Cybersecurity is moving from a specialist technical function to a core management and compliance issue. Regulators in multiple jurisdictions are shifting from broad principles to detailed operational requirements, pressing organisations to implement robust controls, prove compliance and align cybersecurity with wider business strategy. Incident reporting, transparency and leadership accountability are becoming central features of the legal landscape, alongside growing expectations that organisations manage cyber risk across internal systems, vendors and supply chains.
The European Union is emerging as the most integrated regulatory environment. The NIS2 Directive, the Digital Operational Resilience Act, the Cyber Resilience Act, the Cyber Solidarity Act and a pending revision of the Cybersecurity Act are combining into a broader regime that covers products, services, operations and supply chains. The CRA has been in force since December 2024 and pushes secure-by-design development, vulnerability handling and incident reporting across products with digital elements, including software-only offerings. Its reporting obligations begin in September 2026, with many core duties taking effect in December 2027. DORA has applied to financial entities since 17 January 2025, with regulatory technical standards already in place for incident classification, reporting content and timelines, and the critical third-party provider oversight regime.
Outside the European Union, other major markets are also tightening cybersecurity governance. In the United States, the Cybersecurity and Infrastructure Security Agency's rule under the Cyber Incident Reporting for Critical Infrastructure Act is planned for 2026. For Artificial Intelligence, the National Institute of Standards and Technology is planning a Cybersecurity Framework focused on securing Artificial Intelligence system components, conducting Artificial Intelligence-enabled cyber defence, and thwarting Artificial Intelligence-enabled cyber-attacks. On 12 November 2025, the UK introduced the Cyber Security and Resilience (Network and Information Systems) Bill to modernise its NIS regime, tighten reporting and transparency, and raise sanctions. In China, the first major overhaul of the Cybersecurity Law since 2017 took effect on 1 January 2026, increasing penalties, strengthening administrative enforcement, and extending extraterritorial reach.
The global picture remains fragmented, creating compliance challenges for international businesses that must track legislative change across different legal systems and regulatory cultures. Rising geopolitical tensions are adding urgency, particularly for sectors linked to public mandates such as defence, infrastructure and water. The integration of emerging technologies is also complicating regulation. The EU's AI Act, for example, sets standards for the design and operation of Artificial Intelligence systems to ensure they are resilient to errors and secure against unauthorised alterations. Under the EU's NIS2 Directive, non-compliance can trigger substantial penalties of up to EUR 10 million or 2% of worldwide turnover, alongside civil litigation and reputational harm. The broader direction is clear: cybersecurity law is becoming inseparable from data protection, consumer protection, corporate governance and technical risk management.
