Anna Aisa Biarnés (ACAES): In 2026, the safety and security sector needs to demonstrate its added value more than ever before.
"In 2026, the safety and security sector needs to demonstrate its added value more than ever," says the manager of ACAES (Catalan Association of Security Companies).
The customer is not just be looking for "security", but for more efficient, better coordinated services adapted to changing risks. "This will affect installation and maintenance companies, alarm monitoring centres, surveillance companies and new services linked to cybersecurity.
What are ACAES' forecasts for the safety and security sector in Catalonia in 2026?
The forecasts for the security sector in Catalonia in 2026 are for sustained activity, but in a more demanding context than in previous years. Security can no longer be understood solely as surveillance, system installation or alarm response, but as a comprehensive service that combines prevention, technology, regulatory compliance, operational capability and professional confidence.
In Catalonia, the demand for security services will continue to be linked to several factors: economic activity, infrastructure protection, security in shops, industrial estates, communities, events, logistics centres and public buildings, as well as the increase in connected technological solutions. In addition, the social perception of security will continue to be a relevant issue. The public debate on citizen security in Catalonia is still very active, although it should be treated with rigour and without scaremongering, based on objective data.
ACAES believes that 2026 will be a year in which the sector will have to demonstrate its added value more than ever. The customer is not just be looking for "security", but for more efficient, better coordinated services adapted to changing risks. This will affect installation and maintenance companies as well as alarm monitoring centres, surveillance companies and new services linked to cybersecurity.
The labour framework must also be taken into account. The new State Collective Bargaining Agreement for Security Companies for the period 2026-2030 introduces relevant elements for the sector, including measures related to partial retirement and generational renewal of the workforce. This point is important because one of the structural challenges of the sector is to attract and retain professionals in an increasingly competitive labour market.
What other major challenges is the sector facing this year?
The first challenge will be the real professionalisation of the sector. Its role is increasingly preventive, technical and strategic. This requires better prepared companies, clearer procedures and more adaptable professionals.
The second challenge will be to attract and retain talent. The sector needs to recruit new generations, and also to improve the professional perception of many of its activities. In private security, rotation, 24/7 schedules, the ageing of part of the workforce and the need for ongoing training are all factors that directly affect the quality of service. Recent sectoral studies already point to talent recruitment, ongoing training and technological updating as key elements for the competitiveness of the sector.
The third challenge will be technological integration. Electronic security, smart video surveillance, connected systems, data analytics, remote monitoring, automation and cybersecurity are changing the way services are delivered. But here it is important to be clear: technology alone does not solve problems. A poor installation, an inadequate control centre or a poorly trained customer can turn a technological investment into a false sense of security.
The fourth challenge will be regulatory compliance. Security is a regulated and sensitive sector. Companies should pay attention to private security regulations, data protection, cybersecurity, risk prevention, subcontracting, certifications, maintenance and information custody, among other issues.
Another major challenge in 2026 will be the adaptation of the sector to the new requirements arising from the NIS2 Directive and the future Law on the Protection and Resilience of Critical Entities, currently being processed as a transposition of the European Directive CER 2022/2557. Both standards consolidate a key idea: security can no longer be separated between physical and digital security. The continuity of essential services will increasingly depend on the ability of organisations to prevent, withstand, respond to and recover from physical, technological or hybrid incidents.
For private security companies, this will have a double implication. On the one hand, some companies may be directly affected if they provide services considered relevant in critical or essential chains. On the other hand, even when they are not directly included as obliged entities, they will have to respond to greater demands from their clients: traceability, cybersecurity of installed systems, operational continuity, supplier control, information protection, incident management and documentary evidence of the services provided.
The NIS2 reinforces obligations on risk management, incident reporting, supply chain security and management accountability. This point is particularly important for the industry, because a security company can become a weak point if it manages alarms, video surveillance, access controls, communications or sensitive information without adequate measures. Cybersecurity will no longer be the exclusive domain of IT departments, but will become part of the minimum quality of any security service.
The future Law on the Protection and Resilience of Critical Entities will progressively replace the traditional focus on specific infrastructures with a broader model based on entities and the continuity of essential services. This will involve further risk analysis, resilience planning, coordination with competent authorities, preventive measures and resilience to major incidents. For the private security industry, this is an opportunity, and also a requirement: it will not be enough to provide services, it will be necessary to demonstrate that these services really contribute to the resilience of the client.
In this context, installation and maintenance companies will have to pay more attention to secure equipment configuration, credentials, upgrades, network segmentation, logging of interventions and documented maintenance. ARCs should strengthen their business continuity, platform protection, traceability of actions and response to technological incidents. Surveillance companies will need to be better integrated into emergency protocols, continuity and coordination with critical clients. And cybersecurity companies will be challenged to work in a more coordinated way with physical security.
ACAES believes that this regulatory change should not be seen solely as an administrative burden. Well managed, it can be an opportunity to raise the professional level of the sector, differentiate companies that work with rigour and reinforce the confidence of clients, administrations and citizens. The risk would be to address it late and merely comply formally. Real adaptation will require training, revised procedures, commensurate investment and a greater comprehensive security culture.
The fifth challenge will be public-private coordination. Private security does not replace public security, but rather complements it. In areas such as infrastructure, transport, events, retail, healthcare, corporate buildings or industrial estates, good coordination can make the difference between preventive action and a delayed response.
How will training and retraining in the sector be promoted?
Training will be one of the key themes of 2026. It will not be enough to meet the legal minimums. Companies that want to differentiate themselves should focus on more practical, continuous and specialised training. ACAES considers it necessary to promote three levels of training. The first is basic technical training, especially in regulations, installation, maintenance, protocols for action, customer service, risk prevention and documentation of interventions. In many cases, the difference between a good service and an excellent service lies in the quality of the procedure and traceability.
The second level is specialisation by activity. An installation technician, a central station operator, a security guard, a maintenance manager or a cybersecurity professional do not need the same training. Each area requires specific and up-to-date competences. The third level is cross-cutting training: communication, incident management, security culture, data protection, new technologies, responsible use of artificial intelligence and coordination with other actors. This point will become increasingly important because the risks are no longer separated. A physical intrusion can be linked to a technological failure, a misconfiguration, a weak password or a lack of protocol.
Retraining should be agile. We cannot rely solely on long, one-off courses. The sector needs more flexible formats: training capsules, simulations, practical sessions, short online training, regulatory updates and case studies. Training must be brought closer to day-to-day business, not separated from operational reality. In this regard, ACAES is working to offer our associated companies the necessary training, collaborating with private entities, with the Consorci per a la Formació Continua and with the Departments of the Interior and of Education of the Generalitat de Catalunya.
What specific challenges will the installation and maintenance sector face?
Installation and maintenance companies will face a particularly demanding year. Customers demand systems that are more connected, more integrated and easier to manage, but this increased connectivity also increases technical complexity and associated risks. The main challenges will be the correct configuration of systems, equipment upgrades, secure password management, documentation of installations, preventive maintenance and adaptation to new technological solutions. It will also be key to avoid installations that work "apparently well" but are not robust from a security point of view.
A key aspect will be the need to reinforce good practices in the commissioning, maintenance and replacement of equipment: change of default credentials, access control, logging of interventions, firmware updates and verification of communications. This is a point where the sector can improve a lot without the need for large investments, simply by applying method and professional responsibility. In this area, the impact of NIS2 will be particularly visible in supply chain security: choice of manufacturers, firmware upgrades, password management, remote access, technical documentation and the ability to prove that the installation does not introduce vulnerabilities to the customer.
What challenges will Alarm Receiving Centres face?
ARCs will be challenged to manage a greater volume of signals, more technological diversity and higher response expectations. The key will not only be to receive alarms, but to better distinguish between real signal, false alarm, technical failure, operational incident or emerging risk. The main challenges will be the reduction of false alarms, the improvement of protocols, the training of operators, the traceability of actions and the integration with video systems, access control and digital platforms. The quality of an ARC will increasingly depend on its ability to combine technology, human judgement and procedure. Operational resilience will also need to be strengthened. An ARC cannot afford continuity failures, communication problems or weaknesses in its internal systems. As a result, cybersecurity and business continuity will be increasingly linked to the operation of power plants.
What about the Surveillance sector?
In policing, the main challenge will be to dignify and specialise the function. The security officer cannot be seen as a passive presence. In many settings it is the first point of detection, prevention, care and response. During 2026 it will be necessary to reinforce training in conflict management, customer service, first aid, emergency response, coordination with law enforcement agencies, use of technology and reporting. Face-to-face monitoring will continue to be necessary, but will need to be better supported by technological tools and clear protocols. The lack of professional attractiveness of the sector will also need to be addressed. Without improved perception, stability and career development, it will be difficult to attract young talent. Generational change will not be achieved through staffing needs alone, but by offering a clearer and more valued career path.
What challenges will Cybersecurity face?
Cybersecurity will be one of the fastest growing areas and, at the same time, one of the areas most at risk of trivialisation. Many companies are starting to talk about cybersecurity, but not all of them have a real strategy yet. INCIBE data show the scale of the problem: more than 122,000 cybersecurity incidents were detected in 2025, with malware, ransomware and compromised IoT devices among the most relevant cases. This is especially important for the security sector, as more and more cameras, alarms, access controls and networked devices are becoming available.
The challenge will be to integrate cybersecurity into physical security. There is no point in securing a door if the access system is misconfigured, no point in installing cameras if they are exposed on the network, no point in connecting alarms if the credentials are still factory set. The convergence between physical and digital security is no longer a future trend: it is a present necessity.
By 2026, cybersecurity will no longer be an add-on and will become part of the minimum value proposition of many private security companies. Adaptation to NIS2 and critical entity resilience standards will require a review of how connected security systems are installed, maintained, monitored and documented.
What other issues are still outstanding in the security sector?
One issue that needs to be highlighted is the need for a greater preventive culture. Security cannot be limited to reacting when an incident occurs. It should be part of the day-to-day management of companies, communities, administrations and citizens. It will also be important to combat competition based on price alone. When security is contracted on cost alone, the result is often poorer service, less training, less maintenance and more risk. The sector needs to better explain the value of a well-delivered service.
Finally, 2026 should be a year to strengthen collaboration between associations, companies, administration, police forces, training centres and users. The security sector in Catalonia has technical capacity and experience, but it needs to move towards a more integrated, professional model adapted to new risks.
At ACAES, our role should be precisely that: to accompany companies, defend the professionalism of the sector, promote training, encourage good practices and help to ensure that security is understood as an investment in trust, continuity and protection.
In short, 2026 will be a year of transformation for the security sector in Catalonia. There will be opportunities, but also greater demands. Companies that invest in training, well-applied technology, regulatory compliance and professional quality will be better prepared. Those that continue to work with overly reactive or price-based models will have more difficulties.
The security of the future will be more technical, more connected and more collaborative. But it will still depend on something essential: well-trained professionals, responsible companies and a shared safety culture. ACAES invites all companies working in Catalonia to join the association to accompany them on this path.