When I wrote for TechRadar Pro last summer about cyber security’s shift to becoming a boardroom priority, rather than something handled in the back office, the implication was that capital would follow. Dealmaking activity at the end of 2025 and into 2026 has borne this out.
What’s different at the start of 2026 is the clarity of the boardroom’s thinking: cyber is being treated less as a technical headache and more as critical operational fragility, with direct consequences for revenue, regulation and reputation.
Director at Arrowpoint Advisory.
A serious incident is no longer judged by how attackers got in, but by the impact on the business. As high-profile attacks in the last few months - including M&S, the Co-op, Harrods, Heathrow and Jaguar Land Rover - have shown, operations stall, customer service seizes up, data becomes inaccessible and trust drains away at speed.
Unsurprisingly, cybersecurity now sits even more at the heart of business continuity and resilience.
You can see this reframing in increasing volume and value of cybersecurity dealmaking. In Q4 2025 there were 145 cyber security deals across Europe and North America, the busiest quarter since Q1 2022. Where values were disclosed, average deal sizes also moved higher to £311m versus a long-term average of £227m.
The point is not volume for its own sake. Buyers are responding to a threat landscape that is shifting faster than many organizations can respond through internal change alone.
Continuity, not compliance
Today, boards no longer need persuading that cyber risk exists. They need confidence it is being managed as a material business risk.
That is why the internal conversation has shifted. Compliance remains important, but the sharper questions are operational: how quickly can we detect a problem; how decisively can we contain it; how well can we recover; and have we practiced these moments rather than writing plans that sit on a shelf?
Ransomware remains a dominant threat, while AI is making phishing and social engineering quicker, cheaper and more convincing. Demand is rising for detection and response, backed by recovery planning, tested processes and clear accountability.
Resilience is rarely delivered by one product, it comes from integrated capability across software, services and managed operations. So for dealmakers, when gaps are obvious and time is short, M&A becomes a practical route to build capability quickly.
Identity is the main battleground
The center of gravity in cyber risk continues to move. As organizations migrate from on premise models to cloud based environments, the old idea that you can defend a clear boundary around the organization becomes less useful.
The challenge is increasingly about who has access to what, and what they can do once inside, including suppliers and third parties. Attackers are going where the keys are, and those keys are identities.
Crucially, those identities are no longer just people. Modern organizations rely on a fast-growing population of machine identities: service accounts, automated workloads and API tokens that keep cloud services and applications running.
They are easy to create, hard to inventory and often under-governed. In that world, zero trust is not a slogan, it is an attempt to bring order to a messy reality, and the identity layer beneath it has become central to board level discussion.
The risk is often misunderstood. Identity failures are not only about data loss. They are about loss of control. If an attacker can authenticate as a privileged user or trusted workload, they can move through systems like an insider, disabling defenses or deploying ransomware while looking legitimate.
That is why cyber leaders are not judged on preventing every breach, which is unrealistic, but on providing tighter access, sharper monitoring and faster containment.
Data sovereignty is becoming a commercial issue
Boards are also paying closer attention to where data lives and who can compel access to it. Cloud adoption has pushed more data across borders, while concerns about foreign regulation and state access are forcing organizations to think harder about local storage, encryption and governance.
For global groups, this shapes procurement and design decisions. For highly regulated sectors, it can determine which vendors are credible options at all. It also strengthens the case for a more consolidated approach, with fewer tools that integrate properly.
If policy enforcement, identity governance, encryption and monitoring must work together across jurisdictions, a stitched together set of point solutions can become a risk in itself, with more seams, more complexity and more scope for misconfiguration.
Why cyber M&A is rising
Given the accelerating trends set out above, it is no surprise that M&A is rising in the sector.
First, consolidation is accelerating. Given the multifaceted challenges presented by cyber threats, customers are fatigued by crowded security stacks filled with overlapping tools, each generating alerts and admin burden. They want fewer suppliers, tighter integration and clearer accountability.
Second, acquirers are building end to end capability in response to the growing range of threats businesses are now facing. Identity security, detection & response, incident readiness, cloud posture management, data protection and managed services increasingly need to operate as one.
That pulls buyers towards bolt-ons that fill product gaps, add sector expertise, bring managed capability in-house or extend geographic reach.
Third, budgets are more resilient than many assume. Cyber spend is increasingly defended as a cost of doing business in a modern, digital economy, particularly where it maps directly to operational resilience. That stability supports underwriting and deal appetite, even in uncertain conditions.
The UK is likely to follow the international momentum. While the levels of international volumes in late 2025 were not yet fully reflected in UK completed deals, pipeline activity is meaningful and expectations are for improvement through the first half of 2026.
None of this implies every asset will command a premium. Public markets still reward the combination of growth and profitability, and larger players tend to attract stronger valuations where they are seen to have the most compelling product exposure and route to scale.
The market is not paying for cyber in the abstract. It is paying for businesses that can show defensible differentiation and durable demand.
The next phase
Looking ahead into the near future, we expect that identity will remain a central concern in the sector. Sustained interest in identity governance, privileged access and managing non-human identities at scale will be front of mind. Resilience and response will continue to be highly valued, even more so than prevention.
Data governance and sovereignty will become more overtly commercial, shaping where organizations can deploy, store data and partner.
New technologies will add momentum to these themes. AI is already being used by attackers to sharpen phishing and social engineering, but importantly also by defenders to speed up detection and triage.
Quantum sits further out, but it matters because of its long-term potential to undermine current cryptography. Preparation is sensible, mapping exposure, understanding dependencies and prioritizing partners who can navigate the transition as standards mature.
Conclusion
Cyber is now treated, increasingly explicitly, as business continuity. In a world of cloud complexity, identity sprawl and cross border data risk, M&A is one of the fastest ways for vendors to build capability that matches the evolving threat landscape.
The vendors and organizations that integrate identity, resilience and governance into a coherent operating model will be best placed to protect performance and keep trust intact when incidents inevitably occur. This will shape where capital flows and which assets attract strategic attention through 2026.
We've featured the best business VPN.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.