Cybersecurity & Privacy 2026: Enforcement & Regulatory Trends

Global enforcement and regulatory shifts continue to redefine cybersecurity and data governance.
March 2026

Privacy and cybersecurity developments in 2025 were driven by ongoing regulatory development and enforcement. In the United States, federal and state authorities advanced detailed security, audit, and reporting frameworks.

Across the UK, EU, and Middle East, resilience and data governance remained core priorities, while China and other Asia-Pacific jurisdictions expanded incident reporting, cross-border transfer controls, and operational requirements.

This report highlights the most consequential regulatory, enforcement, and market trends across key geographies and offers a forward look to 2026.

Key Takeaways

  • US federal cybersecurity rules and standards advanced significantly. The CMMC and DOJ’s Data Security Program, which focuses on transfers of sensitive personal or government-related data to countries of concern, drove enforcement risk and national security controls across the government contracting and data ecosystems.
  • US states expanded privacy and ADMT governance. California’s final regulations for ADMT, cyber audits, and privacy risk assessments signaled stronger state oversight and mounting compliance burden for many companies.
  • UK/EU cybersecurity and resilience frameworks continued to mature. Critical infrastructure and operational resilience requirements evolved alongside global discussions on AI governance and digital markets.
  • Middle East risk and compliance considerations deepened around infrastructure and data flows. Cybersecurity expectations increasingly touched energy, infrastructure, and cloud operations, with multinational implications.
  • China established new reporting and outbound data transfer obligations. Incident reporting rules and certification-based cross-border frameworks elevated scrutiny and contractual governance requirements.
  • Asia-Pacific markets pursued broader data protection and transfer alignment. Regional legislative and operational changes reflected shared priorities around resilience, vendor oversight, and breach escalation.

UNITED STATES

A New Federal Playbook for Cyber Risk

CMMC Final Rule

The US Department of Defense’s final Cybersecurity Maturity Model Certification rule, issued in November 2025, marked a significant shift in federal cyber compliance by formally tying contract eligibility to demonstrated cybersecurity maturity across three levels aligned to the sensitivity of federal contract information and controlled unclassified information. The rule’s audit and certification requirements extend through the defense industrial base via contractual flow-downs, increasing exposure for subcontractors and suppliers.

Inaccurate certifications or representations regarding cybersecurity posture now carry heightened risk under the False Claims Act, even where no cyber incident has occurred, placing renewed emphasis on documentation, internal controls, and audit readiness.

DOJ Data Security Program

In parallel, the US Department of Justice implemented its Data Security Program pursuant to Executive Order 14117, restricting certain data transactions involving “countries of concern.” The program distinguishes between prohibited and restricted transactions involving sensitive personal data and US government–related data, imposing security, governance, and recordkeeping obligations on covered entities.

This framework reflects a growing national security overlay in cybersecurity regulation, requiring organizations to reassess cross-border data flows, vendor relationships, and cloud architectures through both privacy and geopolitical risk lenses.

Incident Reporting Momentum – CIRCIA and Sector-Specific Rules

Federal momentum around incident reporting accelerated in 2025, amplified by the Cyber Incident Reporting for Critical Infrastructure Act and implementing rulemaking efforts at the Cybersecurity and Infrastructure Security Agency. Building on existing sector-specific reporting regimes, proposed rules would require covered entities to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours.

These developments may require organizations to refine intake workflows, escalation thresholds, and cross-functional coordination to ensure timely and accurate reporting across overlapping regulatory obligations.

NIST CSF 2.0 and Incident Response Guidance

The release of NIST’s Cybersecurity Framework 2.0 and accompanying incident response guidance further clarified federal expectations around governance-driven cybersecurity programs. The updated framework emphasizes enterprisewide accountability, calling for incident response planning that integrates legal, compliance, communications, and executive leadership alongside technical teams.

Organizations are increasingly expected to maintain documented playbooks, define decision-making authority, and coordinate with third-party service providers as part of a mature incident response capability rather than treating response as an ad hoc or purely technical function.

Emerging DOJ Criminal Enforcement Posture

Criminal enforcement activity in 2025 underscored the federal government’s willingness to pursue ransomware, insider-enabled cybercrime, and related conspiracies through coordinated investigations. Indictments involving sophisticated ransomware operations highlighted the role of credential misuse, privileged access, and internal control failures.

These cases reinforce the importance of identity and access management, monitoring of insider risk, and incident response strategies that anticipate parallel criminal, regulatory, and civil exposure following a significant cyber event.

The Rise of State-Driven Cyber Governance

CPPA Rules on ADMT and Cybersecurity Audits

The California Privacy Protection Agency, the state’s privacy regulator, finalized regulations in July 2025 governing automated decision-making technology, cybersecurity audits, and risk assessments, significantly expanding compliance obligations for many businesses. The rules require enhanced transparency, meaningful human involvement, and ongoing assessments where processing presents heightened risk, while also mandating formal cybersecurity audits and reporting for certain high-risk activities.

These requirements elevate documentation and governance expectations well beyond notice-based compliance.

State AG Activity in Privacy and Cybersecurity Enforcement

State attorneys general continued to assert a leading role in privacy enforcement, with actions targeting digital tracking technologies, health-related data, opt-out requirements, and online consent mechanisms.

In the data security realm, enforcement theories increasingly focused on deceptive practices and inadequate disclosures rather than breach response failures, signaling that cybersecurity and privacy compliance must be aligned with public-facing representations and consumer expectations even in the absence of a data incident.

New State Privacy Laws Take Effect

The effective dates of new comprehensive privacy statutes in states such as Tennessee, Minnesota, and Maryland further accelerated the shift toward a multistate compliance model. In the absence of federal legislation, and after California led the way with a comprehensive consumer privacy law in 2018, almost half of the states have now followed with laws of their own.

But these laws are not uniform and introduce varying requirements related to security safeguards, risk assessments, and individual rights, adding complexity for organizations operating nationally and reinforcing the need for scalable, jurisdiction-agnostic governance frameworks.

Texas AG Enforcement and Texas ‘Mini-TCPA’

Texas enforcement activity highlighted growing scrutiny of data practices tied to communications, marketing, and emerging consumer protection statutes, including the state’s so-called “Mini-TCPA.” These developments signal increased risk for companies operating in telecom, advertising, and digital engagement spaces, where data collection and automated outreach practices intersect with privacy and cybersecurity obligations.

Operational Implications

Taken together, state developments in 2025 significantly increased the documentation, assessment, and governance burden on organizations, particularly those operating across multiple jurisdictions. Managing overlapping audit, risk assessment, and disclosure obligations has become a core operational challenge, requiring closer coordination between cybersecurity, privacy, legal, and compliance functions.

Entering 2026, organizations should expect regulators to focus less on one-off compliance artifacts and more on whether privacy and cybersecurity programs operate coherently and at scale across jurisdictions.

Authors

Partner
Partner
Partner