SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
United States
Flux result aec568f9 6058 4698 84f4 390bda71a536
#
Data Protection
#
Digital Transformation
#
Cloud Security

Cyber rules shift as geopolitics & AI reshape policy

Thu, 16th Apr 2026 (Yesterday)
Author image
By Catherine Knowles, News Editor

NCC Group has published the fifth edition of its Global Cyber Policy Radar, which says cyber regulation is being reshaped by geopolitical tension, state-backed cyber activity and the adoption of artificial intelligence.

The study argues that cyber policy has moved beyond technical compliance and is now more closely tied to national security, economic policy and geopolitical strategy. It cites tighter controls over supply chains, data and infrastructure as evidence that governments are using regulation to manage strategic risk in a more divided international environment.

One of the report's central findings is that digital sovereignty is becoming a major force in cyber regulation. Governments are asserting greater control over data, cloud infrastructure, technology supply chains and critical services, often without a shared international framework. The result is a more fragmented cyber landscape for organisations operating across multiple jurisdictions.

A second trend is the treatment of AI security through existing cyber rules rather than separate AI-specific regimes. NCC Group says regulators are applying current cyber obligations to the way businesses deploy and secure AI systems, increasing scrutiny of how organisations manage AI tools across their wider digital environments.

The third theme is board-level accountability. Regulators are placing direct oversight and personal responsibility on senior leaders, moving cyber governance firmly into the boardroom. That shift comes as several major frameworks either enter into force or move towards enforcement, including NIS2, DORA, the EU Cyber Resilience Act, the AI Act and the US Cyber Incident Reporting for Critical Infrastructure Act.

Offensive Shift

The report also highlights what it describes as a broader shift in state cyber strategy. Governments are increasingly concluding that defensive measures alone are not enough, and offensive cyber tools are becoming more central to national security planning.

NCC Group points to recent US cyber operations, including activity linked to Iran, as an example of cyber activity being integrated into wider military and geopolitical strategy. It says a similar approach is emerging in a growing number of European states, raising questions about international coordination, escalation risks and the role of private companies.

Without common global rules, the expansion of offensive cyber activity could deepen the fragmentation of cyberspace, the report warns. For multinational companies, that could mean more complex compliance requirements and greater pressure to respond when governments seek support for cyber efforts.

The findings come as businesses face growing regulatory demands on resilience, reporting and governance. Cross-border operators in particular are dealing with a patchwork of national and regional rules that increasingly reflect strategic priorities as much as technical standards.

Katharina Sommer, Director of Government Affairs and Analyst Relations at NCC Group, described the shift in policy:

"Cyber policy has become an extension of geopolitics. As trust between states erodes, cyber regulation is increasingly shaped by national security concerns, supply-chain risk and the use of cyber capabilities as a strategic tool.

"Our latest Global Cyber Policy Radar shows that governments are no longer relying on resilience alone. From U.S. cyber operations linked to Iran to the expansion of offensive cyber capabilities across Europe, states are signalling that cyber is now a core component of deterrence and power projection," she said.

The report frames the change as a practical issue for corporate leaders, not just security teams. Organisations now need to think beyond technical compliance to governance, resilience and their position on cooperation with public authorities.

That matters as cyber risk becomes more tightly connected to broader political tensions. Rules covering data location, infrastructure dependence, software supply chains and incident reporting are increasingly being shaped by national priorities, leaving companies to navigate both regulatory obligations and strategic expectations.

Sommer said boards will need to take a more active role.

"For organizations, this fundamentally changes the operating environment. Digital sovereignty, offensive cyber activity and regulatory accountability are converging, placing new expectations on boards to understand not just compliance, but where their organization stands when governments call for cooperation. Those that engage early, build evidence-led resilience and put cyber firmly in the boardroom will be best placed to navigate this increasingly fragmented landscape."

Related stories
OpenAI launches Trusted Access for Cyber with major names
Anthropic launches Claude Opus 4.7 with stronger coding
Cyber insurance now common among North American SMBs
CIQ launches Linux compliance platform ahead of deadlines
Emerson & OPSWAT strike global reseller deal for OT patching

Top stories

Team Cymru launches Total Insights Feeds for threat data
FIRST conference highlights AI & CVE disclosure push
Protegrity launches AI Team Edition for secure inferencing
Autonomize launches healthcare AI platform version 3
CERN joins OpenSearch foundation as associate member