Fortinet is a Business Reporter client
The cyberthreat landscape has never been more demanding. More than three-quarters of organisations worldwide reported an increase in cyber fraud in the World Economic Forum’s Global Cybersecurity Outlook 2026, underscoring how rapidly the threat environment is escalating.
What makes this moment particularly challenging is that the growth in attacks is driven less by the development of novel exploits and more by availability and automation. Sophisticated attack toolkits can now be hired by relatively unsophisticated actors, dramatically lowering the barrier to entry. For organisations responsible for critical national infrastructure (CNI), the implications are stark: the time for action is now.
Governments and regulators are signalling that cyber resilience is no longer optional. In the EU, the Digital Operational Resilience Act (DORA) and the NIS2 Directive are imposing new and stringent cybersecurity requirements on essential services. In the UK, the forthcoming Cyber Security and Resilience Bill introduces a range of mandatory process obligations, including a challenging 24-hour window for incident notification.
Emerging cyber defence technology
Yet robust processes, however necessary, are not sufficient on their own. Technology is evolving at pace. The cyber defences that CNI organisations use must evolve with it.
Artificial intelligence sits at the centre of this transformation. It is simultaneously one of the most powerful tools available to defenders and one of the most dangerous weapons in the hands of attackers. Adversaries are already leveraging AI to increase the speed and volume of their campaigns, automating reconnaissance, adapting malware and scaling social engineering attacks. CNI organisations must fight fire with fire, deploying AI-powered security capabilities to detect, analyse and respond to threats in real time. Crucially, this deployment must be accompanied by sound governance frameworks and investment in staff skills. AI without oversight introduces its own category of risk.
Quantum readiness is another area demanding urgent attention, though it is one that many senior leaders have yet to fully internalise. Quantum computing, when it matures, will render current encryption standards obsolete, decrypting in hours what would take classical computers millennia. This is not a theoretical threat. Criminals are already harvesting encrypted data and storing it, anticipating that quantum computing capabilities will allow them to decrypt it within the next few years. The National Institute of Standards and Technology (NIST) has published a set of post-quantum encryption standards, designed to meet this “harvest now, decrypt later” approach; and CNI organisations should be actively working towards adoption now, rather than waiting for quantum computing to mature.
Cloud computing presents an opportunity for CNI organisations to improve resilience, with many benefits including redundancy, scalability and rapid recovery. However, it also introduces data sovereignty issues. For organisations operating under GDPR and sector-specific regulatory requirements, the key questions are where does data reside and who can access it?
To manage this problem, organisations are increasingly adopting a hybrid approach: repatriating sensitive data to on-premises infrastructure, and combining this with the use of specialist cloud services that provide guaranteed local data processing. Cloud-first is giving way to cloud-smart.
Accelerating IT and OT convergence
The technological landscape is further complicated by the growing convergence of information technology (IT) and operational technology (OT). Until now, cybersecurity investment has been concentrated on IT environments. That is no longer adequate.
Operational technology – the systems that control physical processes in utilities, transport and manufacturing – is increasingly networked and increasingly exposed. But cybersecurity budgets for OT and industrial control systems (ICS) are lagging even as attacks surge. The consequences of a successful OT compromise can be severe: physical disruption, safety incidents and cascading infrastructure failures.
What makes this convergence particularly challenging is that IT and OT do not share the same priorities. IT environments are optimised for data integrity, confidentiality and availability. OT environments prioritise process uptime, safety and reliability. Applying IT security protocols wholesale to OT systems can introduce new operational risks. The leaderships of CNI organisations provide governance that respects both sets of requirements and ensures neither is sacrificed for the other.
Considerations when adopting technology
For CNI leaders navigating these pressures, several principles should guide technology adoption. Resilience must be built in and regularly tested to see if it still works as expected. Protections need to evolve continuously as threats evolve. Multinational organisations must reconcile differing data privacy and changing resilience regimes across jurisdictions.
Governance is never negotiable. Responsible AI use requires data governance processes that prevent the bias and inaccuracy caused by poor-quality data. Additionally, the principle of “secure by design”, embraced by leading security vendors such as Fortinet, should be embedded in procurement and development decisions.
Perhaps most importantly, CNI organisations should not try to navigate this environment alone. Public-private partnerships and information-sharing are vital. So too is the selection of partners with CNI expertise, who understand the regulatory landscape, the operational constraints and the emerging technologies, and who have learned the hard lessons that experience with demanding bodies such as NATO provides.
The challenges ahead are formidable. Meeting them requires the most effective technology, the strongest governance and the right allies.
Fortinet delivers cybersecurity for CNI everywhere it is needed, protecting data in the cloud and on premises. Explore the issues around protecting CNI from today’s cyberthreats at the Fortinet Quantum Virtual event or its AI summit.
Leave a comment