The UK rail sector faces complex cyber security challenges under the NCSC Cyber Assessment Framework (CAF). This includes protecting operational technology (OT), managing legacy signalling systems, and securing a highly fragmented supply chain across Network Rail, TOCs, and ROSCOs. The Department for Transport applies CAF within the NIS Regulations, prioritising passenger safety alongside cyber resilience, particularly during CP7 infrastructure programmes.

In 2026, most organisations will be asking whether their cyber security operations capability is actually working for them. 

They have multiple tools deployed, dashboards lighting up, frameworks adopted, compliance boxes ticked. Yet, the same operational issues keep surfacing… alert fatigue, slow response, brittle processes, disengaged users, and a lingering sense that security is always one step behind the attackers. 

The water sector faces a unique set of pressures, such as geographically dispersed assets, legacy Operational Technology that predates the internet, and a regulator (the Drinking Water Inspectorate or DWI) that is increasingly focused on evidence over assertion.