The big picture
Cyberattacks and IT disruptions are no longer rare, unpredictable events—they are operational realities that organizations must continuously prepare themselves for. The true measure of resilience lies not just in how organizations respond to incidents, but in what changes they implement afterwards.
Our research examines how organizations across the United Kingdom and Europe respond to cybersecurity incidents, focusing on operational accountability, incident learning, and long-term resilience. It explores how businesses manage critical systems, respond to disruptions, evaluate lessons from incidents, and prepare their infrastructure for future threats.
A snapshot of our survey cohort
We surveyed more than 1,500 IT and business decision-makers across the UK, Spain, Germany, Italy, and the Netherlands, representing organizations ranging from small and mid-sized businesses to large enterprises.
All respondents held responsibilities related to IT operations, cybersecurity, digital infrastructure, or risk management within their organizations. They came from a diverse range of sectors, including government, banking and finance, manufacturing, retail, technology, and healthcare.
Incident experience and exposure
Understanding operational resilience requires basing the conversation on real-world incidents and their impact. The study reveals that more than half of the respondents reported having experienced a cyber incident in the past year, and a significant minority (14%) reported more than half of the incidents as being business critical.
| Market | Respondents who experienced at least one cyber incident in the past 12 months |
|---|---|
| Overall | 66% |
| UK | 77% |
| Germany | 75% |
| Netherlands | 70% |
| Spain | 47% |
| Italy | 62% |
Social engineering, malware-based attacks, and data breaches dominate the types of incidents reported, with vulnerable systems and user-driven security lapses being the major root causes.
Impact of the incidents across the organization
Incident response and accountability
One of the most important indicators of operational maturity is how organizations evaluate and learn from cybersecurity incidents. This begins with formal reviews and meaningful changes implemented after incidents.
Comparative analysis: formal reviews conducted after incidents
| Market | Formal reviews conducted after incidents |
|---|---|
| Overall | 95% |
| UK | 96% |
| Germany | 95% |
| Netherlands | 94% |
| Spain | 89% |
| Italy | 98% |
A clear majority of respondents report implementing meaningful improvements following incident reviews, with more than a quarter adopting broader, long-term measures to strengthen operational resilience. This leaves a notable minority making only minimal changes to address incidents and return to business as usual.
Changes implemented in the last 12 months
Technical upgrades and workforce training lead the response playbook — supplier management and internal policy sit furthest behind.
Ninety-two percent of respondents confirm having a solid backup strategy, and 85% report clear responsibilities in the event of security incidents. However, ownership of incident management continues to rest primarily with IT and security teams, with limited ongoing support from the leadership.
BACKUP STRATEGY
CLEAR RESPONSIBILITIES
LEADERSHIP GAP
With around 72% indicating that leadership involvement occurs only during crises or when necessary, the findings reveal a critical gap between the level of management engagement cyber resilience demands and what is practised in reality.
Board/C-suite involvement in incident and crisis management
Critical systems and digital dependency
Modern organizations rely heavily on digital systems for their day-to-day operations. While system importance is largely balanced, IT operations and IT service management tools hold a slight edge, closely followed by access management and security monitoring tools.
Dependency on critical systems
75% have defined time targets for recognising and acting on incidents
90% are capable of detecting and responding to the incidents on the same day
However, recovery from incidents seems to take relatively longer, with durations of up to 10 days and in some cases even up to 20 days. This growing recovery gap brings to light the operational burden of recovery and the impact of the high dependency on critical systems.
Workforce, skills, and operational pressure
Maintaining operational resilience requires skilled teams capable of managing increasingly complex infrastructures. With the majority of incident management responsibility owned by IT and security teams, over a quarter of the respondents say their teams are stretched, overloaded, or operating in crisis mode. This is especially concerning given skill gaps from evolving threats and a shortage of qualified staff that’s worsened by manual processes.
Challenges – Overall
- Skill gaps: 37%
- Lack of qualified workforce: 30%
- Poorly integrated tools: 28%
Challenges
- Skill gaps: 40%
- Lack of qualified workforce: 32%
- Poorly integrated tools: 30%
Challenges
- Skill gaps: 34%
- Lack of qualified workforce: 29%
- Poorly integrated tools: 27%
Challenges
- Skill gaps: 35%
- Lack of qualified workforce: 28%
- Poorly integrated tools: 26%
Challenges
- Skill gaps: 38%
- Lack of qualified workforce: 31%
- Poorly integrated tools: 29%
Challenges
- Skill gaps: 36%
- Lack of qualified workforce: 30%
- Poorly integrated tools: 28%
This trend is reinforced by the majority reporting a notable impact on the workload of IT and security teams during incident crises, further compounded by increased operational pressure over the past 12 months.
Operational pressure in the past 12 months
- Increased: 44%
- Stayed the same: 38%
- Decreased: 16%
- Don’t know: 2%
Resilience and future readiness
Cyber resilience is on the leadership agenda for most organizations (84%), but discussions are more often occasional (42%) than truly regular. Most respondents identify advanced and AI-powered attacks, data breaches, and human error as the top risks for the next 12 months. In response, investment priorities are largely focused on AI and emerging-threat preparedness, security monitoring and detection, training, and skills development.
Cyber resilience is on the leadership agenda for most organizations
of those are involved in regular conversations
Top risks predicted vs. top investment priorities across countries
All five of the surveyed countries show a forward-looking approach, addressing their predicted risks with relevant investment priorities.
| Country | Top risk | Investment priority |
|---|---|---|
| Across countries | AI-powered attacks | AI and advanced threat preparedness |
| | AI-powered attacks | AI and advanced threat preparedness |
| | AI-powered attacks | AI and advanced threat preparedness |
| | Advanced cyberattacks | Training and skills development |
| | Advanced cyberattacks | Security monitoring and detection |
| | AI-powered attacks | AI and advanced threat preparedness |
Frequency of cyber resilience assessments
While many organizations are confident in handling cyber incidents, only half have formal cyber resilience methodologies, revealing a gap between perceived preparedness and actual resilience.
- More than once a year
- At least once a year
- Less than annually
Wrapping up
Across the UK and Europe, businesses are increasingly recognising the importance of learning from incidents and strengthening operational resilience. However, many organizations still struggle to translate incident experience into meaningful improvements in processes, infrastructure, and governance. Most of this struggle can be attributed to the shortage of talent as threats become increasingly unpredictable and sophisticated.
Building true resilience requires more than defensive technologies. It requires structured learning, clear accountability, skilled teams, and integrated operational tools that enable organizations to strengthen their security posture continuously.
Organizations that embed these practices into their operations will be better equipped to withstand disruptions and maintain business continuity in an increasingly complex digital environment.

