CyberSpace - Global cyber expectations for 2026: New laws, regulations and increased severity of incidents? Part 1
Introduction
It is that time of year when we all pull out the crystal ball and try to predict what the new year has in store. Helpfully, a lot of the changes in global cyber have already been trailed with various new laws and regulatory changes to be aware of. There is, however, still room for our international colleagues to make informed predictions as to what other developments and changes we may see in respect of cyber incidents over the next 12 months.
To ensure this is digestible, we have split our overview into two parts – Part 1 covers the UK and EU and Part 2 will cover selected countries from the rest of the world. This latter part will also draw conclusions and identify the key considerations for those working in the cyber insurance market moving further into 2026.
UK
(i) Cyber Security and Resilience Bill
It is anticipated that the Cyber Security and Resilience (Network and Information Systems) Bill will receive Royal Assent by late 2026 and will likely pose considerations for cyber insurers, especially around increased regulation and enforcement, as it passes through Parliament.
The Bill represents a major overhaul of the UK’s cyber regulatory framework and is intended to improve national cyber defences and resilience, broaden the scope of regulated entities (including MSPs and data centres), strengthen incident reporting requirements and increase enforcement powers (including fines and regulatory direction).
(ii) Ransomware Ban
Following the UK government’s 2025 consultation on ransomware proposals, including targeted bans on ransom payments for public sector bodies and critical infrastructure operators, and mandatory reporting regimes, a private member’s bill has been listed for a second reading in May.
If passed, we anticipate ransomware payment restrictions (rather than a strict ban) and incident reporting requirements may well become mandatory for defined organisations, potentially with an expectation of direct regulatory engagement and oversight. Whatever is enacted will inevitably impact how cyber incidents involving ransomware are handled and could result in increased costs for insurers as well as the possibility of reduced transparency from policy holders.
(iii) Increased Powers for the Information Commissioner’s Office (ICO)
Whilst both legislative reforms considered above are expected to result in greater regulatory scrutiny, we already know that this will be the case following the Data (Use and Access) Act 2025 coming into force at the end of 2025. This Act significantly expands the ICO’s investigatory and enforcement powers.
Of particular relevance to cyber insurers are: (a) s.97 expanding information notices to allow requests for documents, increasing the ICO’s scope of evidence collection during investigations; (b) s. 98 introducing new assessment notices to require controllers or processors to commission independent reports on matters specified by the ICO, to be done at the impacted organisation’s own expense; and (c) s.100 creating interview notices which will permit the ICO to compel individuals (including past employees) to attend interviews and answer questions relevant to suspected failings. It is anticipated that these increased powers will give the ICO a more proactive regulatory role and likely increase the regulatory and legal costs sought by policy holders from their cyber insurers.
EU
A key feature of 2026 across EU countries will be the implementation of the NIS2 Directive, which updates EU cybersecurity requirements for critical infrastructure. As explained in previous articles, it is left to member states to decide how the Directive is transposed into local law, including whether to expand its requirements. We look at three examples of this below, as well as other key considerations in each country.
(i) Poland
It is anticipated that Poland’s implementation of NIS2 will be completed in Q1 2026 after over a year’s delay. On current information, the proposed regulations will be stricter than required by NIS2 and will significantly enhance existing requirements.
High‑Risk Vendor (HRV) regime
Despite strong criticism from industry, the draft regulations retain the HRV mechanism. The Polish Ministry of Digital Affairs calls it the most far‑reaching tool to secure critical IT services and is part of the EU’s coordinated 5G security approach (the 5G Toolbox). Although the 5G Toolbox targets telecoms, Poland plans to extend HRV decisions to all entities covered by NIS2, i.e. 18 sectors in total.
Once an HRV decision is issued:
- Specified equipment or software from HRVs cannot be placed on the market;
- Products already on the market must be removed within up to 4 years (for critical functions) or 7 years (for other equipment). Businesses will have to comply and bear the replacement costs themselves. Insurers may wish to consider the potential impact of this for any policyholders in scope.
Other examples of Poland’s “gold‑plated” approach
- Whilst not included in NIS2, as member states are entitled to broaden the extent of the new regulation, Poland is introducing a new administrative fine of up to PLN 100 million for breaching the act where there is (i) a direct and serious cyber threat to defence, state security, public safety/order, or life and health, or (ii) a risk of serious property damage or major service disruption.
- Directors and officers (or similar) will be personally liable for the management of essential or important entities, with personal fines of up to 300% (essential entity) or 100% (important entity) of their remuneration for specified failures, including omissions, to meet the imposed duties.
We anticipate insurers may wish to consider the extent to which these fines may fall within the existing scope of cover for Polish policyholders or those with Polish operations.
Security orders
The draft regulations introduce “security orders” not only for essential entities (as in the spirit of the Directive) but also for important and financial entities. Orders, which will be immediately enforceable, may be issued to coordinate the response to a critical incident or for a fixed term of up to two years.
Context and next steps
As the work in the Polish Parliament is still ongoing, there may be some changes to the above. Given their breadth and severity, the proposed rules will have a significant impact on cybersecurity obligations beyond the enforcement of GDPR.
During parliamentary consideration, there have been calls to extend compliance deadlines from 6 months to 12 months, but it remains unclear whether this change will be adopted.
(ii) Portugal
Concentration of Infrastructure and AI
Whilst we consider the impacts of NIS2 and DORA below, it is relevant to note that Portugal’s rapid emergence as a hub for data centers and AI-driven infrastructure has materially changed its cyber risk profile. This will likely make it a growing market for cyber insurers in 2026.
An increasing concentration of critical digital services within a relatively small number of providers has heightened accumulation risk: a cyber incident, technical failure or regulatory intervention affecting a shared infrastructure provider could simultaneously disrupt multiple policyholders across sectors, transforming infrastructure-level events into correlated loss scenarios rather than isolated claims.
AI adoption further amplifies this exposure. AI is being adopted unevenly, particularly by SMEs newly brought into scope under NIS2 (see more below), often without mature governance or control frameworks. This combination increases dependency on common third-party providers and raises the likelihood that AI-related incidents or regulatory non-compliance will crystallise across multiple policyholders at once.
NIS2-Transposing Regime
Portugal’s NIS2-transposing regime becomes effective on 3 April 2026.
The Decree-Law formally distinguishes “essential” and “important” entities (legal categories based on sector and size/criticality), bringing many mid-sized organisations into scope. Additionally, the CNCS (the Portuguese National Cybersecurity Centre) will set minimum cybersecurity measures and compliance levels for essential and important entities (which must assess and manage residual cyber security risks using appropriate and proportionate measures) and set specific incident notification obligations.
The National Security Cabinet and ANACOM (the Portuguese regulator for postal and electronic communications), which are designated as national authorities for cybersecurity, may impose further corrective and restrictive measures, including requiring providers to restrict or suspend services where cybersecurity obligations are not met, including in relation to foreign-based or outsourced suppliers. Where a provider services numerous organisations (any of which could be a cyber policyholder), such a measure could result in operational disruption to multiple customers (all of whom could be insured). Any losses arising may therefore result not just from the cyber incident itself, but also from additional business interruption losses caused by the regulatory action.
DORA
In parallel to the NIS2 regime, there will be potential additional considerations for cyber insurers as a result of the Digital Operational Resilience Act (DORA).
European supervisors and the European Insurance and Occupational Pensions Authority (EIOPA) are expected to focus on ICT incident management, digital resilience testing, board-level engagement, and dependency on third-party technology providers. This sits alongside other EU-level milestones becoming operational in 2026, including early implementation phases of the AI Act, which will further sharpen expectations around governance, accountability, and risk controls in technology-driven operations. The result is a dual-pressure environment: policyholders in Portugal face stricter cybersecurity obligations under NIS2, while insurers face heightened expectations on how they govern, underwrite and absorb digital risk. In practice, we anticipate this is likely to translate into reduced tolerance for weak controls, more selective underwriting, and greater claims scrutiny.
(iii) Sweden
Sweden’s Cybersecurity Act (Sw: Cybersäkerhetslag) will enter into force on 15 January 2026, implementing the NIS2 Directive and replacing the Act (2018:1174) on Information Security for Essential and Digital Services (commonly referred to as the “NIS Act”) that implemented the NIS Directive.
The Cybersecurity Act introduces a broader scope, raised baseline controls and stricter penalties compared to the existing NIS Act. The new legislation covers 18 sectors (including, but not limited to, energy, banking, financial market infrastructure and digital infrastructure), with entities classified as essential or important based on sector, activity and/or size.
The notable changes included in the Act are:
- Obligations apply to an entire entity, not just security-specific functions in the organisation, i.e. a “whole-entity approach”. This means that the cybersecurity requirements apply to a covered entity’s entire IT environment and operations, including administrative systems, HR platforms and other business functions. This will likely be a consideration for cyber insurers as well as other insurers, such as PI and D&O.
- Control expectations are stricter and clearer. This will hopefully improve the risk profile of current and prospective policyholders.
- Timelines are accelerated: providers of trust services must submit an early warning to the Swedish Civil Contingencies Agency within 24 hours of becoming aware of a significant incident, while other operators must do so within 72 hours. In addition, a final report must be submitted within one month of the early warning. Insurers should consider whether policyholders may be in scope in this regard.
- The Cybersecurity Act also contains enforcement measures in the form of reprimands, injunctions and prohibitions on holding management positions, as well as administrative fines up to the higher of 2% of global annual turnover or EUR 10 million for essential entities (1.4%/EUR 7 million for important entities). Again, as well as considering the scope of existing cyber cover, it is possible that such prohibitions and/or regulatory investigations could also result in claims under D&O policies.
To be continued
As trailed above, Part 2 of this article will follow in February 2026 with a focus on the rest of the world along with conclusions and considerations for Insurers.
Cyber Space – More to come…
This article is part of our Cyber Space series. These regular articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across different jurisdictions.
As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts to insurers and policy cover.
As well as those named below, we are also grateful to the contributions from Dan Myers (UK), Sam Silver (UK), Magdalena Zajecka (Poland), Ricardo Pintão (Portugal), Teresa Vasconcelos Machete (Portugal), Erik Ullberg (Sweden), Jennie Nilsson (Sweden) and Martin Wedén (Sweden).
Amit Tyagi, Partner, London, CMS Cameron McKenna Nabarro Olswang LLP
João Leitão Figueiredo, Partner, Lisbon, CMS Portugal
Damian Karwala, Counsel, Warsaw, CMS Cameron McKenna Nabarro Olswang LLP
Christopher Gliddon, Senior Associate, London, CMS Cameron McKenna Nabarro Olswang LLP
Filip Sahlstedt, Associate, Gothenburg, CMS Wistrand