UK Cyber Security and Resilience Bill
The UK Cyber Security and Resilience Bill was introduced in November 2025 and is still moving through Parliament. It has not yet been enacted, though it is widely expected to become law during 2026. For compliance teams, the key point is timing rather than certainty. While the headline legislation may pass next year, many of the detailed operational obligations will not apply immediately. Core requirements for sectors such as data centres, relevant managed service providers, large load controllers, and designated critical suppliers will be set out later through secondary legislation. The government has confirmed it will consult on these detailed rules after the Bill passes, followed by a phased implementation period. This gives organisations time to prepare, though early planning will be essential.
The scope of the Bill significantly expands the existing NIS framework. A new “data infrastructure” sector will bring medium and large data centres into regulation for the first time. Relevant Managed Service Providers, meaning organisations that manage or administer customer IT systems, will also be brought within scope. In addition, the Bill captures large load controllers and certain critical suppliers that support essential or digital services. For compliance professionals, this means reassessing whether your organisation, or key suppliers you rely on, may fall into scope even if they were previously outside NIS regulation.
Incident reporting obligations are also being strengthened. The definition of a reportable incident now includes events that are capable of causing a significant impact, not just those that have already done so. Regulated organisations will be required to submit an initial notification within 24 hours, followed by a full report within 72 hours. Notifications must also be made in parallel to the National Cyber Security Centre. Where customers or users are likely to be affected, organisations will need processes in place to notify them promptly and clearly. This places greater emphasis on early detection, internal escalation, and well-rehearsed reporting procedures.
Enforcement powers under the Bill are materially stronger. Regulators will have access to tougher penalties for serious non-compliance, including fines of up to £17 million or 4 percent of global turnover. For compliance teams, this raises the stakes around governance, documentation, training, and supplier oversight. Demonstrating reasonable and proportionate security measures, along with effective incident response planning, will be critical in managing regulatory risk once the regime comes into force.
For a deeper breakdown of what the Bill means in practice, including affected sectors and compliance steps, you can download the VinciWorks guide to the UK Cyber Security and Resilience Bill.
UK’s Cyber Essentials scheme
An updated version of the Cyber Essentials standard is expected in April 2026, labelled version 3.3. While this is an update rather than an entirely new framework, it represents a meaningful tightening of expectations and should be treated as a substantive change for organisations that rely on cloud services or operate hybrid environments.
The scope of the update places a stronger emphasis on cloud security. Multi-Factor Authentication will be mandatory for all available cloud services, closing off previous flexibility where MFA could be limited to higher-risk systems. The update also clarifies scoping rules, confirming that all internet-connected devices fall within scope. For compliance teams, this removes ambiguity around peripheral systems, remote access tools, and connected devices that may previously have been overlooked.
Secure development requirements are also being strengthened. The update places greater weight on application development practices, with clearer expectations around secure coding, testing, and change management. Organisations will need to be able to evidence that security is embedded throughout the development lifecycle, rather than applied only at deployment or after incidents occur.
Incident recovery and resilience are another major focus. The updated standard tightens requirements around backups, including expectations for separation, testing, and recoverability. Regulators and auditors will expect stronger evidence that backups are effective and protected against compromise. The update also closes common loopholes that have existed around hybrid and remote working environments, making it clear that security controls must apply consistently regardless of where systems or staff are located.
Version 3.3 signals a shift from high-level assurances toward demonstrable, auditable controls. Preparation should focus on confirming MFA coverage, reviewing device inventories, strengthening secure development evidence, and validating backup and recovery arrangements across all environments.
EU Cyber Resilience Act reporting obligations
From 11 September 2026, manufacturers will be legally required to report actively exploited vulnerabilities and severe cybersecurity incidents affecting products with digital elements. This marks the first operational milestone under the Cyber Resilience Act and introduces formal incident reporting duties that many product manufacturers have not previously faced.
The obligations apply to a wide range of products with digital elements that are subject to conformity assessment. This includes industrial hardware and software such as IoT devices, programmable logic controllers, and sensors, as well as software products including desktop, web, and mobile applications and operating systems. Intelligent consumer devices are also in scope. For compliance teams, the key issue is breadth. The CRA does not only target traditional IT or consumer software vendors. It captures manufacturers across industrial, embedded, and consumer technology supply chains.
The reporting timelines are prescriptive and demanding. Once a manufacturer becomes aware of an actively exploited vulnerability or a severe incident, an early warning must be submitted within 24 hours. A full notification must follow within 72 hours. In addition, a final report is required no later than 14 days after a corrective measure becomes available for an actively exploited vulnerability, or within one month for other severe incidents. This requires clear internal escalation paths between product security, engineering, legal, and compliance functions.
Notifications are made through a single, central process. Manufacturers submit reports once via the CRA Single Reporting Platform. The report is addressed to the Computer Security Incident Response Team in the Member State where the manufacturer has its main establishment and, except in exceptional circumstances, the information is shared simultaneously with ENISA. This centralised model is designed to reduce duplicate reporting, and it also gives regulators more consistent visibility of incidents, which makes enforcement easier.
Beyond incident reporting, the CRA introduces a staged compliance timeline. Vulnerability reporting obligations begin on 11 September 2026. Full compliance with all essential cybersecurity requirements applies from 11 December 2027 for products placed on the market.
These broader obligations include security-by-design and by-default principles, technical documentation, conformity assessments, and CE marking. For compliance professionals, this means incident reporting is only the first step. Organisations should already be mapping product portfolios, reviewing secure development practices, and planning for evidence and governance requirements well ahead of the 2027 deadline.
EU Digital Identity Wallet (EUDI Wallet)
The EU Digital Identity Wallet framework is moving from policy to operational reality. Under Regulation (EU) 2024/1183, every EU Member State must make at least one certified EU Digital Identity Wallet available to citizens and residents by late December 2026. Member States must also recognise EUDI Wallets issued by other EU countries. This deadline flows from the European Commission’s implementing acts adopted in November 2024 and reflects the regulation’s 24-month rollout requirement. By the end of 2026, digital identity wallets will therefore be a mandatory part of the EU’s public digital infrastructure.
The scope of the regulation is broad and extends well beyond governments. Member States are responsible for issuing or formally recognising EUDI Wallets. Public sector bodies must accept the wallet wherever electronic identification is required to access online services. The regulation also applies to private-sector relying parties, particularly in regulated industries such as finance, banking, telecommunications, energy, transport, healthcare, education, and digital infrastructure. Very Large Online Platforms under the Digital Services Act and gatekeepers under the Digital Markets Act must accept the wallet for authentication when a user chooses to use it. In practice, any organisation offering services in the EU that depend on strong electronic identification or authentication should assume it will fall within scope.
The new rules impose clear functional and governance requirements. Member States must ensure that at least one certified wallet is available and that wallets can securely authenticate users and present verified identity data. This includes government-issued personal identification data and digitally signed attributes such as professional qualifications or licences. The framework is designed to support both online and offline use, expanding the wallet beyond purely digital transactions.
User control and privacy are central to the regime. Individuals must be able to selectively share specific attributes rather than disclose full identity profiles, and explicit user consent is required for each use. Privacy-by-design principles are embedded throughout, limiting data disclosure to what is strictly necessary and requiring transparency over how identity data is processed and relied upon.
Interoperability and security are equally critical. Wallets must comply with EU-wide technical standards to ensure cross-border functionality. This includes common protocols, cryptographic safeguards, logging, portability, and resilience requirements.
Compliance is validated through formal certification and conformity assessment processes, which will be a key focus for regulators.
Acceptance obligations are phased. Public authorities must accept the EUDI Wallet wherever electronic identification is required for online services once the framework is live. Mandatory acceptance for certain private-sector organisations, particularly those already subject to strong customer authentication requirements, applies from 2027.
NIS2 in 2026: what changes and why it matters
The EU’s NIS2 Directive marks a step change in how cybersecurity is regulated across Europe. It significantly expands the number of organisations in scope, strengthens security and governance requirements, and introduces tougher supervision and penalties. By 2026, NIS2 moves decisively from national transposition to active enforcement.
Sweden: new Cybersecurity Act from January 2026
Sweden will implement NIS2 through a new Cybersecurity Act that enters into force on 15 January 2026, replacing earlier legislation. The law brings thousands of additional organisations into scope, including public administration bodies, food and waste operators, and a wide range of digital and service providers. Security obligations apply across entire operations rather than being limited to narrowly defined critical systems.
For private entities, the regime generally applies to organisations with 50 or more employees or annual turnover above €10 million, although smaller entities designated as critical are also captured. Supervision will be split between national authorities, with the Swedish Civil Contingencies Agency overseeing most sectors and the Swedish Post and Telecom Authority responsible for electronic communications.
Finland: already in force, with 2026 as the enforcement year
Finland implemented NIS2 through its Cybersecurity Act in July 2025, making it one of the first Member States to complete transposition. The practical compliance focus intensifies in 2026. By 31 March 2026, essential entities must be fully compliant with all obligations. From January 2026, a new national supervisory authority takes responsibility for healthcare sector oversight.
The Finnish framework dramatically expands scope, increasing the number of regulated entities from around 1,100 under NIS1 to approximately 5,500. Covered sectors include energy, healthcare, transport, manufacturing, and digital infrastructure. Importantly, Finland has introduced direct management accountability. Boards and CEOs are personally responsible for ensuring adequate cybersecurity expertise, approving risk management measures, and overseeing compliance.
Enforcement powers are significant. Essential entities face fines of up to €10 million or 2 percent of global annual turnover, while important entities face penalties of up to €7 million or 1.4 percent.
EU-wide focus: April 2026 as the compliance line in the sand
Across the EU, 18 April 2026 is the critical enforcement milestone. By this date, organisations in scope must have robust cybersecurity measures actively implemented and evidence ready for regulatory inspection. Core obligations include incident reporting, risk-based security controls, supply chain security, management training, and formal governance arrangements.
By April 2026, national authorities are expected to move into active supervision and enforcement mode. For compliance professionals, the priority actions are clear: confirm whether the organisation is in scope, complete gap analyses against NIS2 requirements, register with national authorities where required, strengthen supplier and third-party security controls, and ensure senior management is trained and accountable.
US CIRCIA deadline for final cyber incident reporting rules
The deadline for finalising the cyber incident reporting rules under CIRCIA has been pushed back, with CISA now expected to publish the final regulations in May 2026. While this delays formal enforcement, the underlying statutory obligations have been in place since the law was signed in 2022. For compliance teams, this is a preparatory window rather than a pause, especially for organisations operating in regulated or critical sectors.
The Cyber Incident Reporting for Critical Infrastructure Act applies broadly across the US critical infrastructure landscape. It covers entities operating in 16 designated sectors, ranging from energy, transport, and healthcare to financial services, communications, and IT. CISA has estimated that more than 300,000 organisations could fall within scope once the rules are finalised. The purpose of the law is to give the federal government timely visibility into significant cyber incidents and ransom activity, enabling faster coordination, threat intelligence sharing, and deployment of federal support where needed.
CIRCIA introduces mandatory reporting timelines that will require disciplined internal processes. Covered entities must report substantial cyber incidents to CISA within 72 hours of becoming aware of them. Any ransom payment made in response to a cyber incident must be reported within 24 hours. These timelines are fixed in statute and will not be discretionary once the rules are in force.
Organisations should already be identifying whether they fall within one or more critical infrastructure sectors, defining what constitutes a reportable incident under CIRCIA, and aligning incident response, legal, and executive decision-making so reporting deadlines can be met without delay.
US Federal Cybersecurity Maturity Model Certification
The latest Cybersecurity Maturity Model Certification requirements are now formally embedded into US defence procurement rules. From November 2025, CMMC requirements began appearing as acquisition clauses within the Defense Federal Acquisition Regulation Supplement, commonly known as DFARS. This marks the point at which compliance shifts from preparation to enforcement. Throughout 2026, contractors will face increasing pressure to complete assessments, obtain certifications, and demonstrate ongoing compliance in order to win new Department of Defense contracts or retain existing ones.
CMMC applies to contractors and subcontractors operating anywhere within the Department of Defense supply chain who handle either Controlled Unclassified Information or Federal Contract Information. Controlled Unclassified Information, or CUI, refers to sensitive information that is not classified yet still requires safeguarding under federal rules. Federal Contract Information, or FCI, covers information provided by or generated for the government under a contract that is not intended for public release. For compliance teams, this means obligations extend well beyond prime contractors and often capture smaller suppliers and service providers.
The model is structured around tiered compliance levels aligned to the sensitivity of the information being handled. Level 1 focuses on basic cyber hygiene and is assessed through self-attestation. Level 2 applies where Controlled Unclassified Information is involved and requires implementation of the security controls set out in NIST Special Publication 800-171, either through self-assessment or an accredited third-party assessment depending on contract requirements. Level 3 applies to the most sensitive programmes and introduces enhanced security controls with mandatory third-party assessment.
In many cases, contractors must formally document their CMMC level within contract proposals and relevant compliance registries. For compliance professionals, the priority is ensuring that information flows are accurately mapped, the correct CMMC level is identified, and evidence is in place well before procurement deadlines.
California SB 446 on data breaches and customer notification
California Senate Bill 446 introduces tighter and more prescriptive data breach notification requirements. The law was enacted in October 2025 and takes effect on 1 January 2026, giving organisations a short window to update incident response and notification procedures.
The most significant change is the introduction of a firm 30-day deadline to notify affected individuals after discovery of a data breach. Limited delays are permitted, though only where required for law enforcement purposes or where additional time is genuinely necessary to determine the scope of the breach and restore the integrity of affected systems. For compliance teams, this removes the flexibility that previously existed around notification timing and places greater emphasis on early investigation and decision-making.
The law also introduces a new notification requirement to the California Attorney General. Where a single data breach triggers an obligation to notify more than 500 California residents, organisations must now notify the Attorney General within 15 calendar days of notifying affected individuals. Previously, there was no statutory deadline for notifying the Attorney General, which often led to delayed or inconsistent reporting.
SB 446 requires tighter coordination between legal, security, and communications teams. Incident response plans should be reviewed to ensure clear triggers, accelerated escalation, and the ability to meet both individual and regulator notification timelines without delay.
China – Major cybersecurity law amendments & cross-border data rules
China is introducing major amendments to its Cybersecurity Law alongside new cross-border data transfer standards, marking a significant tightening of the country’s cybersecurity and data governance regime. The amended Cybersecurity Law takes effect on 1 January 2026, with the updated national standards governing cross-border data transfers following on 1 March 2026. Together, these changes materially raise compliance expectations for organisations operating networks, handling data, or providing digital services in China.
The amendments modernise the original 2017 Cybersecurity Law and align it more closely with China’s wider data protection framework, particularly the Personal Information Protection Law and the Data Security Law. The scope of enforcement is expanded across network operators, critical information infrastructure operators, and associated personnel. The reforms also clarify responsibilities in emerging areas such as artificial intelligence governance, prohibited online activities, and the protection of personal and important data in cyber contexts.
Enforcement powers and penalties are significantly strengthened. Fines for serious cybersecurity violations are increased, particularly where incidents involve large-scale data breaches or disruption to critical information infrastructure. The amended law introduces clearer individual liability for responsible personnel, increasing personal exposure for executives and security leaders. Penalties are also expanded for failures to remediate known security vulnerabilities, report cybersecurity risks, or notify authorities of incidents in a timely manner. Organisations can also face sanctions for selling or deploying cybersecurity products that have not been certified or tested in line with national requirements.
Cross-border data controls are a central feature of the reforms. From March 2026, new national standards introduce tighter requirements for exporting data from China, including certification obligations and safety assessment criteria. These rules sit alongside existing transfer mechanisms under the Personal Information Protection Law and reinforce the expectation that cross-border data flows are actively risk-assessed, documented, and approved.
The amendments also formally integrate artificial intelligence development into China’s cybersecurity supervision framework. Organisations deploying AI systems will face heightened expectations around risk monitoring, security controls, and regulatory oversight, particularly where AI systems process personal or sensitive data.
Hong Kong Protection of Critical Infrastructures (Computer Systems) Ordinance
Hong Kong has introduced a new cybersecurity regime for critical services through the Protection of Critical Infrastructures (Computer Systems) Ordinance. The law was gazetted in March 2025 and is scheduled to come into force by January 2026, creating a formal statutory framework for protecting systems that support essential services.
The ordinance establishes mandatory cybersecurity obligations for operators of critical infrastructure in Hong Kong. This includes essential service providers in sectors such as energy, financial services, telecommunications, and other industries where disruption could affect public safety, economic stability, or service continuity. The focus is on protecting critical computer systems from cyberattacks and ensuring that essential services can continue to operate during and after incidents.
Operators are required to implement appropriate technical and organisational security measures, carry out ongoing risk management, and maintain effective incident detection and response capabilities. These obligations go beyond best practice guidance and create clear, enforceable duties to assess risks, protect systems, and respond promptly when incidents occur.
Enforcement powers under the ordinance are significant. Regulators can investigate suspected non-compliance and impose penalties where organisations fail to meet their obligations. Beyond financial sanctions, enforcement action carries material reputational risk, particularly for organisations delivering public or systemically important services. For compliance professionals, the priority is to ensure critical systems are identified, security controls are documented and tested, and incident response arrangements are robust before the law takes effect in 2026.