The Fortinet report makes it clear: cybersecurity in the energy sector is entering a new phase. Today, three forces matter most: IT/OT convergence, the growing scale of AI-enabled threats, and increasingly complex regulatory requirements. This is especially visible across Europe, the Middle East, and Africa. The author notes that energy now combines “aging industrial systems, new digital services, the integration of renewable energy sources, and a harsher threat landscape.” That sentence captures the scale of the challenge well.
As a result, energy companies can no longer treat security as “office network protection” only. It is not just about business data, either. In practice, the entire operational environment must be protected. This includes industrial systems, IIoT devices, critical infrastructure, and remote access. In addition, the supply chain also matters. Fortinet highlights that the sector needs an approach that simultaneously “protects operations, helps teams act quickly during incidents, and supports recovery, oversight, and audit requirements.”
One of the report’s key findings is the blurring boundary between IT and OT. On the one hand, this shift brings operational benefits. On the other hand, it increases cyber risk. Systems that were once isolated now send data to the cloud. They also connect to other networks and enable real-time analytics. While this model improves efficiency, it also expands the attack surface.
At the same time, many organizations are not keeping up with the pace of change. The report states that “57% of organizations admit their OT defense mechanisms lag behind their IT security controls.” From a strategic perspective, this points to the need for a full asset inventory. Clear ownership of OT security is also essential. Consistent segmentation across environments remains critical. Fortinet strongly emphasizes a lifecycle approach as well. Security should exist “from build to decommissioning,” especially in older OT architectures.
The report shows that AI in cybersecurity is a double-edged sword. On one side, it supports threat detection, data analysis, and response automation. However, it also accelerates attackers. Fortinet explains that AI enables more personalized phishing campaigns. It can also support malware that modifies its own code to evade detection. Importantly, the report states that AI “is becoming part of the entire attack cycle.” Consequently, threats become faster and more adaptive.
The conclusion is straightforward: energy organizations must develop more than technology. People and skills matter just as much. Teams need the ability to work with AI tools and keep oversight over them. At the same time, clear escalation procedures are necessary in OT environments. In addition, the report stresses the value of security exercises. It also points to the importance of regional collaboration. Together, these steps help organizations prepare for AI-supported campaigns.
In the regulatory section, the report strongly underlines the role of NIS2 for the energy sector. The directive covers energy companies as essential entities. Therefore, it introduces strict cybersecurity and incident reporting requirements. Yet implementation across EU countries is uneven. Moreover, different states emphasize different regulatory priorities. For organizations operating across borders, this creates extra compliance complexity. It also increases operational risk. The report also reminds readers that non-compliance can lead to very high penalties.
In this context, Fortinet also highlights the growing importance of cloud and data sovereignty. For example, recommendations include using European cloud providers. In addition, the localization of sensitive OT data becomes significant. The report mentions encrypting ICS telemetry and adopting hybrid edge-cloud architectures. This matters for organizations that want compliance to be reflected in technical architecture, not only in documentation. Fortinet puts it clearly: organizations should “develop European data and cloud sovereignty for OT resilience.”
The report also strongly emphasizes supply chain security in the energy sector. The authors describe risks tied to hardware and software components. They also highlight the need for strict supply chain controls. In particular, SBOM and HBOM are important. These are structured lists of software and hardware components. The report cites SBOM as a “key building block of software security and supply chain risk management.”
This approach also matters from a business standpoint. More organizations now ask not only about their own security. They also assess the reliability of vendors and components. This is especially relevant for critical infrastructure. Fortinet even suggests including the right to inspect equipment in contracts. In addition, it recommends removing clauses that restrict technical analysis of devices.
The report presents five priorities for cybersecurity leaders in energy. First, security must cover the entire lifecycle of IT and OT assets. Second, strict network segmentation aligned with the Purdue Enterprise Reference Architecture is required. Such a structure limits lateral movement and reduces incident impact. Third, organizations need continuous OT visibility. Real-time threat detection is also crucial. Effective response procedures are necessary as well. Fourth, OT resilience is strengthened through data sovereignty and well-designed cloud architecture. Fifth, cross-sector cooperation and regulatory flexibility remain important.
Operationally, the report also lists concrete target practices. It includes “full visibility of IT, OT, and IIoT assets” and “network segmentation.” It also stresses the “principle of least privilege” and “secure, controlled remote access.” Finally, it calls for “continuous SOC or MSSP monitoring with OT context.” In practice, this works as a ready checklist for organizations aiming to improve the cyber resilience of energy infrastructure.
The most important conclusion from the Fortinet report is simple. Energy cybersecurity cannot remain reactive. It also cannot stay split into separate IT and OT silos. Instead, an effective strategy must connect technology, people, and processes. Regulations and supply chain security also play a key role. Organizations that do not make this shift will struggle to maintain operational resilience. Over time, NIS2 compliance risk will rise as well. Secure digital transformation will become harder to achieve. In contrast, companies that treat security as the foundation of energy modernization gain stronger business continuity. They also gain better risk control and higher incident readiness.
We invite you to read the full report: 2026 Energy Cybersecurity Outlook EMEA.pdf
