The year-in-cyber genre is mostly a vehicle for selling next year's product roadmap, so I will try not to do that. What follows is, instead, a short and honest account of what 2025 turned out to be, what the noise mostly was, and what the genuinely consequential shifts were for boards I sit with in the UK. I have written it the way I would brief a chair on the train home from a December meeting.

Five things that were noise

These were the headlines that dominated the news cycle but, on the evidence we now have, did not turn out to be the things that mattered most.

AI-generated phishing was a more marginal threat than the year's coverage suggested. The attackers did get better-quality phishing emails, faster. The clickthrough rates on simulated tests did not move materially. Phishing was already a problem the controls catch when they catch it and miss when they miss it. Slightly better grammar did not move that needle.

The arrival of an AI agent that could autonomously breach a network. It did not arrive. There were demonstrations, some impressive, of AI assistance in offensive workflows. Autonomy in the strict sense — start to finish, end-to-end, without human intervention — was not the operational reality at any point in 2025, including for the better-resourced state actors. Boards that were told otherwise were sold a future tense as a present tense.

Quantum-safe everything. The post-quantum-cryptography migration is a real, multi-year programme, mostly being driven by NCSC guidance and NIST standards. The marketing volume in 2025 outran the practical relevance to most firms by some distance.

Deepfake CEO-fraud cases. They happened. They were not, in proportion to the year's coverage, a leading vector for material loss in UK firms. The traditional business-email compromise pattern remained the larger source of loss.

The 'cyber insurance market is collapsing' story. It hardened, it did not collapse. Premiums rose, exclusions tightened, ransomware-pay clauses became more contested. The market remained available to firms with credible controls. Firms with poor controls discovered they had been paying less than they should have been all along.

Five things that were the actual story

These are the year's developments that boards I sat with will be living with into 2026 and beyond.

One: the ICO is calibrating on controls, not incidents. Capita's £14m fine in March. Advanced Computer Software's £3.07m fine in June. Both fines were issued for the security failings preceding the breach, not for the response to it. The pattern is clear and the language in the enforcement notices is clearer. The defensible position is no longer 'we responded well'. It is 'we had appropriate controls, evidenced beforehand'. That is the line. It will be drawn more firmly in 2026.

Two: the regulatory perimeter widened. The Cyber Security and Resilience Bill had its second reading in January and entered substantive parliamentary work in the autumn. The bill's effect, once enacted, will be to widen the set of firms within NIS-equivalent scope to include large managed-service providers, data centres, and upstream critical suppliers: firms that were, in 2020, comfortably outside any cyber regulatory perimeter. By the end of 2026 several thousand UK firms will, in scope terms, find themselves in a place they have never been.

Three: ransomware moved further into shared services. Synnovis, in 2024, was the case that established the pattern. 2025 saw further attacks on the supplier underneath the supplier: managed IT providers, payroll bureaus, sectoral data aggregators. The trend will continue. Boards should expect that, in 2026, more of the incidents reaching the news will be at firms most people have never heard of, doing critical work for firms everyone has.

Four: state-aligned prepositioning is now a board-level matter. The NCSC/CISA joint advisory in March, and several others later in the year, made it visible that state-aligned actors are positioned inside UK critical national infrastructure with intent to disrupt rather than to spy. The risk is no longer hypothetical. The risk discussion has moved from the probability of intrusion to the probability of activation. That is a different conversation, and boards in the affected sectors need to be having it explicitly.

Five: cyber-AI convergence at governance level. The thing that mattered in 2025 was not whether AI changed the threat surface — it changed it, but slowly. The thing that mattered was that AI moved into the same board agenda slot as cyber, in many firms for the first time. The implications of that — joint risk reporting, joint policy frameworks, joint executive ownership — are still being worked out. Firms that recognise the convergence are getting better governance for both. Firms that keep them in separate silos are losing time.

What boards I sit with are working on for 2026

A short list of what is actually on board agendas for next year, distilled across the dozen or so I have observed up close this year.

Mapping critical suppliers, not just by category but by name, and modelling the consequences of each going dark for 60 days. The Synnovis-shape exposure is now the question every audit committee chair is asking.

Designing the 24-hour and 72-hour reporting clock for the Cyber Security and Resilience Bill before it commences. The firms that wait for the commencement order will not be ready in time. The firms that build the muscle memory now will be.

Joint cyber-AI risk registers. Treating them as a single risk discipline, with one executive owner, one set of policies, and one reporting line to the board. The biggest single governance hygiene improvement available in 2026.

Tabletop exercises that include the public-timeline-of-extortion scenario. The Canvas / ShinyHunters playbook (still emerging at the time of writing) will be the case study most of us refer to in 2026. The firms that have rehearsed for the attacker-controls-the-clock pattern will hold their nerve. The firms that have not will lose theirs in public.

Honest evidence of the controls in place, not aspirations. The ICO will, in 2026, ask for evidence. Aspirational policy documents will not suffice. Boards should know what the actual evidence pack looks like before someone outside the firm asks for it.

One paragraph for the next year

If 2024 was the year UK boards started taking cyber risk seriously, 2025 was the year UK regulators started calibrating on the controls behind the risk. 2026 will be the year that calibration starts showing up in enforcement, in supervisory letters, and in the questions audit committee chairs are expected to be able to answer without notice. The firms that close the gap between policy and evidence will, by the end of 2026, look meaningfully more defensible than the firms that do not. The firms that do not close it will look meaningfully less so.

That is the work. See you in 2026.