Regulatory Shifts for 2025 and What to Expect for 2026

2025 reshaped the regulatory landscape in ways that directly impact how organizations secure data, operate cloud workflows, and manage compliance risk. New rules, tightened enforcement, and clearer technical expectations pushed security programs toward measurable controls, continuous monitoring, and stronger governance. This article provides an overview of the main updates that defined the year and what they signal for 2026.

CMMC 2.0 United States Defense Industrial Base

CMMC 2.0 reached a major milestone in 2025: the Final Rule was published on September 10, 2025, and became effective on November 10, 2025. This completed the transition from the December 26, 2023 proposed rule to a fully enforceable DFARS requirement. The rule incorporates CMMC into contracting through DFARS 252.204-7012, 252.204-7019, 252.204-7020, and the new CMMC clause that contracting officers can now insert into FY26 solicitations.

CMMC remains anchored to NIST SP 800-171 Rev.3, requiring contractors handling Controlled Unclassified Information to implement all 110 controls, including access control, authentication, encryption, audit logging, configuration management, and incident reporting. Beginning November 10, 2025, solicitations may require self-assessment, third-party assessment, or government assessment, depending on contract sensitivity and CMMC level. Contractors must also maintain accurate scoring in the Supplier Performance Risk System.

What to expect in 2026

2026 will see wider adoption of the new CMMC clause across DoD programs as the phased implementation accelerates. More solicitations will specify assessment level requirements, and contractors should expect increased emphasis on evidence-based NIST 800-171 compliance, verified scoring, and readiness for third-party assessments on higher-risk contracts.

Learn how StratoKey can assist with controls for CMMC Compliance.

Canada: CPCSC for Defense and Critical-Supplier Cybersecurity

Canada is advancing its Canadian Program for Cyber Security Certification, a framework that mirrors the role of CMMC in the United States. CPCSC introduces tiered certification levels for defense suppliers and organizations handling sensitive government data, aligned with NIST-based controls covering access management, encryption, monitoring, incident response, and vendor governance. The program is designed to establish a consistent security baseline across federal supply chains and improve interoperability with U.S. defense requirements.

What to expect in 2026

As CPCSC matures, Canadian contractors should prepare for formal certification expectations tied to defense and government procurement. Organizations operating across the U.S.–Canada supply chain will see increasing alignment between CPCSC and CMMC, with greater emphasis on evidence-driven security, data sovereignty assurances, and third-party oversight. This trend points toward more uniform security standards across North American defense ecosystems.

ITAR United States Export Controls

ITAR underwent meaningful updates in 2025, with the Department of State’s Directorate of Defense Trade Controls publishing a Final Rule on August 27, 2025, effective September 15, 2025. The rule revised 15 USML categories to reflect evolving defense technologies, clarified definitions, removed items no longer requiring control, and added new controlled articles.

What to expect in 2026

Organizations should expect additional category refinements as DDTC continues modernizing the USML. Increased scrutiny of cross-border data flows and technical data handling is likely, especially for digital engineering, AI-enabled systems, and cloud workflows involving ITAR-controlled information.

Learn how StratoKey can assist with ITAR Encryption Carve-out.

FedRAMP United States Federal Cloud

FedRAMP continued to operate as the standard authorization framework for cloud services used by U.S. federal agencies. Authorizations aligned to NIST SP 800-53 Rev.5 baselines following the official transition on 7 May 2024, with all Moderate and High systems expected to complete their Rev.5 updates during 2025. Impact categorization remained based on FIPS 199. FedRAMP High applied only to systems where loss of confidentiality, integrity, or availability could cause severe mission impact, while most services handling Controlled Unclassified Information continued to target FedRAMP Moderate.

Cloud and SaaS providers seeking authorization were required to meet Rev.5 control requirements across cryptographic protection, identity and access management, continuous monitoring, audit logging, and system integrity.

What to expect in 2026

2026 will emphasize continuous monitoring maturity, with agencies increasing scrutiny of vulnerability management, supply chain documentation, and automation of compliance reporting. The FedRAMP PMO is also expected to expand reciprocity with other federal frameworks following OMB guidance.

NIS2 Directive European Union

NIS2 moved into full effect on 17 October 2024, with enforcement activity accelerating throughout 2025 as Member States completed national transposition. The directive expanded the scope of essential and important entities and introduced stricter obligations under Articles 21 to 23 relating to risk management, incident reporting, supply chain security, access control, and business continuity. Article 26 increased executive liability, and Article 32 established corrective measures and penalties for inadequate security practices.

What to expect in 2026

2026 will bring more formal supervisory actions as Member States finalize enforcement structures. For organizations, especially those operating across sectors like energy, transport, healthcare, finance, and digital infrastructure, 2026 is when NIS2 compliance stops being theoretical. Meeting security, reporting, and supply-chain obligations will become core to risk management, vendor contracts, data-sovereignty strategies, and cross-border operations. Organizations should expect increased requests for evidence, more audits of supply chain controls, and sector-specific guidance clarifying acceptable risk-management measures.

GDPR and Global Privacy Law Expansion

GDPR remained the central regulatory anchor for global data privacy in 2025, with enforcement intensifying around Articles 5, 25, 30, 32, and 33. EU regulators continued to pursue large penalties for improper data transfers, insufficient encryption, and failure to meet the 72-hour breach reporting requirement. In 2025, the EU issued a large fine, €530 million, against TikTok for transferring European user data to China without guaranteeing protections equivalent to EU standards and for failing to assure that Chinese access laws would not violate user privacy obligations under GDPR.

By late 2025, more than 140 jurisdictions had implemented privacy or consumer-data laws largely modeled on GDPR principles. Regulators focused heavily on data minimization, vendor oversight, records of processing activities, and transparent processing. The volume and severity of fines increased across sectors handling sensitive personal data.

What to expect in 2026

Organizations should anticipate more guidance around AI training data, stricter enforcement on international data transfers and data sovereignty, and more coordinated cross-border investigations among EU regulators. Several regions are expected to align their national privacy laws more tightly with GDPR standards.

Check out our GDPR Encryption Guide.

HIPAA Security Rule Update: United States Healthcare

The Department of Health and Human Services released its Notice of Proposed Rulemaking (NPRM) on 6 January 2025, marking the first major update to the HIPAA Security Rule since 2013. The proposal revised requirements in 45 CFR 164.308, 164.310, and 164.312, introducing mandatory multifactor authentication, mandatory encryption of ePHI in transit and at rest, asset and data-flow inventories, vulnerability scanning, penetration testing, strengthened access controls, enhanced audit logging expectations, and continuous security risk assessments.

Policymakers are also signalling broader privacy reform through proposals like HIPRA, which aims to extend HIPAA-grade protections to wearable and app-generated health data.

These changes shifted many previously addressable safeguards into required safeguards, significantly raising the baseline for HIPAA covered entities and business associates.

What to expect in 2026

The final rule is expected in 2026, with phased compliance deadlines to follow. Healthcare organizations should plan for mandatory MFA across all clinical and administrative systems, the required encryption implementations, formalized testing programs, and expanded accountability across third-party vendors and cloud service providers.

Check out our HIPAA Encryption Guide and page to help you get on the front foot with the required encryption controls.

HIPRA Brings U.S. Wearable Data Into Scope

The U.S. Senate has introduced the Health Information Privacy Reform Act, aimed at extending HIPAA-style protections to data generated by wearables and health apps. HIPRA will create a new class of regulated entities and require consent, transparency, access rights, and stronger breach notification for health-adjacent data that currently sits outside of HIPAA.

What to expect in 2026

The direction of travel is clear. Regulators want consistent safeguards for all health-related data, whether it originates in clinical systems or consumer devices. Organizations handling wearable telemetry data should expect increased scrutiny and more formal expectations around security, governance and data handling as policy discussions continue through 2026.

Where Security and Compliance Are Headed in 2026

Regulators are moving toward stricter, evidence-based security requirements that demand encryption, identity assurance, auditability, and full visibility across data flows. Rising AI-driven threats and recent SaaS supply-chain breaches have reinforced the need to secure sensitive data before it reaches third-party systems.

In 2026, enforcement will tighten as new rules take effect and technical, audited proof of compliance becomes mandatory. Organizations that deploy unified, data-centric controls now will be better positioned to meet these requirements and reduce exposure in the year ahead.
