Blog
/
Compliance
/
February 11, 2025

NIS2 Compliance: Interpreting 'State-of-the-Art' for Organisations

This blog explores key technical factors that define state-of-the-art cybersecurity. Drawing on expertise from our business, academia, and national security standards, outlining five essential criteria.
Written by
Livia Fries
Public Policy Manager, EMEA
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Livia Fries
Public Policy Manager, EMEA
Default blog image
11
Feb 2025

NIS2 Background

17 October 2024 marked the deadline for European Union (EU) Member States to implement the NIS2 Directive into national law. The Directive aims to enhance the EU’s cybersecurity posture by establishing a high common level of cybersecurity for critical infrastructure and services. It builds on its predecessor, the 2018 NIS Directive, by expanding the number of sectors in scope, enforcing greater reporting requirements and encouraging Member States to ensure regulated organisations adopt ‘state-of-the-art' security measures to protect their networks, OT and IT systems.  

Timeline of NIS2
Figure 1: Timeline of NIS2

The challenge of NIS2 & 'state-of-the-art'

Preamble (51) - "Member States should encourage the use of any innovative technology, including artificial intelligence, the use of which could improve the detection and prevention of cyberattacks, enabling resources to be diverted towards cyberattacks more effectively."
Article 21 - calls on Member States to ensure that essential and important entities “take appropriate and proportionate” cyber security measures, and that they do so by “taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation.”

Regulatory expectations and ambiguity of NIS2

While organisations in scope can rely on technical guidance provided by ENISA1 , the EU’s agency for cybersecurity, or individual guidelines provided by Member States or Public-Private Partnerships where they have been published,2 the mention of ‘state-of-the-art' remains up to interpretation in most Member States. The use of the phrase implies that cybersecurity measures must evolve continuously to keep pace with emerging threats and technological advancements without specifying what ‘state-of-the-art’ actually means for a given context and risk.3  

This ambiguity makes it difficult for organisations to determine what constitutes compliance at any given time and could lead to potential inconsistencies in implementation and enforcement. Moreover, the rapid pace of technological change means that what is considered "state-of-the-art" today will become outdated, further complicating compliance efforts.

However, this is not unique to NIS regulation. As EU scholars have noted, while “state-of-the-art" is widely referred to in legal text relating to technology, there is no standardised legal definition of what it actually constitutes.4

Defining state-of-the-art cybersecurity

In this blog, we outline technical considerations for state-of-the-art cybersecurity. We draw from expertise within our own business and in academia as well as guidelines and security standards set by national agencies, such as Germany’s Federal Office for Information Security (BSI) or Spain’s National Security Framework (ENS), to put forward five criteria to define state-of-the-art cybersecurity.

The five core criteria include:

  • Continuous monitoring
  • Incident correlation
  • Detection of anomalous activity
  • Autonomous response
  • Proactive cyber resilience

These principles build on long-standing security considerations, such as business continuity, vulnerability management and basic security hygiene practices.  

Although these considerations are written in the context of the NIS2 Directive, they are likely to also be relevant for other jurisdictions. We hope these criteria help organisations understand how to best meet their responsibilities under the NIS2 Directive and assist Competent Authorities in defining compliance expectations for the organisations they regulate.  

Ultimately, adopting state-of-the-art cyber defences is crucial for ensuring that organisations are equipped with the best tools to combat new and fast-growing threats. Leading technical authorities, such as the UK National Cyber Security Centre (NCSC), recognise that adoption of AI-powered cyber defences will offset the increased volume and impact of AI on cyber threats.5

State of the art cybersecurity in the context of NIS2

1. Continuous monitoring

Continuous monitoring is required to protect an increasingly complex attack surface from attackers.

First, organisations' attack surfaces have expanded following the widespread adoption of hybrid or cloud infrastructures and the increased adoption of connected Internet of Things (IoT) devices.6 This exponential growth creates a complex digital environment for organisations, making it difficult for security teams to track all internet-facing assets and identify potential vulnerabilities.

Second, with the significant increase in the speed and sophistication of cyber-attacks, organisations face a greater need to detect security threats and non-compliance issues in real-time.  

Continuous monitoring, defined by the U.S. National Institute of Standards and Technology (NIST) as the ability to maintain “ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions,”7 has therefore become a cornerstone of an effective cybersecurity strategy. By implementing continuous monitoring, organisations can ensure a real-time understanding of their attack surface and that new external assets are promptly accounted for. For instance, Spain’s technical guidelines for regulation, as set forth by the National Security Framework (Royal Decree 311/2022), highlight the importance of adopting continuous monitoring to detect anomalous activities or behaviours and to ensure timely responses to potential threats (article 10).8  

This can be achieved through the following means:  

All assets that form part of an organisation's estate, both known and unknown, must be identified and continuously monitored for current and emerging risks. Germany’s BSI mandates the continuous monitoring of all protocol and logging data in real-time (requirement #110).9 This should be conducted alongside any regular scans to detect unknown devices or cases of shadow IT, or the use of unauthorised or unmanaged applications and devices within an organisation, which can expose internet-facing assets to unmonitored risks. Continuous monitoring can therefore help identify potential risks and high-impact vulnerabilities within an organisation's digital estate and eliminate potential gaps and blind spots.

Organisations looking to implement more efficient continuous monitoring strategies may turn to automation, but, as the BSI notes, it is important for responsible parties to be immediately warned if an alert is raised (reference 110).10 Following the BSI’s recommendations, the alert must be examined and, if necessary, contained within a short period of time corresponding with the analysis of the risk at hand.

Finally, risk scoring and vulnerability mapping are also essential parts of this process. Continuous monitoring helps identify potential risks and significant vulnerabilities within an organisation's digital assets, fostering a dynamic understanding of risk. By doing so, risk scoring and vulnerability mapping allows organisations to prioritise the risks associated with their most critically exposed assets.

2. Correlation of incidents across your entire environment

Viewing and correlating incident alerts when working with different platforms and tools poses significant challenges to SecOps teams. Security professionals often struggle to cross-reference alerts efficiently, which can lead to potential delays in identifying and responding to threats. The complexity of managing multiple sources of information can overwhelm teams, making it difficult to maintain a cohesive understanding of the security landscape.

This fragmentation underscores the need for a centralised approach that provides a "single pane of glass" view of all cybersecurity alerts. These systems streamline the process of monitoring and responding to incidents, enabling security teams to act more swiftly and effectively. By consolidating alerts into a unified interface, organisations can enhance their ability to detect and mitigate threats, ultimately improving their overall security posture.  

To achieve consolidation, organisations should consider the role automation can play when reviewing and correlating incidents. This is reflected in Spain’s technical guidelines for national security regulations regarding the requirements for the “recording of activity” (reinforcement R5).12 Specifically, the guidelines state that:  

"The system shall implement tools to analyses and review system activity and audit information, in search of possible or actual security compromises. An automatic system for collection of records, correlation of events and automatic response to them shall be available”.13  

Similarly, the German guidelines stress that automated central analysis is essential not only for recording all protocol and logging data generated within the system environment but also to ensure that the data is correlated to ensure that security-relevant processes are visible (article 115).14

Correlating disparate incidents and alerts is especially important when considering the increased connectivity between IT and OT environments driven by business and functional requirements. Indeed, organisations that believe they have air-gapped systems are now becoming aware of points of IT/OT convergence within their systems. It is therefore crucial for organisations managing both IT and OT environments to be able to visualise and secure devices across all IT and OT protocols in real-time to identify potential spillovers.  

By consolidating data into a centralised system, organisations can achieve a more resilient posture. This approach exposes and eliminates gaps between people, processes, and technology before they can be exploited by malicious actors. As seen in the German and Spanish guidelines, a unified view of security alerts not only enhances the efficacy of threat detection and response but also ensures comprehensive visibility and control over the organisation's cybersecurity posture.

3. Detection of anomalous activity  

Recent research highlights the emergence of a "new normal" in cybersecurity, marked by an increase in zero-day vulnerabilities. Indeed, for the first time since sharing their annual list, the Five Eyes intelligence alliance reported that in 2023, the majority of the most routinely exploited vulnerabilities were initially exploited as zero-days.15  

To effectively combat these advanced threats, policymakers, industry and academic stakeholders alike recognise the importance of anomaly-based techniques to detect both known and unknown attacks.

As AI-enabled threats become more prevalent,16 traditional cybersecurity methods that depend on lists of "known bads" are proving inadequate against rapidly evolving and sophisticated attacks. These legacy approaches are limited because they can only identify threats that have been previously encountered and cataloged. However, cybercriminals are constantly developing new, never-before-seen threats, such as signatureless ransomware or living off the land techniques, which can easily bypass these outdated defences.

The importance of anomaly detection in cybersecurity can be found in Spain’s technical guidelines, which states that “tools shall be available to automate the prevention and response process by detecting and identifying anomalies17” (reinforcement R4 prevention and automatic response to "incident management”).  

Similarly, the UK NCSC’s Cyber Assessment Framework (CAF) highlights how anomaly-based detection systems are capable of detecting threats that “evade standard signature-based security solutions” (Principle C2 - Proactive Security Event Discovery18). The CAF’s C2 principle further outlines:  

“The science of anomaly detection, which goes beyond using pre-defined or prescriptive pattern matching, is a challenging area. Capabilities like machine learning are increasingly being shown to have applicability and potential in the field of intrusion detection.”19

By leveraging machine learning and multi-layered AI techniques, organisations can move away from static rules and signatures, adopting a more behavioural approach to identifying and containing risks. This shift not only enhances the detection of emerging threats but also provides a more robust defence mechanism.

A key component of this strategy is behavioral zero trust, which focuses on identifying unauthorized and out-of-character attempts by users, devices, or systems. Implementing a robust procedure to verify each user and issuing the minimum required access rights based on their role and established patterns of activity is essential. Organisations should therefore be encouraged to follow a robust procedure to verify each user and issue the minimum required access rights based on their role and expected or established patterns of activity. By doing so, organisations can stay ahead of emerging threats and embrace a more dynamic and resilient cybersecurity strategy.  

4. Autonomous response

The speed at which cyber-attacks occur means that defenders must be equipped with tools that match the sophistication and agility of those used by attackers. Autonomous response tools are thus essential for modern cyber defence, as they enable organisations to respond to both known and novel threats in real time.  

These tools leverage a deep contextual and behavioral understanding of the organisation to take precise actions, effectively containing threats without disrupting business operations.

To avoid unnecessary business disruptions and maintain robust security, especially in more sensitive networks such as OT environments, it is crucial for organisations to determine the appropriate response depending on their environment. This can range from taking autonomous and native actions, such as isolating or blocking devices, or integrating their autonomous response tool with firewalls or other security tools to taking customized actions.  

Autonomous response solutions should also use a contextual understanding of the business environment to make informed decisions, allowing them to contain threats swiftly and accurately. This means that even as cyber-attacks evolve and become more sophisticated, organisations can maintain continuous protection without compromising operational efficiency.  

Indeed, research into the adoption of autonomous cyber defences points to the importance of implementing “organisation-specific" and “context-informed” approaches.20  To decide the appropriate level of autonomy for each network action, it is argued, it is essential to use evidence-based risk prioritisation that is customised to the specific operations, assets, and data of individual enterprises.21

By adopting autonomous response solutions, organisations can ensure their defences are as dynamic and effective as the threats they face, significantly enhancing their overall security posture.

5. Proactive cyber resilience  

Adopting a proactive approach to cybersecurity is crucial for organisations aiming to safeguard their operations and reputation. By hardening their defences enough so attackers are unable to target them effectively, organisations can save significant time and money. This proactive stance helps reduce business disruption, reputational damage, and the need for lengthy, resource-intensive incident responses.

Proactive cybersecurity incorporates many of the strategies outlined above. This can be seen in a recent survey of information technology practitioners, which outlines four components of a proactive cybersecurity culture: (1) visibility of corporate assets, (2) leveraging intelligent and modern technology, (3) adopting consistent and comprehensive training methods and (4) implementing risk response procedures.22 To this, we may also add continuous monitoring which allows organisations to understand the most vulnerable and high-value paths across their architectures, allowing them to secure their critical assets more effectively.  

Alongside these components, a proactive cyber strategy should be based on a combined business context and knowledge, ensuring that security measures are aligned with the organisation's specific needs and priorities.  

This proactive approach to cyber resilience is reflected in Spain’s technical guidance (article 8.2): “Prevention measures, which may incorporate components geared towards deterrence or reduction of the exposure surface, should eliminate or reduce the likelihood of threats materializing.”23 It can also be found in the NCSC’s CAF, which outlines how organisations can achieve “proactive attack discovery” (see Principle C2).24 Likewise, Belgium’s NIS2 transposition guidelines mandate the use of preventive measures to ensure the continued availability of services in the event of exceptional network failures (article 30).25  

Ultimately, a proactive approach to cybersecurity not only enhances protection but also lowers regulatory risk and supports the overall resilience and stability of the organisation.

Looking forward

The NIS2 Directive marked a significant regulatory milestone in strengthening cybersecurity across the EU.26 Given the impact of emerging technologies, such as AI, on cybersecurity, it is to see that Member States are encouraged to promote the adoption of ‘state-of-the-art' cybersecurity across regulated entities.  

In this blog, we have sought to translate what state-of-the-art cybersecurity may look like for organisations looking to enhance their cybersecurity posture. To do so, we have built on existing cybersecurity guidance, research and our own experience as an AI-cybersecurity company to outline five criteria: continuous monitoring, incident correlation, detection of anomalous activity, autonomous response, and proactive cyber resilience.

By embracing these principles and evolving cybersecurity practices in line with the state-of-the-art, organisations can comply with the NIS2 Directive while building a resilient cybersecurity posture capable of withstanding evolutions in the cyber threat landscape. Looking forward, it will be interesting to see how other jurisdictions embrace new technologies, such as AI, in solving the cybersecurity problem.

NIS2 white paper

Get ahead with the NIS2 White Paper

Get a clear roadmap for meeting NIS2 requirements and strengthening your cybersecurity posture. Learn how to ensure compliance, mitigate risks, and protect your organization from evolving threats.

Download Here!

References

[1] https://www.enisa.europa.eu/publications/implementation-guidance-on-nis-2-security-measures

[2] https://www.teletrust.de/fileadmin/user_upload/2023-05_TeleTrusT_Guideline_State_of_the_art_in_IT_security_EN.pdf

[3] https://kpmg.com/uk/en/home/insights/2024/04/what-does-nis2-mean-for-energy-businesses.html

[4] https://orbilu.uni.lu/bitstream/10993/50878/1/SCHMITZ_IFIP_workshop_sota_author-pre-print.pdf

[5]https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat

[6] https://www.sciencedirect.com/science/article/pii/S2949715923000793

[7] https://csrc.nist.gov/glossary/term/information_security_continuous_monitoring

[8] https://ens.ccn.cni.es/es/docman/documentos-publicos/39-boe-a-2022-7191-national-security-framework-ens/file

[9] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/KRITIS/Konkretisierung_Anforderungen_Massnahmen_KRITIS.html

[10] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/KRITIS/Konkretisierung_Anforderungen_Massnahmen_KRITIS.html

[12] https://ens.ccn.cni.es/es/docman/documentos-publicos/39-boe-a-2022-7191-national-security-framework-ens/file

[13] https://ens.ccn.cni.es/es/docman/documentos-publicos/39-boe-a-2022-7191-national-security-framework-ens/file

[14] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/KRITIS/Konkretisierung_Anforderungen_Massnahmen_KRITIS.html

[15] https://therecord.media/surge-zero-day-exploits-five-eyes-report

[16] https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat

[17] https://ens.ccn.cni.es/es/docman/documentos-publicos/39-boe-a-2022-7191-national-security-framework-ens/file

[18] https://www.ncsc.gov.uk/collection/cyber-assessment-framework/caf-objective-c-detecting-cyber-security-events/principle-c2-proactive-security-event-discovery

[19] https://www.ncsc.gov.uk/collection/cyber-assessment-framework/caf-objective-c-detecting-cyber-security-events/principle-c2-proactive-security-event-discovery

[20] https://cetas.turing.ac.uk/publications/autonomous-cyber-defence-autonomous-agents

[21] https://cetas.turing.ac.uk/publications/autonomous-cyber-defence-autonomous-agents

[22] https://www.researchgate.net/publication/376170443_Cultivating_Proactive_Cybersecurity_Culture_among_IT_Professional_to_Combat_Evolving_Threats

[23] https://ens.ccn.cni.es/es/docman/documentos-publicos/39-boe-a-2022-7191-national-security-framework-ens/file

[24] https://www.ncsc.gov.uk/collection/cyber-assessment-framework/caf-objective-c-detecting-cyber-security-events/principle-c2-proactive-security-event-discovery

[25] https://www.ejustice.just.fgov.be/mopdf/2024/05/17_1.pdf#page=49

[26] ENISA, NIS Directive 2

Written by
Livia Fries
Public Policy Manager, EMEA
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Livia Fries
Public Policy Manager, EMEA

How Attackers Abuse the Chinese Nezha Monitoring Tool

Network
June 10, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
Trending blogs
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL
May 26, 2026
4
How to Evaluate AI Vendors: 5 Key categories for AI Adoption
May 27, 2026
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Compliance
May 22, 2026

The CIP-015 Countdown: What Utilities Should Be Doing Before October 2028

CIP-015 is pushing utilities beyond perimeter security toward continuous internal network visibility. This blog explores what the standard requires, why anomaly detection and evidence retention matter, and how utilities can build a defensible INSM capability before the October 2028 compliance deadline.
Jeffrey Macre
Principal Industrial Security Solutions Architect
Read more
Compliance
November 25, 2025

UK Cyber Security & Resilience Bill: What Organizations Need to Know

The Government has introduced the UK’s Cyber Security and Resilience Bill (CSRB) to Parliament, which modernises the framework for Critical National Infrastructure first established under the 2018 NIS Regulations. The CSRB broadens the scope of regulated organisations, introduces a faster two-stage incident reporting model, strengthens oversight of supply chain risk and gives the UK government greater agility to make updates through secondary legislation as technology and threats evolve.
The Darktrace Community
Read more
Compliance
September 22, 2025

Understanding the Canadian Critical Cyber Systems Protection Act

The Canadian federal Government introduced Bill C-8 which would enact the Critical Cyber Systems Protection Act (CCSPA). The CCSPA will formalize baseline cybersecurity duties for operators in federally regulated critical sectors.
The Darktrace Community
Read more

Blog

/

AI

/

June 11, 2026

Cybersecurity for the Sports Sector: The Threats Facing a Digitized Industry in 2026

Sports Stadium cybersecurityDefault blog imageDefault blog image

Securing sporting events in 2026

When you walk into a stadium on game day, you are entering a small smart city. Ticketing, turnstiles, payments, public Wi-Fi for tens of thousands of fans, CCTV, lighting, even the HVAC all run on connected systems. The experience for fans has become unmatched, but that dependency has created a much larger attack surface than people may realize.

Our latest threat research backs that up. In the past year, a survey that Darktrace commissioned found that 84% of respondents from professional sports organizations had at least one cyber incident, and 57% were hit more than once. For a sector that relies on the impact of the live moment, those numbers translate directly into operational risk.

Why sports is a target for cyber attacks

Sport is a highly visible target with fixed timelines, so attackers know exactly when disruption will have the most impact. It also holds valuable data, athlete medical records, contracts, sponsorship deals, which carry financial, reputational, and regulatory risk if exposed. At the same time, delivery depends on a wide set of third parties: ticketing providers, broadcasters, cloud services, stadium technology. Any of those connections can become an entry point. Put visibility, timing, data, and dependency together, and you get an environment where even a small foothold can turn into a visible, time-critical incident.

How attackers target email and identity

Email and identity remain the front door. From October 2025 through March 2026, Darktrace / EMAIL™ detected more than 116,000 phishing emails aimed at sports organizations across our customer base, and our sports customers received 19% more phishing emails than organizations in other sectors. The numbers tell the story:

BY THE NUMBERS

  • 21% of phishing emails were aimed at VIPs.
  • 37% used novel social engineering.
  • 84% of malicious emails passed DMARC authentication

A large proportion of these emails passed authentication checks, which means traditional security controls are no longer a reliable barrier. Attackers are not relying on spoofed domains – they're using legitimate infrastructure and trusted platforms. Behavior matters. Once an account is compromised, the behavior shifts quickly. Login patterns change, inbox rules are created to hide responses, and accounts start being used for internal discovery or further phishing. These aren’t high-noise events. They sit in normal workflows, which is why they’re often missed.

Ransomware tells a similar story. In one case inside a sports deployment, attackers had quietly been moving data to an outside server for a full two weeks before they triggered encryption. By the time the ransom note appeared, the outcome was already set. That sequence shows up consistently is access first, movement next, disruption last. If detection starts at encryption, it’s already too late.

Why AI is an emerging blind spot in sports

The increasing adoption of AI is expanding the potential attack surface. 72% of the security professionals we surveyed expect AI to increase their cyber risk over the next year, and yet 35% are already using or planning to use it in stadium operations, the most critical functions to protect. In addition to prompt injection and AI build risks, shadow AI is becoming a more immediate issue. Staff are already putting sensitive data—performance metrics, scouting reports, contracts, health data—into tools with little or no governance. The upside is clear, but so is the exposure—and it is happening before most organizations have any visibility or control. At the same time, attackers are using the same technology to scale phishing and social engineering. The net effect is simple: more exposure, at higher speed.

How can cybersecurity professionals prepare

Across high profile events, Darktrace’s experience shows that effective cyber defense includes preparation, real‑time visibility, and the ability to respond dynamically and decisively when timing, complexity, and public exposure converge.

There are a few strategic implications for cybersecurity teams:

  • Get behavioral visibility across IT and OT, not just corporate systems.
  • Treat identity as your control plane. Most attacks in this sector start with credentials, not malware. MFA with behavioral detection helps solve that challenge.
  • Control third party and AI access the same way you control your own environment.
  • Rehearse response for live conditions, where decisions happen in minutes. Detection and response need to account for non-ideal conditions when engineers are under pressure and time constrained. In sport, timing is what turns small issues into major incidents. The same activity that would be manageable midweek becomes critical during a live event.

Why 2026 raises the cybersecurity stakes for sports

With the 2026 World Cup about to stretch across three countries and dozens of host cities, the attack surface is wide and the schedule is unforgiving.

Geopolitical signaling is raising the threat profile further. Previous international sporting events have demonstrated that nation‑state actors use the cyber domain to signal intent, influence narratives, or retaliate symbolically. In the context of the 2026 World Cup, Russia’s continued exclusion from international sport, the ongoing conflict in Ukraine, US defensive support to Ukraine, and Iran’s likely participation in the tournament introduce additional motivations for state‑aligned and non‑traditional affiliated actors to operate below the threshold of armed conflict. This doesn’t require new techniques—just the right timing and visibility.

In practice, this comes down to preparation: knowing what normal looks like across IT and OT, controlling third-party access, and spotting when behavior shifts.

In sport, disruption does not build slowly—it happens in real time and in public. By that point, the groundwork has already been set, long before the whistle goes.

About this research

Findings are based on Darktrace threat-research telemetry across sports-sector customer deployments (Q4 2025–Q1 2026) and a survey of 875 IT cybersecurity professionals in the US, UK, Australia, and Germany, fielded by Opinion Matters between May 28 and June 3, 2026. Read the full report for complete methodology, incident analysis, and strategic recommendations.

[related-resource]

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

OT

/

June 11, 2026

Protecting Stadiums & Events with AI

Default blog imageDefault blog image

Stadium and large public venue operators are confronted with a unique set of cyber security challenges. Often described as a ‘honeypot’ for cyber-criminals, the sports and entertainment industry is an attractive target for threat actors for three main reasons:

  • Modern sports organizations process sensitive and highly valuable data at scale;
  • Sporting events are highly visible and time-critical, operating in front of live audiences with no room for error;
  • Sports organizations rely on sprawling vendor ecosystems and supply chains to deliver broadcast, commerce, fan engagement services, and more.

In a recent Darktrace-commissioned survey, 84% of professional sports organizations reported at least one cyber incident in the past year, and 57% were hit more than once [1]. The potential ramifications of cyber disruption during a large-scale sports event cannot be overstated. A momentary lapse in access to power could bring TV broadcasts to a halt; disruption to access controls could restrict fans from entering the grounds; CCTV outages could increase the risk of criminal behavior and physical injuries. If data is not reliable and stadium machines are outputting the wrong metrics, a venue could become dangerously overcrowded. The barrier between the cyber and physical worlds has long dissolved – cyber-attacks threaten human safety.

In this blog, I explore the key challenges of stadium cyber security and explain the unique capabilities of Self-Learning AI that led me to adopt Darktrace as a head of ICT and cyber security for international venues and events. Over my career I have helped secure football and rugby World Cups, World Athletics Championships and more than 500 events ,and the lessons from each have only sharpened my conviction in this approach.

The access paradox

The biggest challenge lies in the paradox of securing a site where various internal services are provided to a large number of unknown and unmanaged users, suppliers and devices. When it’s game time, or ‘D-Day’, you see a huge influx of thousands of people, each with their own devices, needing to connect to your network and your infrastructure. The floodgates are opened. But certain parts of your digital environment need to remain protected: your sensitive employee and customer data, your critical OT systems. I liken this to opening the door to your home, and letting the entire town come in and wander around. But you still need to secure your master bedroom.

A multitude of different actors must be able to work on-site to provide services or content during the event. Broadcasters, staff and suppliers need to have access to manage the show, and all these people need to access or interact with the IT infrastructure. In many ways, these additional bodies are already inside the perimeter and could host unknown malicious threats.

This year, the paradox is wider than ever. A tournament spread across hundreds of suppliers and vendors means the foothold an attacker needs may already belong to a trusted partner – a single compromised supplier can become the doorway to everything else. And the adversary is no longer working alone: generative AI now lets attackers probe and weaponize vulnerabilities across thousands of software dependencies at a speed no human team could match, turning the access paradox from a manageable risk into a fast-moving target.

Achieving this balance between accessibility and security requires a shift in mindset from perimeter-based security to one that can detect and respond to threats on the inside. The complexities involved requires technology that can identify malicious behavior in real time based on the wider context of an incident. A particular behavior or connection may be benign in one context and yet critically disruptive in another — tools and technology must be able to discern between the two.

This is why I considered Darktrace’s Self-Learning AI a suitable fit: rather than defending at the perimeter, it focuses on detecting and responding to malicious activity already inside. Because it learns the unique ‘patterns of life’ of its surroundings, it can detect subtle deviations that indicate a threat and initiate a targeted response – without relying on pre-programmed rules and playbooks.

IT/OT convergence

The second key challenge is the issue of IT and OT convergence. Typical stadiums and arenas consist of a wide range of Industrial Control Systems (ICS).

This involves a complex and messy array of switches, cables, CCTV cameras, as well as devices and technologies being brought in by the media and the press, and all these IT and OT components are now interconnected, which means these technologies now have Internet Protocol (IP)-based threats to manage. The same challenges that the corporate infrastructure for stadium management faces in cyber security are therefore also now an issue for ICS security.

This challenge cannot be addressed by viewing IT and OT security in isolation — these two environments are linked because of the analogue migration to IP. A unified approach is required to detect and respond to threats that start in IT before moving to industrial systems.

The stakes are physical. CCTV, Access Control, Public Annoucement system, lighting and the giant screens are all now running over IP, and a disruption to any of them can force a venue to halt play on safety grounds. Scale compounds the problem. At the Qatar 2022 World Cup, eight stadiums were purpose-built to a single technical standard, which made the digital environment relatively uniform to defend. The 2026 tournament is the opposite: dozens of host venues across three countries, each with its own operator, its own contractors and its own legacy systems.This creates a far more fragmented and unpredictable estate to secure.

In addition, cyber security technology must be able to deal with complexity. Darktrace’s AI thrives in the most complex environments, with more data points adding more context to inform the AI’s decision making. It covers OT and IT with a single, unified AI engine, that can also detect and respond across cloud infrastructure, SaaS applications, email systems and endpoints. It is ready to adapt to the messy, interconnected systems that make up large stadiums’ digital infrastructure.

The time factor

Finally, the nature of stadium events means that timing is critical and puts enormous pressure on the organizers and operators. ‘D-Day’ cannot be replayed or postponed, and so if cyber disruption occurs during the event, every minute is crucial. You cannot reschedule a World Cup final or move an opening ceremony; the date is fixed, the world is watching, and there is no second take.

There is consequently a strong emphasis on two key metrics

  • Mean Time To Know (MTTK) — how long it takes the security team need to be aware of an incident; and
  • Mean Time To Restore (MTTR) — how quickly a team can act to contain the threat.

It is perhaps more imperative in stadium event management than anywhere else that these two metrics be minimized.

This leads to the third criteria in assessing cyber security technology: does it help with response? And critically, can that response be nuanced and targeted, able to contain that threat without causing further disruption?

To this end, Darktrace’s Autonomous Response takes machine-speed action to contain cyber-attacks, when humans are too slow to react or aren’t around at all. It’s powered by Darktrace’s AI, so it has a nuanced and continuously updating understanding of what’s ‘normal’ across IT and OT systems. This means its response actions are targeted: designed to eliminate the threat, but not at the cost of disruption. Crucially, this enables responses that are surgical rather than blunt. For example, taking an entire server offline to stop a ransomware attack can cause more disruption than the attack itself, so the real value lies in neutralizing the malicious activity precisely — containing the threat without taking down the systems the event and business depends on.

Depending on the nature and severity of the threat, the technology can block specific malicious connections by enforcing the normal ‘pattern of life’ of a device or account. When every second counts, this is the speed and granularity that you need in a cybersecurity technology.

Darktrace can be deployed across every area of the digital enterprise, including network, email, cloud and SaaS environments with the same self-learning approach, stopping anomalous behaviors that point to account takeover and other cloud-based threats. Earlier this year, we announced that Darktrace is also extending its behavioral approach to help businesses deploy and scale AI securely by understanding how these AI systems and agents behave, interact with other systems and humans, and evolve over time. This is critical because 72% of cybersecurity professionals at sports organizations believe AI will increase their cyber risk over the next 12 months [2].

Wherever it is deployed, Darktrace allows the stadium operator to focus on the vital part of the game and offers real-time protection without any modification in the network topology or infrastructure.

An adaptive defense

Cyber-criminals are constantly developing their approach in an attempt to evade security tools trained to look for specific hallmarks of an attack. As they get creative and continuously experiment with new tactics and techniques, the human operators using these tools are forced into a constant state of catch up.

An AI-based approach that learns an organization and its normal behavior patterns from the ground up puts an end to this game of ‘cat and mouse’, shifting the balance in favor of the defenders and allowing them to stay ahead of the threat. This matters more than ever, because adversaries are now using AI to scale their attacks. If you do not have AI working to protect you against malicious AI, you are already at a disadvantage.

With a nuanced understanding of what’s ‘normal’ for the business, unified IT/OT coverage, and an Autonomous Response solution that takes immediate, surgical action, the playing field is leveled, and large stadium and events operators can focus on delivering the best possible experience for attendees, digital viewers, partners and performers.

References:

[1] [2] Darktrace: Cybersecurity in Global Sport, June 2026. Findings based on survey of 875 IT cybersecurity professionals based in the US, UK, Australia and Germany, working in professional sports organizations (including clubs, societies & sporting bodies) employing 10+ people. The survey was fielded between May 28, 2026 and June 3, 2026 by independent market research agency, Opinion Matters.

Continue reading
About the author
Karim Benslimane
VP, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI