Most executive committees still underestimate the operational impact of a cyberattack on critical infrastructure. Median recovery cost has quadrupled in two years across the energy and water sectors to reach $3 million. Switzerland imposed mandatory disclosure in 2025. NIS2 has redrawn obligations across Europe. This guide sets out what every executive needs to understand — and the seven questions to put to your CISO this week.
How the threat landscape has shifted in 2026
Executive cybersecurity priorities have visibly evolved. Digitally enabled fraud and targeted phishing now top CEO concerns, ahead of AI-related vulnerabilities, which have moved into second place. For CISOs (Chief Information Security Officers), ransomware remains the principal worry, followed closely by supply-chain disruption.
This perception gap between CEOs and CISOs reveals a strategic misalignment that matters. Top management focuses on preventing direct financial losses and adapting to emerging threats. CISOs remain focused on operational resilience and business continuity. The gap creates blind spots in security posture, particularly at the interfaces between IT, OT and the extended supply chain.
Understanding Operational Technology (OT)
Critical infrastructure runs on Operational Technology (OT) — the systems that manage industrial operations. OT encompasses Industrial Control Systems (ICS) and SCADA (Supervisory Control and Data Acquisition) systems, which automate production processes across sectors as varied as water, gas and electricity distribution, power generation, rail and intelligent road transport.
The fundamental difference between IT and OT cybersecurity lies in the priority hierarchy. In IT, confidentiality comes first, then integrity, then availability (the classic CIA model). In OT, the order inverts: availability first, then integrity, then confidentiality. An OT system must run 24/7, 365 days a year, sometimes for 20 to 30 years. This means fewer windows for downtime, security patches and hardware replacement. The direct consequence: OT systems frequently contain known and documented vulnerabilities that remain unpatched for years, sometimes decades.
This reality creates a significant maturity gap between IT and OT cyber practices — a gap that attackers have understood and now systematically exploit.
The real impact of cyberattacks on critical infrastructure
Cyberattacks against industrial networks and critical infrastructure produce wide-spectrum consequences: operational disruption causing production stoppages and revenue loss, physical damage to facilities, worker injuries, environmental disasters, regulatory compliance issues, and civil or criminal liability for executives.
Recent figures speak for themselves. According to the Sophos State of Ransomware in Critical Infrastructure 2024 report, the median ransomware recovery cost in the energy and water sectors quadrupled to $3 million — four times the global cross-sector median. 49% of ransomware attacks against these sectors began with the exploitation of a known vulnerability.
A particularly worrying trend is emerging: critical infrastructure operators increasingly choose to pay the ransom rather than restore from backups. The decision is understandable under operational pressure, but it fuels the criminal economy and guarantees attacks will continue. More importantly, it reveals a structural weakness — recovery programmes are not sufficiently tested to offer a credible alternative to capitulation.
The Swiss case: a modern regulatory approach
Switzerland illustrates a pragmatic approach with the introduction in 2025 of mandatory disclosure for cyberattacks on critical infrastructure. The Swiss National Cyber Security Centre (NCSC) processed nearly 65,000 cyber-incident reports in 2025, of which more than 220 were filed under the new mandatory regime. The Swiss Cyber Security Hub (CSH) now has approximately 1,600 members and serves as the central platform for exchange and disclosure.
This transparent approach enables collective threat understanding and coordinated response. For affected operators, it means three practical changes: a regulated disclosure window (24 to 72 hours depending on severity), a standardised incident-qualification procedure, and a duty to cooperate with the NCSC during investigation and remediation. Swiss companies must now integrate this obligation into their incident response plans — including the implications for external communication and crisis management.
NIS2 and the European cascade effect
The NIS2 directive (Network and Information Systems Directive 2), in force across the EU since October 2024, significantly expands the scope compared with NIS1. It now covers 18 essential and important sectors, including energy, transport, healthcare, water, digital services, food and critical manufacturing.
Swiss companies are not directly subject to NIS2, but indirect exposure is significant: European subsidiaries, customers under the directive requiring contractual alignment, and market standards that propagate through compliance pressure. In practice, a Swiss operator wishing to sell services to a German, French or Italian client classified as an essential entity will be required, contractually, to comply with NIS2 requirements.
Seven essential questions to ask your CISO this week
Every executive should evaluate their organisation's cyber posture through seven precise questions. The answers must be quantified, dated and supported by verifiable evidence.
1. Asset visibility. Do we have a complete and up-to-date inventory of all OT and ICS systems? Are we aware of every active connection between our IT and OT environments, including those established by suppliers and contractors?
2. OT vulnerability management. How many known critical vulnerabilities remain in our OT systems? For each one, what is the mitigation plan, the timeline for patching, and the compensating controls in place until full remediation?
3. Tested operational resilience. If we suffered a ransomware attack today, exactly how long would it take to restore our critical operations? When did we last test our recovery plans under realistic conditions, and with what result?
4. Segmentation and zero-trust architecture. Are our OT systems properly isolated from the corporate network and the internet? Have we implemented zero-trust architecture for access to critical systems, including privileged accounts and remote vendor access?
5. Threat monitoring and detection. Do we have real-time visibility on anomalies in our OT environments? Are we members of the relevant sectoral information-sharing centres (ISACs), and do we make active use of their threat feeds?
6. Third parties and supply chain. Are suppliers and contractors with access to our critical systems subject to the same security requirements as we are? Do we audit their posture regularly, and do we have a plan in case of compromise of their infrastructure?
7. Geopolitical preparedness. Does our cybersecurity strategy account for scenarios driven by geopolitical considerations — infrastructure disruption, industrial espionage, influence operations? According to the World Economic Forum, 64% of organisations now factor these considerations into their planning.
From CISO to Chief Resilience Officer
Attacks on multibillion-dollar organisations will continue and intensify in 2026, fuelled by three converging dynamics: generative AI simplifying reconnaissance and automating social engineering, the continued growth of Cybercrime-as-a-Service democratising access to sophisticated offensive capabilities, and the rise of nation-state-sponsored activity, particularly against critical infrastructure.
In this context, the CISO role extends well beyond IT security in the strict sense. Success in 2026 belongs to organisations that combine technical depth with strategic vision, transforming security from a reactive function into a force for resilience, trust and growth. Executives need to view their CISO not merely as a security manager, but as a Chief Resilience Officer — architect of operational continuity in a hyperconnected environment.
Three priority investment areas for 2026
Three investment priorities stand out to strengthen critical infrastructure cybersecurity posture.
Break organisational silos. Cyber resilience depends on shared understanding and unified response across security, operations, legal and top management. A cyber crisis cell must be able to convene in less than 30 minutes, at any hour.
Invest in detection and response as much as in prevention. Given the increasing speed and complexity of attacks, the ability to detect within minutes and respond within hours has become as important as prevention itself. The classic 80/20 prevention-to-response investment ratio is shifting toward 60/40, or even 50/50 in the most exposed sectors.
Test, test, test. Threat actors innovate as fast as technology evolves. Continuous learning, red-team exercises, OT penetration testing and crisis simulations are now essential security disciplines, to be run quarterly rather than annually.
Critical infrastructure is the backbone of economies and societies. Its protection demands top-level executive commitment, a nuanced understanding of OT-specific risks, and close collaboration across the entire security ecosystem. The time to act is now — the consequences of inaction are too heavy to ignore.
Frequently asked questions
What is the difference between IT and OT cybersecurity? IT cybersecurity protects data and prioritises confidentiality first. OT cybersecurity protects industrial systems that control physical processes where availability and integrity take precedence over confidentiality.
What is the average cost of a cyberattack on critical infrastructure in 2026? According to the Sophos State of Ransomware in Critical Infrastructure 2024 report, the median ransomware recovery cost in the energy and water sectors reached $3 million — four times the global cross-sector median.
Does Switzerland require mandatory disclosure of cyberattacks? Yes. Since 2025, Switzerland requires mandatory disclosure of cyberattacks targeting critical infrastructure to the National Cyber Security Centre (NCSC).
What is the NIS2 directive and who is affected? NIS2 is the European directive on the security of network and information systems, in force since October 2024. It covers 18 essential and important sectors.
How do I know if my company's OT asset inventory is complete? Only by measuring it: a 30-day passive discovery audit typically reveals that 20% to 40% of the assets actually present on the network were undocumented.
How long does it take to restore operations after a ransomware attack on an OT environment? Without a tested plan, 2 to 6 weeks. With a mature resilience programme, 48 to 96 hours.
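As an added example (not from the original article and not COMYA's own tooling), the Python script below shows the reconciliation step behind the passive discovery audit mentioned in the FAQ and behind question 1 (asset visibility) above: hosts observed in passively captured flow records are compared against the documented inventory, undocumented hosts are listed with how often they were seen, documented hosts that never appear on the wire are flagged, and every flow that crosses the IT/OT boundary is reported. The zone ranges, the inventory and the flow records are all constructed for illustration; a real audit would feed it the exports of a span-port or TAP sensor over the 30-day window.

```python
"""Passive asset reconciliation (added example, constructed data).

Compares hosts seen in network flow records against the documented
inventory and flags every IT <-> OT crossing so the asset-visibility
question can be answered with evidence rather than belief.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed zone map: which address ranges the organisation treats as IT vs OT.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
}

# Constructed documented inventory (what the CMDB claims exists).
INVENTORY = {
    "10.10.1.5": "erp-app-01",
    "10.10.1.9": "jump-host-01",
    "10.20.5.10": "plc-line-a",
    "10.20.5.11": "hmi-line-a",
    "10.20.5.12": "hmi-line-b",
    "10.20.5.20": "historian-01",
}

# Constructed flow records as a passive sensor would export them.
FLOWS_CSV = """src,dst,dst_port,proto
10.10.1.5,10.20.5.20,1433,tcp
10.10.1.9,10.20.5.11,3389,tcp
10.20.5.11,10.20.5.10,502,tcp
10.20.5.31,10.20.5.10,502,tcp
10.20.5.20,10.10.1.5,1433,tcp
10.10.7.44,10.20.5.10,44818,tcp
10.20.5.10,10.20.5.31,502,tcp
"""


def zone_of(ip):
    """Return the zone name for an address, or 'UNKNOWN' if it is outside the map."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "UNKNOWN"


def parse_flows(text):
    """Parse CSV flow export into a list of dicts (src, dst, dst_port, proto)."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory, flows):
    """Compare observed hosts with the inventory and collect cross-zone flows.

    Returns a dict with:
      undocumented - observed IP -> number of flows it took part in
      silent       - documented IPs never seen on the wire (stale or offline)
      cross_zone   - (src, dst, dst_port, proto) for flows between zones
      gap_pct      - undocumented hosts as a percentage of all known hosts
    """
    seen = Counter()
    cross_zone = []
    for f in flows:
        seen[f["src"]] += 1
        seen[f["dst"]] += 1
        if zone_of(f["src"]) != zone_of(f["dst"]):
            cross_zone.append((f["src"], f["dst"], int(f["dst_port"]), f["proto"]))
    undocumented = {ip: n for ip, n in seen.items() if ip not in inventory}
    silent = sorted(ip for ip in inventory if ip not in seen)
    total = len(set(inventory) | set(seen))
    gap_pct = round(100 * len(undocumented) / total, 1) if total else 0.0
    return {"undocumented": undocumented, "silent": silent,
            "cross_zone": cross_zone, "gap_pct": gap_pct}


if __name__ == "__main__":
    result = reconcile(INVENTORY, parse_flows(FLOWS_CSV))
    print(f"Inventory gap: {result['gap_pct']}% of observed hosts are undocumented")
    for ip, n in sorted(result["undocumented"].items()):
        print(f"  undocumented {ip} ({zone_of(ip)}) seen in {n} flow(s)")
    for ip in result["silent"]:
        print(f"  documented but silent: {ip} ({INVENTORY[ip]})")
    print("IT/OT boundary crossings:")
    for src, dst, port, proto in result["cross_zone"]:
        tag = " [undocumented party]" if src not in INVENTORY or dst not in INVENTORY else ""
        print(f"  {src} ({zone_of(src)}) -> {dst} ({zone_of(dst)}) {proto}/{port}{tag}")
```

The "silent" list matters as much as the undocumented one: a documented OT host that never produces a single flow in 30 days is either decommissioned, mislabelled, or reachable through a path the sensor does not see, and each of those is a gap in the inventory question 1 asks about. The cross-zone list, filtered to flows with an undocumented party, is the shortest route to the vendor and contractor connections the same question refers to.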
COMYA Group's cyber practice supports executives in securing their critical infrastructure: OT/ICS audits, NIS2 and Swiss FADP compliance, penetration testing, resilience programmes and crisis exercises. For a confidential consultation, contact our team.
About: The COMYA Cyber team supports executives in securing critical infrastructure and building resilience programmes adapted to contemporary threats.