Regulatory Fragmentation: From Anomaly to Strategic Focus
Regulatory fragmentation has become a defining feature of today’s global business environment.
Increasing regulatory divergence and fragmentation in areas such as artificial intelligence, cybersecurity, data privacy, and climate and other sustainability issues are driving risk, compliance, and operational challenges for US multinational companies.
Once the exception, regulatory fragmentation across federal, state, and global jurisdictions has become a defining feature of the global business environment, directly impacting decisions on where to grow, how to structure products and data, and how to design governance and control frameworks that can withstand shifting and misaligned rules and regulations.
As such, boards should help ensure the company is addressing this challenge strategically rather than treating it as a siloed compliance issue by integrating it into core strategy, risk, and governance processes and frameworks.
Regulatory Patchwork and Pitfalls
Industries that sit at the intersection of heavy regulation and rapid innovation, including financial services, large technology or digital platforms, energy and extractives, and globally integrated manufacturers and supply chain-intensive sectors, will be most affected by regulatory divergence and fragmentation in the following key areas:
Climate and other sustainability disclosures: While the US Securities and Exchange Commission’s (SEC) climate rule is a thing of the past, many companies will be subject to evolving California, European Union (EU), and International Sustainability Standards Board regulations. There is significant divergence among US federal, state, and global climate and sustainability frameworks, requiring companies to navigate conflicting or nonaligned disclosure, target setting, and transition planning expectations.
Data privacy and AI: Many companies must reconcile the data privacy and consumer protection requirements of the EU’s and the United Kingdom’s General Data Protection Regulation and of a growing set of US state privacy laws, each with different requirements that are driving region-specific data architectures and governance. At the same time, AI rules are fragmenting across the EU AI Act and US state AI and automated decision-making laws covering areas such as hiring, credit, and underwriting, forcing companies to run multiple risk classifications, documentation standards, and model governance processes.
Cybersecurity and critical infrastructure: Multiple federal, state, and foreign regimes are imposing overlapping security, incident reporting, and sector-specific requirements that companies and critical infrastructure operators must reconcile. Financial services, health-care, energy, and large technology providers are particularly exposed.
Trade, sanctions, and geopolitical risks: Frequently changing US tariffs, export controls, and sanctions—especially those targeting strategic technologies and certain countries—interact with differing regimes in Europe and Asia, forcing multinationals into increasingly fragmented product, supply chain, and investment configurations.
Financial and digital markets: Digital assets and broader capital formation rules sit in a fragmented global environment. As discussed in the KPMG LLP report, Ten Key Regulatory Challenges of 2026, regulatory divergence and the need to “balance the regulatory stack” will be vital as firms try to innovate while staying aligned with core prudential conduct standards. While regulators are moving from uncertainty and enforcement-only approaches to more structured frameworks for crypto assets, stablecoins, and tokenized payment instruments, expect uneven progress across markets, sectors, and regulators.
The Board’s Role
To help ensure the companies they serve take a strategic approach to addressing the risks posed by regulatory divergence and fragmentation, boards should consider focusing on the following four key areas:
Management’s structure and processes: Assess whether the company manages regulatory fragmentation as a critical enterprise risk through an enterprise-wide structure versus a narrow compliance focus. Many multinationals form cross-functional regulatory teams with the risk, compliance, finance, and legal functions serving as the architects and integrators of how the company interprets, reconciles, and operationalizes overlapping federal, state, and global rules.
Each business unit and functional area designs and owns the day-to-day operation of controls in their respective domains. The finance function maintains responsibility for internal controls and, with management’s disclosure committee, for disclosure controls and procedures. The internal auditor is also typically part of the cross-functional team. The goal is a collaborative structure that integrates compliance, operations, information technology, and business units to elevate regulatory risk beyond a siloed compliance effort.
Reports to the board and standing committees: Boards should consider the adequacy of management reports to the full board and its standing committees. Does the board periodically, typically quarterly, receive a dashboard of enterprise-wide regulatory risks that shows the top areas of divergence, by jurisdiction and topic, trends, and linkage to strategic objectives and key performance metrics?
The dashboard should highlight where fragmentation is driving material operational, financial, or reputational risk. Directors should request a semiannual deep dive on key regulatory pressure points, such as AI, data privacy, cybersecurity, and sustainability, as well as how overlapping and conflicting requirements are rationalized in policies, controls, and reporting.
Boards may also consider asking management for an annual, enterprise-wide regulatory strategy review covering technology enablement, talent, and cross-functional coordination to monitor divergence and reporting obligations. Where regulatory intensity is high or increasing for a particular industry or jurisdiction, boards should expect updates at every regular board or committee meeting until the risks are addressed.
Clarifying board and committee oversight responsibilities: As discussed in the KPMG report, On the 2026 board agenda, defining and refining board and committee risk oversight responsibilities remains a challenge, particularly when multiple committees have oversight responsibilities for a category of risk, such as climate and sustainability, cybersecurity, generative AI, data privacy, compliance, talent, and culture risks. The board must clearly delineate the responsibilities of each committee. To oversee risk effectively when the full board and two or more board committees are involved, boards should think differently about how to coordinate committee activities. For example, a board may establish a new committee comprising a member of each standing committee to oversee the particular category of risk and to help ensure coordination of the risk oversight activities of the other committees. Other approaches include periodic joint meetings of certain committees, overlapping committee memberships, and in all cases, ensuring robust reporting out by committees to the full board.
Monitoring the SEC’s deregulatory agenda: Boards should task management with monitoring the SEC’s planned deregulatory actions and how they might impact the company’s regulatory divergence and fragmentation risk profile.
In its “Spring 2025 Regulatory Agenda,” the SEC outlined its regulatory priorities under chair Paul Atkins. In addition to an emphasis on crypto assets and facilitating capital formation, the priorities included proposed rulemaking that would simplify or streamline materiality-based disclosures, as well as the withdrawal of rulemakings on human capital management and board diversity disclosures.
In September 2025, Atkins confirmed that the SEC will propose a rule change which, if approved, would allow companies to continue reporting quarterly or switch to semiannual reports, in line with other jurisdictions, such as the United Kingdom and EU.
Given the scope of the SEC’s proposed deregulatory initiatives—and the implications for the company’s earnings reports frequency, disclosure practices, internal controls, risk profile, compliance obligations, and shareholder engagement strategies—boards and audit committees should stay well-informed on the planned rulemakings and receive regular updates from management, legal counsel, and auditors about potential implications for the company.
This article first appeared in NACD Directorship Magazine.