In the fall of 2025, several major cyber crises – affecting the automotive industry, air transport and agri-food – highlighted the persistent fragility of organizations in the face of large-scale cyberattacks. These events showed that, despite years of investment in cybersecurity, the ability to absorb the shock, maintain activity and restart quickly remained largely insufficient.

The publication of the CESIN / OpinionWay 2026 Business Cybersecurity Barometer now confirms this diagnosis. Its figures give objective support to what field feedback already suggested: cyber resilience remains the poor relation of cyber strategies, even though the threat has become a lasting part of the normal functioning of the economy.

A threat that has become commonplace, with impacts that remain major

In 2025, 40% of the companies surveyed say they suffered at least one significant cyberattack. While this figure marks a slight decrease compared to previous years, the consequences remain serious. More than 80% of the companies affected report a direct impact on their business: disruption or stoppage of production, financial losses, customer delays and/or reputational damage.

A cyberattack is therefore no longer an exceptional event but a recurring risk. Yet it continues to have an impact, revealing a lasting gap between the level of the threat and organizations' real capacity to deal with it.

A persistent imbalance between protection and resilience

The barometer highlights a now well-established observation. Overall, companies say they are well prepared upstream of an incident: detection, prevention and protection are reaching high levels of maturity. For response and resilience to major incidents, on the other hand, the indicators deteriorate sharply.

Response capacity, post-incident reconstruction and, above all, the definition of business workarounds remain insufficiently developed. Only one in two companies believes it has business continuity plans (BCPs) for its business lines that are actually defined and operational. This imbalance confirms that cybersecurity has long been thought of as a matter of tools, whereas cyber resilience is above all a matter of organization, governance and decision-making in a degraded situation.

Crisis management training that is spreading

Two-thirds of companies now say they have implemented a cyber crisis management training program, an improvement on the previous study that reflects increased awareness of the need to prepare. However, the analysis reveals uneven practices: while more than a third of companies carry out exercises periodically, a significant proportion still limit themselves to one-off simulations, and a third have not taken any steps.

Third parties, now at the heart of the risk

Another major lesson is the growing weight of third parties. 30% of companies estimate that more than half of their cyber incidents come from their ecosystem. Ransomware at a supplier, data leakage via a service provider, cascading downtime: these scenarios, observed on a large scale in 2025, confirm that cyber resilience can no longer be thought of at the scale of an isolated organization. It must now be part of a broader value chain approach that integrates industrial, software and operational dependencies. Crisis management exercises involving this value chain must be the natural outcome of this observation.

This evolution echoes the NIS2 and DORA regulatory frameworks, which explicitly enshrine the supply chain as a critical perimeter for controlling cyber risk by imposing on organizations greater responsibility for managing, steering and training for crises involving their critical third parties.

Cyber resilience as a strategic focus of cybersecurity policies

The findings of the CESIN 2026 Barometer thus confirm an observation already made in the autumn [Eight years after the emergence of mass cybercrime, cyber resilience remains the poor relation of cybersecurity]: the period 2025-2030 marks the beginning of a new cycle, in which cyber resilience will be at the heart of cybersecurity strategies. Managers now expect a demonstrated ability to maintain activity in a crisis situation. Cyber resilience must therefore become a pillar of organizational security. And this is excellent news: the recent publication of the National Cybersecurity Strategy reinforces this approach by enshrining, through its pillar 2, a broader and collective vision of cyber resilience.

Article written by:

Guillaume CHÉREAU – COO Alcyconie
