Pathlock’s Chris Radkowski maps how 2026 brings a new focus on data sovereignty, with governments requiring that citizen data remain within national borders and cloud providers undergo local compliance reviews, forcing global enterprises to shift from centralized data-processing models to regionalized architectures with more complex vendor-management structures.
With the rise of AI, geopolitical volatility and supply chain disruption, technology regulation is entering a new era. In 2026, we’ll see several major developments that will reshape how organizations approach risk, compliance, data architecture and supply chain management.
Three macrotrends will define the regulatory landscape in 2026.
AI regulatory frameworks reaching maturity
2026 marks a turning point: For the first time, the world will see a complex, technically detailed regulatory framework for AI come into effect. The EU AI Act enters full force in August.
The regulation will drive substantial obligations across the region. Organizations will need to classify their AI systems as prohibited, high-risk or limited-risk. High-risk systems, in particular, must undergo conformity assessments that include requirements for data quality, logging, documentation of risks, lifecycle management and continuous oversight. These obligations will fundamentally change how AI systems are developed, deployed and governed.
While the EU pursues a unified, cross-border framework, the US is moving in a different direction. Instead of federal legislation, states are advancing their own AI bills. Colorado has already enacted its AI law, while California and New York are moving forward with similar initiatives, though the Trump Administration has sought to curtail these state-level efforts.
Consequently, recent developments in AI legislation will create a fragmented regulatory landscape for organizations. For multinational companies, AI regulation becomes especially challenging, because rather than following a single rule set, they must now comply with multiple layers of regulation across different jurisdictions.
Data localization and digital sovereignty are accelerating
Over the past decade, privacy laws dominated global legislation; however, 2026 brings a new focus on data as a strategic national asset. Increasingly, governments require that data about their citizens remain within national borders, that international data transfers be controlled and that cloud providers undergo local compliance reviews to ensure access is regulated by domestic law.
This trend is especially pronounced in China, where enforcement of the Personal Information Protection Law (PIPL) continues to mature, and in India, where implementation of the Digital Personal Data Protection Act is accelerating. Countries across APAC, Latin America and Africa are also developing stricter rules on where data must reside and how it may move across borders. These regulations extend beyond traditional data-processing requirements to include access controls, requirements for third-party provider relationships, infrastructure obligations and risk assessments related to third-party data handling. As a result, privacy regulations will become closely interconnected with national digital security.
For global enterprises, this means shifting from highly centralized data-processing models to more regionalized architectures, coupled with more complex vendor-management and compliance structures.
Supply chain transparency becomes non-negotiable
This evolution of data and AI regulation directly overlaps with a third trend: supply chain and third-party risk transparency. Regulators will increasingly demand proof that organizations can validate their contractual security commitments are actually being enforced in practice rather than simply existing on paper.
In the EU, the Digital Operational Resilience Act (DORA) sets new standards for financial services. The goal is to ensure that financial organizations maintain resilience even in the face of disruptions of their information and communication technology (ICT) third-party providers. In practice, this means closer monitoring of critical third-party providers, consistent incident-reporting requirements and mandatory testing of operational resilience frameworks.
In the US, the SEC’s cybersecurity disclosure rules are maturing in practice as well, though these rules, too, are facing backlash. Still, as of today, regulators impose stricter requirements on cybersecurity incident reporting, risk management and board oversight structures. This ties third-party security and risk-management failures directly to regulatory exposure.
Critical infrastructure sectors — from energy and utilities to healthcare — will also follow this approach.
In practice, this means that organizations will need to demonstrate that they perform regular, meaningful risk assessments of all third-party providers. Compliance teams will be expected to provide technical, data-driven evidence of monitoring and controls over data flows, access and architecture.


Chris Radkowski is an SAP GRC expert at Pathlock, an identity security and governance platform. A recognized leader in access governance with over 20 years of experience driving innovation in enterprise security and compliance solutions, he brings deep expertise in application access governance, risk management and regulatory compliance. 