Cyber Security in 2026: What Architecture, Engineering and Construction Leaders Need to Know

Cyber Essentials 2026 raises the bar for cyber resilience. Discover what UK AEC leaders should prioritise now to strengthen business continuity, manage risk and protect project delivery.

By Dave Adamson, Solutions Director, Creative ITC

Cyber resilience is becoming a business requirement.

As regulation tightens and digital dependency grows, AEC leaders must move beyond compliance and focus on the operational resilience that protects projects, people and performance.

The UK is entering a new phase of cyber security, one where resilience isn’t just encouraged – it’s enforced. With the Cyber Security and Resilience Bill progressing through Parliament, and recent updates to Cyber Essentials introducing automatic fail conditions, the direction of travel is clear: what was once guidance is now expectation. 

The new measures force a long overdue redesign of how architecture, engineering and construction firms plug common vulnerabilities. Frameworks are becoming increasingly proactive, requiring organisations to maintain robust oversight of controls, assets and risk exposure across the full scope of their own environments, as well as those of suppliers and partners. 

Many will interpret this as another compliance burden. In reality, it reflects something more fundamental: cyber risk has become business risk.

AEC leaders face a new reality: resilience is no longer optional.

What AEC Leaders Need to Know 

  • Cyber resilience is moving from best practice to regulatory expectation across the UK. 
  • Cyber Essentials 2026 introduces stricter requirements around MFA, patching, cloud services and evidence of compliance.  
  • The Cyber Security and Resilience Bill signals a wider regulatory focus on cyber resilience.  
  • For AEC firms, cyber incidents increasingly threaten project delivery, commercial performance and client confidence.  
  • Supply chain assurance is becoming a critical requirement as clients scrutinise third-party risk.  
  • The organisations best placed to succeed will be those that embed resilience into day-to-day operations, not those that prepare for compliance once a year.

Why UK cyber regulation is increasing the focus on resilience 

The Cyber Security and Resilience Bill signals a broad policy shift. The Bill is designed to strengthen the UK’s ability to protect essential and digital services, pushing cyber resilience firmly into the realm of regulation, not recommendation. 

AEC firms are particularly exposed. The industry is closely involved with critical national infrastructure projects, and the sector has been a top five target for cyber attacks in the past year. 

Yet, in many cases, the bury-your-head-in-the-sand attitude persists. 

The gap between recognition and action is structural, and regulation is now stepping in to close it.

Resilience is no longer optional - and it’s no longer self-defined.

Cyber Essentials: the same standards – now with teeth. 

The Cyber Essentials revisions are designed to bring about this change, forcing actions many organisations have deferred for too long. Established as the baseline for cyber hygiene, the updated scheme now represents something far more revealing: a real-world test of whether your organisation is actually resilient.

The Three Operational Capabilities Cyber Essentials 2026 Is Testing 

  1. Identity: Can you consistently control who has access? 
  2. Visibility: Do you know what systems, users and cloud services exist? 
  3. Recovery Readiness: Can you continue to operate when disruption occurs? 

The five technical controls haven’t changed - firewalls, secure configuration, user access, malware protection and patching still sit at the core. What has changed is the expectation behind them. April 2026 updates prioritise consistency and evidence: 

  • Autofail conditions are introduced for critical expectations, meaning gaps can no longer be treated as tidy‑up items after the audit. 
  • Cloud services are defined and brought firmly into scope. 
  • The shift from self-attestation to independent validation also means there’s now less wiggle room. 

The changes push Cyber Essentials out of annual “tick-box certification” project territory and into always-on operational proof. The message for AEC firms is clear – bake security into daily operations so audit readiness is continuous and intentional, and resilience is sustainable.

Why resilience matters in AEC 

A lack of resilience can result in: 

  • Delayed project delivery 
  • Loss of access to critical project information 
  • Interrupted collaboration across supply chains 
  • Increased contractual and financial risk 
  • Reduced client confidence 
  • Lost opportunities where cyber assurance forms part of bid evaluation 

Why Cyber Essentials matters more for AEC firms 

1. AEC runs on ecosystems, not estates 

AEC delivery relies on:  

  • multi-party collaboration 
  • common data environments 
  • shared BIM data 
  • specialist design and engineering tools 
  • dynamic project delivery teams and supply chains 

This creates a complex distributed attack surface, where risk doesn’t sit neatly within IT alone - it flows across evolving projects, partners and platforms. 

When the scheme updates make cloud non-optional and scope definitions non-negotiable, complexity stops being a justification and becomes a risk exposure. 

In AEC, cyber risk rarely starts and ends within your own organisation.

2. Supply chain assurance is now real-world pressure 

AEC firms don’t deliver alone - and increasingly, that matters.  

  • Clients are tightening supplier assurance expectations 
  • Certification is becoming a baseline requirement for contracts 
  • Regulation is moving toward ecosystem-level resilience 

Cyber Essentials is increasingly used as a trust signal across supply chains. When scope is vague, assurance is vague. That’s why the scheme is pushing for clearer scoping, legal entity clarity and explicit exclusions. 

The Cyber Security and Resilience Bill reinforces this direction, strengthening duties around services and dependencies that underpin national infrastructure and economic activity. 

Supply chains are now part of your risk profile.

3. Project disruption is the real risk multiplier 

Cyber incidents in AEC don’t just mean data loss. They can mean: 

  • delayed project delivery 
  • halted site operations 
  • financial exposure from disrupted payments 
  • reputational damage with clients and partners 

Cyber incidents can directly affect project timelines, budgets and commercial performance, not just IT systems. That’s why the conversation must shift from “How secure are we?” to “Can we still deliver if something goes wrong?”

Cyber Essentials 2026: what’s changing and what UK AEC firms need to do now 

1. MFA everywhere - and why it forces an identity rethink 

What’s changing:
MFA becomes mandatory for all cloud services where it’s available, and not enabling it results in automatic failure. This applies even where MFA is a paid feature.  

Why this hits AEC hard: 
AEC organisations often have “non‑human access” everywhere - integrations between platforms, scripts, automations, legacy connectors, and service accounts created years ago to keep projects moving. Enforced MFA kills the old service account model because static secrets can’t complete MFA challenges. 

What to do now: 

  • Eliminate service accounts where possible and replace them with service principals / managed identities (token‑based, short‑lived, system managed).  
  • Audit cloud services used across the business (not just “core IT”) and enforce MFA consistently across all users and admins. 
  • Treat this as operating-model hygiene: onboarding, offboarding, role change, and privileged access must be predictable, repeatable and reportable.  

This isn’t a Cyber Essentials problem. It’s an identity hygiene problem that’s finally too inconvenient to ignore.

2. Patching inside 14 days - the new resilience reality 

What’s changing: 
High‑risk and critical updates must be applied within 14 days, including operating systems, applications, and router/firewall firmware - another auto‑fail expectation. 

Why this hits AEC hard: 
In AEC, patching isn’t simple “IT maintenance.” It’s constrained by: 

  • specialist applications and plug‑ins 
  • project-critical environments where downtime is costly 
  • site connectivity limitations 
  • legacy infrastructure and appliances that don’t fit modern cycles.  

The scheme is effectively saying: patching within 14 days is a capability, not a promise. 

What to do now: 

  • Build a live asset inventory so you know what must be patched, across offices, remote endpoints, site systems, and cloud-connected services. 
  • Create test and deployment rings to patch fast without breaking production. 
  • Improve change automation and rollback planning so speed doesn’t mean fragility. 

Auto‑fail patching = complete inside the window, or you don’t pass. 
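As an added illustration (not from the article or Creative ITC), the check below classifies a constructed asset inventory against the 14-day window for high-risk and critical updates. Asset names, dates and the status labels are assumed for the example; an asset that is unpatched past its deadline, or was patched only after it, is treated as an auto-fail finding.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials 2026 expectation: critical/high-risk updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14


@dataclass
class Asset:
    name: str
    kind: str                       # e.g. "workstation", "firewall", "cloud-service" (assumed labels)
    patch_released: date            # vendor release date of the critical update
    patch_applied: Optional[date]   # None if the update has not been applied yet


def deadline(asset: Asset) -> date:
    """Last day on which the update can be applied and still sit inside the window."""
    return asset.patch_released + timedelta(days=PATCH_WINDOW_DAYS)


def status(asset: Asset, today: date) -> str:
    """'compliant' / 'late' for applied updates, 'in-window' / 'overdue' for pending ones."""
    due = deadline(asset)
    if asset.patch_applied is not None:
        return "compliant" if asset.patch_applied <= due else "late"
    return "overdue" if today > due else "in-window"


def days_remaining(asset: Asset, today: date) -> int:
    """Positive while time remains; negative once the window has been missed."""
    return (deadline(asset) - today).days


def report(assets, today: date) -> dict:
    """Group asset names by status; 'overdue' and 'late' are the auto-fail findings."""
    out = {"compliant": [], "in-window": [], "overdue": [], "late": []}
    for asset in assets:
        out[status(asset, today)].append(asset.name)
    return out


# Constructed sample inventory for the example (not real data).
TODAY = date(2026, 4, 20)
INVENTORY = [
    Asset("ws-design-01", "workstation", date(2026, 4, 10), date(2026, 4, 14)),  # patched day 4
    Asset("fw-site-a", "firewall", date(2026, 4, 1), None),                      # day 19, unpatched
    Asset("ws-site-b", "workstation", date(2026, 4, 12), None),                  # day 8, 6 days left
    Asset("cde-portal", "cloud-service", date(2026, 3, 20), date(2026, 4, 8)),   # patched day 19
]

if __name__ == "__main__":
    for label, names in report(INVENTORY, TODAY).items():
        print(f"{label:10s} {names}")
```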

3. Cloud is in scope - and scope has to be honest

What’s changing: 
Cloud services are more clearly defined and are brought firmly into scope, alongside stronger expectations for transparent scoping: clearer scope descriptions, legal entity clarity, and explicit exclusions. 

Why this hits AEC hard: 
In AEC firms cloud services are everywhere: collaboration platforms, model coordination tools, file transfer tools, e‑sign platforms, project portals, and more - sometimes adopted at project or regional level. The changes reduce the viability of “we didn’t include that” thinking. 

What to do now: 

  • Get brutally honest about scope: document boundaries, list entities, declare exclusions and fix what’s truly in scope rather than redefining scope around what’s easiest to pass. 
  • Map cloud usage across departments and projects to avoid shadow scope problems at assessment time. 
  • Use central policy enforcement where possible (identity, conditional access, configuration standards) so control is consistent at scale.  

Clarity, consistency and control are now non-negotiable.

The leadership takeaway: Cyber Essentials is now an operating model test 

It’s tempting to treat Cyber Essentials as a compliance event. In 2026, that’s the fastest route to disruption. 

The updated scheme is deliberately designed to surface gaps that only appear when controls aren’t genuinely embedded in day-to-day operations - across identity, patching, scope and governance. If Cyber Essentials still lives in a once‑a‑year spreadsheet, the new enforcement model will expose it. 

For AEC leaders, the real resilience questions are: 

  • Can we enforce identity controls across dispersed teams, JVs and project ecosystems? 
  • Can we patch quickly and safely across specialist, business‑critical environments without bringing work to a halt? 
  • Can we clearly define scope across supply chains, partners and client environments in a way that stands up to scrutiny?  

If the honest answer is “sometimes,” the scheme’s tightening will expose that. 

Cyber Essentials 2026 doesn’t introduce new risk. It exposes where resilience has been inconsistent, assumed or incomplete.

This is where specialist security and managed service partners play a practical role - not by adding additional layers, but by instilling robust best-practice governance and industrialising the unglamorous work that real-world resilience depends on. Continuous control monitoring. Patch compliance reporting. Identity hygiene. Configuration drift detection. Evidence capture that’s audit‑ready all year, not assembled in a rush before renewal. 

Done well, this support shifts Cyber Essentials from a calendar‑driven exercise to an operational discipline - one that scales with complex estates and evolving delivery models. 

Cyber Essentials doesn’t fail organisations. Inconsistent operations do.

What AEC leaders should prioritise now 

Resilience isn't built through annual audits or isolated security projects. It's the result of clear leadership, robust governance and operational discipline applied day in, day out. Focus on practical changes that improve resilience, not just audit outcomes. 

With that in mind, here are the priorities AEC leaders should focus on now. 

1. Make resilience a board-level responsibility 

Ownership drives consistency.  

2. Build full visibility of your estate 

No visibility = no control. 

3. Fix identity before anything else 

This is the fastest way to reduce risk exposure. 

4. Turn patching into a measurable capability 

Prove resilience, don’t assume it. 

5. Strengthen supplier and partner assurance 

Set baseline standards (e.g. Cyber Essentials). 

6. Reframe cyber around delivery continuity 

That’s where resilience becomes commercially relevant. 

The real opportunity: turning resilience into a competitive advantage 

Cyber Essentials 2026 isn't just raising the bar for compliance. It's reflecting a broader shift already taking place across the AEC sector. Clients are asking tougher questions. Supply chains are under greater scrutiny. Projects are more digitally dependent than ever before.  

And as regulation continues to evolve, the organisations that can demonstrate resilience will increasingly stand apart from those that simply claim it. 

Cyber Essentials 2026 isn't fundamentally changing the risks facing AEC firms. It is changing the level of scrutiny applied to how those risks are managed. In an increasingly digital and interconnected industry, resilience has become a core business capability, not an IT function. 

The organisations that succeed will be the ones with the operational discipline to maintain momentum. The firms that embed it into everyday operations will be better positioned to protect delivery, strengthen client trust and grow with confidence, turning resilience into a competitive advantage.

Compliance is annual. Resilience is daily.

Dave Adamson is Solutions Director at Creative ITC and works with AEC organisations across the UK to strengthen operational resilience, modernise technology environments and reduce risk while supporting project delivery and business growth.
