Cyber Policy Becomes Geopolitical Weapon as Regulation, AI and Offensive Ops Converge

NCC Group’s latest Global Cyber Policy Radar finds cyber regulation is no longer a compliance exercise but a strategic lever of national power—reshaping how enterprises manage risk, governance, and global operations.
April 15, 2026

Key Highlights

  • Cyber regulation is now a strategic tool used by governments to control digital ecosystems, influence borders, and project power, moving beyond traditional compliance roles.
  • Three key forces—digital sovereignty, AI oversight, and board accountability—are reshaping the cyber landscape, increasing complexity and cross-border regulatory conflicts.
  • Offensive cyber capabilities are becoming central to national security, with recent examples illustrating their integration into broader geopolitical and defense strategies.
  • Major regulatory frameworks like NIS2, DORA, and the EU AI Act are intensifying scrutiny on organizations' cyber resilience and governance practices.

Cyber regulation is rapidly evolving into a frontline instrument of geopolitical competition, according to new research from NCC Group. The firm’s fifth edition of its Global Cyber Policy Radar, released April 15, 2026, underscores a structural shift: cyber policy is no longer confined to technical standards and compliance frameworks; it is now deeply embedded in national security strategy, economic statecraft, and international power dynamics.

Drawing on its advisory work with governments worldwide, NCC Group concludes that intensifying geopolitical tensions, the rise of state-sponsored cyber operations, and the accelerated adoption of artificial intelligence are collectively reshaping the global regulatory environment. For enterprise security leaders, this convergence is introducing a new level of complexity—one where compliance, risk, and geopolitical alignment are increasingly inseparable.

From Compliance to Strategic Instrument

The report makes clear that cyber regulation has moved beyond its traditional role as a governance mechanism. Instead, it is now being actively used by governments to assert control over digital ecosystems, manage supply chain dependencies, and project influence across borders.

From data localization mandates to restrictions on cloud infrastructure and critical technologies, regulatory frameworks are increasingly reflecting national priorities rather than global consensus. The result is a fragmented cyber landscape, where organizations must navigate inconsistent and sometimes conflicting requirements across jurisdictions.

Three Forces Reshaping Cyber Regulation

NCC Group identifies three dominant forces driving this transformation:

  • Digital sovereignty: Governments are asserting greater control over data, infrastructure, and technology supply chains, often without a unified international rulebook. This trend is accelerating fragmentation and complicating cross-border operations.
  • AI security through existing frameworks: Rather than relying solely on standalone AI legislation, regulators are embedding AI oversight into existing cyber regulations—placing new scrutiny on how organizations deploy, secure, and govern AI systems.
  • Board-level accountability: Regulatory pressure is shifting decisively upward, with senior executives and boards facing direct responsibility for cyber risk, resilience, and compliance outcomes.

Together, these forces are redefining the scope of enterprise cyber risk—expanding it beyond IT and security teams into the highest levels of corporate governance.

Offensive Cyber Moves to Center Stage

One of the report’s most consequential findings is the growing normalization of offensive cyber capabilities within national security strategies.

Historically viewed as a secondary or covert capability, offensive cyber operations are now being positioned alongside traditional military tools. Recent U.S. cyber activity linked to Iran, along with similar developments across Europe, illustrates how governments are integrating cyber operations into broader geopolitical and defense strategies.

This “offense-forward” posture reflects a growing consensus among nation-states that defensive measures alone are insufficient to counter persistent cyber threats.

However, the shift raises significant concerns. In the absence of widely accepted international norms or guardrails, the expansion of offensive cyber activity risks escalating tensions, further fragmenting cyberspace, and placing private-sector organizations in increasingly complex positions, particularly when governments seek cooperation or support.

Regulatory Wave Intensifies

The report also highlights the mounting impact of major regulatory frameworks now coming into force or enforcement globally, including:

  • NIS2 Directive
  • Digital Operational Resilience Act (DORA)
  • EU Cyber Resilience Act
  • EU AI Act
  • Cyber Incident Reporting for Critical Infrastructure Act

As these frameworks take hold, organizations are facing heightened scrutiny around cyber governance, operational resilience, and executive oversight. Compliance is no longer a static requirement—it is an ongoing, dynamic process tied directly to geopolitical developments and regulatory evolution.

A New Mandate for the Boardroom

Katharina Sommer, Director of Government Affairs and Analyst Relations at NCC Group, emphasized the strategic implications of these shifts.

“Cyber policy has become an extension of geopolitics,” she said. “As trust between states erodes, cyber regulation is increasingly shaped by national security concerns, supply chain risk and the use of cyber capabilities as a strategic tool.”

She added that governments are signaling a clear departure from a purely defensive stance. “From U.S. cyber operations linked to Iran to the expansion of offensive cyber capabilities across Europe, states are signaling that cyber is now a core component of deterrence and power projection.”

For enterprises, this evolving landscape demands a more proactive and strategic approach. Organizations must not only strengthen technical defenses but also clarify their positions on public–private collaboration, develop evidence-based resilience strategies, and ensure that boards are equipped to make informed decisions in a rapidly shifting risk environment.

“Those that engage early, build evidence-led resilience and put cyber firmly in the boardroom will be best placed to navigate this increasingly fragmented landscape,” Sommer added.

Navigating a Fragmented Future

The Global Cyber Policy Radar ultimately points to a future defined by fragmentation, heightened accountability, and deeper entanglement between cyber risk and geopolitics.

For security leaders, the takeaway is clear: cyber regulation can no longer be treated as a compliance checklist. It is now a strategic variable, one that influences everything from market access and operational continuity to reputational risk and national alignment.

Organizations that recognize this shift early and elevate cyber governance to the boardroom will be best positioned to operate effectively in an increasingly complex and contested digital landscape.

About NCC Group

NCC Group is a people-powered, tech-enabled global cyber resilience and software escrow business. With more than 2,000 employees across Europe, North America, and Asia-Pacific, the company provides cybersecurity expertise to public- and private-sector organizations worldwide. More information is available at https://www.nccgroup.com/.

 
 