
2025 Regulatory Year in Review and 2026 Enforcement Priorities

Regulators globally increased enforcement activity in 2025 with record GDPR fines, SEC cybersecurity actions, and FTC privacy settlements. The EU AI Act entered its first compliance phase while DORA and NIS2 approached full application. Organizations should anticipate continued enforcement escalation and prepare for new regulatory requirements taking effect in 2026.


The 2025 regulatory environment featured record enforcement activity across privacy, cybersecurity, and consumer protection domains. European data protection authorities issued GDPR fines exceeding €2 billion, the SEC pursued cybersecurity disclosure violations, and the FTC continued aggressive privacy enforcement. Simultaneously, major new regulations including the EU AI Act entered compliance phases with additional requirements taking effect throughout 2026. Organizations should conduct year-end compliance assessments and prepare for evolving regulatory expectations.

GDPR enforcement escalation

European Data Protection Authorities issued record GDPR fines during 2025, with aggregate penalties exceeding previous years' totals. Meta received significant fines for data transfer violations, TikTok faced penalties for children's data processing, and multiple organizations were penalized for security failures that enabled data breaches. The trend reflects regulators applying enforcement capabilities that have matured since GDPR took effect.

Cross-border enforcement coordination improved substantially through the European Data Protection Board consistency mechanism. Complex cases involving multiple member states reached resolution more efficiently than earlier post-GDPR years. Organizations should expect coordinated enforcement affecting operations across multiple European jurisdictions.

Small and medium enterprise enforcement expanded beyond the initial focus on large technology companies. SMEs faced enforcement actions for security deficiencies, unlawful data processing, and inadequate consent mechanisms. Organizations of all sizes should ensure GDPR compliance programs address enforcement risk.

Enforcement now focuses on substantive compliance rather than documentation deficiencies alone. Regulators examined actual data processing practices, security implementations, and data subject rights fulfillment. Organizations should ensure compliance programs produce genuine operational compliance, not merely policy documentation.

SEC cybersecurity enforcement

The Securities and Exchange Commission pursued multiple cybersecurity-related enforcement actions during 2025, establishing enforcement precedents for cybersecurity disclosure requirements. Actions addressed disclosure failures, internal controls deficiencies, and misleading security representations. Public companies face clear expectations for cybersecurity risk management and disclosure.

Material incident disclosure requirements generated enforcement actions when companies failed to disclose significant cybersecurity incidents within required timelines. The SEC demonstrated willingness to pursue disclosure failures even absent evidence of intentional concealment. Disclosure processes must function effectively under incident pressure.

Board-level cybersecurity oversight received enforcement attention. Actions cited inadequate board engagement with cybersecurity matters and failure to establish appropriate governance structures. Directors face potential liability for governance failures regarding cybersecurity risk management.

Internal controls over cybersecurity programs generated enforcement findings when controls proved ineffective in preventing or detecting security failures. Organizations should evaluate cybersecurity internal controls for adequacy and document control operation evidence.

FTC privacy enforcement

The Federal Trade Commission maintained an aggressive privacy enforcement posture throughout 2025 using its Section 5 unfair practices authority. Settlements addressed data security failures, deceptive privacy practices, and algorithmic discrimination. FTC enforcement creates compliance obligations even absent specific privacy legislation.

Health data privacy received particular FTC attention. Enforcement actions addressed health app data sharing, fertility tracking data practices, and mental health service privacy failures. Organizations handling health-related data outside HIPAA scope face FTC enforcement risk.

Children's privacy enforcement continued under COPPA with actions against platforms failing to obtain parental consent, implement reasonable security, or honor deletion requests. Organizations offering services potentially used by children must ensure COPPA compliance.

Algorithmic system enforcement addressed discrimination in automated decision-making. FTC actions cited discriminatory outcomes from credit, housing, and employment algorithms. Organizations deploying automated decisioning face potential FTC action for discriminatory algorithmic outcomes.

EU AI Act implementation

The EU AI Act entered its first compliance phase in late 2025 with prohibited AI system restrictions taking effect. Organizations must ensure no deployment of prohibited AI systems including social scoring, manipulation systems, and certain biometric applications. Prohibited system violations can result in significant penalties.

General-purpose AI provider obligations approach compliance deadlines in 2026. Foundation model providers face transparency, documentation, and safety evaluation requirements. Organizations providing or using foundation models should prepare for upcoming requirements.

High-risk AI system requirements begin phasing in during 2026, creating conformity assessment and quality management obligations. Organizations deploying high-risk AI systems in areas including employment, credit, and law enforcement must implement required controls. Assessment infrastructure and documentation preparation should begin now.

National AI regulatory authorities established during 2025 will oversee AI Act enforcement. These authorities developed enforcement approaches and guidance during the preparation period. Organizations should establish relationships with relevant national authorities and track enforcement guidance.

DORA and NIS2 application

The Digital Operational Resilience Act reached full application in January 2025, creating comprehensive ICT risk management requirements for financial services entities. DORA implementation experience during 2025 revealed common compliance challenges including third-party risk management, incident reporting, and resilience testing requirements.

NIS2 Directive transposition deadlines passed in October 2025, though member state implementation varied. Essential and important entities across numerous sectors face cybersecurity risk management and incident reporting obligations. Organizations should verify applicable national requirements and ensure compliance program alignment.

DORA and NIS2 overlap creates compliance complexity for financial services organizations subject to both frameworks. Regulators provided guidance on framework interaction, but organizations must ensure compliance programs address both sets of requirements. Harmonized compliance approaches reduce duplicative effort.

Enforcement patterns for these new frameworks are still emerging. Regulators indicated an initial focus on significant violations and systemic risks while organizations establish compliance programs. However, enforcement tolerance for non-compliance will decrease as implementation periods conclude.

Sector-specific regulatory developments

Healthcare regulatory enforcement increased with HHS OCR pursuing HIPAA Security Rule violations more aggressively. Ransomware attacks and data breaches triggered enforcement investigations examining security rule compliance. Healthcare organizations should ensure technical security measures meet regulatory expectations.

Financial services regulators globally strengthened operational resilience requirements. Beyond DORA, jurisdictions including the UK, Singapore, and Australia implemented or enhanced operational resilience frameworks. Global financial services organizations face multiple overlapping resilience requirements.

Telecommunications regulators addressed network security and resilience requirements following high-profile incidents. Requirements for incident reporting, security assessments, and supply chain risk management expanded. Telecom operators should verify compliance with updated regulatory expectations.

Energy sector cybersecurity regulation expanded with NERC CIP requirements updates and international equivalents. Critical infrastructure designation created new compliance obligations for energy sector organizations. Operators should track sector-specific regulatory evolution.

International regulatory coordination

Regulatory coordination across jurisdictions improved during 2025 through mutual recognition agreements and enforcement cooperation. Privacy regulators enhanced information sharing enabling coordinated enforcement actions. Organizations operating internationally face enforcement from multiple coordinated regulators.

Data transfer regulation continued evolving with adequacy decisions, standard contractual clauses, and alternative transfer mechanisms. The EU-US Data Privacy Framework operated through its first full year providing a transfer mechanism for participating organizations. Organizations should verify transfer mechanisms remain valid and operational.

AI regulation coordination advanced through international dialogues and standard-setting activities. While approaches vary across jurisdictions, core principles are converging. Organizations implementing AI governance frameworks should design for cross-jurisdictional applicability.

Sanctions and export control compliance now intersects with technology regulation. Technology companies face compliance obligations spanning data protection, cybersecurity, and trade compliance domains. Integrated compliance approaches address multiple regulatory frameworks efficiently.

2026 enforcement priorities

Regulators signal 2026 enforcement priorities through public statements, enforcement trends, and resource allocations. AI regulation enforcement will increase as compliance deadlines arrive and regulatory authorities mature. Organizations deploying AI should anticipate enforcement attention.

Cybersecurity incident response and disclosure will remain enforcement focus areas. Regulators expect organizations to detect, respond, and disclose incidents appropriately. Incident response capability investments reduce enforcement risk alongside operational benefits.

Third-party risk management receives increasing regulatory scrutiny across frameworks. Supply chain incidents and vendor-related breaches drive enforcement attention. Organizations should ensure third-party risk programs meet regulatory expectations.

Data broker and data trading regulation expansion indicates additional compliance requirements approaching. Organizations engaged in data commerce should track regulatory developments and prepare for potential new obligations.

Compliance program recommendations

Year-end compliance assessments should evaluate program effectiveness against 2025 regulatory expectations. Gap identification enables prioritized remediation before 2026 enforcement activity. Assessment scope should cover all applicable regulatory frameworks.

Board reporting on regulatory compliance should include enforcement environment analysis and organizational risk positioning. Directors benefit from understanding enforcement trends affecting the organization. Compliance reporting should inform governance oversight.

Compliance resource planning for 2026 should account for new regulatory requirements taking effect. Additional compliance activities require staffing, technology, and budget allocation. Resource planning prevents last-minute scrambles when compliance deadlines arrive.

Integration across compliance domains improves efficiency and effectiveness. Overlapping requirements across privacy, cybersecurity, and operational resilience frameworks enable coordinated compliance approaches. Siloed compliance programs duplicate effort and create consistency risks.

Short-term steps

  • Conduct year-end compliance assessment across applicable regulatory frameworks.
  • Review GDPR compliance including actual practices, not just documentation.
  • Verify SEC cybersecurity disclosure processes function under incident conditions.
  • Assess prohibited AI system risk and ensure no violating deployments exist.
  • Confirm DORA and NIS2 compliance program implementation status.
  • Evaluate third-party risk management against regulatory expectations.
  • Plan 2026 compliance resources accounting for new requirements.
  • Brief board on enforcement environment and organizational risk positioning.

Bottom line

The 2025 regulatory year demonstrated continued enforcement escalation across privacy, cybersecurity, and emerging technology domains. Record fines, expanded enforcement scope, and new regulatory frameworks create compliance pressure requiring sustained organizational attention. Organizations lacking adequate compliance programs face increasing enforcement risk as regulatory capabilities mature.

New regulatory frameworks including the EU AI Act, DORA, and NIS2 create additional compliance obligations with meaningful penalties for violations. These frameworks transition from preparation to enforcement phases during 2026. Organizations should complete implementation activities and establish ongoing compliance operations.

Regulatory coordination across jurisdictions indicates international enforcement cooperation will increase. Organizations operating globally face potential enforcement from multiple coordinated regulators. Compliance programs should address requirements across all relevant jurisdictions.

Enforcement priority signals guide compliance investment prioritization. AI regulation, cybersecurity incident response, and third-party risk management represent areas of enhanced regulatory focus. Organizations should ensure compliance capabilities address priority areas appropriately.

This analysis recommends organizations approach 2026 with compliance programs positioned for continued enforcement pressure. Investment in compliance capabilities provides enforcement risk reduction alongside operational benefits from improved security, privacy, and risk management practices.
