Skip to main content

03 Maintaining Cyber & Data Security

Ten Key Regulatory Challenges of 2026

Columns

Increasingly sophisticated threats to data require organizations and governments to employ advanced technology, adaptive strategies, and skilled professionals to protect critical data and operations.

Ten Key Regulatory Challenges of 2026

“As we emerge from the era of exploding AI adoption, privacy will be the true differentiating measure of innovation. Leaders’ success won’t be based on how much data they gather, but how wisely and respectfully they steward the information they were entrusted.” 

Orson Lucas
Partner
Advisory


“Joining the Cyber Risk Institute’s Innovator Program signifies our shared commitment to advancing cyber risk assessment in the financial sector. Through collaboration and supporting industry adoption of the CRI Profile, we aim to enhance the precision and effectiveness of cyber risk assessments, empowering financial institutions to navigate the evolving cyber landscape with confidence.” 

Matt Miller
Principal
Advisory

Federal Rationalization

03 Maintaining Cyber & Data Security

Expressed need for interagency harmonization to align regulatory expectations, reduce overlap, and streamline reporting requirements, including:

  • Establishment of single point of cyber coordination.
  • Reauthorization of CISA 2015 and funding of CISA to further its role in information/threat sharing.

Information sharing between industry and government is declining due to staffing and funding reductions, and termination of advisory boards.

Examples

What to Watch

  • Alignment of federal cyber efforts (e.g., support for “clean” reauthorization of CISA 2015, ONCD Statement (Cairncross))
  • Industry recommendations to “enhance ONCD authority” and “restore CISA capabilities” (e.g., US CSC 2025 Annual Report)
  • Formation of industry coalitions to establish standards (e.g., CRI membership and its Financial Services Cyber Security Profile) 
  • Release of National Cyber Strategy and “follow-on” action items; anticipated to increase cross-sector agency harmonization
  • Potential reauthorization of CISA 2015 and funding for CISA
  • Execution of action items in EO 14239, including:
    • Clarification of state role
    • Implementation of a risk-based approach incorporated into the National Resiliency Strategy, National Critical Infrastructure Policy, National Risk Register
  • Potential updates to rulemakings (e.g., CISA cyber incident reporting rule, reconsideration of SEC cybersecurity disclosure rule)
  • Adoption of the CRI Financial Services Cyber Security Profile and associated Maturity Model

State Complexity & Divergence

03 Maintaining Cyber & Data Security

Executive directives (e.g., EO 14239, EO 14306) prescribe a more active role in infrastructure resilience and preparedness to the states, resulting in an increase in state legislative activity directed to critical infrastructure and consumers of digital services connected to critical infrastructure.

Examples

What to Watch

  • More than 800 cybersecurity bills introduced across 49 states in 2025 with at least 200 bills enacted in 44 states1. Focus areas include:
    • Agency leadership structures for cyber coordination
    • Technical safeguards and best practices
    • Compliance and reporting requirements
    • Incident response plans
  • Continuing legislative and regulatory activity to strengthen state and local cybersecurity protection related to critical infrastructure and social media; focus areas to include detection, reporting, risk assessment, TPRM, and privacy
  • Increasing fragmentation and federal-state and state-state divergence
  • Potential skills-based workforce constraints
  • Potential rulemaking or policy guidance to clarify federal vs. state cybersecurity roles

 1Derived from NCSL.org 

Data Privacy

03 Maintaining Cyber & Data Security

Continued focus at the federal level on national security, sensitive data (e.g., biometric, geolocation), and deepfakes, with a lessened focus on broader consumer protections.

Expansion of state laws and regulations, often in combination with cyber and AI laws, including ongoing attention to children’s privacy and the definition of sensitive data.

Examples

What to Watch

  • Restrictions on transfer of sensitive data to select countries (e.g., DOJ bulk sensitive data rule, FCC connected vehicles and subsea cables ownership proposals)
  • Development of frameworks to export full-stack AI technology packages (e.g., DOC RFI implementing EO 14320)
  • Strengthened protections for children, including “personal data” (e.g., biometric data), data retention and deletion, and parental consent (e.g., FTC COPPA rule, multiple state laws)
  • Forthcoming reconsideration of CFPB Personal Financial Data Rights Rule (Section 1033); potential ongoing legal challenges
  • Potential rulemakings related to cross-border data sharing/technology sales
  • Increasing compliance challenges, federal-state-global (e.g., India DPDPA, EU-US DPF)
  • Strengthened protections for children’s data, sometimes coupled with AI laws and regulations (e.g., verifiable parental consent, unsolicited direct messaging) and expansion of age thresholds (e.g., ages 13-17) with enhanced verification systems
  • Ongoing state level enforcement of privacy protections (e.g., CA CCPA actions re: policy disclosure, opt-out rights, data sales) 

Adaptive Frameworks

03 Maintaining Cyber & Data Security

Development and application of new approaches to cybersecurity and digital infrastructure, secure software/cloud service providers, and innovative technologies.

Examples

What to Watch

  • Federal contracting requirements to protect sensitive unclassified information, including in supply chains (e.g., DOD CMMC Final Rule)
  • Updated standards and security protocols (e.g., NIST Cybersecurity Framework and related guidance)
  • Enhanced TPRM expectations to include fourth parties, specific contract requirements, continuous monitoring of vendor security risks, and threat information sharing with critical vendors

Expectations for enhanced approaches to cybersecurity and data protection, including:

  • Prioritization of data governance, including protections for customer data, models and algorithms, data sharing and protocols for collection, retention, deletion, and archiving
  • Governance frameworks designed to be scalable, integrated across the business, informed by lessons learned, and supported by workforce training and development
  • Application of new tools (e.g., Security-By-Design principles, AI threat detection systems, quantum-safe encryption)
  • Potential increases in regulatory requirements with penalties for noncompliance (e.g., federal, state, global)

03 Maintaining Cyber & Data Security:

Read the document

Download the Section

Dive into our thinking:

Ten Key Regulatory Challenges of 2026

Balancing the Regulatory Stack

Download PDF

Explore more

Points of View

Points of View

Insights and analyses of emerging regulatory issues and their impact.

Read more
Regulatory Insights View

Regulatory Insights View

Series covering regulatory trends and emerging topics

Read more

Regulatory Alerts

Quick hitting summaries of specific regulatory developments and their impact.

Read more

Get the latest from KPMG Regulatory Insights

KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments.

Subscribe

Meet our team

Image of Laura Byerly
Laura Byerly
Managing Director, Clients & Markets, Regulatory Insights, KPMG LLP
Read bio
Image of Orson Lucas
Orson Lucas
Principal, Advisory, Cyber Security Services, KPMG US
Read bio
Image of Matthew P. Miller
Matthew P. Miller
Principal, Advisory, Cyber Security Services, KPMG US
Read bio
Image of Laura Byerly
Laura Byerly
Managing Director, Clients & Markets, Regulatory Insights, KPMG LLP
Read bio
Image of Orson Lucas
Orson Lucas
Principal, Advisory, Cyber Security Services, KPMG US
Read bio
Image of Matthew P. Miller
Matthew P. Miller
Principal, Advisory, Cyber Security Services, KPMG US
Read bio

Thank you

Thank you for signing up to receive Regulatory Insights thought leadership content. You will receive our next issue when we publish.

Get the latest from KPMG Regulatory Insights

KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments. Get the latest perspectives on evolving supervisory, regulatory, and enforcement trends. 

To receive ongoing KPMG Regulatory Insights, please submit your information below:
(*required field)
All fields with an asterisk (*) are required.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

An error occurred. Please contact customer support.

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2026 KPMG LLP, a Delaware limited liability partnership, and its subsidiaries are part of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.
All fields with an asterisk (*) are required.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline