New for 2026


The 2026 regulatory landscape

The regulatory environment has moved from guidance to enforcement. Continuous monitoring is no longer a best-practice recommendation; for a growing proportion of organizations worldwide it is a legal requirement with named deadlines and financial penalties.

DORA

The Digital Operational Resilience Act (DORA) has applied across all EU member states since 17 January 2025. It mandates continuous monitoring of ICT systems, a full ICT risk-management framework, regular digital operational resilience testing (including threat-led penetration testing for the largest firms), and tiered reporting for major ICT-related incidents: an initial notification within 4 hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours, and a final report within one month. In November 2025, the European Supervisory Authorities (EBA, EIOPA and ESMA) published the first list of designated Critical Third-Party Providers (CTPPs), bringing major ICT providers to the financial sector under direct oversight. Financial entities must now evidence continuous controls assurance, not just periodic audit compliance.

NIS2

The NIS2 Directive had to be transposed into national law by 17 October 2024, and member-state enforcement is still being phased in through October 2026. It covers 18 sectors, including energy, transport, health, banking and financial market infrastructure, and digital services. It requires an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours and a final report within one month; personal accountability of management bodies for cybersecurity governance; and penalties of up to €10M or 2% of global annual turnover for essential entities (up to €7M or 1.4% for important entities). NIS2 explicitly requires continuous monitoring of network and information systems as part of its minimum risk-management measures.

SEC

The SEC's Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rules require public companies to disclose material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that the incident is material, to describe their cybersecurity risk-management processes in annual 10-K filings, and to describe board oversight and management's role in assessing and managing cyber risk. 54% of CISOs now cite personal liability in the event of a breach as a significant concern.

EU AI Act

The EU AI Act introduces new requirements for AI systems used in security contexts, including transparency, explainability and human-oversight obligations. AI systems used as safety components in the management and operation of critical infrastructure are classified as high-risk under Annex III, requiring rigorous technical documentation, logging and post-market monitoring, and evidence of effective human control. Organizations using AI in their security operations must be able to demonstrate how AI-generated recommendations are validated, governed and overridden when necessary.

CIRCIA (US)

The final rules implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) are expected in 2025–2026. They will require covered entities in critical infrastructure sectors to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The US average breach cost reached $10.22M in 2025, a record high, reflecting the compounding effect of higher regulatory penalties on top of detection, response and recovery costs.

The convergence of compliance and security operations

The most significant shift in 2025–2026 is not the volume of regulation; it is that compliance and security operations are converging. Regulators want proof of continuous assurance, not point-in-time audit evidence. That means the tooling used for compliance must be the same tooling used for ongoing security monitoring: the two cannot be separated. Organizations that still run periodic audits with manual data collection are not just operationally inefficient; under DORA, NIS2 and the SEC rules they are structurally unable to produce the continuous evidence those regimes demand. Continuous Controls Monitoring (CCM) is no longer a competitive advantage, but a baseline requirement.
