AI Compliance for Cybersecurity
Cybersecurity is addressed by 50 regulatory updates across 9 jurisdictions and 11 frameworks. This page tracks how regulators worldwide are approaching cybersecurity in the context of artificial intelligence.
Framework Requirements for Cybersecurity
Regulations Covering Cybersecurity
International (18)
NIST AI Risk Management Framework hub and critical infrastructure profile concept note
NIST’s AI RMF hub now highlights a new April 7, 2026 concept note for a trustworthy AI profile in critical infrastructure, indicating the framework’s next expansion area for high-consequence sectors.
ISO/IEC JTC 1/SC 27/WG 1 N 3298 auditing practices note on SoA
This ISO committee note clarifies how scope and control coverage are handled in a Statement of Applicability, which can affect how AI-related controls are documented inside an existing ISO/IEC 27001 certification.
CSA maps AI Controls Matrix to ISO/IEC 42001 and ISO 27001/27002
CSA has published a mapping between its AI Controls Matrix and ISO/IEC 42001, with references to ISO/IEC 27001 and 27002, giving compliance teams a practical bridge between AI governance and existing security control programs.
BSI publishes BS ISO/IEC 42006:2025 for AI audit and certification bodies
BSI has published BS ISO/IEC 42006:2025 for bodies auditing and certifying AI management systems, raising the bar for certification quality and making auditor selection and readiness reviews more urgent for organizations pursuing ISO/IEC 42001 certification.
ISO/IEC 42001:2023 AI management systems
ISO/IEC 42001:2023 is now published as the first AI management system standard, so organizations developing or using AI-based products or services should treat it as an operational baseline for governance, certification, and audit readiness.
US Federal (12)
FISA Amendments Act extension enacted
Congress enacted a law extending the authorities of Title VII of FISA through 2026-04-30, so organizations reliant on US intelligence-collection authorities should refresh legal and vendor-risk assumptions before the extension lapses.
National Defense Authorization Act for Fiscal Year 2026
Congress enacted the National Defense Authorization Act for Fiscal Year 2026 on 2025-12-18, creating a new public law reference point for federal AI and cybersecurity compliance monitoring.
Consolidated Appropriations Act, 2026
Congress enacted the Consolidated Appropriations Act, 2026 on February 3, 2026, but the source material does not identify an AI-specific compliance change beyond the broader enacted law status.
HIPAA Security Rule NPRM and HHS AI/health data initiatives
HHS’s HIPAA Security Rule NPRM and related AI health-data initiatives signal tougher cybersecurity and data-governance expectations, so covered entities and vendors should prepare for more prescriptive controls before final adoption.
HIPAA Security Rule NPRM to strengthen cybersecurity for ePHI
HHS proposed major HIPAA Security Rule changes on 2024-12-27 to strengthen cybersecurity for ePHI, directly affecting AI systems that train on, process, or log health data.
Switzerland (6)
FINMA guidance on governance and risk management when using artificial intelligence
FINMA’s 18 December 2024 guidance says supervised institutions must adapt governance and controls to the materiality and probability of AI risks, including operational, model, data, IT/cyber, third-party, legal, and reputational risks.
FINMA guidance on AI governance and risk management
FINMA’s AI guidance highlights operational, model, cyber, data-quality, third-party, legal, and reputational risks, so Swiss financial institutions should formalize AI governance and oversight now.
BSI publishes G7 SBOM for AI guidance
BSI released a G7-developed guideline setting minimum requirements for a Software Bill of Materials for AI, so organizations should tighten AI component inventory and supply-chain traceability practices.
FINMA Guidance on Governance and Risk Management When Using Artificial Intelligence
FINMA published AI governance guidance on December 18, 2024, making governance, model risk, data quality, cyber risk, third-party dependence, and legal/reputational risk explicit supervisory priorities for Swiss financial institutions using AI.
FINMA Guidance on AI Governance and Risk Management
FINMA’s AI supervisory guidance highlights operational, model, data, cyber, third-party, legal, and reputational risks, so Swiss financial institutions should treat AI governance as an immediate supervisory issue.
European Union (5)
ESAs publish first annual report on DORA major ICT-related incidents
On 2026-06-03, the EBA, EIOPA and ESMA published their first annual overview of major ICT-related incidents under DORA, underscoring that borderless ICT and AI-driven risks now require financial entities to tighten cybersecurity and incident-reporting readiness.
ESAs spring risk update on geopolitical pressures and private finance risks
The ESAs’ spring risk update flags elevated geopolitical and private finance risks on 27 March 2026, signaling tighter supervisory scrutiny for firms with material market, liquidity, and concentration exposures.
ESMA supervisory briefing on algorithmic trading
ESMA issued a supervisory briefing on 2026-02-26 to steer national supervisors on algorithmic trading oversight, which means firms should align their controls and documentation with the latest supervisory expectations now rather than waiting for a new binding rule.
CNIL recommendations on GDPR compliance for AI system development
CNIL published its first detailed recommendations for AI system development under the GDPR, clarifying how training, scraping, reuse, retention, rights handling, and DPIAs must be operationalised for AI projects that process personal data.
AI Act serious-incident reporting template for systemic-risk GPAI
The Commission has published a reporting template for serious incidents involving systemic-risk GPAI, operationalizing Article 55 reporting duties and making incident-report readiness immediately relevant for model providers.
United Kingdom (4)
FCA, Bank of England and Treasury joint statement on frontier AI models and cyber resilience
The FCA, Bank of England, and HM Treasury said firms must be able to identify, monitor, and manage external AI-related applications, libraries, and services integrated into their networks, raising the bar for cyber and third-party resilience.
FCA, Bank of England and Treasury issue frontier AI cyber resilience statement
UK authorities issued a joint statement on frontier AI model cyber resilience, so regulated firms and FMIs should now align AI governance with existing operational resilience and cyber controls.
ICO guidance on AI security and data minimisation
The ICO’s AI security and minimisation guidance is being reviewed after the Data (Use and Access) Act came into law on 19 June 2025, but it already requires organisations to harden AI pipelines against privacy attacks and excessive data collection.
ICO AI and data protection guidance under review after new UK law
The ICO’s AI guidance is under review because the Data (Use and Access) Act came into law on 19 June 2025, so organisations relying on the current AI guidance should expect changes and should not assume the present text is stable.
California (2)
CA SB1011: Energy: Utility Infrastructure AI Safety, Oversight, and Workforce Protection Act
California SB1011 was set for hearing on May 14, 2026, putting AI safety and oversight obligations for utility infrastructure uses under active legislative review and warranting immediate stakeholder monitoring.
California SB 1011: Utility Infrastructure AI Safety, Oversight, and Workforce Protection Act
California SB 1011 was set for hearing on May 4, 2026, so utility and critical infrastructure operators using AI should expect potential new safety, oversight, and workforce requirements.
France (1)
Germany (1)