Last month, the UK government issued a policy paper warning that should focus the minds of every PE investor in technology.
The document, titled Energy Sector Cyber Security Strategy, was direct: “The cyber threat has increasingly focused on critical national infrastructure systems, as hacktivist groups and high capability state actors strive to compromise these systems for political effect and propaganda victories.”
In Europe, PE investors are already targeting cybersecurity investments focused specifically on AI-driven threats to critical infrastructure and defense.
Eurazeo is one such investor that has made notable deals in the sector. Last month, the Paris-based firm invested in Nextron Systems, a Frankfurt-based cybersecurity group focused on threat intelligence and cyber forensics, offering software products designed to deal with advanced persistent cyber threats. The company gets 60% of its revenue from critical infrastructure, public sector and defense clients.
It previously backed the merger of Bridewella UK cybersecurity company specializing in national infrastructure, and French cybersecurity specialists I-Tracingalongside London-based Oakley Capital and Canada’s Sagard.
“Our interest in cybersecurity, particularly for critical infrastructure and defense, corresponds to a structural shift in the threat landscape,” said Jan Haase, managing director and head of the German-speaking DACH region in Eurazeo’s Elevate team, which targets the lower mid-cap segment.
Other PE investors in the space include Boston-based PSG Equitywhich last year backed Glasswalla UK group that uses patented technology to proactively rebuild files to eliminate risks such as malware and ransomware—a service used by government intelligence, defense, critical infrastructure and financial services clients.
AI has fundamentally upended the cybersecurity landscape.
Attacks that once required weeks of sophisticated preparation can now be executed in hours; phishing campaigns are generated at scale; synthetic voices can clone executives in real time; and ransomware-as-a-service has put advanced attack capabilities in the hands of low-skilled actors.
“Where it used to be opportunistic, it is now a lot more highly engineered operations, and as a result, we are seeing a lot more incidents across PE firms and their portfolio companies,” said Cecilie Oerting, director and head of cyber at Greenbrook.
Critical infrastructure is an area which is coming under increasing attack as we are in a world of heightened political tensions and nation-state actors
“When you get a press release talking about an acquisition or an investment in a new firm, that sort of information is now being used by the attackers. The impersonations are no longer a prince from Africa; they understand the history of the company,” said Simon Eyre, chief information security officer at Drawbridgewhich provides cybersecurity services to private markets firms.
According to Houlihan Lokey‘s Q4 2025 Cybersecurity Quarterly Update, non-human identities now outnumber human identities in the average enterprise by 144 to one in H1 2025, up from 92 to one just a year earlier. Most organizations have no clear framework for managing them.
“Whilst those threats are relevant to all businesses, critical infrastructure is an area which is coming under increasing attack as we are in a world of heightened political tensions and nation-state actors,” said Mark Smith, managing director at Houlihan Lokey.
The EU has committed €1.3 billion (about $1.5 billion) to invest in AI, cybersecurity and digital skills through the Digital Europe Programme between 2025 and 2027, including improving the resilience and security of critical infrastructure.
Alongside the funding, it has also introduced the NIS2 Directive and the Digital Operational Resilience Act, landmark cybersecurity frameworks that came into force in October 2024 and January 2025, respectively, making cybersecurity investment a legal obligation across critical sectors from energy and transport to financial services.
“Regulatory pressure, cyber insurance requirements and sovereign security concerns are driving sustained, non-discretionary spending in highly regulated sectors such as public infrastructure, energy, defense and government,” Eurazeo’s Haase said.
However, the barrier to entry is high. It can take many years for a company to obtain security clearances, regulatory credentials and local trust before winning a critical infrastructure client.
“They are less likely to buy on price, they need the best technologies, and therefore they are less price sensitive, because the critical thing for them is that they have the best,” Houlihan Lokey’s Smith said.
In Europe, that complexity is multiplied across languages, regulatory regimes and cultures of trust. But for PE investors, that’s the opportunity: the harder it is to win a critical infrastructure client, the harder it is for a competitor to take them away. .
