NFCERT 2026 CTL: The Expanding Web of Cyber Threats: Supply Chains, Insiders, and the State-Crime Nexus in 2026

The Nordic Cyber Threat Landscape (CTL) 2026 report, published by Nordic Financial CERT (NFCERT) reveals a complex interplay between financially motivated criminals and state‑backed operators. Their methods differ, but their convergence around shared tools, infrastructures, and access points makes today’s digital ecosystem far more exposed. True defence in 2026 means knowing not just what you control, but who you depend on.

According to NFCERT’s general manager, Morten Drægni , “Our purpose remains clear: to support informed decision-making, enhance collective defences, and contribute to a shared understanding of the threats that challenge our sector.”

Click here to download the full report.

Ransom operations remain a global disruptor.

Despite intensified law enforcement efforts, ransom operations remain among the most profitable and persistent threats. The Ransomware‑as‑a‑Service (RaaS) model enables skilled operators and affiliates to scale efficiently, while ransom demands and multi‑layered extortion tactics have grown more aggressive. In the Nordics, financial institutions face heightened indirect consequences through third‑party service providers and interconnected vendors rather than direct targeting. For boards, ransomware isn’t just a technical risk; it’s a recurring business‑continuity threat.

Nation‑states exploit the same ecosystem.

State‑aligned actors increasingly borrow from the criminal playbook, using supply chains, managed service providers, and software dependencies as stealthier pathways into high‑value networks. Espionage, data collection, and strategic pre‑positioning inside critical infrastructure drive these intrusions, reflecting long‑term geopolitical priorities rather than short‑term financial gain.

Insiders amplify systemic exposure.

Malicious or coerced insiders are emerging as critical enablers across both criminal and state‑linked operations. Recruitment, often targeting financially stressed employees or contractors, is facilitated through online communities and fraudulent employment schemes. The human layer, such as trust, pressure, and persuasion, remains the enduring vulnerability that technology cannot fully defend.

The path forward: sustained trust and strategic foresight.

Resilience in 2026 isn’t about building higher walls. Trust remains the Nordic currency of confidence, and in the coming years, protecting it will define short-, medium-, and long-term cybersecurity strategy. In the past year, we have seen an increase in threat actors exploiting both technology and human relationships. Thus, resilience depends on governance and trust as much as security tools.

Boards must ensure oversight extends beyond the organisation’s perimeter, into its suppliers, workforce, and digital partners. In 2026, the defining question for boards is no longer if a breach will occur, but where trust might erode first.

Key Findings

  • Ransomware remains a dominant disruptor, sustained by Ransomware‑as‑a‑Service models that enable scalable, professionalised criminal operations.
  • Nation‑States increasingly mirror criminal tactics, exploiting shared infrastructure, supply chains, and trusted vendors to achieve strategic, long‑term objectives.
  • Insider threats are resurging, driven by financial stress, coercion, and targeted recruitment through fraudulent hiring or remote‑work channels.
  • Supply‑chain and third‑party dependencies magnify systemic risk, turning one compromised vendor into a potential domino effect across interconnected sectors.
  • Resilience now hinges on trust visibility, demanding stronger governance, cross‑sector collaboration, and strategic oversight beyond the organisational perimeter.

Download the 2026 NFCERT Cyber Threat Landscape Report

About NFCERT

Nordic Financial CERT is a nonprofit organisation governed and paid for by its members in the Nordic financial industry- e.g. banks, central banks, insurance companies, payment companies, pension companies and more. It acts as a hub for sharing and collaboration, both between members and their vendors, as well as through public/private partnerships with national cyber security centres, cyber-crime police, and more.

Press Inquiries

For interviews, contact Morten Drægni via +47932 17 153 or email morten.dragni@nfcert.org.

Press Image of Morten Drægni (Right-click to download)

Kreditering: Thomas Brun NTB / Kommunikasjon Fri Bruk NFCERT