Cybersecurity

Cyberattacks surged in 2025, hitting organisations across sectors like retail and automotive. Rather than targeting heavily regulated industries, attackers are increasingly turning to consumer, industrial, and professional services businesses.

AI is accelerating this trend. It can generate malicious code, automate reconnaissance, and craft highly convincing phishing campaigns at scale, lowering the barrier to entry and making attacks faster, sharper, and harder to detect. At the same time, fears about quantum computing’s potential to break today’s encryption are adding new urgency to long-term cybersecurity planning.

Regulation is evolving just as quickly. But with global cybersecurity rules still fragmented, multinational companies face a complex web of overlapping, and sometimes conflicting, obligations. For cross-border organisations, implementation remains one of the toughest challenges.

As we move into 2026, the intersection between AI, emerging technologies, and cybersecurity is becoming a strategic priority for policymakers and businesses alike.

Cybersecurity risks

Simon Shooter, Partner, Saudi Arabia


In the year ahead we can expect a significant uptick in AI-powered cyberattacks, with AI conducting mass vulnerability scanning, generating polymorphic malware, fuelling deepfake phishing and mashing attacks, and orchestrating huge DDoS (distributed denial-of-service) attacks.

For Saudi Arabia, businesses remain at heightened risk of nation-state activity and hacktivism, and there are rumours of some regulatory bodies mandating cybersecurity insurance in the near future.

Businesses should carry out an assessment of their preparedness - e.g. train employees with realistic phishing/deepfake drills, tighten third‑party controls and ensure policies and evidence are up to date. Delay in taking precautionary measures leaves businesses exposed. The ability of AI to run cyber-attack campaigns at scale, almost autonomously, materially increases the prospects of being attacked.

At the same time, regulators continue to increase the compliance burden on businesses. Accordingly, a clear watch needs to be kept for changes in cyber regulation and adjustments made to tick the new boxes. Perhaps one day we will see an evaluation of the success of cyber regulation in stopping cybercrime against the cost to industry.

AI-enabled attacks are becoming faster, stealthier, and harder to detect, with organisations increasingly adopting agentic AI systems.

APAC has seen a sustained rise in incidents of nearly 30%, with attackers weaponising AI for deepfake-enabled fraud, automated phishing, and social engineering. Manufacturing, finance, and professional services remain most at-risk, with investigation reports by regulatory authorities frequently flagging human factors, e.g. phishing, loss of storage devices, and inadvertent transmissions. This shows that technology alone can’t close the gap without governance and training.

By 2025, most APAC jurisdictions had enacted or refreshed cybersecurity regimes for the protection of critical infrastructures (most recently, Protection of Critical Infrastructures [Computer Systems] Ordinance for Hong Kong and Active Cyber Defence Law for Japan). Expect regulators to share principles like risk-based controls, accountability, and rapid reporting, while still anticipating local nuances driven by data protection rules and sector-specific mandates. Also look out for how regulators calibrate penalties and assess breach gravity in the region.

Clients should always start with a common organisational standard when devising a regional cybersecurity compliance framework. This may include formulating an incident response plan, and defining organisational responsibilities and reporting lines, with the flexibility to account for local jurisdiction-specific requirements. Given APAC does not have an EU-level harmonised regulatory framework, this approach is essential where laws are converging yet remain fragmented.

Investment in employee training, continuous monitoring and clear escalation protocols is critical. Firms that combine responsible AI deployment with disciplined governance and proactive compliance will be best positioned to withstand the next generation of AI-enabled threats.

Wilfred Ng, Partner, China


Hwee Yong Neo, Senior Managing Associate, China


Dr. Juliana Kliesch, Counsel, Germany


The EU has published its roadmap for the transition to quantum-secure cryptography.

The roadmap urges EU Member States and operators of important infrastructure to take action against future, advanced quantum computers which could break encryption methods used today. To stay safe, organisations will need to switch to quantum-secure encryption as soon as feasible.

For high-risk use cases, the EU has set a deadline of end of 2030 for completing this transition.

Companies in scope of the NIS2 Directive may fall into this high-risk category. If these companies manage their own encryption systems and cannot rely on a software update from their IT service provider, they should start preparing for the transition soon.

Cybersecurity regulation

Ádám Simon, Counsel, Hungary


The NIS2 Directive is gaining momentum across the EU as more Member States transpose it into national law.

Alongside other resilience and security legislation (e.g. CER Directive, Cyber Resilience Act, Cybersecurity Act), NIS2 remains key to achieving comprehensive cybersecurity coverage and strengthening the Union's collective resilience against cyber threats.

In 2025, most multinational entities subject to NIS2 began registering, conducting gap analyses and launching compliance programmes. However, uneven implementation across the EU has created uncertainty and made a uniform approach challenging.

Meanwhile, Member States have been establishing or strengthening their national cybersecurity authorities and Computer Security Incident Response Teams (CSIRTs), while national supervisory authorities are issuing guidance and establishing enforcement frameworks. In June 2025, ENISA published technical guidance on NIS2 implementation, offering practical support for entities in the NIS2 digital infrastructure, ICT service management, and digital providers sectors.

The European Commission’s Digital Omnibus package proposes a ’report once, share many’ approach by setting up a single point for incident reporting under NIS2, GDPR, eIDAS, DORA and CER, repealing incident reporting rules of the ePrivacy Directive. This approach is expected to be applied 18 months after adoption of the Digital Omnibus. Further changes may follow with a proposed revision of the Cybersecurity Act, slated for 14 January 2026.

We recommend prioritising cybersecurity compliance by conducting gap analysis, establishing national registration processes and governance structures, and ensuring documentation processes are in place to demonstrate compliance. Expect increased regulatory scrutiny and enforcement in 2026 as implementation matures.

In 2026, businesses should start preparing for the Cyber Resilience Act (CRA), which takes effect on 11 December 2027.

Starting from 11 September 2026, manufacturers will need to report on actively exploited vulnerabilities. One of the key challenges for businesses will be classifying their digital products as either 'important' or 'critical' as well as meeting requirements such as conformity assessments and future certification requirements across various EU Member States.

Additionally, businesses must review products manufactured before 11 December 2027 to ensure they meet the CRA's secure-by-design requirements if placed on the market after 11 December 2027. Special attention should be given to digital products placed on the market before 11 December 2027 that will be subjected to a substantial modification after this date as this could bring them in scope of the CRA. Manufacturers, importers and distributors should remain vigilant to comply with these requirements.

Feyo Sickinghe, Of Counsel, Netherlands


Kuba Ruiz, Senior Counsel, Poland


DORA has applied since 17 January 2025, but implementation continues into 2026. Harmonisation with local NIS2 implementations is still in its early stages across many EU jurisdictions, raising practical challenges.

Financial entities have started updating their cybersecurity frameworks and amending their contractual documentation to comply with DORA. This will continue into 2026.

The first DORA-compliant threat-led penetration tests (TLPT) are still pending.

In response to DORA, ESAs have revised, or are in the process of revising, their guidelines on outsourcing:

  • The European Insurance and Occupational Pensions Authority (EIOPA) has withdrawn its guidelines on ICT security and governance, as well as those on outsourcing to cloud service providers.
  • The European Banking Authority (EBA) has launched a consultation on its draft guidelines on third-party risk management, with the aim of aligning them with the DORA regime.
  • The European Securities and Markets Authority (ESMA) issued revised guidelines on outsourcing to cloud service providers on 11 July 2025.

ICT service providers should check that their internal processes and policies enable them to fulfil their NIS2 and DORA (contractual) obligations, particularly regarding managing subcontractor-related risks and responding to ICT incidents. We expect the first regulatory audits in 2026.

Financial entities should focus on applying DORA requirements to new AI and data-related technologies and applicable regulations (AI Act, Data Act, etc.).

Despite the transposition deadline of 17 October 2024, many EU Member States have yet to implement the CER Directive into their national legislation, similar to the NIS2 Directive.

Both directives are likely to be implemented in parallel. To assist this, the European Commission issued non-binding guidance in September 2025 to help EU countries identify critical entities across 11 key sectors, including energy, transport, drinking and wastewater, food, banking, and digital infrastructure.

The critical milestone arrives in July 2026, when Member States must complete identification of critical entities. Once identified, these entities will have just nine months to carry out comprehensive risk assessments and one additional month to adopt resilience-enhancing measures to prevent, respond to, and mitigate incidents disrupting essential services. The Directive establishes an all-hazard approach, requiring organisations to address natural disasters, terrorist attacks, insider threats, sabotage, and climate-related risks - moving beyond the cyber-focused requirements of NIS2.

Organisations in the 11 covered sectors should assess whether they could qualify as critical entities and begin gap analyses against CER requirements, as the compliance window following designation is extremely challenging to meet. Smart organisations are identifying synergies between CER and parallel regulations (NIS2, DORA, Cyber Resilience Act) to create integrated compliance programmes rather than siloed initiatives.

Ján Kuklinca, Partner, Czech Republic


James Gong, Legal Director, China


The Chinese government is overhauling its cybersecurity regime with significant amendments to the Cybersecurity Law, with increased enforcement efforts and the implementation of the data security regime.

The revised Cybersecurity Law aligns with recent legal and technological developments, including AI, and raises penalties for violations. Additionally, the Cyberspace Administration of China (CAC) has published a regulation on how to report major cyber incidents. A network data security regulation also came into force, which is an important piece implementing the Data Security Law.

Companies should review their current cybersecurity measures and ensure compliance with the amended Cybersecurity Law or risk financial penalties up to $1.41 million for non-compliance.

On AI, China is expected to continue to strengthen AI Governance by stepping up enforcement on content management, algorithm filing and AI ethics, with more AI security standards to be drafted and published.

With the ever-increasing threat of cyber attacks and the clear impact they’re having on everything, from the NHS to shops, cyber resilience is going to be a key topic for 2026.

The UK Cyber Resilience Bill was introduced to the UK Parliament in November 2025 and is designed to increase the level of cyber resilience in the UK. The Bill is a result of two post-implementation reviews of the NIS Regulations and was announced in the King’s Speech in July 2024, but there is scope for it to change as it goes through Parliament.

The Bill proposes to bring in new services like data centres and managed service providers as well as increase obligations on those already in scope and their supply chains. Businesses operating in regulated sectors should monitor developments closely and begin planning for compliance and take the opportunity to influence the legislation as it passes through Parliament.

Matthew Buckwell, Senior Associate, UK
