
As we enter 2026, global cybersecurity risk and laws are rapidly expanding. Geopolitical tensions, technological advancements, and evolving regulatory frameworks are reshaping how businesses approach cyber risk. This article explores the key developments in global cybersecurity laws in the United States (US), United Kingdom (UK) and European Union (EU), the impact of emerging technologies, and the strategic imperative for a culture of cyber resilience.
Geopolitics and the Rise of Cyber Regulations to Protect “Critical Infrastructure”
Geopolitical dynamics are influencing cybersecurity. Globally, national security concerns are driving a surge in regulations mandating data localization, stringent access controls, and mandatory incident reporting.
In the United States, cyber laws and priorities are focused on national security. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires “critical infrastructure” entities to report “substantial cyber incidents” to the federal government within 72 hours and to disclose ransom payments within 24 hours. CIRCIA’s delayed regulations and reporting obligations are expected to go into effect in May 2026. Executive Order 14117 now requires businesses handling sensitive personal or government-related data to implement strict security and access controls to prevent unauthorized access by foreign adversaries, with compliance obligations now in full effect. With the shift at the federal level towards deregulation of businesses, states like California are introducing mandatory independent cyber assessments and audits. “Reasonable security” will be tested in the United States by class action complaints and by evolving regulations that require both technical and organizational controls.
The EU’s Network and Information Security (NIS2) Directive and Cyber Resilience Act are setting new standards for critical infrastructure and digital services. NIS2 significantly widens the scope compared to the 2016 NIS regime. It covers “essential” and “important” entities across 18 sectors, ranging from energy, transport, health and digital infrastructure to postal and courier services, waste management, chemicals, food production and a broad array of ICT and managed service providers. Key obligations of NIS2 include registration with the national authorities, extensive risk management measures, supply chain security and incident reporting within 24 hours. NIS2 gives authorities a broad supervision toolbox, including audits and remediation orders, fines of up to EUR 10 million or 2% of worldwide annual turnover (whichever is higher), and, in the case of repeated or serious breaches, temporary bans for managers, temporary designation of a monitoring officer, and temporary suspension of certifications or authorizations concerning parts of the relevant business activities.
The UK’s Cyber Security and Resilience Bill will aim to align with EU frameworks while maintaining national autonomy. The UK Government also launched a consultation on proposals for a targeted ban on ransomware payments for all public sector bodies and owners and operators of critical national infrastructure, a ransomware payment prevention regime and a new mandatory ransomware incident reporting regime.
These developments mark a turning point: cybersecurity is no longer just an IT issue. Cyber risk governance starts with effective board oversight, which requires active executive engagement and, ultimately, empowerment of all stakeholders. New cyber laws and regulations mean that legal teams play a central role in managing cyber risk, ensuring that compliance strategies are defensible and integrated across people, processes, and technology.
Regulatory Alignment & Standards Beyond Borders
Despite their differences, there is a growing push for interoperability and mutual recognition of standards, particularly in cybersecurity frameworks and supply chain security.
Less regulation in the U.S. tends to be more business-friendly. However, as digital sovereignty and data localization laws increase, they will require businesses to map their digital assets and redesign their cloud infrastructure.
Certain countries implementing NIS2 have recognized the U.S.-developed NIST Cybersecurity Framework (CSF) as an acceptable framework, along with ISO 27001, a globally recognized standard for information security management systems. The European Union Agency for Cybersecurity (ENISA) and industry guidance confirm that these frameworks can be used to demonstrate compliance with NIS2 requirements, in particular with the obligations concerning governance and risk management measures. In the UK, the Government produced a Cyber Governance Code of Practice, co-designed with technical experts from the National Cyber Security Centre, and has also published a mapping document for boards, directors and Chief Information Security Officers which highlights the similarities and differences between the Code and the NIST CSF.
AI and Cloud: Transforming Data Governance and Security
Artificial intelligence (AI) and cloud computing are revolutionizing cybersecurity. AI agents are now capable of both launching and defending against sophisticated cyberattacks. However, the rapid implementation of generative AI has outpaced governance, leading to an increased attack surface and greater risk to organizations. In less regulated countries like the U.S., businesses may not be legally required to conduct risk assessments before using AI, which has accelerated the deployment of AI systems.
In the EU, following a risk-based approach, the EU AI Act stipulates different regulatory obligations for the development or use of AI systems depending on their risk classification. While some types of AI systems are completely prohibited, other AI systems are either only permitted if strict safety and transparency requirements are met, or already permitted if minimum requirements are met. To qualify as a so-called high-risk AI system that is subject to the most extensive regulatory obligations, the AI Act focuses in particular on the purpose of the AI system. High-risk AI systems include, inter alia, AI systems that are intended to be used for (i) inferring emotions or intentions of an individual from biometric data such as video or audio recordings, (ii) HR decisions such as hiring, promotion, or termination, (iii) credit scoring, or (iv) decisions on the admission of individuals to educational institutions.
Developers of high-risk AI systems, the so-called providers, must establish risk and quality management systems and implement technical measures to ensure that the training, validation, and test data used for the development of the AI system are relevant, representative, error-free, and complete. Moreover, providers must conduct a comprehensive review of compliance with all requirements of the AI Act and may only distribute the AI system once they confirm to their customers that it meets all requirements by affixing a “CE” mark.
Companies that use high-risk AI systems, the so-called deployers, are subject to reduced but still extensive obligations under the AI Act. This includes, in particular, the obligation to actively monitor and counteract the risks of high-risk AI systems by establishing a risk management system. Deployers must also implement technical and organizational measures to comply with legal requirements and the provider’s operating instructions, and are subject to reporting obligations. In addition, human oversight of high-risk AI systems must be ensured.
In the UK, new legislation regulating AI (the UK AI Bill) is unlikely to be published until the second half of 2026. However, on 21 October 2025 the UK Government published a call for evidence on its proposals for a UK AI sandbox, known as the AI Growth Lab, as part of its blueprint for AI regulation to drive growth and public trust.
In 2026, businesses must ensure that AI systems are transparent, auditable, and compliant with emerging regulations such as the EU AI Act and NIST AI Risk Management Framework.
Lessons from Recent Cyber Incidents: Creating a Culture of Resilience
Recent cyber incidents have caused global disruption to businesses and manufacturing sites, and underscore the importance of cybersecurity oversight from the top down. These events revealed gaps in social engineering defenses and incident response preparedness. Attacks on businesses through supply chain vulnerabilities reveal the interconnected nature of our systems and our interdependency on vendors or suppliers.
Boards are increasingly expected to take an active role in cyber risk governance. Best practices include regular briefings, tabletop exercises, and direct engagement with CISOs. Executive leadership teams are increasing their roles and engagement in effective cyber operations for their departments. Cyber training that is customized based on roles and access can have a greater impact on early identification and risk mitigation.
Cybersecurity is now a strategic business issue. Businesses must align cyber risk management with organizational goals, ensuring that investments in security yield both protection and competitive advantage.
A Strategic Imperative for 2026
In 2026, cybersecurity compliance is not optional—it is a business imperative. Organizations must navigate a fragmented regulatory landscape, adapt to emerging technologies, and embed cyber resilience into their core strategies.
Legal, IT, and executive teams must collaborate to build defensible, integrated cybersecurity programs. By doing so, businesses can not only mitigate risk but also foster trust, seize opportunities in innovation, and maintain a competitive edge in an increasingly volatile digital world.