- Capacity reports EY finds telco cybersecurity “under-prepared” for fast-evolving AI threats; only 59% have robust AI-risk methods vs 66% cross-sector.
- “Ineffective transformation” and geopolitics climb the agenda as legacy switch-offs and supply chains add operational exposure.
What happened: EY flags trust, AI and geopolitics as headline risks
Capacity summarises EY’s new “Top 10 risks in telecommunications” for 2026: the sector is under-prepared for AI-era cyber threats, while “privacy, security and trust” remains the top risk. EY says telcos trail other industries on measures like internal audits, AI ethics policies and third-party attestations; just 59% report a robust AI-risk methodology (vs 66% overall). Budget constraints (55%), balancing cyber with innovation speed (40%) and limited CISO input (36%) compound the gap.
EY also elevates “ineffective transformation through new technologies” and adds an “evolving geopolitical environment” to the top-five, with divergent AI investment signals: 33% of telcos plan to accelerate spend, 32% are re-thinking it. Legacy IT and network switch-offs require careful risk management to avoid outages and customer churn.
Also read: Colt cyberattack disrupts services across Europe
Also read: Bouygues Telecom breach exposes 6 million customers’ data
Why it’s important
For operators, EY’s list underscores a widening execution gap: boards want AI-driven efficiency, but controls, talent and governance lag. EY’s latest telecom report paints a sobering picture. Many executives talk up the promise of AI, but few have built the systems to manage it safely. Controls lag, expertise is thin, and governance frameworks remain patchy. The outcome is predictable: rising exposure to breaches and declining public confidence. Add geopolitical limits on data and hardware, and operators face rising programme costs and slower returns.
Fixing this requires less talk and more structure. Assign risk at the enterprise level, protect cyber budgets from cuts, and set tangible safety measures such as audit trails, independent testing, and public progress tracking. Hard metrics like incident response time or RPKI compliance say far more about readiness than marketing slogans. Until those appear, stakeholders will keep asking whether transformation is a sound investment — or just another layer of risk in disguise.
