The Digital Pitch: Cybersecurity Risks and Governance in Professional Football

Cybersecurity has become a defining pillar of operational resilience for elite sports organisations, far from the pitch itself. Professional football is undergoing rapid digital transformation, embracing AI-driven analytics, cloud-hosted infrastructure and connected stadium technology. As a result, clubs have become data-rich commercial entities with a wide attack surface that cybercriminals can exploit.

The Premier League’s partnership with Microsoft, announced in July 2025 and making Microsoft its official cloud and AI partner, highlights the scale and the stakes of this transformation. Under the collaboration the Premier League migrated its core technology infrastructure to the cloud and launched the Premier League Companion, a Copilot-powered app that provides real-time insights to fans. Innovative as such programmes are, they expand the digital estate that clubs and governing bodies must actively secure.

Football clubs participating in competitions as prestigious as the Premier League and the UEFA Champions League attract a spectrum of threat actors: organised cybercriminal networks, hacktivists and nation-state actors. These actors are motivated by the commercial value and geopolitical visibility that elite professional football commands. For these reasons there is an onus on clubs and federations to implement robust cybersecurity frameworks that are proportionate to the risks they face.

Where are these risks present?

Data Privacy: Athlete and Customer Data

Biometric data routinely collected from players through performance wearables tracking fitness and recovery metrics is an acutely sensitive category. A breach involving this information is not merely a commercial and reputational problem; it is also a legal one.

Under the UK GDPR, clubs processing biometric data must operate a framework that implements the data protection principles, particularly the integrity and confidentiality principle (Article 5(1)(f)). This requires personal data to be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Biometric data processed for the purpose of uniquely identifying an individual falls within the special categories of Article 9, so a club must also satisfy one of the Article 9(2) conditions before processing it. Fitness and recovery metrics are also likely to qualify as data concerning health, which is a special category in its own right even where the data identifies no one biometrically.

Clubs also have an operational obligation to implement appropriate technical and organisational measures to secure the data (Article 32). Were a breach to occur, a club must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and, where the breach is likely to result in a high risk, inform the affected individuals without undue delay (Articles 33 and 34).

Under domestic law the Data Protection Act 2018 underpins these requirements, and the ICO’s published guidance on biometric data sets out the practical expectations that organisations such as football clubs are expected to meet. At the industry level, the FA’s data protection guidance, the Premier League’s data compliance rules (Rule L.8) and the EFL Data Protection Requirements impose additional obligations on clubs to maintain governance structures that are fit for purpose.

Player agreements may also embed contractual obligations governing the collection, processing and use of player performance data.

Business Email Compromise (BEC)

Business Email Compromise has become one of the most damaging and fastest-evolving attack vectors in professional football. Elite clubs are prime targets because of the high-value transactions they routinely conduct, from multi-million pound transfer negotiations to major sponsorship agreements.

The UK National Cyber Security Centre’s 2020 report on the cyber threat to sports organisations described how the email account of an unnamed Premier League club’s Managing Director was compromised during a transfer negotiation, with the attackers attempting to divert a £1 million transfer payment; the attempt was caught only by the club’s bank (NCSC, 2020). In a separate incident, an EFL club suffered a ransomware attack in which almost all end-user devices were encrypted, corporate email was disabled and stadium CCTV and turnstile systems stopped working, very nearly forcing a fixture to be cancelled; the attackers demanded approximately 400 Bitcoin (NCSC, 2020). The same report found that around 70% of sports organisations had experienced a breach or security incident, that 30% had recorded more than five incidents in a 12-month period, and that the largest single financial loss was over £4 million (NCSC, 2020).

A successful BEC attack usually exposes a gap in foundational technical controls, or a business process that allowed a single mailbox to authorise a payment. Clubs should therefore evaluate their implementation of controls such as:

  • Multi-factor authentication (MFA) on email and financial systems, preferably phishing-resistant methods (FIDO2 security keys or passkeys), since one-time codes and push approvals can be relayed or fatigued by an attacker.
  • Email authentication (SPF, DKIM and DMARC) so that mail forging the club’s own domain is rejected. A DMARC policy of p=none only monitors and blocks nothing, and none of these protocols stop a lookalike domain or a genuine mailbox that has already been taken over, as in the NCSC transfer case above.
  • Privileged access controls on high-value accounts (finance, board, transfer negotiators), including alerts on new mailbox forwarding or inbox rules, a common persistence step in BEC.
  • Monitoring and anomaly detection for unusual login or transaction activity, such as a sign-in from a new country or device followed shortly by a request to change payee bank details.
  • Out-of-band verification of any new or changed payment instructions, by telephone to a number already on file, before funds are released.
  • Staff training on phishing and social engineering at all levels of the organisation, including the board.
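As an added example that is not part of the original article, the following Python script evaluates the SPF and DMARC posture of a sending domain. The TXT records and domain names (weakclub.example, strongclub.example, noauth.example) are constructed for illustration; in practice they would be fetched from DNS. It shows why records that merely exist do not protect a domain: a DMARC p=none or an SPF +all leaves the club spoofable.

```python
"""Evaluate the SPF and DMARC posture of a sending domain.

Added example: the TXT records below are constructed for hypothetical domains.
In practice they would be fetched from DNS (e.g. with dnspython:
dns.resolver.resolve(name, "TXT")). DKIM is not assessed here because its
selectors are not discoverable without seeing a signed message.
"""

# Constructed sample TXT records for hypothetical domains (not real clubs).
SAMPLE_TXT = {
    "weakclub.example": [
        "v=spf1 include:spf.protection.outlook.com include:_spf.ticketing.example ~all"
    ],
    "_dmarc.weakclub.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weakclub.example"],
    "strongclub.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.strongclub.example": [
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strongclub.example"
    ],
    "noauth.example": ["google-site-verification=abc123"],
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def parse_dmarc_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def costs_dns_lookup(term: str) -> bool:
    """True for SPF terms that consume one of the 10 permitted DNS lookups."""
    t = term.lower().lstrip("+-~?")
    return t in ("a", "mx") or t.startswith(
        ("a:", "a/", "mx:", "mx/", "ptr", "include:", "exists:", "redirect=")
    )


def spf_findings(txts: list) -> list:
    """Return severity-prefixed findings for a domain's SPF record."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["high: SPF missing; any host can send as this domain"]
    if len(spf) > 1:
        return ["high: multiple v=spf1 records; receivers return permerror"]
    terms = spf[0].split()[1:]
    findings = []
    lookups = sum(costs_dns_lookup(t) for t in terms)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"high: {lookups} DNS lookups exceed the RFC 7208 limit of {SPF_LOOKUP_LIMIT}; SPF evaluates to permerror")
    # The qualifier on 'all' decides what happens to senders not listed before it.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("medium: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("high: '+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("medium: '?all' is neutral; unlisted senders neither pass nor fail")
    return findings


def dmarc_findings(txts: list) -> list:
    """Return severity-prefixed findings for a domain's _dmarc record."""
    dmarc = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["high: DMARC missing; SPF/DKIM failures are never acted on, so spoofing is not blocked"]
    if len(dmarc) > 1:
        return ["high: multiple DMARC records; receivers ignore the policy"]
    tags = parse_dmarc_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("high: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("medium: p=quarantine sends spoofed mail to junk rather than rejecting it")
    elif policy != "reject":
        findings.append(f"high: invalid or missing p tag ({policy!r}); receivers ignore the record")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"medium: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("low: no rua address, so no aggregate reports and no view of who is spoofing the domain")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("info: relaxed alignment lets any subdomain that passes SPF or DKIM satisfy DMARC")
    return findings


def assess_domain(domain: str, txt_lookup: dict = SAMPLE_TXT) -> list:
    """Combine SPF and DMARC findings for one sending domain.

    Caveat: an empty result means the club's own domain cannot be forged; it
    says nothing about lookalike domains or a legitimate mailbox that has
    already been compromised, which is how the transfer-payment case worked.
    """
    return spf_findings(txt_lookup.get(domain, [])) + dmarc_findings(
        txt_lookup.get(f"_dmarc.{domain}", [])
    )


if __name__ == "__main__":
    for name in ("weakclub.example", "strongclub.example", "noauth.example"):
        print(name)
        for finding in assess_domain(name) or ["ok: no findings"]:
            print("  ", finding)
```

Running the script lists each constructed domain with its findings: weakclub.example has records but a monitor-only DMARC policy, noauth.example has neither protocol, and strongclub.example is clean. Swap SAMPLE_TXT for a real DNS lookup to run it against a club's own domains.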

Infrastructure Attacks: Impact on Venues and Match-Day Operations

Football stadiums are complex ecosystems of interconnected operational technology: ticketing, access control and turnstiles, CCTV, building and electrical management, public Wi-Fi and broadcast infrastructure. A weakness in any one of these systems can have significant operational and safety consequences, and many of them run on legacy platforms that are hard to patch and should be segmented from the corporate network. The increasing reliance on automation in stadium access control, digital ticketing and real-time operational monitoring has expanded the attack surface, and dedicated cybersecurity resources must grow in proportion to protect against Distributed Denial of Service (DDoS) attacks aimed at disrupting operations and against ransomware or point-of-sale malware aimed at retail vendors in the stadium.

Major Tournaments: The FIFA World Cup 2026

The 2026 FIFA World Cup will be the largest in the tournament’s history, involving 48 teams, 16 host cities and three countries (the United States, Mexico and Canada). The scale of the event and its heavy reliance on digital infrastructure for ticketing, access control, payments and broadcasting has drawn significant attention from cybersecurity professionals and national security agencies (Optiv, 2025).

Historical precedent underscores the risks the 2026 tournament will face. Threat analysts found compromised network infrastructure in the wake of the 2022 World Cup in Qatar that could have disrupted communications and streaming services (Vijayan, 2024), and the 2024 Paris Olympics saw more than 140 cyber incidents over the course of the Games (Cyber Threat Alliance, 2025).

Ahead of the 2026 tournament there has already been a surge in fraudulent domain registrations impersonating official World Cup ticketing portals and merchandise outlets, designed to harvest credentials and payment card data from unsuspecting fans. Nation-state actors and hacktivist groups, which typically have far greater resources, present a more sophisticated and potentially disruptive threat, with the capacity to target critical infrastructure (transportation, payment networks, broadcasting) in pursuit of broader operational or geopolitical objectives. The tournament’s multi-jurisdictional structure, spanning three national legal and regulatory environments, further complicates threat intelligence sharing and coordinated incident response.

FIFA and the participating National Associations should not treat the tournament as an isolated cybersecurity event, but as an acceleration of risks that should already be embedded in daily security operations.

Governance Implications

A Board-Level Strategic Risk

Cybersecurity is not just an IT function; it is a governance matter. As noted above, cyber risk is ever present for professional football clubs and has financial, legal and reputational dimensions that demand board-level attention. Boards and executive leadership must integrate cyber risk into their strategic planning cycles, risk registers and compliance frameworks rather than treat it as a technical afterthought delegated entirely to IT teams.

A cybersecurity review of UK football conducted by NCC Group found significant deficiencies across the sector, including a lack of adequate industry benchmarking, little or no incident response capability, inconsistent identity and access management, and in some clubs a complete absence of data management governance (NCC Group, 2024). A key recommendation was that Premier League clubs should target approximately 10% of their technology spend on cybersecurity to reach a proportionate level of maturity.

Accountability and Leadership

Defined cyber leadership is critical. Appointing a Chief Information Security Officer provides clear accountability for cybersecurity strategy, incident response and data protection compliance. Where a standalone CISO is not viable given a club’s size and structure, the responsibility must nonetheless be clearly assigned to a named individual and supported with appropriate resources.

Competition Integrity

The integrity of competition also depends on the security of the technology that underpins it. Governing bodies must ensure that VAR systems, officiating technology and player performance data are adequately protected, since manipulation of that data could undermine fair play with consequences that are far harder to remedy after the fact. UEFA’s use of additional security measures around its AI-assisted draw process shows awareness of this risk at the highest level of football governance.

Proportionality in Implementation

One of the harder governance challenges is the disparity in cybersecurity readiness between clubs of different sizes and means. A Championship club operating on a fraction of a Premier League club’s budget faces the same legal obligations under UK GDPR and the same broad threat landscape, but has materially fewer resources to address them. Governance frameworks developed by football’s governing bodies will need to account for this gap. A proportionate, tiered approach to cybersecurity standards, scaled to a club’s size and revenue, would mirror the logic the Independent Football Regulator applies in its licensing conditions and financial sustainability rules.

Regulatory and Contractual Penalties

Clubs that suffer breaches involving athlete or customer data face potential ICO enforcement action under the UK GDPR. Penalties are set case by case, but the statutory maximum is £17.5 million or 4% of global annual turnover, whichever is higher. Breaches can also trigger contractual liability under player agreements, commercial partnership contracts and broadcast arrangements, and the reputational damage that follows may be the most lasting consequence of all.

Addressing Threats

Establishing effective cyber governance in professional football requires a mixture of technical controls, organisational measures and governance frameworks that are sustainable across clubs of varying sizes. The following areas should be treated as critical priorities:

Zero Trust Security Architecture: Clubs should adopt a Zero Trust model, in which no user, device or system is trusted by default, even inside the internal network, and every access request is authenticated, authorised and checked against device posture. This is particularly relevant given the volume of partners and third parties (analytics providers, ticketing platforms, stadium technology suppliers) that hold access to club systems.

Defined Governance Frameworks: Clubs should align their cybersecurity governance policies with recognised international standards, including the NIST Cybersecurity Framework and ISO/IEC 27001. It is also good practice to implement controls against a recognised cloud security benchmark, such as the Microsoft Cloud Security Benchmark (MCSB) where a club runs on Microsoft cloud infrastructure. These frameworks and benchmarks provide a structured methodology for managing cyber risk and for demonstrating compliance to regulators and stakeholders.

Cybersecurity Risk Assessments: Cyber threats evolve constantly. Regular risk assessments keep a club aligned with governing body requirements and its own internal standards, and surface the changes and gaps that need to be closed with technical controls.

Board Training and Executive Oversight: Directors and senior executives should receive regular training so that they can provide meaningful oversight, with a clear understanding of cyber risk and of the consequences of inadequate controls.

Athlete Data Governance: Strict access controls, encryption at rest and in transit, and data minimisation should govern the processing of player biometric and health data, so that legal requirements on the collection and use of athletes’ and customers’ data are met and a compromised account exposes as little as possible.

Incident Response Capability: Incident response plans (IRPs) should be developed and regularly tested against the scenarios most likely to affect a club: ransomware, BEC, data breaches and match-day infrastructure disruption. The plans should be cross-functional, involving legal, communications, operations and IT, and exercised frequently through tabletop exercises, including the decision of whether a fixture can safely go ahead with turnstiles or CCTV out of action.

Third-Party Security Management: A club’s digital infrastructure is only as strong as its weakest supplier. Clubs must vet third-party providers (analytics platforms, ticketing platforms, stadium technology suppliers, cloud service providers) against clear cybersecurity standards and include contractual obligations on security practices, breach notification and audit rights.

Conclusion

Cybersecurity in professional football is both a governance and a technology matter. The legal obligations are significant, and a number of governing bodies’ regulatory requirements must be met alongside them. The threat landscape is demonstrably serious and constantly expanding, and the consequences of inadequate controls (fines, compromised transfers, disrupted fixtures) are real. The recent introduction of the Independent Football Regulator shows that football has spent years building financial governance structures that hold clubs accountable for how they manage money. It is time to apply the same rigour and discipline to cybersecurity governance.
