Three cyber trends we’ll be seeing in the new year – plus Data Privacy Day!

The new year is already off to a fast start in the world of cybersecurity and privacy. With Data Privacy Day approaching next week (January 28), we will look at three trends that we expect to see in the coming year.

The trends show that organizations should continue adapting to emerging laws and technologies, that resiliency and trust are becoming bedrock principles for being competitive, and that organizations need to invest in robust compliance and governance rather than learning about the value of cybersecurity and data privacy the hard way.

No. 1: Regulators will be busier than ever.

Last year was one of the busiest on record for regulators. Among the most significant developments was the formation of the Consortium of Privacy Regulators, which expanded to include 10 states’ regulators as of the end of 2025. Those states launched multiple coordinated investigatory sweeps, often targeting websites, which are publicly accessible indicators of organizations’ compliance posture. Practices that were reviewed included the (over-)collection of personal data, and (non-)compliance with Global Privacy Control opt-out requirements.

At the federal level, agency activity reached levels not seen in many years. At the start of 2025, the Securities and Exchange Commission began stringently enforcing its cybersecurity incident disclosure rules, which took effect in late 2024. The rules require companies to disclose material cybersecurity incidents in their public filings and to report annually on cyber risk management. In the first quarter of 2025, more than 40 companies had disclosed incidents, and the financial penalties exceeded $1 million in addition to strict administrative penalties such as mandating that the companies obtain independent compliance monitoring and invest in strengthened organizational controls.

The Office for Civil Rights of the U.S. Department of Health and Human Services announced 20 major settlements involving more than $10 million in penalties, and the final number of all investigations in 2025 is expected to be in the thousands. And the U.S. Department of Justice announced multiple coordinated actions (with both domestic and international law enforcement) to disrupt ransomware schemes, prosecute malicious actors, and seize more than $100 million in assets.

This year is shaping up to be even more active than 2025. The Consortium of Privacy Regulators is certain to expand the scope and scale of its investigations, and there is a strong possibility that other states’ regulators will seek to join the group. Even if the Consortium does not expand, various state agencies have shown increasing interest in being seen as “strong” enforcers of privacy protections. CalPrivacy (formerly the California Privacy Protection Agency, or “CPPA”) has been staffing up, and with the Delete Request and Opt-Out Platform launching this month, announced the formation of a new strike force dedicated to investigating privacy violations and data broker compliance with the California Consumer Privacy Act and the Delete Act.

At the federal level, expect to see significant activity arising out of recent rulemaking. Federal contractors should be aware that the Defense Federal Acquisition Regulation Supplement rules related to the final Cybersecurity Maturity Model Certification program will be finalized and published this year. These will include heightened requirements for assessments and certifying compliance under Level 3 and Level 2 security controls for both contractors and subcontractors handling controlled unclassified information. In May 2026, a Final Rule is expected for the Cyber Incident Reporting for Critical Infrastructure Act, which will require entities across 16 categories of critical infrastructure to report significant cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency. Significant cyber incidents will have to be reported within 72 hours, and ransomware payments will have to be reported within 24 hours.

No. 2: Comprehensive legislation slows, but amendments and regulations speed up.

In 2025, more comprehensive data privacy laws took effect. On the other hand, fewer new omnibus laws were passed. Eight states’ laws took effect in 2025, but only three states (Indiana, Kentucky, Rhode Island) had laws that took effect on January 1, 2026. It is not clear that any states will pass new comprehensive legislation this year.

However, the lack of new comprehensive laws will not decrease the level of regulation related to cybersecurity and data privacy. Phased implementation of requirements under current laws (such as recognizing “universal opt-out mechanisms” in Oregon) will raise the bar for compliance for many organizations. In addition, existing legislation could be amended, or regulations issued, to create new requirements and approaches. For example, Maryland has rules for processing sensitive data only when “strictly necessary,” and Minnesota has explicit requirements for data mapping. It is expected that this trend of amending and strengthening regulations will continue into 2026, especially as legislators grapple with how to rationalize and incorporate emerging policy and technology issues, such as artificial intelligence standards, into existing regimes.

The Digital Omnibus proposal of the European Union may indicate how the legislative pendulum is swinging more toward “revise and reconcile,” as opposed to enacting new laws that may create redundancies or inconsistencies across regulatory frameworks. Consequently, organizations will have to keep a much closer eye on regulatory developments, as amendments and rulemaking tend not to be as widely publicized as sweeping new legislation.

No. 3: Convergence on cybersecurity standards.

In 2025, legislative and enforcement activity showed how many governments and regulators are organically aligning on certain baseline principles. In addition to broad consensus around data management and principles for AI governance, security has become a central focus.

Concerns about supply chain and software-as-a-service vulnerabilities are driving change. The concerns include industrialized cybercrime with faster attack life cycles and the use of AI to enhance exploits both technically (zero-day attacks) and organizationally (social engineering via deepfakes). These concerns have resulted in a shift toward “zero trust” models, reflected in the increased reporting obligations to federal and state regulators. As a result, notification requirements – and associated shifting of liability and indemnification obligations – have become one of the most critical components of contracts with third parties.

At the same time, regulations and rulemaking have reflected a heightened emphasis on “resilience” through more testing (both internally and through independent assessors) and expectations for security/privacy-by-design to be embedded more widely across entire organizations. The sweeping 2025 rulemaking package from CalPrivacy is one of the most significant developments in this regard, and probably representative of trends that will continue through 2026.

Make Data Privacy Day the start to a successful 2026.

As data privacy and cybersecurity become more complex, so too does the demand on organizations’ time and resources. The above three trends are only a subset of developments to be monitored in 2026, but are representative of areas that are likely to have the greatest impact on most organizations. This Data Privacy Day, we encourage organizations to consider the following:

  • Ensure that your approach to compliance and governance is defensible. Organizations must rationalize requirements, remediate or mitigate compliance risks, and maintain the ability to demonstrate compliance at all levels. “Hoping to be overlooked” is not an option.
  • Ensure that your organization is able to adapt to evolving statutory requirements, shifting threats, and regulatory scrutiny.
  • Make “trust” a central tenet of your operations. Many threats, such as social engineering and third-party supply chains, seek to exploit trust. Accordingly, strengthening consumer, employee, and stakeholder confidence across multiple domains (for example, privacy, security, and ethics) is likely to make your organization more competitive.

Cheers to Data Privacy Day, and an exciting year ahead!

The Constangy Cyber Team assists businesses of all sizes and industries with compliance needs. If you would like additional information about state or federal data privacy laws, please contact us at cyber@constangy.com.

  • Associate Attorney

    She counsels clients on compliance with data privacy and information security laws, and guides them through the development of policies and practices to meet their regulatory and contractual requirements. Her compliance work is ...

  • Ryan Steidl
    Partner

    He advises clients on compliance with a wide range of state, federal, and international privacy laws, helping them develop and implement business-focused data protection strategies that reduce legal risk and align with ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
