Cybersecurity outlook for 2026: four trends that SMEs cannot ignore

For many organizations, 2026 feels like “just another year.” That is, until you see how rapidly cyberattacks are changing. This is not only because attackers are becoming smarter, but also because our technology and rules are evolving. Machines are becoming more digital and therefore more vulnerable, scams are becoming more convincing thanks to GenAI, and the question “What if it goes down for a while?” is slowly changing to “What if it goes down tomorrow?”

Are you also curious about our Cybersecurity Review of 2025, in which we look back on the most notable cybersecurity issues?

Below are the four trends that are expected to make a difference in 2026.

Machinery Regulation 2027: cyber becomes machine safety

The EU Machinery Regulation (Regulation (EU) 2023/1230) will apply from January 20, 2027, replacing the Machinery Directive from 2006. This makes 2026 the last full year of preparation.

Many people are surprised to learn that this regulation explicitly addresses the reality of modern machines. Today’s machines do more than just perform mechanical tasks; they run software, connect to networks, receive updates, and communicate with other systems. The recitals cite the emergence of digital technologies, such as AI, the Internet of Things (IoT), and robotics, as the reason why there were gaps in existing legislation that are now being closed.

Even more importantly for OT (operational technology), the text includes requirements that directly affect cyber resilience. For instance, there is a crucial health and safety component regarding “protection against corruption” (i.e., manipulation or undesirable influence via links or external connections), and it even references EU cybersecurity certification as a means of demonstrating compliance with certain requirements. This makes clear that “cyber” is no longer just IT, but also part of product and machine safety.

GenAI phishing: the scammer gets a copywriting agency

Phishing is already a major issue, but by 2026 it will primarily take the form of large-scale, high-quality attacks. Generative AI has drastically lowered the threshold for creating credible text. Poor grammar and odd phrasing used to be warning signs, but attackers can now generate neat, businesslike emails in perfect English, tailored to the industry, role, and tone, in a matter of seconds.

ENISA (the EU’s cybersecurity agency) still cites phishing as the dominant entry point for cyberattacks. Its Threat Landscape report describes phishing as a very common starting point for cyberattacks and notes the growing trend of AI accelerating and refining this type of social engineering.

Furthermore, ENISA reports that AI-assisted phishing now constitutes a significant portion of global social engineering activity. In other words, AI is no longer just a “gimmick”; it is quickly becoming the norm.

A chatbot leak as a reputation incident: “what you share can stick around”

The second prediction for 2026 is less technical but potentially more damaging: a data leak via a chatbot that causes reputational damage (or worse) to an organization. This could involve a large platform or a smaller tool or smart assistant that has been “conveniently” activated somewhere.

This is not hypothetical. We have already seen that AI services can make mistakes when it comes to data protection. For example, OpenAI described an incident in which a bug allowed some users to briefly see other users’ data (such as chat titles).

Meanwhile, much more information is shared with AI tools than people realize. Research on the use of AI applications shows that employees often upload or paste sensitive information into AI chatbots. Sometimes it is done without meaning to, and sometimes it is done because “quick” is chosen over “safe.”

There is an additional dimension to this. Modern AI workflows read documents, emails, and web pages. This opens the door to attacks in which seemingly innocent content actually contains malicious instructions. Microsoft refers to this as (in)direct prompt injection and has published extensive defensive measures against it.

In that context, “being aware of what you share with AI” in 2026 isn’t just a catchy slogan; it’s sensible risk management.

Minimum Viable Company: downtime becomes the real expense

The fourth trend is not about a new hack, but about the question: what happens to your company if something does go wrong? More and more organizations are shifting from the idea of “we must prevent everything” to “we must be able to continue working if it does happen.” This fits in with the concept of the Minimum Viable Company (MVC): the smallest functioning company that can still deliver, invoice, communicate, and meet basic requirements while the rest recovers.

Consulting firms and resilience frameworks use MVC to emphasize that, in a crisis, it is not necessary to immediately return to full capacity. Rather, the focus should be on maintaining a minimal, safe business operation. MVC can now be seen as an important boardroom topic because cyberattacks, outages, and supply chain problems are increasingly becoming “normal” business risks. MVC helps you focus on core processes, critical infrastructure, essential personnel, and key data so that, in the event of an incident, you know what “must stay alive” and don’t get lost in priorities.

For SMEs, this is perhaps the most practical lesson for 2026: not because you suddenly become immune, but because you prevent a single incident from turning into weeks of downtime.

Finally, 2026 will be the year of making mature choices

If you add up the four trends, you see the pattern: cyber is shifting from an “IT problem” to a “business reality.” Machines and OT are becoming more prominent due to the Machinery Regulation. Phishing is becoming more convincing and widespread thanks to GenAI. AI tools are becoming more productive, but also more sensitive when it comes to data. The winners are organizations that know in advance what their “minimum business” looks like.

In that respect, it makes sense that more and more organizations are looking for tools and partners that make AI use manageable and can protect data flows. Zscaler, for example, explicitly positions Zscaler AI around secure AI use and data protection. OpenSight is also an official Zscaler partner and guides organizations in these kinds of processes, precisely where technology, policy, and practice come together.

Would you like to know where your company will stand in 2026? Then it would be wise to conduct a risk assessment of your company.

See also our Cybersecurity Review 2025, in which we discuss the most notable cybersecurity issues in a white paper.
