Cybersecurity has become the backbone of digital resilience
SURF's Tech Trends Report 2026 is based on international trend studies, enriched with insights from experts from the SURF cooperative.
Published on December 28, 2025
.png&w=2048&q=75)
Bart, co-founder of Media52 and Professor of Journalism oversees IO+, events, and Laio. A journalist at heart, he keeps writing as many stories as possible.
Cybersecurity used to live in the background: a matter for IT departments, firewalls and incident response teams. That separation no longer exists. As education and research become deeply digital, cybersecurity has moved to the strategic core of institutions. According to SURF’s Tech Trends 2026 report, cyber resilience is now inseparable from institutional continuity, academic freedom and public trust.
The shift is driven by dependency. Universities, colleges and research institutes rely on cloud services, AI systems, connected devices and international data flows. That dependency creates value, but also exposure. A single compromised account, a vulnerable IoT device or an unpatched cloud service can disrupt education, halt research or leak sensitive data.
Tech Trends 2026
This is the fifth episode in a 10-part series about the technologies selected by SURF to be defining in 2026. SURF is the Dutch cooperative of education and research institutions. SURF's Tech Trends Report 2026 is a biannual publication based on international trend studies and market reports, enriched with insights from experts from the SURF cooperative and beyond. In 10 episodes, IO+ joins SURF in looking at the most important trends for the coming year.
AI as both shield and weapon
The most visible trend in cybersecurity is the dual use of artificial intelligence. On the defensive side, AI has become indispensable. Security operations centres increasingly rely on machine learning to detect anomalies, reduce alert fatigue and respond faster to incidents. Behavioural analysis and predictive models enable the identification of threats before they escalate.
At the same time, attackers are using the very same tools. Generative AI enables highly targeted phishing, realistic deepfakes and automated vulnerability scanning at scale. Open-source models further lower the barrier to entry, allowing smaller groups to launch sophisticated attacks.
As the report notes, this arms race does not eliminate the need for fundamentals. Strong identity management, patching, segmentation and awareness training remain essential. AI can amplify both strengths and weaknesses; it does not replace discipline.
Privacy-enhancing technologies go mainstream
A second major development is the growing accessibility of privacy-enhancing technologies (PETs). Techniques such as federated learning, synthetic data, multi-party computation and homomorphic encryption allow data to be analysed without being fully exposed.
For education and research, this is a turning point. PETs enable work with sensitive datasets (student records, medical data, and behavioural data) while respecting privacy and regulatory constraints. They support cross-institutional collaboration without centralising raw data.
However, PETs are not a panacea. They add architectural complexity and demand new skills. Institutions must invest in infrastructure and expertise to avoid creating systems that are secure in theory but unusable in practice.
Preparing for the quantum horizon
Perhaps the most unsettling cybersecurity trend lies further ahead: post-quantum cryptography. Once sufficiently powerful quantum computers become available, many of today’s cryptographic systems will be breakable. Worse, attackers are already storing encrypted data to decrypt it later; a strategy known as “store now, decrypt later”.
For universities and research institutes, the implications are profound. Sensitive research data, intellectual property and personal information often have long-term value. Without timely migration to quantum-resistant cryptography, confidentiality could be retroactively compromised.
SURF highlights the urgency of crypto-agility: the ability to switch cryptographic methods without rebuilding entire systems. Preparing for post-quantum security is not a future luxury, but a present governance challenge.
IoT: the invisible attack surface
Cyber risk is also expanding through the Internet of Things. Sensors, lab equipment, smart buildings and wearables are increasingly connected, often without being fully managed by IT security teams. Many devices lack long-term update mechanisms, creating hidden vulnerabilities.
New legislation, such as the EU Cyber Resilience Act, will force manufacturers to take responsibility for security updates throughout a product’s lifecycle. But institutions cannot outsource accountability. They must inventory their IoT assets, isolate networks and raise awareness among staff and students.
In research environments, especially, insecure devices can undermine both safety and data integrity.
Cloud security and shared responsibility
Cloud computing underpins much of modern education and research. Yet it also blurs responsibility. Security in the cloud is a shared responsibility between the provider and the user, and misunderstandings are common.
The report stresses the growing importance of zero-trust architectures, continuous monitoring and encryption across hybrid and multi-cloud environments. As institutions experiment with European and sovereign cloud alternatives, security becomes intertwined with questions of autonomy and compliance.
Shortages of skilled cybersecurity professionals further complicate matters. Awareness training for researchers and educators is no longer optional; it is a core component of institutional resilience.
Cybersecurity as a public value
Across all trends, SURF frames cybersecurity not just as protection, but as a public value. Without security, there is no trust. Without trust, there is no meaningful digital education or open research.
Cybersecurity choices affect inclusivity, autonomy and academic freedom. Overly restrictive measures can stifle collaboration; insufficient protection exposes communities to harm. The challenge is balance, and that balance must be governed rather than improvised.
The connective tissue of the digital future
In the context of the Tech Trends 2026 series, cybersecurity acts as connective tissue. AI, immersive technologies, data spaces and digital identities all depend on it. Cybersecurity weaknesses undermine other innovations.
The message from SURF is clear: resilience is not built through tools alone. It requires coordination, shared infrastructure, skills development and long-term thinking. Institutions that treat cybersecurity as a strategic capability rather than a technical afterthought will be better equipped to navigate an increasingly volatile digital landscape.
In a world where digital systems are no longer optional, cybersecurity is not merely about risk avoidance. It is about remaining in control.