2026 Mid-Year Cyber Review

Six months in: the UK cyber landscape at the halfway point of 2026

Threat volumes are up, new legislation is advancing through Parliament, certification requirements have tightened, and the regulatory expectation behind Cyber Essentials has hardened across government, regulators, and supply chains.

This is CyberSmart's mid-year review, covering the threat data, policy and legislative developments, certification changes, and what it all means for managed service providers heading into H2.

The threat data

Verizon's 2026 Data Breach Investigations Report, based on more than 31,000 security incidents across 145 countries, found that vulnerability exploitation has overtaken credential theft as the most common initial access vector for the first time in 19 years. Exploitation now accounts for 31% of initial access, up from 20% the year before. Credential abuse has fallen to 13%. These are global figures rather than UK-specific data.

The UK Cyber Security Breaches Survey 2025/26 provides the domestic picture. Seven in ten businesses say cyber is a senior management priority. The data shows how far actual practice lags behind that stated priority. The full breakdown:

  • 43% of UK businesses and 28% of charities reported a breach or attack in the past 12 months
  • For medium businesses the figure rises to 65%, and for large businesses to 69%
  • Phishing affected 38% of businesses and accounted for more than half of all attacks experienced by organisations that were hit
  • Ransomware prevalence roughly doubled year-on-year, from under 0.5% to approximately 1% of businesses, equating to around 19,000 UK organisations
  • Only 30% of businesses carried out a cyber risk assessment
  • Only 25% had a formal incident response plan
  • Only 15% reviewed the cyber risk posed by their immediate suppliers
  • Only 3% require suppliers to hold Cyber Essentials
  • Board-level responsibility for cyber security rose to 31%, reversing a multi-year decline
  • Cyber Essentials certification among businesses rose from 3% to 5%, though around a quarter of businesses report having controls across all five CE areas without holding the certification
  • The proportion of micro businesses able to recover from their most disruptive breach in under a day fell from 92% to 86%

CyberSmart's third annual MSP Survey, conducted with 350 MSP leaders across the UK and Ireland, found that three quarters reported their clients had experienced a breach in the past year. Two in five had dealt with a supply chain incident. Respondents named AI-enabled threats as their top concern, ahead of ransomware and phishing.

Incidents and threat actors

The NCSC recorded 204 nationally significant incidents in the 12 months to September 2025, more than double the 89 from the year before. At CYBERUK 2026 in April, NCSC Chief Executive Richard Horne disclosed that the composition of those incidents had shifted. Where attacks were previously dominated by criminal actors, the majority now originate directly or indirectly from nation states.

On 7 April, the NCSC published an advisory on Russian state-backed activity. The advisory attributed DNS hijacking operations to APT28, also known as Fancy Bear, a group the NCSC links to Russia's GRU Military Unit 26165. The attacks exploit vulnerabilities in SOHO routers, including TP-Link and MikroTik models, to redirect internet traffic through attacker-controlled servers and harvest login credentials including passwords and authentication tokens. The NCSC describes the activity as opportunistic in nature, with attackers casting a wide net before filtering down to targets of intelligence value.

On 23 April, on day two of CYBERUK 2026, the NCSC and 15 international partners published a joint advisory on China-nexus covert networks. State-linked actors are using large networks of compromised devices, principally SOHO routers, firewalls, network-attached storage, and IoT and smart devices, to route malicious activity and evade detection. A full technical advisory and executive summary are available from the NCSC.

In May, the NCSC CTO published a warning about an anticipated surge in software patches across open source, commercial, proprietary, and SaaS products, driven by AI's increasing ability to exploit accumulated technical debt at scale. The NCSC recommends enabling automatic updates wherever available, prioritising internet-facing systems, and replacing or removing from scope any software that can no longer receive security updates.

Speaking at RSAC 2026, Horne referenced economists who attributed the UK's October 2025 negative GDP print to the downstream effects of a single cyber attack on a major manufacturer.

Policy and legislation

The Cyber Security and Resilience Bill completed all Commons stages in the first half of 2026. The Bill received its second reading on 6 January, the same day the government separately published its Cyber Action Plan, a document driven by a new Government Cyber Unit and designed to improve visibility of cyber risks across public services, strengthen central oversight, and enable faster responses to attacks. The Public Bill Committee met from 3 to 24 February and reported by 5 March. Report stage and third reading both took place on 10 June 2026, after which the Bill passed to the House of Lords. Royal Assent is expected later in 2026, though phased implementation means it may not fully come into force until 2028.

The Bill extends the existing NIS regulatory framework to cover managed service providers and data centres for the first time. It introduces tougher incident reporting obligations, a broader definition of regulated entities, and a two-band, turnover-based financial penalties regime that was not available under the existing NIS framework. It represents the most substantial expansion of the UK's cyber regulatory scope since the NIS Regulations were introduced in 2018.

On ransomware, the government confirmed in 2026 that it will proceed with all three proposals from its 2025 consultation: a mandatory incident reporting regime for ransomware attacks, a requirement to notify the government before making a ransom payment, and a ban on ransom payments by public sector bodies and critical national infrastructure operators. These measures are not yet law. In healthcare, supply chain action has moved ahead independently of legislation.

From January, NHS England moved beyond voluntary commitments in its Cyber Security Supply Chain Charter to direct engagement with technology suppliers, contacting them to discuss cyber security controls and requesting supporting evidence where suppliers deliver services critical to patient care or operational continuity.

At CYBERUK 2026 in Glasgow, the government announced £90 million to improve cyber resilience across the economy, directed primarily at small and medium-sized businesses. The Cyber Resilience Pledge launched on 22 April 2026, committing signing organisations to make cyber a board-level responsibility, to sign up to the NCSC's free Early Warning Service, and to require Cyber Essentials across their supply chains. The Minister for Cyber, speaking separately at the New Statesman, confirmed the government's position that Cyber Essentials is the baseline standard for supply chain security across the UK economy.

The UK Energy Sector Cyber Security Strategy was published on 28 May 2026 by the Department for Energy Security and Net Zero, Ofgem, NCSC, and the National Energy System Operator. It sets out strategic objectives and a call to action for organisations operating across the energy supply chain.

In the defence supply chain, Cyber Security Model version 4 launched in December 2025, introducing Defence Cyber Certification (DCC) as the assurance framework for Ministry of Defence suppliers. DCC Level 0 is the minimum certification standard, with higher levels required depending on contract requirements. While DCC is not yet a legal requirement, contracts are already commercially requiring it. The scheme was developed through the Defence Cyber Protection Partnership and is based on NCSC standards, following the Strategic Defence Review's finding that UK Defence carried intolerable levels of cyber risk.

Certification changes

Cyber Essentials introduced a new question set, Danzell, in April 2026, replacing the previous Willow set. The two biggest changes are a hard auto-fail on multi-factor authentication for cloud services, and a stricter interpretation of the 14-day patching window for high and critical vulnerabilities. Cloud scoping has also been tightened. Both the MFA and patching requirements existed under Willow, but Danzell removes the interpretive flexibility that some organisations had been using to pass certification without fully meeting the intent of the controls.
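As an added illustration of the two rules discussed above (the 14-day patching window for high and critical vulnerabilities that Danzell now enforces strictly, and the NCSC's May advice to replace or de-scope software that can no longer receive security updates), here is a small Python check run over a constructed patch inventory. It is example code written for this review, not CyberSmart's tooling or the certification scheme's own logic; the CVSS 7.0 fallback for fixes the vendor has not labelled, and all host names and advisory ids, are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14     # CE rule: high/critical fixes applied within 14 days of vendor release
CVSS_HIGH_THRESHOLD = 7.0  # assumed fallback: unlabelled fix with CVSS v3 >= 7.0 is treated as high

@dataclass
class PatchRecord:
    host: str
    advisory: str            # constructed placeholder id, not a real CVE
    severity: Optional[str]  # vendor label ("critical", "high", "medium", "low") or None
    cvss: Optional[float]    # CVSS v3 base score, used only when the vendor gave no label
    released: date           # date the vendor published the fix
    applied: Optional[date]  # date the fix was installed, None if still pending
    supported: bool = True   # False if the product no longer receives security updates

def in_scope_for_window(rec: PatchRecord) -> bool:
    if rec.severity is not None:
        return rec.severity.lower() in ("critical", "high")
    return rec.cvss is not None and rec.cvss >= CVSS_HIGH_THRESHOLD

def assess(records: list[PatchRecord], as_of: date) -> list[dict]:
    """One finding per record that fails the patching window or the supported-software check."""
    findings = []
    for rec in records:
        if not rec.supported:  # NCSC guidance: replace it or remove it from scope
            findings.append({"host": rec.host, "advisory": rec.advisory, "status": "unsupported", "days_late": None})
            continue
        if not in_scope_for_window(rec):
            continue  # medium/low fixes sit outside the 14-day rule
        deadline = rec.released + timedelta(days=PATCH_WINDOW_DAYS)
        effective = rec.applied if rec.applied is not None else as_of  # a pending fix keeps ageing
        if effective > deadline:
            findings.append({"host": rec.host, "advisory": rec.advisory,
                             "status": "applied late" if rec.applied else "pending",
                             "days_late": (effective - deadline).days})
    return findings

# Constructed sample inventory: hosts and advisory ids are made up for the example
SAMPLE = [
    PatchRecord("ws-01", "ADV-0001", "critical", None, date(2026, 5, 1), date(2026, 5, 10)),
    PatchRecord("ws-02", "ADV-0001", "critical", None, date(2026, 5, 1), date(2026, 5, 20)),
    PatchRecord("srv-01", "ADV-0002", None, 7.5, date(2026, 5, 20), None),
    PatchRecord("srv-02", "ADV-0003", "medium", None, date(2026, 5, 1), None),
    PatchRecord("rtr-01", "ADV-0004", "high", None, date(2026, 4, 1), None, supported=False),
]

def sample_findings(as_of: date = date(2026, 6, 10)) -> list[dict]:
    return assess(SAMPLE, as_of)
```

Run against the sample as of 10 June, the check flags the workstation patched five days past the window, the still-pending server fix, and the unsupported router, while the medium-severity fix and the on-time workstation pass.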

The ICO stated in May 2026 that it expects organisations using or storing personal data to have the five Cyber Essentials controls in place, explicitly linking CE compliance to data protection obligations.

CE is now mandatory for public sector contracts over £5 million, required across the MOD supply chain under the DCC framework, and a condition for NHS Supply Chain suppliers handling NHS data, where Cyber Essentials Plus is the required level. The Cyber Resilience Pledge extends that further, asking signing organisations to require CE across their own supply chains.

CyberSmart's NIS2 compliance research found that only 16% of businesses consider themselves fully NIS2 compliant. The Cyber Security and Resilience Bill will impose comparable obligations once passed. For businesses that fall in scope, the compliance gap is likely to be substantial.

What it means for MSPs going into H2

Across the first half of 2026, the threat picture, legislative environment, and certification requirements have all moved in the same direction. Incident volumes are up, with the majority of nationally significant incidents now attributed to nation-state activity. The Cyber Security and Resilience Bill is advancing toward Royal Assent and will bring MSPs into regulatory scope for the first time. Danzell has raised the bar on CE certification. And the ICO, the government, and the Cyber Resilience Pledge have each explicitly named CE as the expected baseline.

For MSPs, the second half of the year brings concrete pressures. Client patch postures need to meet the 14-day Danzell requirement at scale. CE certifications need to accurately reflect client controls following the question set change. Clients operating in the defence supply chain need to understand their DCC obligations. And client cyber insurance needs to reflect the risk profile that the survey data now describes.

The fundamentals that address most of this have not changed: Cyber Essentials, consistent patch management, MFA, staff training, and supply chain visibility. What has changed is the weight of expectation behind them.

Behind every statistic and update in this review are businesses that need better cyber support than they currently have. CyberSmart is built to help MSPs do that at scale: Cyber Essentials certification across client estates, patch and vulnerability management that keeps clients compliant with Danzell's 14-day requirements, and security awareness training that addresses the human risk behind so many of the breaches the survey data describes.

Become the MSP your clients need right now.