The Compliance Landscape Every Organization Must Know in 2026 | By Brian McCarthy | Cyber & Risk Governance | March 2026 | 10 min read
Compliance is a top concern for auditors, risk officers, and board members. Organizations recognize that the regulatory landscape for cybersecurity, data protection, and governance is changing rapidly.
In 2025 and 2026, new global regulations are pushing accountability upward — to executives, directors, and governance bodies — while enlarging the scope of compliance. Cybersecurity is now a boardroom obligation, an audit priority, and an underwriting concern.
This guide provides a practical overview of the current regulatory environment and its relevance. By the end, you will be able to identify your most urgent compliance priorities and determine the next steps for your role. Board members and directors will gain actionable steps to fulfill their governance obligations, including practical tools and sample oversight checklists to document cyber risk oversight, clarify board-level responsibilities, and track compliance progress over time.
Why This Moment Is Different
Multiple factors are making 2026 a pivotal year for compliance.
Board-level liability is now a reality. The SEC's updated cybersecurity disclosure rules hold directors personally accountable for cyber oversight. Boards are expected to actively supervise cyber risk, not just receive periodic briefings. Nearly 95% of S&P 500 boards now explicitly assign cyber oversight responsibilities, largely due to SEC requirements. Companies with passive governance structures must act promptly.
EU NIS2 fully supersedes NIS1 and carries both civil and criminal liability for non-compliance by covered entities. Multinationals have their hands full.
Immediate actions for boards and directors include: reviewing and updating committee charters to explicitly assign and document cyber risk responsibilities; scheduling regular cyber risk briefings with management; establishing a standing agenda item for cyber risk at board meetings; and ensuring that cyber oversight activities are tracked and documented. These proactive steps will help directors respond quickly to new liabilities and demonstrate effective supervision to regulators.
AI is now a key regulatory focus. The SEC's 2026 examination priorities indicate that cybersecurity and AI have overtaken cryptocurrency as primary risk topics. Organizations must manage both the cyber risks introduced by AI and the AI systems they use internally. "AI washing" — falsely claiming AI capabilities — has become a new compliance and disclosure risk.
Third-party risk is now a central concern. Regulators, including the NYDFS and the EU's DORA, require robust vendor governance. Organizations may be held accountable for vendor breaches if they fail to perform proper due diligence.
State regulators are now leading enforcement efforts. With no comprehensive federal privacy law, 20 U.S. states enforce consumer privacy statutes. State attorneys general focus on whether businesses have effective data governance controls, not just a privacy framework.
The Regulatory Map: What Organizations Must Address
Below is a practical overview of major compliance obligations across jurisdictions and sectors.
U.S. Federal Laws & Regulations
Securities & Financial
The SEC's revised rules require written cybersecurity policies, timely breach notification, and extensive third-party risk management. Overlapping disclosure and reporting obligations now apply to public companies and registered financial firms. SOX, GLBA, and Dodd-Frank continue to govern internal controls, consumer data protection, and systemic risk oversight for financial institutions — and each increasingly intersects with cybersecurity requirements.
Critical Infrastructure & Defense
CIRCIA — the Cyber Incident Reporting for Critical Infrastructure Act — is expected to take full effect in May 2026, establishing mandatory nationwide reporting requirements for organizations operating in designated critical sectors covering cyber incidents and ransomware payments. This represents a significant expansion of federal cyber reporting obligations.
The DoD's CMMC, finalized in November 2025, ties contract eligibility to meeting one of three cybersecurity maturity levels, affecting the entire defense supply chain — not just prime contractors.
HIPAA and HITECH continue to govern healthcare data security, with enforcement remaining aggressive.
Data & Privacy
The DOJ Bulk Data Rule restricts certain international data sharing involving sensitive personal data and government-related datasets transferred to countries of concern, including China, Russia, and Iran. The FTC's updated COPPA regulations, effective June 2025, strengthen protections for children's data and expand obligations for platforms and services used by minors.
U.S. State Laws & Regulations
California's 2025 rules significantly heighten expectations around AI decision-making, mandatory cybersecurity audits, and formal risk assessment documentation — going well beyond traditional notice-based compliance.
NYDFS Part 500 — New York's cybersecurity regulation for financial services — completed its final phase of amendments in November 2025. Regulators are signaling strengthened scrutiny in 2026, covering leadership oversight documentation, asset inventories, access controls, multi-factor authentication coverage, and third-party risk evidence. If your organization operates in New York financial services, examination readiness is not optional.
Twenty states now enforce comprehensive privacy laws, with new states joining in 2026. The patchwork nature of state law creates real operational complexity for organizations operating across multiple jurisdictions.
International Regulations
European Union
DORA, in force since January 2025, requires EU financial entities and their service providers to satisfy rigorous technical, governance, and vendor standards — with direct obligations extending to technology providers outside the EU.
The EU AI Act is currently in its implementation phase, rolling out obligations by risk category across industries. The EU Cyber Resilience Act (CRA) will apply starting in 2027, targeting cybersecurity requirements for products with digital elements, including software. GDPR remains foundational, and enforcement continues to intensify — particularly around cross-border data transfers and data subject rights.
The Corporate Sustainability Reporting Directive (CSRD), effective in 2025 for large companies, now requires organizations to disclose how they manage cybersecurity risks as part of broader governance and sustainability reporting.
NIS2, the updated EU directive on network and information systems security, expands the range of sectors and entities required to implement risk management measures and report incidents — broadening mandatory cyber obligations well beyond financial services.
Other Jurisdictions
The UK, China, the Middle East, and Asia-Pacific have each added or expanded data and operational requirements in 2025 and 2026, making global compliance increasingly complex for multinational organizations.
Frameworks & Standards
Alongside legal obligations, operational frameworks have become essential reference points for demonstrating compliance. Regulators, auditors, and insurers frequently reference these when assessing organizational readiness.
NIST Cybersecurity Framework 2.0 is the primary baseline referenced by U.S. regulators and insurers for evaluating the maturity of a cyber risk program.
NIST AI Risk Management Framework has become newly critical as AI governance obligations expand across sectors.
ISO 27001/27002 provides the international standard for information security management systems and is frequently required by contract counterparties and insurers.
SOC 2 is essential for service organizations that need to demonstrate security controls to clients and business partners.
PCI DSS v4.0 governs payment card data security with updated requirements that took effect in 2024.
COBIT addresses IT governance and management, providing a structured approach to aligning IT with business and compliance objectives.
COSO ERM remains the foundational framework for enterprise risk management and internal control, widely referenced in audit and governance contexts.
The Five Themes Every Compliance Program Must Address
Across frameworks and jurisdictions, five critical themes represent areas of greatest exposure and opportunity for improvement. Focusing on these allows teams to direct compliance efforts effectively and anticipate key questions from leadership or regulators.
1. Board and executive accountability. Governance bodies are now expected to demonstrate active oversight, not passive awareness. Documented board-level engagement with cyber risk, clear committee charters, and traceable decision-making are becoming standard audit requirements.
2. Third-party and vendor risk management. Supply chain attacks and vendor-enabled breaches have made third-party governance a top regulatory priority. Contracts, diligence processes, ongoing monitoring, and vendor incident notification obligations need to be formally structured — not managed ad hoc.
3. Incident reporting readiness. With CIRCIA, SEC disclosure rules, DORA, and state breach notification laws, organizations face overlapping reporting timelines, some as short as 72 hours. A tested, documented incident response plan with clear escalation paths and processes for materiality determination is essential. Boards play a critical role here by requesting regular updates on response plans, reviewing outcomes from tabletop exercises, and ensuring management addresses gaps and lessons learned. Directors should expect routine briefings on incident handling practices to demonstrate active supervision.
4. AI governance. The regulatory consensus is forming: AI systems must be governed, monitored, and disclosed. This includes AI used internally and AI embedded in third-party products and services. Organizations without formal AI governance programs are accumulating compliance risk with each passing quarter.
5. Cross-border data flows. The DOJ Bulk Data Rule, GDPR transfer mechanisms, China's DSL, and new Asia-Pacific frameworks have made international data transfers a significant compliance risk area. Mapping data flows and ensuring alignment with applicable rules is foundational work — yet many organizations have not completed it.
What Auditors and Risk Professionals Should Be Asking
If you work in audit, risk, or governance, the following questions are practical tools for evaluating your organization's compliance readiness and identifying critical gaps. These are increasingly the first questions regulators, insurers, and external auditors are asking:
Does the board have documented processes for cyber risk oversight, and can we demonstrate that to regulators?
Have we mapped all cross-border data flows against the DOJ Bulk Data Rule, GDPR, and applicable transfer restrictions?
Do we have a tested incident response plan with defined timelines that meet our fastest reporting obligation?
Is our third-party risk management program documented, risk-tiered, and actively monitored — not just a checklist at onboarding?
Have we conducted or scheduled the cybersecurity audits now required under California's CPPA regulations, NYDFS Part 500, or other applicable frameworks?
Where does AI appear in our operations and third-party tools, and what governance structure applies to it?
These are not IT questions. They are governance questions — and the organizations that treat them as such are the ones best positioned for what regulators are demanding next.
The Bottom Line
The regulatory environment for cyber, risk, and governance now requires broad organizational literacy. Leaders, auditors, and risk managers must understand new obligations, the pace of regulatory change, and the direct accountability now placed on boards and executives. Gaps in understanding carry real consequences — financial, legal, and reputational.
The organizations that get ahead of this are not those with the largest compliance budgets. They are the ones whose leadership actually understands what is required and builds governance structures that reflect it.
To build that understanding across your leadership team, audit function, or risk organization, we offer training and development programs specifically designed to address knowledge gaps in cyber and risk governance — for boards, executives, auditors, insurers, and underwriters. Programs are available in modular formats, including half-day workshops, comprehensive multi-week courses, and on-demand digital sessions. Key topics include emerging regulations, board and executive responsibilities, incident response, AI governance, third-party risk, and practical oversight tools. Each session features real-world scenarios, checklists, and Q&A opportunities to help participants apply new knowledge immediately.