What Regulators Expect in 2026: The Direction of Travel on Cyber Governance
By Ali Zeb · December 2025 · 9 min read
Across the regulatory bodies that govern cyber security in the UK and Europe, a single direction of travel has become unmistakable. Regulators are no longer satisfied with evidence that organisations have security programmes. They want evidence that boards are governing them. The distinction is fundamental, and most organisations have not yet understood what it requires of them in practice.
This shift has been building for several years. The FCA's operational resilience policy, published in 2021 and now fully in force, places board accountability for the identification and management of operational risk, including cyber risk, at the centre of its expectations. DORA, which entered application in January 2025, goes further, specifying direct management body accountability, mandatory training obligations, and personal liability for governance failures. NIS2 echoes the same principles across a significantly wider range of sectors and organisations.
What regulators will find when they examine an organisation's cyber governance is becoming increasingly predictable. Having sat in the advisory groups that inform the FCA's cyber thinking and contributed to the NCSC's strategic engagement with regulated sectors, I have a direct read on the expectations that matter, how they have shifted, and where they are heading next.
What the FCA expects in 2026
The FCA's approach to cyber security has evolved from a technical compliance orientation to a governance orientation over the past four years. The supervisory focus is now on whether boards are equipped to govern cyber risk, whether the structures exist to surface material risks to board level before they crystallise, and whether accountability for cyber governance is clearly defined and demonstrably discharged.
The FCA expects boards to have approved, not just received, a cyber risk appetite that is expressed in business terms and that connects to investment and operational decisions. It expects to see evidence that the board has considered its significant operational dependencies, including third-party technology providers, and has satisfied itself that those dependencies are adequately managed.
The FCA's operational resilience rules in SYSC (chapter 15A), and its expectations set out in PS21/3, require firms to have identified their important business services, mapped the people, processes, technology, facilities and information those services depend on, set an impact tolerance for each service and tested through scenario exercises that they can remain within it, and ensured that their cyber security controls are designed around protecting those services. This is a board-level governance obligation, not a technology function obligation, and the FCA's supervisory approach reflects that expectation.
The direction of travel is toward active supervision of governance quality, not just compliance documentation. Firms that can produce comprehensive policy suites but cannot demonstrate that those policies actively govern the business, that the board is genuinely informed, and that risk appetite is meaningfully applied to decisions will find themselves subject to increasing supervisory attention.
"Regulators used to ask: do you have a security programme? They now ask: is your board governing it? These are different questions with different answers in most organisations."
Ali Zeb
DORA: the governance obligations that are already active
DORA entered application in January 2025 and its supervisory regime is now operational across the financial entities in scope throughout the EU. Its reach extends beyond the EU: ICT third-party providers designated as critical are brought under the oversight framework wherever they are established, and the contractual requirements DORA imposes on in-scope firms flow down to their suppliers, so many UK-based organisations with EU operations, EU clients or EU financial-sector customers are affected in practice.
The management body obligations under DORA are explicit and cannot be delegated away; the management body bears ultimate responsibility for the entity's ICT risk management. It must set the ICT risk tolerance level and approve the digital operational resilience strategy, define and approve the ICT risk management framework and oversee its implementation, and be informed of at least major ICT-related incidents, together with their impact, the response taken and any additional controls. It must allocate and periodically review an appropriate budget for ICT security and resilience, and its members must actively keep their knowledge and skills current, including through regular training, so that they can understand and assess ICT risk.
DORA supervisors are particularly focused on three areas in 2026: the adequacy of incident classification and escalation frameworks, the governance of critical third-party ICT providers, and the quality of board-level oversight. Firms that have implemented DORA at the operational level without addressing the management body governance provisions are carrying a material compliance risk that supervisory engagement will surface.
The NCSC's evolving position and its practical implications
The NCSC's role is not primarily enforcement. It is guidance, intelligence sharing, and technical support. But the NCSC's strategic communications have become increasingly direct about the governance expectations it believes organisations should be meeting, and its guidance increasingly shapes what other regulators consider the baseline for adequacy.
The NCSC's Cyber Assessment Framework, now in its revised form, explicitly addresses governance as a foundational component of good cyber security, not an add-on to technical controls: Objective A (managing security risk) opens with a governance principle (A1) that asks for board-level ownership of cyber risk before any technical principle is assessed. Organisations seeking to demonstrate alignment with NCSC guidance, and those operating in sectors where NCSC guidance is directly referenced in regulatory expectations, will find that the governance dimension is no longer secondary to the technical one.
The NCSC's position on AI and emerging technology risk is also developing rapidly. Its guidance for organisations adopting AI at scale, including on the security risks of AI systems and the governance frameworks appropriate to manage them, will increasingly be referenced by the FCA and sector-specific regulators as they develop their own AI governance expectations. Boards that are ahead of this curve in 2026 will have a meaningful advantage when formal regulatory expectations arrive.
Where the direction of travel leads
The convergence of regulatory expectations across the FCA, DORA, NIS2, and the NCSC framework points clearly toward a future in which boards will be held directly accountable for cyber governance in the same way they are currently held accountable for financial governance. This is not a distant prospect. The legal architecture is already in place. The supervisory capability is being built. The enforcement precedents are being set.
Boards that position themselves ahead of this trajectory, by investing in genuine cyber expertise at board level, by building the governance structures and reporting frameworks that regulators expect to find, and by treating cyber risk as a strategic governance discipline rather than an operational technology matter, will have a material advantage both in regulatory relationships and in the organisational resilience that follows from governing risk well.
Boards that wait for enforcement to drive change will find that the trajectory has already moved past the point where voluntary action looks like leadership. In regulatory terms, reacting to enforcement is the evidence that governance was inadequate. Getting ahead of that dynamic is the work of 2026.
Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former advisory member at the FCA Financial Services and Insurance Sector Cyber Coordination Group (ISCCG) and Strategy Advisor at the NCSC. He advises boards and executive teams on regulatory compliance, cyber governance, and the strategic management of emerging regulatory obligations.
Disclaimer
The views and opinions expressed in these articles are those of the author, Ali Zeb, and are provided for general informational and educational purposes only. They are based on professional experience, independent research, publicly available information, and the use of artificial intelligence tools to support analysis and content development.
While every effort is made to ensure the accuracy and relevance of the information presented, no representation or warranty, express or implied, is made as to its completeness, accuracy, or suitability for any particular purpose. The content should not be relied upon as professional, legal, regulatory, or financial advice.
Readers are encouraged to seek appropriate independent advice specific to their organisation and circumstances before making any decisions based on the information contained in these articles.
To the fullest extent permitted by law, the author accepts no liability for any loss, damage, or consequences arising directly or indirectly from the use of, or reliance on, the information provided.