
Cybersecurity 2026: What IT managers need to prioritise now


2026 marks the start of a new era for IT security in small and medium-sized enterprises. The NIS 2 Directive has become part of everyday life, AI-powered cyberattacks are the norm, and post-quantum (quantum-resistant) cryptography is on the verge of being introduced. Many companies have laid solid groundwork; now we will see which measures truly stand the test of time under these stricter conditions.

Here are the top 5 areas that IT managers should currently be focusing on – with direct recommendations for concrete implementation and timelines for this year.

1. NIS 2 compliance: making the ISMS, awareness and documentation sustainable for the long term

The documentation and reporting requirements under NIS 2 are now in force: annual reviews, internal audits and reliable incident reporting (e.g. via Cert+) are mandatory and are checked by the supervisory authorities. An up-to-date, auditable Information Security Management System (ISMS) is the established way of meeting these requirements. The directive does not explicitly mandate an ISMS, but it does require comparable, documented security measures and their regular review, which is exactly what an ISMS provides in auditable form.

2026 Timeline:

  • Q1: Close the remaining NIS 2 gaps and verify audit readiness
  • Q2: Meet the awareness obligations through automated, individually tailored training
  • Q3/Q4: Ensure continuous evidence management for audits and regulators through documentation

2. Ransomware resilience & contingency planning: Ensuring business continuity

Ransomware incidents remain among the most critical business risks. The key question is: “Will we be able to carry on working tomorrow if all our systems are encrypted today?” Answering it with confidence requires up-to-date, tested backups (at least one isolated, offline copy plus a cloud copy), regularly rehearsed contingency plans, and decision-makers who have prepared thoroughly. A backup that has never been restored is an assumption, not a safeguard.

2026 Timeline:

  • Q1: Create, review and regularly practise comprehensive contingency plans/immediate response measures
  • Q2: Review backup strategy (isolation, restore tests, cloud/hybrid)
  • Ongoing: Regularly incorporate lessons learnt from incidents back into processes
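The restore test in Q2 is the step most often skipped. As an added example (not from the original article or Securepoint), the following Python script backs up a constructed directory, then restores the archive into a scratch directory and checks every file against a separately stored manifest, failing the drill if the archive is damaged or older than the assumed 24-hour RPO. The file names, the RPO and the truncation scenario are assumptions.

```python
"""Restore drill: back up a directory, then prove the archive restores
bit-for-bit against a separately stored manifest and is within the RPO.
Added example for this article, not Securepoint's code; the 24-hour RPO,
the file names and the truncation scenario are assumptions."""
import hashlib
import os
import tarfile
import tempfile
import zlib
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Write src_dir into a tar.gz; return a manifest {relpath: sha256} with
    the creation time. Keep the manifest apart from the archive: it is the
    reference the restore test is checked against."""
    files = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, names in os.walk(src_dir):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                files[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return {"created": datetime.now(timezone.utc).isoformat(), "files": files}


def restore_test(archive_path, manifest, max_age=timedelta(hours=24), now=None):
    """Restore into a scratch directory and compare every file with the
    manifest. ok is True only if the archive is readable, nothing is missing
    or altered, and the backup is younger than max_age (the RPO)."""
    now = now or datetime.now(timezone.utc)
    report = {"ok": True, "restored": 0, "missing": [], "corrupt": [], "stale": False}
    if now - datetime.fromisoformat(manifest["created"]) > max_age:
        report["stale"] = True
        report["ok"] = False
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                for m in tar.getmembers():
                    # Refuse members that could write outside the scratch directory.
                    if not m.isfile() or m.name.startswith("/") or ".." in m.name.split("/"):
                        raise tarfile.TarError(f"unsafe member {m.name!r}")
                tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            report["ok"] = False
            report["error"] = f"archive unreadable: {exc}"
            return report
        for rel, digest in manifest["files"].items():
            path = os.path.join(scratch, *rel.split("/"))
            if not os.path.exists(path):
                report["missing"].append(rel)
            elif sha256_file(path) != digest:
                report["corrupt"].append(rel)
            else:
                report["restored"] += 1
    if report["missing"] or report["corrupt"]:
        report["ok"] = False
    return report


def demo():
    """Constructed scenario: an intact backup, a truncated copy of it and the
    same backup judged three days later. Returns the three reports."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "erp")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget');\n" * 200)
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[db]\nhost=erp-db01\n")
        archive = os.path.join(work, "erp.tar.gz")
        manifest = make_backup(src, archive)
        good = restore_test(archive, manifest)
        with open(archive, "rb") as f:
            data = f.read()
        damaged = os.path.join(work, "erp-damaged.tar.gz")
        with open(damaged, "wb") as f:
            f.write(data[: len(data) // 2])  # half the archive is lost
        corrupt = restore_test(damaged, manifest)
        later = datetime.fromisoformat(manifest["created"]) + timedelta(days=3)
        stale = restore_test(archive, manifest, now=later)
        return good, corrupt, stale


if __name__ == "__main__":
    for label, rep in zip(("intact", "damaged", "stale"), demo()):
        print(label, "OK" if rep["ok"] else "FAILED", rep)
```

The manifest is what makes the drill meaningful: comparing a restored file only with the archive it came from proves nothing if the archive itself was altered, so the hashes must be stored on a separate system from the backup copies. In a real schedule the drill runs against the offline copy as well as the cloud copy, and the report is kept as audit evidence.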

3. Clearing up legacy issues: modernising access routes and remote access

Many companies are still grappling with legacy issues from the COVID-19 period: VPN access points that were set up incorrectly or run outdated software are often still active and frequently lack multi-factor authentication (MFA). These open gateways are a goldmine for attackers. Implementing MFA at every external interface offers the best cost-benefit ratio of any single measure. Access points that are no longer required must be systematically removed.

2026 Timeline:

  • Immediately: Inventory of legacy issues and risk assessment of all remote access points
  • Q2: Rapid implementation of MFA for all external interfaces
  • Ongoing: Firmware/patch management of access gateways, regular access reviews
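The inventory and risk assessment in the first step are easier to act on when the result is a ranked list. The following Python script is an added example (not from the article or Securepoint): it scores a constructed inventory of access points with the rules from this section, namely MFA on every internet-facing interface, no gateway below its supported version, nothing left running unused, and every gateway with an owner. Service-provider remote-maintenance tools belong in the same inventory. The CSV columns, the reference date, the 90-day idle threshold and the score weights are assumptions.

```python
"""Risk-rank an inventory of remote access points so the riskiest legacy
gateways are dealt with first. Added example for this article, not
Securepoint's code. The inventory, the reference date, the 90-day idle
threshold and the score weights are assumptions."""
import csv
import io
from datetime import date

# Constructed inventory, as exported from a CMDB or the gateways' admin consoles.
INVENTORY_CSV = """\
name,type,exposure,mfa,version,min_supported,last_used,owner
hq-ssl-vpn,vpn,internet,yes,12.4.2,12.3.0,2026-02-10,it-ops
covid-rdp-gw,rdp-gateway,internet,no,2019,2022,2025-09-01,
branch-ipsec,vpn,internet,no,7.0.1,7.0.1,2026-02-12,it-ops
hvac-teamviewer,remote-maintenance,internet,yes,15.1,15.0,2025-04-22,facility-vendor
admin-jump,ssh,internal,yes,9.6,9.0,2026-02-13,it-ops
"""

REFERENCE_DATE = date(2026, 2, 14)  # fixed so the output is reproducible


def load_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))


def version_key(v):
    """Numeric tuple so that '12.10' sorts after '12.9'."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def severity(score):
    return "critical" if score >= 60 else "high" if score >= 40 else "medium"


def assess(rows, today=REFERENCE_DATE, idle_days=90):
    """Apply the section's rules: MFA on every external interface, no outdated
    gateway software, no forgotten access points, every gateway owned.
    Returns findings sorted by descending score; clean entries are omitted."""
    findings = []
    for r in rows:
        score, reasons, actions = 0, [], []
        if r["exposure"] == "internet" and r["mfa"] != "yes":
            score += 40
            reasons.append("internet-facing without MFA")
            actions.append("enforce MFA now")
        if version_key(r["version"]) < version_key(r["min_supported"]):
            score += 25
            reasons.append(f"version {r['version']} below supported {r['min_supported']}")
            actions.append("patch or replace")
        idle = (today - date.fromisoformat(r["last_used"])).days
        if idle > idle_days:
            score += 20
            reasons.append(f"unused for {idle} days")
            actions.append("decommission unless justified")
        if not r["owner"]:
            score += 15
            reasons.append("no owner recorded")
            actions.append("assign an owner")
        if score:
            findings.append({"name": r["name"], "type": r["type"], "score": score,
                             "severity": severity(score), "reasons": reasons,
                             "actions": actions})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def run():
    return assess(load_inventory(INVENTORY_CSV))


if __name__ == "__main__":
    for f in run():
        print(f"{f['severity']:8} {f['score']:3} {f['name']:16} {'; '.join(f['reasons'])}")
        print(f"{'':28} -> {', '.join(f['actions'])}")
```

The weights deliberately put "exposed without MFA" above everything else, matching the cost-benefit argument above; an unused gateway with no owner is the classic COVID-era leftover and scores high enough to be decommissioned rather than patched.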

4. Managed security: targeted expansion of MSSP services

The complexity and speed of attacks are now almost impossible to manage with internal resources alone, particularly given the skills shortage. Managed Security Service Providers (MSSPs) safeguard operations, take the pressure off the internal team and keep security standards high. Switching to or expanding MSSP services is a strategic imperative for 2026 and also acts as a buffer against staff shortages.

2026 Timeline:

  • Q1/Q2: Review MSSP models and select/develop suitable partners
  • Q2/Q3: Secure business-critical services, establish service level controls
  • Q4: Regularly review and adapt MSSP services and contracts

5. Preventing AI-powered phishing, quishing and smishing: keeping communication security up to date

AI-generated phishing, sophisticated quishing (QR-code phishing) and smishing (via SMS and messaging services) are now commonplace. Future-proof protection combines awareness training, robust email security and mobile security that is updated in real time from threat intelligence. Human vigilance, adaptive spam filters and strictly regulated access rights on mobile devices together offer the best available protection.

2026 Timeline:

  • Q1/ongoing: Update defence mechanisms for email and mobile devices to keep pace with the latest attack methods
  • Q2/Q3: Firmly schedule simulated attacks (phishing, quishing, smishing) as a control measure
  • Q4: Review all protection concepts for mobile and email traffic based on real incidents and lessons learnt

Bonus priority: The ‘blind spot’ – suppliers and service providers as a risk

An uncomfortable truth: the IT service provider or system integrator can become a point of vulnerability, typically via remote maintenance tools. If the system integrator is compromised, hundreds of companies could potentially be affected at the same time. A sound awareness of risk and clear control mechanisms for third-party access are essential: How is access technically regulated? Does the service provider itself use MFA? Are there contingency plans in place for incidents at the service provider? How is access documented and verifiable?

2026 Timeline:

  • Q1: Compile an overview of all active service provider access points (including remote maintenance solutions)
  • Q2: Update contractual and control mechanisms for commissioned data processing/third-party maintenance
  • Q3/Q4: Regularly review service providers from a technical and organisational perspective; conduct audits or access tests at least every six months
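The questions above (is access limited technically, is MFA used, is it documented and verifiable) can be checked against the gateway's own log rather than the provider's word. The following Python script is an added example (not from the article or Securepoint): it parses a constructed remote-maintenance gateway log and compares each vendor login with a register of what the contract permits (source network, maintenance window, MFA, a change ticket, maximum session length). The log format, the register contents and the log end time are assumptions.

```python
"""Review a remote-maintenance gateway log against what each vendor contract
permits. Added example for this article, not Securepoint's code. The log
format, the vendor register and the log end time are assumptions."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed gateway log (key=value fields after an ISO timestamp).
GATEWAY_LOG = """\
2026-02-09T02:13:44Z user=vendor-erp src=203.0.113.40 mfa=yes ticket=CHG-4471 action=login
2026-02-09T02:58:02Z user=vendor-erp src=203.0.113.40 action=logout
2026-02-10T14:05:19Z user=vendor-hvac src=198.51.100.7 mfa=no ticket=- action=login
2026-02-10T23:40:00Z user=vendor-hvac src=198.51.100.7 action=logout
2026-02-11T09:12:33Z user=vendor-erp src=192.0.2.77 mfa=yes ticket=- action=login
2026-02-11T09:20:10Z user=vendor-erp src=192.0.2.77 action=logout
2026-02-12T19:30:00Z user=vendor-erp src=203.0.113.40 mfa=yes ticket=CHG-4490 action=login
"""

# Constructed register: what the contract with each service provider allows.
VENDOR_REGISTER = {
    "vendor-erp":  {"networks": ["203.0.113.0/24"], "window_utc": (0, 6),  "max_hours": 4},
    "vendor-hvac": {"networks": ["198.51.100.0/24"], "window_utc": (8, 18), "max_hours": 4},
}

LOG_END = datetime(2026, 2, 13, tzinfo=timezone.utc)  # when the log extract ends


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def review(events, register, log_end):
    """Return (timestamp, account, finding) tuples for every deviation from
    the contracted access rules."""
    findings, open_sessions = [], {}
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        policy = register.get(user)
        if policy is None:
            findings.append((ts, user, "account not in vendor register"))
            continue
        if ev["action"] == "login":
            if ev.get("mfa") != "yes":
                findings.append((ts, user, "login without MFA"))
            if ev.get("ticket", "-") == "-":
                findings.append((ts, user, "no change ticket referenced"))
            src = ipaddress.ip_address(ev["src"])
            if not any(src in ipaddress.ip_network(n) for n in policy["networks"]):
                findings.append((ts, user, f"source {src} outside contracted network"))
            start, end = policy["window_utc"]
            if not start <= ts.hour < end:
                findings.append((ts, user, "login outside maintenance window"))
            open_sessions[user] = ts
        elif ev["action"] == "logout":
            started = open_sessions.pop(user, None)
            if started is not None:
                hours = (ts - started).total_seconds() / 3600
                if hours > policy["max_hours"]:
                    findings.append((started, user,
                                     f"session lasted {hours:.1f} h, limit {policy['max_hours']} h"))
    # A session with no logout by the end of the log deserves the same attention.
    for user, started in open_sessions.items():
        if log_end - started > timedelta(hours=register[user]["max_hours"]):
            findings.append((started, user, "session still open at end of log"))
    return sorted(findings)


def run():
    return review(parse_log(GATEWAY_LOG), VENDOR_REGISTER, LOG_END)


if __name__ == "__main__":
    for ts, user, what in run():
        print(ts.isoformat(), user, what)
```

Run this over the gateway log for each review cycle; the findings are the technical half of the six-monthly provider review, and a login that matches no register entry is itself a finding, because it means an access route exists that nobody has contractually accounted for.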

Future Projects 2026: Quantum-secure cryptography & AI governance

Quantum-resistant encryption and comprehensive AI governance are the key medium-term projects for 2026: the migration of sensitive data and systems to quantum-resistant algorithms, the phasing out of outdated encryption methods, and continuous monitoring of production AI systems must now be included in the roadmap. The migration cannot wait for quantum computers to arrive: encrypted data with a long confidentiality lifetime can be recorded today and decrypted later, so it must be protected first. Compliance checks and updates to guidelines should be scheduled on an ongoing basis.

2026 at a glance: Immediate actions & ongoing tasks

Quarter   Priority & Action
Q1        Analysis of legacy issues; roll out MFA across the board; review contingency plans and supplier access
Q2        Backup tests; review/expand MSSP models; step up awareness programmes and security audits
Q3        Finalise plans for quantum-safe cryptography; AI governance/audits; service provider review
Q4        Ongoing compliance evidence; lessons learnt; implement improvements

Summary for IT managers and administrators:

  • MFA is essential for all access points; backups must be isolated and tested
  • MSSP partnerships streamline processes and take the pressure off your own team
  • Keep awareness campaigns and security measures up to date with the latest attack methods
  • Keep your emergency manual up to date; don’t just keep it ‘on the shelf’
  • Regularly review third-party access and service providers from both a technical and organisational perspective

Summary for Management/Compliance:

  • Prioritise full traceability of all measures and documentation
  • View the MSSP as a strategic partner and actively involve them
  • Targeted investment in quantum-safe cryptography and AI compliance
  • Foster risk and incident awareness throughout the organisation
  • Ensure regular reviews and adjustments to changing threat landscapes are firmly embedded in the plan

Conclusion:

2026 will determine whether security and compliance remain mere words on paper or become an integral part of day-to-day operations. Organisations that master the fundamentals – such as multi-factor authentication (MFA), disaster recovery planning and vendor vetting – keep awareness and technology up to date, and intelligently supplement their operations with an MSSP, will minimise risks whilst ensuring maximum protection of their resources. The Securepoint team stands ready to provide consistent support throughout the implementation process, acting as an experienced sparring partner and technology provider.


Public Relations


Kevin Thomas
phone: +49 (0)151/70509020
email: presse@securepoint.de