Cybersecurity Roundup: Partnerships, Funding, and Emerging Threats – July 10, 2026 | EU NIS2, K2, InfraShield NullCloud AI and ISG

Cybersecurity’s most important developments do not always arrive as dramatic data breaches, ransomware incidents or newly disclosed vulnerabilities.

Sometimes the more consequential stories concern the systems being built—or failing to be built—before the next attack occurs.

That is the connecting theme across today’s cybersecurity news.

The European Commission is taking Ireland, Spain, France and the Netherlands to the European Union’s highest court for failing to fully transpose the NIS2 Directive, the bloc’s flagship cybersecurity law for critical sectors. K2 has completed a cybersecurity assessment conducted by the U.S. Department of Homeland Security, reinforcing the growing commercial importance of demonstrable federal security maturity. InfraShield has introduced NullCloud AI as an on-premises artificial intelligence platform aimed at cybersecurity, regulatory compliance and critical-infrastructure resilience. In the United Kingdom, a new Information Services Group report finds that enterprises increasingly want security providers to prove measurable reductions in exposure, response time and operational disruption.

At first glance, these stories span different parts of the cybersecurity industry. One concerns European law, another federal contractor assurance, another artificial intelligence in critical infrastructure and the fourth the purchasing priorities of U.K. enterprises.

Together, however, they reveal a fundamental change in the cybersecurity market.

The industry is moving from declarations to evidence.

Governments no longer want member states merely to endorse common cyber rules; they want those rules enacted and enforced. Federal agencies no longer want contractors simply to claim that they follow recognized frameworks; they expect assessments capable of validating governance and security controls. Critical-infrastructure operators do not only want AI tools that generate recommendations; they want systems that can operate within strict security, privacy and sovereignty constraints. Corporate boards are no longer satisfied by a list of deployed products; they want evidence that cyber investments reduce business risk.

This transition is overdue.

Cybersecurity has spent too many years measuring activity instead of outcomes. Companies count alerts, tools, blocked emails, vulnerability scans and employee-training completions. These figures may indicate effort, but they do not necessarily establish resilience.

A company can operate dozens of security products and remain unable to recover from ransomware. It can pass an annual audit while accumulating dangerous exposure between assessments. It can publish an incident-response plan that has never been tested under pressure. It can adopt AI-enabled security software without understanding where sensitive operational data is processed.

The emerging standard is more demanding: show that the controls work.

That expectation explains why today’s stories matter. They are not merely updates about regulation and product launches. They are signals that cybersecurity is becoming an operational discipline in which readiness must be continuously demonstrated.

Today’s cybersecurity landscape: regulation, assurance and resilience converge

The cybersecurity market was once divided into relatively clear categories.

Regulators wrote rules. Auditors checked compliance. security vendors sold technology. Consultants advised clients. Internal security teams detected and responded to threats.

Those roles are now converging.

A modern security platform may generate evidence for auditors while monitoring threats. A managed detection and response provider may be paid partly according to response-time and risk-reduction targets. Regulators may require continuous incident reporting rather than periodic certification. Cybersecurity consultants may provide both governance advice and technical validation. Artificial intelligence may interpret control requirements, correlate operational data and prepare compliance documentation.

This convergence reflects the nature of current threats.

Ransomware groups, state-backed operators, supply-chain attackers and financially motivated cybercriminals do not respect organisational boundaries. They exploit the gap between policy and implementation, between information technology and operational technology, and between a company and its third-party providers.

The defensive response must therefore connect governance, technology, operations and accountability.

NIS2 is intended to create that connection across Europe by imposing baseline security and reporting duties on organisations in critical and important sectors. The K2 assessment story demonstrates the U.S. federal sector’s expectation that cybersecurity governance and controls can withstand external examination. InfraShield’s NullCloud AI launch reflects demand for AI capabilities that remain inside controlled environments. ISG’s U.K. research shows enterprises trying to connect security spending with measurable operational results.

The common denominator is cyber resilience.

Cybersecurity seeks to prevent compromise. Cyber resilience assumes that prevention may fail and asks whether the organisation can continue operating, contain the damage and recover quickly.

That distinction is increasingly important. No serious organisation can guarantee that every phishing message will be stopped, every software vulnerability patched immediately and every supplier perfectly secured. The more realistic objective is to reduce the probability of a severe incident while limiting the consequences when one occurs.

Cyber resilience is therefore not a softer substitute for security. It is a broader and more practical expression of it.


European Commission takes four countries to court over delayed NIS2 implementation

Source: The Record from Recorded Future News

The European Commission has referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to notify full national measures implementing the NIS2 Directive.

The four countries are more than 20 months beyond the original transposition deadline of October 17, 2024.

The Commission is asking the court to impose lump-sum and continuing daily financial penalties until each country confirms that NIS2 has been fully incorporated into domestic law.

The legal action marks a significant escalation.

European directives do not become fully operational through political agreement alone. Member states must translate them into national legislation, establish responsible authorities and create the administrative processes required to enforce them.

When that national implementation is delayed, the European Union may possess an agreed cybersecurity framework on paper without having a consistent operating system for supervision.

That is precisely the problem the Commission is now confronting.

NIS2 was designed to reduce Europe’s fragmented cybersecurity posture

The original Network and Information Security Directive, adopted in 2016, was an important early effort to establish common cybersecurity obligations across the European Union.

Its implementation was uneven.

Member states interpreted scope differently, designated different authorities and applied different enforcement standards. Organisations providing comparable services could face substantially different obligations depending on their location.

NIS2 was intended to correct those weaknesses.

The updated directive expands the number of covered sectors, strengthens risk-management requirements, adds more specific incident-reporting duties and increases the potential consequences of noncompliance. Its scope extends across 18 critical sectors, including energy, transport, health, digital infrastructure, public administration, water, manufacturing and postal services.

The objective is not regulatory uniformity for its own sake.

Europe’s critical systems are interconnected. A cyber incident affecting a telecommunications provider, managed service company, cloud platform or energy operator in one member state can have consequences throughout the bloc.

A fragmented regulatory response creates weak points.

Attackers do not need every country to have inadequate cybersecurity rules. They need one vulnerable organisation with access to a wider network.

NIS2 seeks to raise the minimum level of security across the union so that one jurisdiction’s weaknesses do not become everyone’s problem.

The continuing delays in major member states undermine that objective.

The referral exposes the gap between European ambition and national execution

The European Union has developed one of the world’s most ambitious cybersecurity and technology-regulation agendas.

NIS2 is only one element. Other initiatives address digital operational resilience in finance, connected-product security, artificial intelligence, data governance and cyber certification.

The volume of regulation creates a strong impression of coordinated action.

Yet regulation is only effective when national institutions can implement and enforce it.

The Commission’s decision to take four countries to court demonstrates that legal ambition at the European level can outpace political and administrative capacity at the national level.

France, Spain, Ireland and the Netherlands are not peripheral participants in Europe’s digital economy. They host major technology companies, cloud infrastructure, financial institutions, pharmaceutical operations, logistics networks and public services.

Delayed implementation in these countries affects far more than domestic organisations.

It also complicates compliance for multinational companies. A business operating across the European Union may face one NIS2-derived national regime in a country that transposed the directive early, an incomplete regime in another country and transitional uncertainty elsewhere.

This fragmentation increases legal cost without necessarily improving security.

The worst outcome is regulatory complexity without operational consistency.

Financial penalties may matter less than political pressure

The Commission has requested lump-sum and daily penalties, although member states frequently complete the required legislative process before the court reaches a final judgment.

In that sense, the immediate purpose of the referral may not be to collect fines.

The stronger objective is to create political urgency.

Court proceedings make delay more visible. They force governments to explain their progress and create a formal consequence for continuing inaction.

The reputational pressure is especially relevant in cybersecurity. Governments frequently warn private companies that delayed patching and incomplete compliance create unacceptable risk. Those warnings lose credibility when the governments themselves fail to implement agreed security legislation on time.

Public authorities should be held to the same principle they apply to critical-infrastructure operators: known risk should not remain indefinitely unresolved.

Ireland has indicated that its National Cyber Security Bill is close to completion and that it expects to notify full transposition by the end of 2026. The Record reported no comparable public timeline from Spain, France or the Netherlands at the time of publication.

A further delay until late 2026 would mean organisations in some jurisdictions had spent more than two years operating without the complete national framework envisaged by NIS2.

In cybersecurity terms, two years is not an administrative pause. It is several generations of threat development.

NIS2 implementation matters because the threat environment is worsening

The legal dispute is occurring against a backdrop of sustained attacks on European institutions and essential services.

According to figures cited by The Record, the European Union Agency for Cybersecurity identified thousands of incidents affecting the bloc during the year ending in June 2025. Public administration accounted for 38% of recorded incidents, making it the most targeted critical sector, while transport represented 7.5%.

Those figures reinforce why implementation deadlines matter.

Public agencies store sensitive information, manage citizen services and connect to numerous external organisations. They also frequently operate legacy technology under budget and workforce constraints.

Transport operators face a different but equally significant risk. Their technology combines corporate systems, operational equipment, passenger data, payment infrastructure and extensive third-party supply chains.

The consequences of a cyberattack can extend beyond confidentiality.

An incident may delay medical treatment, interrupt electricity distribution, disrupt public transport, prevent benefit payments or degrade emergency communications.

Cybersecurity regulation in these sectors is therefore not merely an exercise in protecting data. It is part of protecting social and economic continuity.

Incident reporting will be one of the most difficult NIS2 obligations

NIS2 introduces tighter expectations around reporting significant incidents.

In principle, faster reporting helps national authorities understand campaigns, coordinate responses and warn other organisations.

In practice, early incident reporting is difficult.

During the first hours of an intrusion, an organisation may not know what happened, which systems are affected or whether the attack will become material. The security team is simultaneously trying to contain the incident, preserve evidence, communicate with executives and restore services.

A rigid reporting obligation can create administrative pressure at the worst possible moment.

However, allowing organisations to wait until every fact is confirmed may deprive other potential targets of valuable warning.

The answer is not to eliminate early reporting. It is to design reporting processes that accept uncertainty.

Initial notifications should communicate what is known without requiring premature conclusions. Later reports can provide verified details and corrective actions.

National authorities also need the capacity to receive and use the information. Requiring thousands of companies to report incidents has little value if understaffed agencies cannot analyse those reports and return useful intelligence.

Transposing NIS2 is therefore only the beginning.

Member states must fund regulators, cybersecurity agencies and response teams capable of making the directive operational.

Supply-chain risk will determine whether NIS2 succeeds

One of NIS2’s most important contributions is its attention to supply-chain cybersecurity.

Large organisations depend on cloud providers, software vendors, managed service providers, telecommunications companies, logistics businesses and specialised contractors.

Attackers understand that a well-defended enterprise may still be accessible through a smaller supplier.

The challenge is that supply-chain security can easily become a paperwork exercise. Large companies distribute questionnaires asking vendors whether they use encryption, multifactor authentication and incident-response plans. Vendors answer affirmatively, and the relationship proceeds.

That process documents a claim. It does not establish that the control operates effectively.

NIS2 should encourage more meaningful assurance, including contractual security obligations, evidence-based assessments, coordinated incident exercises and clearer visibility into subcontractors.

Organisations should prioritise suppliers according to actual operational dependence. A small provider with privileged network access may present more risk than a much larger supplier providing a noncritical service.

Effective supply-chain cybersecurity requires understanding the consequences of failure, not merely counting vendors.

NIS2 is connected to Europe’s wider cybersecurity framework

The delays have consequences beyond the directive itself.

NIS2 helps support the broader European cyber ecosystem, including national incident-response capabilities and cooperation mechanisms. The Cyber Resilience Act, which establishes security requirements for connected products, relies partly on the national structures strengthened through NIS2.

Vulnerability-reporting obligations under the Cyber Resilience Act are scheduled to begin applying in 2027.

If national structures remain incomplete, Europe risks layering new obligations on an uneven administrative foundation.

This illustrates a recurring problem in technology regulation.

Legislators can approve rules more quickly than governments can develop expertise, systems and enforcement capacity. Each new law interacts with previous requirements, creating dependencies that are not always obvious during political debate.

Cybersecurity regulation must be treated as infrastructure.

A new obligation requires trained people, secure reporting platforms, enforcement procedures, technical guidance and coordination with other authorities. Without those elements, the law may generate uncertainty rather than resilience.

The NIS2 verdict

The Commission is right to escalate.

A common cybersecurity framework cannot remain optional for member states more than 20 months after an agreed deadline. Critical infrastructure is too interconnected, and the current threat environment is too aggressive, for indefinite national delay.

Yet court action should not distract from the deeper task.

Passing legislation does not secure a hospital, energy company or transport network. Organisations need practical guidance, sufficient time to remediate weaknesses and access to skilled professionals. Regulators need the expertise to distinguish superficial compliance from effective risk management.

NIS2 will succeed only when it changes operational behaviour.

The court referrals may accelerate the legal process. The real test will be whether national implementation produces better asset visibility, stronger incident response, improved supply-chain assurance and faster recovery when attacks occur.


K2’s DHS assessment demonstrates the rising value of externally validated cyber maturity

Source: Homeland Security Today

K2 has announced the successful completion of a cybersecurity assessment conducted by the U.S. Department of Homeland Security.

According to Homeland Security Today, the assessment examined K2’s cybersecurity governance, security-control implementation and alignment with applicable federal cybersecurity requirements.

The reported result validated the maturity of the company’s cybersecurity program and its ability to maintain security and compliance processes supporting federal missions.

K2 has spent more than two decades supporting civilian and defence agencies. Its cybersecurity personnel have participated in more than 70 federal security-assessment engagements involving NIST Special Publication 800-53 controls, the Risk Management Framework, Authorization to Operate activities and continuous monitoring.

This is a company announcement, and the public report does not provide a detailed assessment scorecard or list of findings. That limitation should be acknowledged.

Even so, the story illustrates an important trend in the federal cybersecurity market: organisations are increasingly expected to prove their security posture through structured external examination.

Federal cybersecurity is becoming a market-access requirement

For companies serving the U.S. government, cybersecurity is no longer merely an internal technology concern.

It affects eligibility to compete for work.

Federal contractors may handle sensitive data, connect to agency systems, provide software, manage physical infrastructure or support national-security missions. A weakness in the contractor’s environment can become a weakness in the government’s environment.

This is why security maturity influences procurement.

An organisation with well-documented controls, experienced personnel and tested compliance processes may be viewed as a lower-risk partner. A company unable to explain how it protects systems and information may lose opportunities regardless of its technical expertise in other areas.

The market is moving toward a model in which cybersecurity evidence becomes part of the commercial product.

Customers are not buying only the promised service. They are buying confidence that the provider can deliver the service without creating unacceptable exposure.

K2’s announcement should be understood in that context.

Successful completion of a DHS assessment can strengthen the company’s position when seeking federal work because it provides an external signal of organisational discipline.

Cybersecurity governance is as important as individual controls

Security discussions often focus on technologies: firewalls, endpoint detection, identity platforms and encryption.

The DHS assessment reportedly examined governance as well as control implementation.

That distinction matters.

A control may operate effectively today and deteriorate tomorrow if no one owns it. Governance defines responsibility, decision authority, risk acceptance, escalation and oversight.

Consider vulnerability management.

A scanning tool may identify thousands of weaknesses. Governance determines which team must remediate them, how priorities are assigned, when exceptions are allowed and who accepts the residual risk.

Without governance, technology generates information that no one is required to act upon.

The same principle applies to access control, incident response, third-party risk and data protection.

Mature cybersecurity programmes connect technical controls to accountable owners and business decisions.

This is especially important in federal environments, where systems may involve multiple agencies, contractors and legacy platforms. Responsibility can become fragmented unless it is explicitly defined.

NIST SP 800-53 remains central to federal security assurance

K2’s experience includes implementation and assessment work involving NIST Special Publication 800-53.

The framework provides a broad catalogue of security and privacy controls used extensively across U.S. federal systems.

Its value lies partly in creating a common vocabulary.

Agencies and contractors can discuss access control, audit logging, incident response, configuration management and system integrity using recognised control families and assessment procedures.

The danger is treating the framework as a checklist.

A control can be documented without being effective. A policy may require multifactor authentication while exceptions allow sensitive systems to remain exposed. An incident-response plan may exist but fail during an actual crisis because team members have never practised their roles.

Control frameworks provide structure, not automatic security.

Strong assessors therefore examine implementation evidence and operational consistency rather than accepting policy statements alone.

K2’s public announcement does not disclose the assessment methodology in enough detail to evaluate that distinction. Nevertheless, the emphasis on programme maturity and sustained practices suggests that ongoing operation—not only policy creation—was relevant.

Continuous monitoring replaces point-in-time confidence

K2’s reported federal experience includes continuous monitoring.

This is a critical development because cybersecurity conditions change constantly.

A system considered secure during an annual review can become vulnerable the next day when a new flaw is disclosed, an administrator changes a configuration or a supplier account is compromised.

Point-in-time assessments remain useful, but they provide a snapshot.

Continuous monitoring attempts to create an ongoing view of risk by collecting information about vulnerabilities, configurations, identities, system activity and control status.

The approach supports faster response, but it also creates challenges.

More data can produce more alerts without producing better decisions. Organisations need to define which changes are meaningful, who reviews the evidence and how remediation is tracked.

Continuous monitoring must also be connected to authorisation processes. A system should not remain approved indefinitely when evidence shows that its risk has materially changed.

The most mature model treats authorisation as an ongoing condition rather than a certificate stored until the next audit.

CMMC raises the commercial stakes

Homeland Security Today connected K2’s assessment with increasingly stringent federal requirements, including the Cybersecurity Maturity Model Certification programme.

CMMC is designed to strengthen the protection of sensitive information within the U.S. defence industrial base.

Its significance extends beyond the specific framework.

CMMC represents a shift away from unquestioned self-attestation toward more formal evidence and, for relevant organisations, external assessment.

This changes cybersecurity economics.

A company that underinvests in controls may no longer be able to compensate by writing an optimistic policy document. Deficiencies can affect contract eligibility and revenue.

The approach can improve security, but it may also place pressure on smaller suppliers that lack large compliance teams.

Government agencies and larger contractors should therefore avoid creating a system in which only companies with extensive administrative resources can participate.

The objective should be meaningful security proportional to risk, not maximum paperwork.

Tools that automate evidence collection can help, provided they accurately reflect operational reality rather than creating polished but misleading reports.

Assessments should reveal weaknesses, not merely validate strengths

Cybersecurity announcements usually celebrate successful certifications and assessments.

The more valuable outcome may be the weaknesses discovered during the process.

A rigorous assessment should identify gaps in access control, asset inventories, incident-response procedures, vendor oversight or configuration management. Correcting those gaps is the point.

An assessment producing no meaningful findings should sometimes invite scepticism, especially in a complex environment.

No cybersecurity programme is perfect.

Organisations should view assessments as improvement mechanisms rather than public-relations events. Leadership should reward teams for finding and fixing weaknesses before attackers do.

The K2 announcement would be more informative if it included high-level details about lessons learned or improvements made, while protecting sensitive information.

Greater transparency could help other federal contractors understand the standard expected of them.

The K2 verdict

K2’s completion of a DHS cybersecurity assessment reinforces a clear market signal: federal customers increasingly value demonstrable security maturity.

The announcement does not provide enough detail to independently judge the depth of the assessment, and readers should distinguish a company-reported result from a publicly available audit report.

Even with that caveat, the strategic significance is real.

Cybersecurity assurance is becoming part of contractor credibility. Organisations that can document governance, implement controls, support continuous monitoring and survive external scrutiny will have an advantage.

The most successful federal providers will not treat compliance as a temporary project before a procurement deadline.

They will build security into routine operations.


InfraShield’s NullCloud AI reflects demand for private, on-premises cyber intelligence

Source: Industrial Cyber

InfraShield has unveiled NullCloud AI, described as an on-premises artificial intelligence platform for cybersecurity, compliance and critical-infrastructure resilience.

The product’s positioning is notable because much of the current AI market depends on remotely hosted cloud services.

For ordinary business applications, cloud-based AI can provide rapid deployment, access to powerful computing resources and frequent model improvements. In critical infrastructure, however, the calculation is more complicated.

Energy operators, nuclear facilities, industrial organisations and other critical-service providers manage highly sensitive data and systems that may be isolated from the public internet. Some operate air-gapped environments or networks subject to strict access and change-control procedures.

Sending operational data to a third-party cloud can create unacceptable security, privacy, sovereignty or reliability risk.

An on-premises AI platform seeks to address that concern by keeping processing within the organisation’s controlled environment.

Why on-premises AI matters in critical infrastructure

Cloud computing has transformed enterprise technology, but critical infrastructure cannot adopt every cloud pattern without modification.

Industrial systems may remain operational for decades. They often include specialised equipment, proprietary protocols and devices that cannot be patched or restarted as easily as conventional office technology.

Availability and safety take priority.

A cloud outage that interrupts a productivity application is inconvenient. A connectivity failure affecting a security function inside an energy or water environment can have more serious consequences.

On-premises deployment can reduce dependence on external connectivity and give the operator greater control over system configuration, data retention and update schedules.

It can also support environments in which sensitive asset information is prohibited from leaving a protected boundary.

This does not make on-premises AI automatically secure.

Local deployment transfers responsibility to the organisation. The operator must manage hardware, model updates, identity controls, monitoring and vulnerability remediation. A poorly configured local AI system may create as much risk as a poorly governed cloud service.

The correct argument is not that on-premises infrastructure is always safer.

It is that certain organisations need direct control over where data is processed and how the system operates.

Cybersecurity data is among an organisation’s most sensitive information

AI-powered security tools may process vulnerability reports, network diagrams, asset inventories, event logs, incident records and details about defensive controls.

This information is extremely valuable to defenders.

It is also valuable to attackers.

A complete vulnerability inventory can function as a roadmap for intrusion. Network architecture can reveal critical pathways. Incident reports can expose which detection tools are deployed and where response processes have failed.

Organisations should therefore evaluate AI security products according to both what the system produces and what information it consumes.

A model may generate an excellent compliance summary while creating a new concentration of sensitive data.

An on-premises architecture can reduce some exposure by keeping inputs and outputs inside the customer’s environment. The organisation still needs strong access control, encryption, audit logging and data-lifecycle policies.

AI does not remove the need for traditional security architecture. It makes that architecture more important.

Compliance automation is attractive because manual evidence collection is inefficient

Cybersecurity compliance requires substantial evidence.

Organisations may need to demonstrate security policies, system configurations, access reviews, vulnerability remediation, incident testing, employee training and supplier assessments.

Much of this work remains manual.

Security and compliance teams collect screenshots, export reports, update spreadsheets and prepare narrative explanations for auditors. The process consumes time that could otherwise be used to reduce risk.

AI can potentially improve this workflow.

A system could map evidence to control requirements, identify missing documentation, summarise changes and help teams prepare audit responses. It might also compare internal policies with technical data to identify inconsistencies.

For example, a policy may state that privileged accounts are reviewed every quarter. An AI-assisted system could examine available identity records and flag evidence suggesting that the review was missed.

This is more valuable than simply drafting a policy document.

The strongest compliance AI will connect written requirements with operational evidence.

However, automation creates a temptation to confuse document quality with security quality.

An AI system can produce an elegant compliance narrative even when the underlying control is weak. Organisations must ensure that generated documentation remains traceable to verified evidence.

Auditors should be able to see which source records support each conclusion.

AI recommendations must be explainable in high-stakes environments

Critical-infrastructure operators cannot responsibly follow an AI recommendation merely because the system produced it.

They need to understand the evidence, assumptions and potential operational consequences.

This is especially important when cybersecurity and safety overlap.

A security platform might recommend isolating a device or blocking communication. In a normal corporate environment, that action may interrupt one employee’s work. In an industrial environment, the same action could interfere with a physical process.

Automated remediation must therefore respect operational constraints.

Security AI should distinguish between advisory actions, reversible actions and high-consequence actions requiring human approval.

Explainability also matters for compliance. An operator should be able to demonstrate why the system classified a risk, how it mapped evidence to a requirement and what data influenced the recommendation.

A black-box AI system may accelerate analysis while making governance more difficult.

The greater the system’s authority, the greater the need for transparency.

On-premises AI supports sovereignty but may complicate model maintenance

Data sovereignty has become a major enterprise concern.

Governments and regulated industries increasingly want assurance that sensitive information remains within approved jurisdictions and is not used to train external models.

Local deployment can support those requirements.

Yet AI models require maintenance.

New vulnerabilities, attack techniques and regulatory interpretations emerge continuously. A model installed in an isolated environment may become outdated unless the provider creates a secure update process.

Updates themselves create supply-chain risk.

A malicious or compromised model package could introduce dangerous behaviour into a protected network. Operators need cryptographic verification, controlled testing and rollback capabilities.

They may also need to evaluate whether updates change model behaviour in ways that affect prior approvals.

The traditional software-patching problem becomes more complicated with AI because a model update may alter recommendations even when the user interface remains unchanged.

Critical-infrastructure AI therefore requires model governance, not merely software governance.

Organisations should track model versions, evaluation results, data dependencies and approved use cases.

Air-gapped environments still face cyber risk

InfraShield publicly positions its work around operational technology, industrial control systems and air-gapped environments.

Air gaps are frequently misunderstood as complete protection.

A network disconnected from the public internet may be less exposed to remote attacks, but it can still be compromised through portable media, maintenance equipment, supply-chain components, insider activity or temporary connections.

AI deployed inside an isolated environment must account for these pathways.

It may help analysts organise information and identify suspicious patterns without sending data externally. It may also introduce new software dependencies and require additional hardware inside a sensitive network.

Every new capability expands the system’s attack surface.

The security case for local AI should therefore include an assessment of how the platform is installed, updated, authenticated and monitored.

An on-premises label is not a substitute for secure-by-design engineering.

Human expertise remains essential

Critical-infrastructure cybersecurity involves specialised knowledge.

An analyst must understand both digital threats and the physical process being protected. A suspicious communication pattern may be malicious in one environment and normal in another.

AI can help process large amounts of information, but it may lack the operational context required to evaluate consequences.

The most credible product model is augmentation.

AI can retrieve relevant requirements, summarise evidence, correlate events and propose priorities. Human experts determine whether the recommendation makes sense within the operational and safety context.

This partnership can reduce workload without transferring accountability to a model.

Vendors should be cautious about promising autonomous security management in critical infrastructure. The market may reward ambitious claims, but operators need predictable behaviour more than novelty.

A system that reliably saves analysts several hours per week may be more valuable than one claiming to replace the security team.

Independent testing will determine NullCloud AI’s credibility

The available announcement positions NullCloud AI around three attractive concepts: local deployment, cybersecurity compliance and critical-infrastructure resilience.

Those concepts address genuine market needs.

The next question is evidence.

Buyers should seek information about supported deployment architectures, data handling, identity integration, logging, model security, evaluation methods and update processes. They should also examine how the platform performs with incomplete or conflicting information.

Cybersecurity AI should be tested against hallucination, prompt injection, data poisoning and malicious documents.

An attacker may attempt to influence an AI system by placing deceptive instructions in a report or log entry. The platform must treat untrusted content as data rather than authority.

Critical-infrastructure operators should also test failure modes.

What happens when the model is unavailable? Can the organisation continue its compliance and security processes? Does the platform fail safely? Can recommendations be reproduced and audited?

These questions will distinguish an operationally mature product from a compelling demonstration.

The NullCloud AI verdict

InfraShield’s on-premises approach aligns with an important direction in enterprise cybersecurity.

Organisations want the benefits of artificial intelligence without automatically surrendering control of sensitive data and critical workflows to public cloud services.

The concept is especially relevant for nuclear, energy and industrial environments.

However, local deployment is only one part of the security equation. NullCloud AI will ultimately be judged on the quality of its outputs, the transparency of its decisions, the security of its update process and its ability to operate within real-world safety constraints.

The broader market lesson is clear.

Sovereign and private AI will become a major cybersecurity category, particularly where data sensitivity and operational continuity outweigh the convenience of a fully managed cloud service.


U.K. enterprises demand measurable cyber resilience

Source: Business Wire and Information Services Group

U.K. enterprises are increasingly treating cybersecurity as a core business discipline rather than a collection of technical controls, according to the 2026 ISG Provider Lens Cybersecurity — Services and Solutions report.

The research finds that boards and regulators want companies to demonstrate how security investments reduce exposure, shorten response times and support operational continuity.

Organisations are replacing static compliance checks with continuous assurance models that generate current evidence for regulators, insurers and internal risk teams.

They increasingly want dashboards and readiness scores that show whether controls function under pressure.

The report also identifies growing demand for AI-assisted security operations, transparent AI decision-making, stronger supply-chain visibility, integrated information technology and operational technology protection, U.K.-based security operations centres and co-managed delivery models.

These findings describe a mature direction for cybersecurity procurement.

The question is whether the industry can deliver it without reducing resilience to another collection of questionable scores.

Boards are asking the right question: what changed because of the investment?

Cybersecurity leaders have traditionally justified spending by describing threats.

They discuss the number of attacks, vulnerabilities and malicious emails facing the organisation. Those figures can demonstrate that the problem is serious, but they do not necessarily show that a particular investment is effective.

Boards increasingly want a clearer connection between expenditure and outcome.

Did the new identity platform reduce privileged access? Did the managed detection service shorten the time required to investigate a serious alert? Did the backup programme improve recovery performance? Did supplier monitoring identify a risk that would otherwise have remained invisible?

These are better questions.

Cybersecurity budgets should not be protected from accountability simply because cyber risk is difficult to measure.

At the same time, leaders should avoid demanding false precision. Cybersecurity does not operate like a production line in which one investment reliably creates one measurable output.

A control may prevent an incident that never becomes visible. Threat conditions change. Different parts of the programme interact.

The objective should be decision-useful measurement rather than perfect mathematical certainty.

Control existence is no longer enough

ISG describes a shift from proving that controls exist to proving that they reduce risk.

This distinction should become a foundation of modern cybersecurity.

An organisation can deploy endpoint protection on every laptop and still fail to detect advanced malicious activity. It can require annual training and continue losing credentials to phishing. It can operate backups that cannot be restored within an acceptable period.

Control coverage is not control effectiveness.

Security teams need to test whether defensive systems perform under realistic conditions.

Purple-team exercises can evaluate detection and response capabilities. Recovery exercises can test whether backup data and procedures work. Phishing simulations can identify behavioural and process weaknesses. Attack-path analysis can reveal combinations of misconfigurations that create exposure.

The resulting evidence should guide investment.

A tool that generates thousands of alerts but does not help analysts identify serious incidents may have impressive activity statistics and poor business value.

Continuous assurance addresses the limitations of annual audits

Annual assessments provide a point-in-time view.

Cyber risk changes too quickly for that model to provide sufficient confidence.

Employees join and leave. Cloud resources are created. Permissions expand. Software components change. Suppliers gain access. New vulnerabilities appear.

Continuous assurance seeks to collect evidence as these changes occur.

The approach can improve readiness by identifying control failure before the next audit. It can also reduce the burden of preparing evidence because information is gathered throughout the year.

Automated evidence generation is particularly attractive in regulated sectors.

Financial institutions, healthcare organisations and critical-service providers may need to respond to multiple regulators and internal assurance teams. Repeatedly collecting similar information creates expense without necessarily improving security.

A common evidence layer could support several requirements.

The risk is automating a flawed interpretation.

If a platform incorrectly maps one technical setting to multiple control requirements, the organisation may develop false confidence at scale.

Continuous assurance systems require validation, data-quality controls and human review. They should make evidence easier to examine, not hide it behind a score.

Readiness scores can help—or mislead

ISG reports that enterprises increasingly expect dashboards and readiness scores.

Executives need concise information. They cannot review every technical finding.

A well-designed score can show trends, highlight weak areas and support prioritisation.

A poorly designed score can create security theatre.

The methodology matters.

A provider may improve a customer’s readiness score by closing large numbers of low-risk findings while leaving a small number of critical attack paths unresolved. A single numerical result may hide major differences among business units or systems.

Scores should therefore be decomposable.

Executives should be able to move from the high-level indicator to the evidence and assumptions underneath it.

Metrics should also reflect business context.

A vulnerability affecting an isolated testing system should not be treated identically to the same vulnerability on an internet-facing identity server.

The purpose of measurement is to improve decisions. Any metric that can be improved without reducing meaningful risk is vulnerable to manipulation.

Outcome-based contracts could reshape the security-services market

The report identifies growing demand for provider contracts connected to outcomes such as reduced attacker dwell time, faster response and improved resilience metrics.

This model has significant potential.

Traditional managed-security contracts may define service activities: monitor alerts, deliver reports and maintain agreed coverage. A provider can technically satisfy the contract even when the customer remains poorly protected.

Outcome-based contracting creates stronger alignment.

The provider has a commercial incentive to improve the customer’s actual capability.

Implementation will be difficult.

Cybersecurity outcomes depend on both provider and customer. A managed detection service cannot respond effectively if the customer fails to provide logs, maintain system inventories or grant appropriate access. The provider should not be held entirely responsible for conditions outside its control.

Contracts therefore need shared responsibilities and transparent baselines.

They should also avoid incentives to suppress reporting. A provider measured solely on a low number of incidents may classify events less severely. A provider measured solely on response speed may close investigations prematurely.

Balanced metrics are necessary.

Potential measures include detection coverage, time to validate serious alerts, containment performance, recovery-test success and reduction of known attack paths.

AI-assisted security operations are becoming necessary

Security operations centres process enormous volumes of data.

Analysts must distinguish routine activity from meaningful threats while attackers attempt to hide inside normal behaviour.

AI can help summarise alerts, correlate evidence and recommend investigation steps. It can reduce repetitive work and allow analysts to focus on higher-value judgment.

This is especially important given the persistent shortage of experienced cybersecurity professionals.

However, AI-assisted operations introduce their own risks.

A model may generate an incorrect explanation, overlook a subtle indicator or recommend an inappropriate response. Attackers may deliberately manipulate inputs to influence the system.

ISG’s emphasis on explainable models and human oversight is therefore appropriate.

AI should show which evidence supports its conclusion and communicate uncertainty.

Analysts must remain able to challenge the recommendation.

The most dangerous security AI is not a model that occasionally admits uncertainty. It is a model that presents an incorrect interpretation with enough confidence to stop further investigation.

Transparent AI is moving from differentiator to requirement

ISG argues that explainable AI decision-making is becoming a standard expectation in next-generation security operations and managed detection and response services.

This transition is healthy.

For several years, vendors marketed artificial intelligence as a proprietary advantage while providing limited information about how conclusions were reached.

Customers were expected to trust the algorithm.

That model is incompatible with regulated and high-risk environments.

A security team may need to explain why an account was disabled, why traffic was blocked or why an incident was escalated. Regulators, auditors and business owners may challenge the decision.

A provider should be able to demonstrate the relevant evidence even when it cannot disclose every detail of its model.

Transparency also supports improvement.

When analysts understand why the AI made a recommendation, they can identify systematic errors and provide useful feedback.

Explainability should not be reduced to a paragraph generated after the decision. It should include traceable evidence, model versioning and clear boundaries around automated action.

Supply-chain visibility becomes a primary concern

The report identifies supply-chain risk as a major enterprise priority.

This reflects the growing recognition that organisations do not control all the systems on which they depend.

A company may have strong internal defences and still be exposed through software providers, cloud platforms, identity services, contractors or data processors.

Traditional third-party risk management cannot keep pace with this complexity.

Annual questionnaires provide limited visibility into changing conditions. A supplier may pass an assessment and suffer a compromise weeks later.

Organisations need more continuous information about critical providers.

They should identify which suppliers can access sensitive data, disrupt operations or introduce software into important environments. They should establish reporting requirements and test coordination before a crisis.

Supply-chain resilience also requires alternatives.

A company that depends entirely on one provider for a critical function may have limited options during an incident. Business-continuity planning should consider how long the organisation can operate without the supplier and whether manual or alternate processes exist.

Cybersecurity teams should work with procurement and business owners rather than treating third-party risk as a separate compliance function.

IT and operational technology can no longer be secured independently

The convergence of information technology and operational technology is another major theme in the ISG report.

Industrial operations increasingly depend on digital connectivity, remote access, cloud analytics and enterprise applications.

These connections improve efficiency but allow threats to move across environments that were once more isolated.

IT security teams often prioritise confidentiality and rapid patching. OT teams prioritise safety, availability and process stability.

Both perspectives are legitimate.

A security control appropriate for an office network may create operational risk in a factory or utility. Conversely, leaving legacy operational systems unmonitored because they are sensitive to change creates long-term exposure.

Integrated governance is required.

Organisations need shared asset inventories, defined trust boundaries and coordinated incident-response plans. Security teams should understand which digital systems can affect physical processes.

Exercises should include both cyber and operational personnel.

The objective is not to make IT and OT identical. It is to ensure that decisions in one environment account for consequences in the other.

U.K.-based SOCs reflect demand for local accountability

ISG reports that buyers favour providers offering U.K.-based security operations centres and co-managed models.

Local operations can support regulatory expectations, data-sovereignty preferences and closer customer relationships.

They may also improve contextual understanding. Analysts familiar with the customer’s regulatory environment and operating hours may communicate more effectively during an incident.

Location alone does not guarantee quality.

A poorly managed local SOC is not superior to a highly capable international operation.

The more important concept is accountability.

Customers want to know who is monitoring their environment, where sensitive information is processed and who can make decisions during a crisis.

Providers should offer transparency about staffing, subcontractors, data flows and escalation procedures.

Co-managed models can preserve customer control while adding external expertise.

This arrangement is attractive because fully outsourcing cybersecurity may weaken internal knowledge. The organisation still needs people capable of understanding risk and challenging the provider.

Tool consolidation responds to operational overload

The report also notes growing interest in reducing overlapping security tools.

Many enterprises have accumulated products over years of reactive purchasing.

Each new threat generated another platform. The result is fragmented data, duplicated functionality and teams responsible for integrations that do not work reliably.

Tool consolidation can reduce cost and complexity.

It can also create vendor concentration.

An integrated platform may improve visibility, but dependence on one supplier increases the impact of an outage, vulnerability or commercial dispute.

Organisations should consolidate intentionally rather than pursuing the smallest possible number of vendors.

The correct objective is an architecture in which every product has a defined purpose and the tools exchange useful information.

A security platform should be judged by the operational workflow it enables, not the number of logos it replaces.

Post-quantum preparation is becoming part of resilience planning

ISG identifies preparation for post-quantum cryptography as another market trend.

Cryptographically relevant quantum computers may not yet be available, but organisations need time to identify and replace vulnerable algorithms.

The first step is visibility.

Companies should understand where cryptography is used, which systems depend on long-lived certificates and which information must remain confidential for many years.

This is difficult because encryption is embedded throughout software, devices and supplier products.

The “harvest now, decrypt later” threat adds urgency. Adversaries may collect encrypted information today in the expectation that future technology will make decryption possible.

Not every organisation needs an immediate full migration.

Every significant organisation should begin crypto-agility planning.

Cyber resilience includes preparing for technological changes that may invalidate existing security assumptions.

The U.K. market verdict

The shift toward measurable resilience is positive.

Cybersecurity providers should be expected to demonstrate that their services improve operational outcomes rather than simply generate more activity.

Continuous assurance, AI-assisted operations and outcome-based contracts can all contribute to that goal.

The danger is replacing one form of security theatre with another.

Dashboards, scores and automated reports are useful only when they remain connected to real evidence and business consequences.

The strongest U.K. security programmes will combine measurement with professional judgment. They will use AI to accelerate analysis without surrendering accountability. They will consolidate tools without creating dangerous dependence. They will demand clear outcomes while recognising that resilience remains a shared responsibility.


The larger cybersecurity trend: evidence is replacing assertion

The four stories point toward the same conclusion.

Cybersecurity claims are becoming less valuable without supporting evidence.

A European government says it supports NIS2. The Commission asks whether the directive has actually been transposed.

A federal contractor says it operates securely. A DHS assessment examines governance and controls.

A vendor says AI can improve critical-infrastructure cybersecurity. Buyers will ask where the data is processed, how recommendations are validated and whether the system can be independently tested.

A managed-security provider says it protects the customer. Boards ask whether attacker dwell time and operational disruption have decreased.

This transition will reward organisations capable of creating trustworthy evidence as part of normal operations.

It will challenge those that rely on annual reports, marketing claims and manually assembled compliance packages.

Compliance and resilience are becoming more closely connected

Compliance has often been criticised as a checkbox exercise.

That criticism is sometimes justified.

Organisations may focus on satisfying an auditor instead of reducing risk. Controls may be implemented narrowly to meet written requirements without addressing the broader threat.

Yet the correct response is not to abandon compliance.

Well-designed compliance can establish minimum expectations, clarify accountability and force organisations to address risks they might otherwise ignore.

The goal should be compliance that produces resilience.

NIS2 attempts to connect legal obligations with risk management and incident response. Federal frameworks connect controls with system authorisation and monitoring. Continuous-assurance platforms connect audit evidence with live operational data.

The distinction between compliance and security narrows when the evidence demonstrates that controls work.

AI is becoming both the defender and the object of defence

InfraShield’s NullCloud AI and the ISG report both highlight artificial intelligence’s expanding role in cybersecurity.

AI can help defenders analyse data, identify patterns and automate evidence. Attackers can use similar capabilities to scale reconnaissance, phishing and exploitation.

Security teams must therefore manage two problems.

They must use AI responsibly, and they must secure the AI systems themselves.

Models can be manipulated. Data pipelines can be poisoned. AI agents may receive malicious instructions from untrusted content. Sensitive information may be exposed through prompts, logs or third-party services.

An AI-enabled SOC is not automatically a more secure SOC.

Organisations need model access controls, evaluation procedures, monitoring and incident plans. They should identify which AI actions require human approval and how incorrect outputs will be detected.

The decision between public-cloud and on-premises AI should be based on data sensitivity, operational requirements and internal capability rather than fashion.

Cybersecurity measurement is moving closer to business impact

For years, security teams reported technical metrics that executives found difficult to interpret.

Critical vulnerabilities, alert volumes and patch percentages provide information, but they do not directly explain the consequence for the organisation.

The emerging focus on resilience creates an opportunity to improve communication.

Boards can consider how long important services would remain unavailable after a ransomware attack. They can examine whether the organisation can operate when a supplier fails. They can evaluate the potential financial and safety consequences of losing a critical system.

This does not eliminate technical metrics.

It connects them to decisions.

A vulnerability is important because it creates a plausible path to a damaging outcome. A backup control matters because it changes recovery time. An identity improvement matters because it reduces the probability that one compromised account becomes an enterprise-wide incident.

Security leaders should translate without oversimplifying.

Cyber risk cannot always be expressed as one financial number, but it can be connected more clearly to business objectives.

Public-private cooperation remains essential

NIS2 depends on cooperation among EU institutions, national governments and private operators.

DHS assessments depend on federal agencies and contractors sharing expectations and evidence.

Critical-infrastructure AI requires collaboration among vendors, operators, regulators and safety experts.

U.K. cyber resilience increasingly relies on co-managed relationships between internal teams and specialist providers.

No organisation can secure the digital economy alone.

Governments possess threat intelligence and regulatory authority but may lack direct visibility into every private network. Companies operate the infrastructure but may not see wider campaigns. Security providers observe patterns across multiple customers but must protect confidentiality.

Effective cooperation requires trusted mechanisms for sharing actionable information.

It also requires clear responsibility.

Partnership should not become an excuse for assuming that another party will handle the risk.

Contracts, regulations and incident plans should specify who acts, who communicates and who makes decisions.


What chief information security officers should do next

The first priority is to build an evidence strategy.

Security teams should identify which controls matter most, what evidence demonstrates effectiveness and how that evidence can be collected without excessive manual work.

This begins with critical assets and business services.

Not every control deserves the same level of monitoring. Organisations should focus on the systems whose failure would cause serious operational, financial, legal or safety consequences.

The second priority is to test resilience.

Plans should be exercised under realistic conditions. Executives, technical teams, communications personnel and relevant suppliers should understand their roles.

Recovery tests should measure actual restoration time rather than assume that backups will work.

The third priority is to govern AI security tools.

CISOs should know what data enters the model, where it is processed and whether it can be retained or used for training. They should establish approval boundaries for automated actions and test for manipulation.

The fourth priority is to reassess supplier dependence.

Organisations should identify the vendors capable of causing operational disruption or providing a path into sensitive systems. Contracts should include security and notification requirements proportional to that risk.

Finally, security leaders should improve board reporting.

Every major metric should support a decision. Reports should show trends, unresolved exposure and the effect of previous investment.

The purpose is not to make the security programme look successful.

It is to help leadership decide what must improve.

What cybersecurity vendors should learn

Security vendors should expect customers to demand proof.

Marketing language about “AI-powered protection,” “zero trust” and “military-grade security” is losing value.

Buyers want deployment evidence, evaluation results and operational references.

Vendors offering artificial intelligence should explain data flows, model limitations and human-oversight mechanisms.

Providers selling managed services should define measurable outcomes while acknowledging shared responsibilities.

Compliance platforms should maintain traceability from generated documentation to source evidence.

Critical-infrastructure vendors should design around safety, availability and long system lifecycles rather than applying enterprise IT assumptions without modification.

Local accountability will also matter.

Customers want to know who provides the service, where analysts are located and which subcontractors have access.

Trust will increasingly be won through transparency rather than broad claims of superiority.

What regulators should learn

Regulators should focus on implementation capacity.

Approving legislation is not enough. Authorities need personnel, secure reporting systems and technical expertise.

Guidance should help organisations understand how requirements apply in practice.

Regulators should avoid encouraging an industry devoted to evidence production rather than risk reduction.

Automated compliance can reduce burden, but supervisory teams must remain capable of challenging the quality of the underlying evidence.

Cross-border coordination is particularly important.

Threats and supply chains operate internationally, while enforcement frequently remains national. Information-sharing and common supervisory approaches can reduce the resulting gaps.

Regulators also need to update expectations as AI becomes embedded in security operations.

Requirements should address model governance, traceability and automated decision-making without prescribing one technical architecture.

The objective should be responsible outcomes.


Conclusion: cybersecurity enters the age of continuous proof

The cybersecurity industry is moving into an era in which readiness must be demonstrated continuously.

The European Commission’s action against Ireland, Spain, France and the Netherlands shows that regulatory commitments without implementation are no longer sufficient.

K2’s DHS assessment shows that contractors serving sensitive federal missions are expected to provide evidence of governance and control maturity.

InfraShield’s NullCloud AI announcement reflects the demand for artificial intelligence that can operate within private, regulated and operationally sensitive environments.

ISG’s U.K. research shows that boards increasingly expect security programmes to demonstrate measurable resilience.

The broader lesson is that cybersecurity is no longer defined by the presence of controls.

It is defined by their performance.

A company is not resilient because it has an incident-response document. It is resilient when teams can contain an attack and restore important services.

A supplier is not trustworthy because it completed a questionnaire. It is trustworthy when it can demonstrate how security is governed and tested.

An AI platform is not secure because it runs locally. It is secure when its architecture, data handling and behaviour withstand scrutiny.

A government does not have an effective cyber regime because it agreed to a directive. It has one when national authorities can enforce the rules and help critical organisations improve.

This emphasis on evidence should create a healthier cybersecurity market.

It may reduce demand for tools that generate activity without reducing risk. It may strengthen providers capable of combining technology with accountable services. It may also encourage boards to treat cybersecurity as part of operational performance rather than an isolated technical cost.

There will be resistance.

Continuous assurance exposes weaknesses more frequently. Outcome-based contracts create greater accountability. Transparent AI removes some of the mystery vendors use to differentiate products. Stronger regulation increases implementation costs.

Those pressures are necessary.

Cyber threats are becoming faster, more automated and more interconnected. Defenders cannot respond with annual snapshots and optimistic assumptions.

The next phase of cybersecurity will be built around live evidence, tested recovery, accountable partnerships and systems designed to remain effective as conditions change.

The defining question will no longer be whether an organisation has invested in cybersecurity.

It will be whether that investment can be shown to protect the operations people depend upon.

Peter Tolan is a Junior Content Editor for the HIPTHER network, where he has quickly established himself as a versatile voice in the global iGaming and technology sectors. Operating across the network's specialized platforms, Peter leverages a deep understanding of the European and American gaming landscapes to deliver high-impact, B2B intelligence. He is a key contributor to the "Evolution" side of the industry, specializing in the analysis of online gaming trends, the fast-paced world of esports, and the integration of deep-tech innovations. With a sharp eye for emerging technologies, Peter ensures that the HIPTHER community remains at the forefront of the global digital revolution.