Rail Cybersecurity in 2026: What the UK Market Data Tells Us About a Sector Under Pressure
UK railway cybersecurity spending is accelerating as ransomware, insider incidents, and IT/OT convergence expose the sector's growing attack surface. Part one of CYJAX's rail security series looks at the numbers behind the trend and what they mean for UK operators.

Key takeaways
- The UK railway cybersecurity market is estimated to grow from around £94 million in 2025 to £198 million by 2035, making the UK the third-largest national market in Europe.
- Ransomware remains the leading threat to the rail sector, accounting for 45% of recorded incidents in ENISA's first dedicated transport threat landscape report.
- The NCSC managed 429 cyber incidents in the year to September 2025, with nationally significant incidents more than doubling year on year.
- The September 2024 Wi-Fi incident affecting 19 stations shows that insider access and third-party risk remain live issues for UK rail operators, not theoretical ones.
- The Cyber Security and Resilience Bill will put the NCSC's Cyber Assessment Framework on a statutory footing and extend regulation deeper into the rail supply chain.
UK rail operators have spent the last decade digitising almost everything, from ticketing and passenger Wi-Fi to signalling and predictive maintenance. This transformation has delivered real operational gains. It has also turned the UK’s rail network into one of the more closely watched targets in critical national infrastructure cybersecurity.
CYJAX has built its understanding of the sector through direct work with operators including Network Rail, TfL and East West Rail, giving this analysis a grounding beyond the headline statistics. This is the first in a three-part CYJAX series on rail cybersecurity, starting with the market data, threat statistics, and a recent UK incident that shows exactly why operators are paying attention.
A Fragmented Sector Under Growing Pressure to Spend
The UK railway cybersecurity market reached a value of £279 million in 2025, which is projected to reach roughly £598 million by 2033. This represents a compound annual growth rate of 10.5% from 2026 to 2033. The UK accounted for 4.7% of the global market by revenue in 2025, with solutions such as risk and compliance management, threat intelligence, identity and access management, and data loss prevention making up the largest share of spend. That growth is being pushed by two forces at once: the rollout of the European Train Control System and the wider Digital Railway Programme, and a funding structure that has cyber resilience built into it. Network Rail, the train operating organisations, freight operators, and rolling stock leasing companies are all working to Control Period 7, the funding cycle running from April 2024 to March 2029. The Department for Transport and Office of Rail and Road expects cyber resilience to be embedded in CP7 delivery rather than treated as an add-on.
That fragmentation is itself part of the risk. Infrastructure management sits with Network Rail, operations sit with multiple train and freight operating companies, and rolling stock is leased in from separate organisationsagain. Network security and OT-specific protection are the fastest-growing categories of spend across this structure, driven by the breakdown of the separation between corporate IT and train control systems. This also highlights the difficulty of enforcing consistent segmentation across legacy trackside signalling, GSM-R communications, and a modern train's constant connection to mobile networks.
The Threat Picture Behind the Spending
Market growth is a lagging indicator. The threat data explains what is driving it, and the picture in the UK mirrors what European regulators are seeing across the wider transport sector. Under ENISA's Threat Landscape 2025 report, covering incidents between July 2024 and June 2025, transport was the second most targeted sector in the EU, accounting for 7.5% of all recorded incidents, behind only public administration. Of the incidents reported as having a significant impact under the EU's NIS Directive in 2024, 12% occurred in the transport sector.
The UK's own figures reinforce the pattern. According to the government's summary of the Cyber Security and Resilience Bill, the National Cyber Security Centre managed 429 cyber incidents in the year to September 2025. Almost half of these were classed as nationally significant, which was more than double the number from the previous year. Separately, that same government summary cites an independent assessment finding that 95% of the UK's critical national infrastructure organisations experienced a data breach in 2024. This placed the cost of cyber-attacks to UK businesses at £14.7 billion a year, equating to approximately 0.5% of GDP. Rail sits inside the transport sector, one of the categories the NIS Regulations already class as critical, so this is not a backdrop rail operators can treat as someone else's problem.
Incidents outside the UK illustrate the same pattern rail is exposed to. Sweden's Skånetrafiken and Italy's Ferrovie dello Stato were both hit by ransomware that disrupted ticketing systems in 2021 and 2022, as detailed in ENISA's report. Danish State Railways suffered major service disruption after a ransomware attack in October 2022. Additionally, Deutsche Bahn's station display boards were disrupted by WannaCry in 2017. This serves asa reminder that rail's exposure to opportunistic, non-targeted malware is not new.
A UK Case Study: The Station Wi-Fi Incident
Rail operators do not need to look overseas for evidence. In September 2024, public Wi-Fi across 19 major UK rail stations, including around 10 in London, was compromised to display extremist messaging. Affected stations included some of the busiest hubs on the network. The incident was traced to an insider account at Telent, the third-party provider managing the Wi-Fi service, rather than an external breach. British Transport Police launched an investigation, and the affected networks were taken offline as a precaution.
No passenger data is understood to have been compromised, but the incident highlighted two things UK rail security leaders already know. The first is that third-party and insider access remain among the hardest risks to close off. The second is that even a relatively contained IT incident at a handful of stations can generate significant public and regulatory attention for a national rail network.
The Regulatory Backdrop Is Tightening
None of this is happening in a regulatory vacuum. Rail transport is already classed as a critical national service under the NIS Regulations 2018, with the Department for Transport acting as competent authority and the NCSC's Cyber Assessment Framework used to judge whether operators are doing enough. The Cyber Security and Resilience Bill, which was introduced to Parliament on 12 November 2025, will put that framework on a statutory footing. It will widen the scope of who is regulated to include managed service providers and critical suppliers whilst also introducing 24-hour incident notification requirements backed by fines of up to £17 million or 4% of global turnover. For a sector built on a supply chain of signalling suppliers, Wi-Fi providers, and rolling stock companies, that focus is exactly where the September 2024 incident exposed the gap.
Why This Matters for Security Leaders
None of this means rail operators need to react to every headline. It means the investment case for structured, continuous threat intelligence is now backed by hard numbers and a tightening legal duty. Understanding which threat actors are active against specific parts of the UK rail sector, whether that is signalling, freight, or passenger digital services, and against suppliers is what turns this market and data into a defensible security budget.
In part two of this series, we look at why generic threat intelligence often fails to meet rail's specific needs, and what a rail-specific approach must account for instead.
Get Started with CYJAX CTI
Empower Your Team. Strengthen Your Defences.CYJAX gives you the intelligence advantage: clear, validated insights that let your team act fast without being buried in noise.



