The Cybersecurity 2026 guide features over 20 jurisdictions. The guide provides the latest legal information on cybersecurity law and regulation, including in relation to critical infrastructure, financial sector operational resilience, cyber-resilience, and ICT certification. The guide also covers the intersection of cybersecurity with data protection law, and developments in AI and healthcare regulation.
Last Updated: March 17, 2026
Introduction to the Cybersecurity Guide
Cybersecurity has shifted from a niche technical concern to a management board priority and, increasingly, to an enforcement reality. Lawmakers and regulators in many jurisdictions are moving from principles to practice, demanding that organisations not only implement robust controls but also adhere to certification schemes or otherwise prove their compliance. The result is a maturing patchwork of cybersecurity rules that pose new challenges to many organisations.
In the European Union (EU), the NIS2 Directive, the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA), the Cyber Solidarity Act, and a pending revision of the Cybersecurity Act are converging into a more integrated regime that reaches products, services, operations and supply chains. The US, Middle East and Asia-Pacific are simultaneously tightening rules, creating a patchwork of laws that management boards, legal departments and counsel must navigate cautiously.
The recent wave of cybersecurity regulations reflects a global recognition of the critical importance of safeguarding digital assets. These regulations underscore the necessity for comprehensive risk management strategies, accountability at the highest levels of management, and the implementation of rigorous security measures across all sectors. One of the primary implications of these regulations is the heightened accountability placed on organisational leadership. This shift in responsibility requires a cultural change within organisations, where cybersecurity is integrated into the core business strategy rather than treated as a peripheral IT issue.
Furthermore, the emphasis on incident reporting and transparency has profound implications for how organisations handle data breaches and cyber incidents. Timely reporting to regulatory authorities and affected parties is not only a legal obligation but also a critical component of maintaining trust and credibility.
Cybersecurity laws around the world
The rapid pace of technological advances and the growing significance of cyber-related systems for critical infrastructure are prompting lawmakers worldwide to introduce new legislation to address emerging cybersecurity challenges. One of the key challenges for international businesses in implementing cybersecurity regulations is the harmonisation of standards across jurisdictions. Differences in legal systems, regulatory approaches and levels of technological development can hinder efforts to establish common standards. For international businesses, it is crucial to react promptly to legislative amendments and implement the relevant cybersecurity obligations within their internal structure. Consequently, it is essential to consistently monitor legislative processes and general trends.
The EU continues to set the tone. Even as the transposition of NIS2 remains uneven across member states, management bodies already face explicit governance duties and potential liability, and supervisory expectations are sharpening. The CRA has been in force since December 2024 and pushes secure-by-design development, vulnerability handling and incident reporting across products with digital elements, including software-only offerings. Its reporting obligations begin in September 2026, with many core duties taking effect in December 2027. In early 2025, a targeted update to the EU Cybersecurity Act strengthened the certification framework and empowered ENISA to develop new schemes, reinforcing trust in cloud and information security products and services.
DORA has applied to financial entities since 17 January 2025, with regulatory technical standards already in place for incident classification, reporting content and timelines, and the critical third-party provider (CTPP) oversight regime. The European Supervisory Authorities have already designated the CTPPs and launched oversight engagement. Financial entities should expect assertive supervision of ICT risk management, testing, third-party chains and reporting.
The United States is also consolidating incident reporting and governance obligations. The Cybersecurity and Infrastructure Security Agency’s rule under the Cyber Incident Reporting for Critical Infrastructure Act is planned for 2026. For the use of artificial intelligence, the National Institute of Standards and Technology is planning a Cybersecurity Framework profile focused on securing AI system components, conducting AI-enabled cyber defence, and thwarting AI-enabled cyber-attacks. In addition, a range of state-level cybersecurity laws is already in place, with further legislation anticipated.
Beyond the EU and the US, regulatory momentum on cybersecurity is also clearly visible.
Challenges
Rising geopolitical tensions are one reason for stricter cybersecurity regulations worldwide. State-backed and state-aligned activity has grown more sophisticated, and sectors intertwined with public mandates (such as defence, infrastructure and water) face heightened exposure. Consequently, cybersecurity standards for the public sector have increased significantly worldwide.
The regulatory challenge now is less about intent and more about coherence of cybersecurity regulation. While the EU has made strides in creating a unified cybersecurity framework, achieving global consensus remains a complex task. Differences in legal systems, regulatory approaches and levels of technological development can hinder efforts to establish common standards. However, international co-operation and dialogue are essential to overcoming these barriers and creating a cohesive global cybersecurity strategy.
Another challenge lies in the integration of emerging technologies, such as artificial intelligence (AI) and the Internet of Things (IoT), into existing cybersecurity frameworks. These technologies offer tremendous potential for innovation but also introduce new vulnerabilities that must be addressed. The EU’s AI Act, for example, sets standards for the design and operation of AI systems to ensure they are resilient to errors and secure against unauthorised alterations. As technology continues to evolve, legal frameworks must be adaptable to accommodate new developments and address emerging threats.
In addition, the cost of non-compliance with cybersecurity laws is rising. Non-compliance can trigger substantial penalties under the EU’s NIS2 Directive of up to EUR 10 million or 2% of worldwide turnover, alongside civil litigation and reputational harm. In the EU, a key driver is the personal liability of management introduced by NIS2.
Conclusion: integrated legal approaches are needed
Cybersecurity law can no longer be thought of as something separate and isolated but should be treated as an integral part of a larger, interconnected landscape, where a broad range of stakeholders must be integrated and where different laws are relevant, such as data protection law, consumer protection law and corporate governance. Technical aspects are also deeply connected with legal matters.
For legal professionals, navigating the complexities of cybersecurity law requires a deep understanding of both the regulatory landscape and the technical aspects of cybersecurity. The path forward involves balancing innovation with regulation, ensuring that legal frameworks are both comprehensive and adaptable to emerging threats.