remote access tools (RATs) and remote monitoring and management (RMM) systems in attacks. Often these formed the next stage of a multi-layered attack in which initial access was achieved by targeting IT helpdesks and/or employees with vishing techniques. Vulnerability exploitation also continues to be popular, and the weaknesses of the open source ecosystem are being probed with growing frequency and impact. A first-of-its-kind npm worm showed how far threat actors are prepared to go to get what they want.

Organisations must also adapt to a new reality: financially motivated cybercriminals and state actors are no longer mutually exclusive entities. Lines are blurring and risks are evolving at pace.

New AI Risks Emerge

Against this backdrop, AI is both an opportunity and a risk for security and compliance teams. On the one hand there are innovative new solutions hitting the market every week to improve detection and response, pen testing, and vulnerability research, among other things. By automating more tasks, teams can also do more with fewer resources, which is particularly helpful amid an ongoing skills shortage.

But AI is also a risk. As Deloitte Australia discovered, hallucinations can take a significant reputational toll on corporates. AI can also be used for nefarious purposes, such as vulnerability exploitation, social engineering, malware development and more, the NCSC warned this year. And vulnerabilities in existing large language models (LLMs) and platforms like DeepSeek represent business risks that must be better managed.

It’s good to see the government taking a lead on AI safety and risk management. A new code of practice could help British firms harness the power of the technology while building projects on firmer foundations. And a government initiative to create a new AI assurance sector is a promising idea.

But there’s still a way to go. In the meantime, standards like ISO 27001 and ISO 42001 can help IT and security teams steer their organisations in the right direction. Risk is inevitable, and it continues to evolve. Those best placed to manage it in a systematic but agile way will start 2026 strongest.

To find out more about the current threat landscape, read our State of Information Security 2025 report.