The State of Compliance 2026: A CISO’s Guide to SOC 2, ISO 27001, NIS2, DORA and Cyber Insurance
Compliance in 2026 has passed a threshold that most CISOs will feel but few will name. The frameworks are no longer the destination — they are the price of entry. The real question, and the one that separates functioning security programs from theatrical ones, is whether the controls underneath the certifications actually reduce loss.
This is the honest state of enterprise compliance heading into mid-2026: a landscape where SOC 2 has become table stakes for B2B SaaS, ISO 27001 has completed its messy 2022 transition, NIS2 is enforceable across the EU for the first time, DORA has moved from dry-run to active supervision, the EU AI Act enters its most consequential phase in August, and cyber insurers have quietly become the most effective compliance enforcement body in the western economy.
What follows is a framework-by-framework audit of where each one stands, what changed in the past twelve months, and where the compliance programs that will still exist in 2028 are putting their attention. The summary at the top for the time-pressed CISO: if you have to pick two frameworks to invest in over the next twelve months, pick the one your regulator will fine you over and the one your insurer will price you on. The rest is deferred work, not optional work.
The compliance landscape at a glance
| Framework | Status in 2026 | Enforcement posture | Vendor/tooling maturity | Where to focus |
|---|---|---|---|---|
| SOC 2 Type II | Mature, commoditised | Market-driven (customer contracts) | Very high (Vanta, Drata, Secureframe, Thoropass) | Evidence automation and scope discipline |
| ISO 27001:2022 | Post-transition, operational | Certification body audits | High | Annex A control mapping and SoA maintenance |
| NIS2 | Enforceable across EU for the first time | Regulator-driven, real fines | Medium, growing fast | Article 21 measures and incident reporting |
| DORA | Active supervision mode | Regulator-driven, ICT-focused | High (financial services vendors) | RoI quality and TLPT readiness |
| EU AI Act | Major obligations apply 2 Aug 2026 | Regulator-driven, uncertain teeth | Low but rising | Risk classification and documentation |
| Cyber insurance | Hardened market, control-driven pricing | Contract-driven (premiums, claims) | Very high (Coalition, At-Bay, Cowbell, broker market) | MFA, immutable backups, EDR, tested IR |
| HIPAA | Active OCR enforcement | Federal regulator | High (healthcare-specific vendors) | Security Rule safeguards, healthcare ransomware exposure |
| CMMC | Rollout continuing, contract-linked | DoD contract clauses | Medium | Level 2 assessment readiness for prime and sub contractors |
The pattern across this table is what matters. Frameworks where the enforcement body is a regulator with fine authority (NIS2, DORA, GDPR, HIPAA) and frameworks where the enforcement body is a paying party (cyber insurers, enterprise customers) now drive real behaviour. Frameworks where enforcement is primarily reputational or self-asserted drive paperwork.
SOC 2: table stakes, and that is the problem
SOC 2 in 2026 is not a competitive differentiator. It is a precondition for being considered. Every B2B SaaS vendor of any size has a Type II report. Every procurement team asks for one. The platforms that automate it — Vanta, Drata, Secureframe, Thoropass, Sprinto, Scytale, AuditBoard — have collectively raised the floor on the operational work required to get certified, which means more companies are certified, which means SOC 2 conveys less signal than it did three years ago.
Take a clear position on this: a SOC 2 Type II report today tells a buyer that the vendor was capable of assembling evidence for 100 or so controls over a twelve-month window. It does not tell them that the vendor has a mature security program, that engineering practices are disciplined, or that incidents are handled well. Buyers who conflate the two are mispricing risk. Vendors who produce a clean SOC 2 report and believe they have a security program are deceiving themselves.
The most important development in the SOC 2 ecosystem over the past year has been the quiet tier-splitting of what a “real” SOC 2 program looks like. At the low end, a startup with Secureframe or Sprinto and a competent fractional CISO can go from kick-off to Type II in six to nine months for under $15,000 all-in on the platform side, plus $20,000 to $30,000 for the audit. At the high end, a mid-market company on Drata or AuditBoard with deep integration into HRIS, identity, and cloud platforms is running a continuous-monitoring program that costs more than $100,000 annually but produces artefacts that actually inform security decisions.
Both get the same-looking certificate. Buyers cannot tell the difference from the report.
For most companies, our guidance through 2026 is straightforward. Use SOC 2 as the forcing function for building internal controls you needed anyway — access reviews, change management, vendor review, incident response runbooks. Do not use it as a substitute for them. The platform choice matters less than people think; the deeper questions are scope discipline (what is in scope, and why), evidence automation (which integrations are genuine versus theatre), and auditor selection (is the audit firm doing real testing or rubber-stamping).
We cover the platform choice in depth in our SOC 2 Type II platform comparison. The short version: Secureframe is the cost-effective choice for startups and small teams, Vanta is the integration-rich default for mid-market, Drata is the right call when you need an audit-firm-plus-platform bundle, and AuditBoard is where enterprise GRC programs end up when SOC 2 is one of many frameworks in scope. All four will get you a report. None of them will build your security program for you.
ISO 27001:2022: post-transition, and now what?
The ISO 27001:2013 to 2022 transition deadline has passed. Certified organisations are now operating under the new Annex A control set (93 controls organised into four themes: organisational, people, physical, technological), and the initial pain of remapping the Statement of Applicability is largely behind the mature programs.
What this means for 2026: ISO 27001 is the quietest framework on this list. Which is a compliment. It works. The 2022 revision modernised the control set in sensible ways — adding threat intelligence, information security for cloud services, data masking, secure coding, and monitoring activities as explicit controls — without breaking the framework’s structure. Organisations that treated the transition as an opportunity to rebuild their SoA and kill genuinely obsolete controls emerged stronger. Organisations that treated it as a find-and-replace exercise emerged with the same program and new paperwork.
The honest reading on ISO 27001 in 2026 is that it remains the best all-purpose framework for organisations operating internationally, particularly those with European customer bases or regulatory exposure. It is comprehensive without being prescriptive, internationally recognised, and pairs cleanly with NIS2 (as we cover below) and with sector-specific extensions like ISO 27701 for privacy or ISO 27017/27018 for cloud.
Where ISO 27001 is not the right answer: US-centric SaaS selling to US enterprises should pick SOC 2 first. Healthcare needs HIPAA regardless. Financial services in the EU will have DORA on top. ISO 27001 is a foundation that other frameworks build on, not an alternative to them.
The cross-mapping question — how much overlap exists between ISO 27001 Annex A and NIS2 Article 21 measures — deserves more attention than it gets. The answer is: substantial, but not complete. An organisation certified to ISO 27001:2022 has roughly 70% to 80% of what NIS2 requires. The gap is in incident reporting timelines, management body training specifics, and supply chain governance depth. Treating ISO 27001 as your NIS2 baseline is sensible. Treating it as your NIS2 compliance, without the gap analysis, is a mistake. Detailed mapping guidance is in our NIS2 Article 21 deep-dive.
Our guidance for programs considering ISO 27001 in 2026: if you already have it, the cost of maintaining it is low and the strategic value is high. If you do not have it and you need something else (SOC 2, NIS2, DORA), start with what you need. Retrofitting ISO 27001 over a mature program is doable; building all frameworks simultaneously is wasteful.
NIS2: the year the EU got serious
NIS2 is the framework where the gap between paper and reality is narrowing fastest. The directive required transposition into national law by 17 October 2024. Most member states missed that deadline, which led the European Commission to open infringement proceedings against 23 member states by late 2024, and to send reasoned opinions to 19 of them in May 2025.
The landscape in mid-2026 is this: all EU member states are now either enforcing NIS2 or in the final stages of making it enforceable. Countries at “maturity level 4” — approved law with finalised cybersecurity framework — include Belgium, Germany, Italy, Hungary, Greece, Czech Republic, Slovakia, Slovenia, Latvia, Lithuania, and Croatia. Austria’s NISG 2026 was adopted in December 2025 and enters full force on 1 October 2026. Ireland is still at maturity level 1, having only initiated transposition work. The UK, though no longer an EU member state, has its own Network and Information System Security Act regime with a similar October 2026 enforcement window.
The practical reality for CISOs of in-scope organisations — and NIS2’s scope is wider than NIS1’s, covering 18 sectors and an estimated 160,000 entities across the EU — is that the October 2026 date represents the point at which “we are working on it” stops being an acceptable answer. From that date:
- Incident reporting obligations apply with teeth: 24-hour early warning, 72-hour incident report, one-month final report, with regulators cross-checking against supervisory data.
- Article 21’s ten minimum cybersecurity measures must be evidenced, not just asserted.
- Management body members face personal liability, including temporary bans from leadership roles for serious failures.
- Administrative fines of up to €10 million or 2% of global annual turnover are on the table for essential entities, €7 million or 1.4% for important entities.
Take a clear position: NIS2 is the most consequential cybersecurity regulation in force anywhere in the world in 2026. Not because the fine ceiling is unprecedented — it isn’t — but because the combination of broad scope, personal management liability, and coordinated enforcement across 27 jurisdictions creates accountability pressure that GDPR took years to develop and that neither SOC 2 nor ISO 27001 has the structural teeth to produce.
There is one caveat worth flagging. On 20 January 2026, the European Commission proposed targeted amendments to NIS2 as part of a new cybersecurity package. The stated aim is to simplify compliance for 28,700 companies, including 6,200 micro and small enterprises. These amendments do not change the core obligations, but they do signal that the Commission is willing to adjust the directive in light of implementation feedback. CISOs should not wait for the amendments; they should build for the current text and adjust if the amended text materially changes things. Our full NIS2 compliance checklist covers the Article 21 measures and reporting obligations in detail.
The most common mistake we see is treating NIS2 as an IT project rather than a governance project. Article 20’s management body training obligation is not a footnote. When regulators start handing out personal liability findings, they will start with the organisations where management training was undocumented.
DORA: from paperwork to supervision
DORA — the Digital Operational Resilience Act — became applicable on 17 January 2025. 2026 is its first year of active supervision mode, and the picture is more revealing than the legal text suggests.
The ESAs’ 2024 Register of Information (RoI) dry run, whose results were published in December 2024, exposed the weakness: only 6.5% of nearly 1,000 participating firms across the EU passed all 116 data quality checks. The 2026 submission cycle, with national deadlines running from early February through late March and a consolidated ESA deadline of 31 March 2026, has been measurably better but still far from clean. Deloitte’s DORA wave surveys consistently find that 46% of financial institutions cite the RoI as the most challenging compliance obligation, and that figure has not moved materially between the 2025 and 2026 cycles.
The submission mechanics tell their own story. The RoI must be submitted in xBRL-CSV format (spreadsheets are explicitly discouraged by the ESAs), covering 15 templates, with strict validation rules that flag incomplete subcontractor mapping, missing LEI codes, absent exit strategies, and inconsistent provider identification. Regulators are now using automated cross-referencing tools to catch inconsistencies between firms reporting on the same provider — if your Tier 1 cloud provider classification differs from your peer’s, you will both receive a query.
Where DORA really bites is in the five pillars that sit underneath the RoI: ICT risk management, incident reporting, digital operational resilience testing (including Threat-Led Penetration Testing for larger firms), third-party risk management, and information sharing. TLPT is the under-discussed pillar. For financial entities identified by their competent authority, TLPT is mandatory, must be repeated at least every three years (Article 26), and is not something your existing pen test vendor can necessarily deliver. The TIBER-EU framework underpins national TLPT regimes, and the qualified-provider requirements are stringent.
Take the clear position: DORA is the most technically demanding financial services cybersecurity regulation ever produced. Firms that treated the 2025 RoI submission as the finish line are now discovering that the RoI is the easiest part. Continuous third-party monitoring, subcontractor chain transparency, initial notification of major ICT-related incidents within four hours of classifying them as major (and no later than 24 hours from detection), and TLPT cadence are the real workload.
For in-scope firms, our guidance for 2026 is:
- Move from spreadsheet-based RoI maintenance to a live, queryable inventory. Spike Reply, Panorays, Thomas Murray, and others offer tooling; internal build is viable with enough engineering. Manual approaches will not scale.
- Validate subcontractor coverage down the chain. The most common gap in 2026 RoI submissions was incomplete fourth-party mapping.
- Align exit strategies with actual contractual terms. Many 2025 submissions had exit plans that were theoretically defensible but practically undeliverable — regulators have started noticing.
- Start TLPT scoping now if you are in scope. The qualified-provider market is small and capacity constrained; 2026 and 2027 slots are filling.
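The data-quality failures described above (missing or malformed LEIs, critical providers without an exit strategy, unmapped subcontractors, one provider reported under several names) are the kind of checks a live inventory can run before submission. The following is an added example in Python, not the ESAs’ validation suite and not code from any vendor named on this page: the 116 official rules are not reproduced, the `Provider`/`Subcontractor` record layout is an assumed simplification of the xBRL-CSV templates, and the sample register is constructed. The LEI check-digit routine does implement the real ISO 17442 scheme (ISO 7064 MOD 97-10, the same construction IBAN uses), so it validates genuine LEIs as well as the made-up ones below.

```python
"""Illustrative pre-submission checks on a DORA Register of Information (RoI)
extract. Added example; the ESAs' own 116 validation rules are not reproduced,
and the record layout is an assumed simplification of the xBRL-CSV templates."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# LEI (ISO 17442) characters map to ISO 7064 MOD 97-10 digits: 0-9 as-is, A-Z as 10-35.
LEI_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _lei_to_int(s: str) -> int:
    return int("".join(str(LEI_ALPHABET.index(c)) for c in s))


def lei_check_digits(prefix18: str) -> str:
    """Two check digits for an 18-character LEI prefix (same scheme as IBAN)."""
    if len(prefix18) != 18 or any(c not in LEI_ALPHABET for c in prefix18):
        raise ValueError("LEI prefix must be 18 characters from 0-9A-Z")
    return f"{98 - _lei_to_int(prefix18 + '00') % 97:02d}"


def lei_is_valid(lei: str | None) -> bool:
    """Structural validity: 20 characters from 0-9A-Z whose MOD 97-10 residue is 1."""
    if not lei or len(lei) != 20 or any(c not in LEI_ALPHABET for c in lei):
        return False
    return _lei_to_int(lei) % 97 == 1


@dataclass
class Subcontractor:
    name: str
    lei: str | None


@dataclass
class Provider:
    name: str
    lei: str | None
    critical: bool          # supports a critical or important function
    exit_strategy: bool     # documented and contractually backed exit plan
    subcontractors: list[Subcontractor] = field(default_factory=list)


def check_register(providers: list[Provider]) -> list[str]:
    """Return findings for the data-quality failures regulators flag: missing or
    invalid LEIs, absent exit strategies for critical providers, subcontractors
    without a valid identifier, and one LEI reported under several names."""
    findings: list[str] = []
    names_by_lei: dict[str, set[str]] = defaultdict(set)
    for p in providers:
        if not p.lei:
            findings.append(f"{p.name}: missing LEI")
        elif not lei_is_valid(p.lei):
            findings.append(f"{p.name}: LEI {p.lei!r} fails structure/check-digit validation")
        else:
            names_by_lei[p.lei].add(p.name)
        if p.critical and not p.exit_strategy:
            findings.append(f"{p.name}: critical provider without a documented exit strategy")
        for s in p.subcontractors:
            if not lei_is_valid(s.lei):
                findings.append(f"{p.name} -> {s.name}: subcontractor not identified by a valid LEI")
            else:
                names_by_lei[s.lei].add(s.name)
    for lei, names in names_by_lei.items():
        if len(names) > 1:
            findings.append(f"LEI {lei} reported under inconsistent names: {sorted(names)}")
    return findings


# Constructed sample register. Two valid LEIs are generated from made-up prefixes so the
# check-digit path is exercised; the 19-character value and the None are deliberate defects.
CLOUD_LEI = "529900EXAMPLECLOUD" + lei_check_digits("529900EXAMPLECLOUD")
DC_LEI = "529900EXAMPLEDC001" + lei_check_digits("529900EXAMPLEDC001")
SAMPLE_REGISTER = [
    Provider("Example Cloud Ltd", CLOUD_LEI, True, True,
             [Subcontractor("Example Datacentre GmbH", DC_LEI)]),
    Provider("Example Cloud Limited", CLOUD_LEI, False, False),   # same LEI, different name
    Provider("Legacy Payroll SaaS", None, True, False),            # no LEI, no exit plan
    Provider("Ticketing Vendor", "529900SHORTLEI00001", False, True,
             [Subcontractor("Unknown hosting subcontractor", None)]),
]

if __name__ == "__main__":
    for line in check_register(SAMPLE_REGISTER):
        print(line)
```

Run stand-alone it prints five findings for the constructed register. The cross-reference check is the one worth generalising: regulators compare your row for a provider against your peers’ rows, so the same consistency check should run across every template that names that provider, not just within one.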
The first wave of Critical Third-Party Providers (CTPPs) was designated in November 2025 — the first 19 providers — and they are now under direct ESA oversight. This will reshape the cloud and SaaS landscape in financial services more than any regulatory move since GDPR. Our DORA compliance deep-dive covers the RoI mechanics, TLPT scoping, and CTPP designation implications in detail.
EU AI Act: the regulation everyone is pretending to be ready for
The EU AI Act entered into force on 1 August 2024. Prohibited AI practices and AI literacy obligations have been applicable since 2 February 2025. Obligations for providers of general-purpose AI models (GPAIMs) applied from 2 August 2025. And the main event — application of the bulk of the regulation, including the compliance framework for high-risk AI systems — arrives on 2 August 2026.
If you are reading this in April 2026, you have approximately four months. Most organisations we encounter are not ready, and a meaningful fraction do not yet understand that the regulation applies to them.
Here is the diagnostic test. Your organisation is likely to be affected if any of the following are true:
- You develop AI systems used in hiring, credit scoring, education access, essential services access, law enforcement, migration, or critical infrastructure. These are likely Annex III high-risk systems.
- You embed AI in regulated products covered by existing EU harmonisation legislation — toys, medical devices, machinery, civil aviation. These are Annex I high-risk systems (with a later deadline of 2 August 2027).
- You develop or substantially modify general-purpose AI models placed on the EU market.
- You deploy any AI system that interacts directly with natural persons in the EU. Article 50 transparency obligations apply.
- You deploy emotion recognition, biometric categorisation, or generate synthetic content (deepfakes, synthetic audio, image, video, or text). Article 50 disclosure obligations apply.
The grandfathering provision gives a narrow reprieve: AI systems placed on the market before 2 August 2026 get longer transitional runway, and GPAIMs placed on the market before 2 August 2025 have until 2 August 2027 to comply. This is a softer landing than most regulations provide, and it is being used as an excuse for inaction. It should not be.
Take a clear position: the EU AI Act is the regulation where the compliance gap between what the law requires and what organisations have prepared is the widest. Most firms cannot currently produce a full inventory of AI systems in use across the business. They cannot distinguish between AI systems they provide, deploy, distribute, or import. They do not know which of their vendors’ AI features are in scope. When 2 August 2026 arrives, many will simply not be compliant, and they will be hoping that enforcement in the first twelve months is soft.
Our guidance, which doubles as the structural argument in our EU AI Act compliance guide:
- Start with AI mapping. A documented, replicable process for identifying AI systems and GPAIMs across the organisation is the non-negotiable first step. Spreadsheets are acceptable for the first pass; they will not survive.
- Classify role before you classify risk. Are you a provider, deployer, importer, distributor, or product manufacturer for each system? Obligations vary substantially.
- Risk-classify each system. Prohibited, high-risk (Annex I or III), limited-risk (Article 50 transparency), or minimal-risk.
- For high-risk systems: conformity assessments, technical documentation, post-market monitoring plans, CE marking, EU database registration. This is a substantial workload; it should be resourced and scheduled.
- Do not defer the security team’s role. Under Article 15, high-risk AI systems must be designed and developed to achieve “an appropriate level of accuracy, robustness, and cybersecurity.” The security team owns this. If the AI governance program is running without security involvement, it will produce non-compliant outcomes.
The NIST AI Risk Management Framework (NIST AI RMF) and ISO 42001 are the two frameworks that pair cleanly with EU AI Act compliance. NIST AI RMF is the more operational framework; ISO 42001 is the certifiable alternative. Most mature AI governance programs end up using both: NIST AI RMF as the operating model, ISO 42001 as the external attestation.
Cyber insurance: the quiet regulator
If the regulatory frameworks above are the public face of compliance, cyber insurance is the private enforcement mechanism that now shapes more real-world security spending than any regulator on earth. The insurance market hardened dramatically between 2020 and 2023, softened slightly through 2024 and 2025, and is now in a stable, control-driven pricing regime.
The mechanics are simple. Insurers — Coalition, At-Bay, Cowbell, Beazley, CFC, Hiscox, and the broker market intermediated by Marsh, Aon, WTW, and Howden — no longer write coverage without detailed pre-bind questionnaires. Those questionnaires ask about specific technical controls, and the answers affect premium, retention, sub-limits, and coverage scope. The controls insurers now functionally require for mid-market and above coverage include:
- Multi-factor authentication on all privileged access, all remote access, and all email.
- Endpoint detection and response (EDR) deployed to all endpoints, not just servers.
- Immutable backups with tested recovery — the 3-2-1-1-0 pattern (three copies, on two media types, one offsite, one offline or immutable, zero errors on a verified restore) is now the insurer-expected baseline.
- Email security with AI-driven BEC detection, not just legacy SEG.
- Tested incident response plan with defined escalation paths.
- Privileged access management with session recording for administrative accounts.
- Patch management with documented SLAs for critical vulnerabilities.
- Network segmentation between operational technology and corporate IT (where applicable).
This is where it gets interesting. The insurer-required control set is, in substance, equivalent to or stronger than the technical controls required under NIS2 Article 21, SOC 2’s security trust services criteria, and ISO 27001:2022 Annex A. The difference is that insurers check. Regulators issue fines after incidents; insurers deny coverage before them.
Take the position: cyber insurance has become the most effective compliance enforcement body for mid-market cybersecurity in the western economy. Not because insurers are better than regulators, but because the financial feedback loop is faster. Premium goes up the next renewal; fines come three years after an incident.
The 2026 dynamics to watch:
- Ransomware sub-limits are tightening again. Following the 2025 ransomware volume surge (7,902 victims on leak sites, up from 6,129 in 2024), several carriers have reintroduced or tightened ransom payment sub-limits.
- OFAC sanctions exposure is now standard in the coverage conversation. Following the Treasury sanctions on multiple ransomware operators, carriers and brokers are walking clients through the legal implications of ransom payment scenarios.
- Deepfake and AI-driven BEC is emerging as a distinct coverage question. Traditional computer fraud and social engineering endorsements have coverage gaps for AI-assisted fraud that brokers are now flagging at renewal.
- Business email compromise frequency is outpacing ransomware in claim count, if not in claim severity.
Our cyber insurance 2026 guide covers the carrier landscape, the premium math, and which controls move the needle most. The short summary: the controls listed above (eight, or seven where OT segmentation does not apply), roughly in that order, deliver about 80% of the premium reduction available to a typical mid-market buyer. Everything past that is diminishing returns, though still often sensible security investment.
Third-party risk: where all roads converge
Every framework on this page now has a third-party risk component. NIS2 Article 21 requires supply chain security. DORA makes third-party ICT risk management a pillar. ISO 27001 Annex A 5.19–5.23 covers supplier relationships. SOC 2 CC9.2 requires vendor risk management. The EU AI Act makes AI value chain obligations explicit.
And for good reason. IBM X-Force’s 2026 threat intelligence indicates supply chain compromises quadrupled over the past five years. The Salesloft/Drift OAuth chain incident of 2025 demonstrated how a single third-party compromise can cascade across hundreds of enterprises with trusted SaaS integrations. Snowflake customer breaches in 2024 had the same pattern with credentials rather than OAuth tokens.
The honest reading is that third-party risk management as most organisations practise it today is not fit for purpose. Annual vendor questionnaires collect paper that is mostly ignored. Security ratings from BitSight, SecurityScorecard, or Panorays tell you what attackers can see externally, which is useful but incomplete. Continuous monitoring is often continuous only in name.
What functional TPRM looks like in 2026:
- A live inventory of vendors, their access scope, the data they process, and their criticality tier.
- OAuth token inventory specifically — the Salesloft lesson is that OAuth grants are vendors, and most organisations did not treat them as such.
- Continuous monitoring that triggers action on material changes, not just data that sits in a dashboard.
- Contractual provisions that enforce specific controls, with audit rights and breach notification windows.
- Fourth-party visibility for critical vendors. The “who are your key subcontractors” question should have a real answer.
- Exit strategy testing. Contractually required, operationally overlooked.
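The “OAuth grants are vendors” point above becomes operational once a grant export is triaged against the vendor inventory the same way a contracted supplier would be. The following is an added example in Python, not code from this page or from any TPRM platform it names: the export layout and the `VENDOR_INVENTORY` shape are assumptions, the scope names are modelled on Microsoft Graph permission names, and every grant is constructed. It classifies each grant by the access it confers, whether the app is a known vendor, how it was consented, and when it was last used, and it lists the actions the TPRM owner should take.

```python
"""Added example: triage an OAuth-grant export against the vendor inventory,
treating each grant as a vendor relationship. Export layout, inventory shape
and all grants are constructed; scope names follow Microsoft Graph naming."""
from datetime import date, timedelta

# Scopes that on their own hand a third party mailbox, file-store or directory access.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "Directory.Read.All",
}
STALE_AFTER = timedelta(days=90)
RISK_ORDER = {"critical": 0, "high": 1, "review": 2, "low": 3}
AS_OF = date(2026, 4, 15)   # report date for the constructed sample

# Vendor inventory keyed by the OAuth client_id of the vendor's app (constructed).
VENDOR_INVENTORY = {
    "app-crm-001": {"vendor": "Example CRM", "tier": "critical"},
    "app-cal-002": {"vendor": "Example Scheduling", "tier": "low"},
}

# Constructed grant export, one row per consented application.
GRANTS = [
    {"client_id": "app-crm-001", "app": "Example CRM", "consent": "admin", "users": 480,
     "scopes": ["Mail.ReadWrite", "offline_access"], "last_used": "2026-04-10"},
    {"client_id": "app-cal-002", "app": "Example Scheduling", "consent": "user", "users": 12,
     "scopes": ["Calendars.ReadWrite"], "last_used": "2026-03-30"},
    {"client_id": "app-unk-777", "app": "Meeting Notes AI", "consent": "user", "users": 37,
     "scopes": ["Mail.Read", "Files.ReadWrite.All", "offline_access"], "last_used": "2026-04-12"},
    {"client_id": "app-old-009", "app": "Old Survey Tool", "consent": "user", "users": 3,
     "scopes": ["User.Read"], "last_used": "2025-11-02"},
]


def triage(grants, inventory, today=AS_OF):
    """Classify each grant and list the actions a TPRM owner should take,
    most severe first."""
    results = []
    for g in grants:
        high = sorted(HIGH_IMPACT_SCOPES.intersection(g["scopes"]))
        known = g["client_id"] in inventory
        stale = today - date.fromisoformat(g["last_used"]) > STALE_AFTER
        actions = []
        if not known:
            actions.append("onboard as a vendor (owner, tier, contract) or revoke")
        if high and g["consent"] == "user":
            actions.append("block user consent; require admin consent for high-impact scopes")
        if high and "offline_access" in g["scopes"]:
            # Refresh tokens outlive password resets: on a vendor breach the fix is
            # revoking the grant, not forcing users to change passwords.
            actions.append("add to vendor-incident runbook: revoke refresh tokens on compromise")
        if stale:
            actions.append("revoke stale grant")
        if high and (not known or g["consent"] == "user"):
            risk = "critical"       # broad access held by an untracked or self-consented app
        elif high:
            risk = "high"
        elif not known or stale:
            risk = "review"
        else:
            risk = "low"
        results.append({"client_id": g["client_id"], "app": g["app"], "risk": risk,
                        "high_impact_scopes": high, "users": g["users"], "actions": actions})
    return sorted(results, key=lambda r: (RISK_ORDER[r["risk"]], -r["users"]))


if __name__ == "__main__":
    for r in triage(GRANTS, VENDOR_INVENTORY):
        print(f'{r["risk"]:8} {r["app"]:20} scopes={r["high_impact_scopes"]} -> {r["actions"]}')
```

Feeding this a real export means replacing `GRANTS` with the tenant’s consented-application report and `VENDOR_INVENTORY` with the TPRM system of record; the classification logic does not change. The design choice worth keeping is that an unknown `client_id` with high-impact scopes is “critical” regardless of user count, because the Salesloft pattern was exactly that: a grant nobody had treated as a vendor.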
TPRM platform options have consolidated. OneTrust and AuditBoard dominate the enterprise GRC end. SecurityScorecard and BitSight own the ratings end. Whistic, Panorays, and Prevalent occupy the questionnaire-automation middle. Our third-party risk management 2026 guide walks through vendor selection and program design, including the specific OAuth hardening lessons from the Salesloft incident.
Sector-specific: HIPAA, PCI-DSS, and CMMC
Three sector-specific frameworks deserve brief status updates.
HIPAA remains active and consequential. OCR enforcement against healthcare organisations continues at pace, with ransomware incidents routinely generating HIPAA Security Rule investigations. Healthcare has been one of the top three targeted sectors by ransomware groups for three consecutive years, with Qilin specifically targeting healthcare providers and having attacked Synnovis (disrupting NHS blood testing across London) in mid-2024. The intersection of HIPAA Security Rule requirements, state-level breach notification laws, and cyber insurance requirements now produces the most complex compliance stack in any industry. Our HIPAA cybersecurity compliance guide covers the technical safeguards and breach notification mechanics.
PCI-DSS 4.0 entered full enforcement in March 2025, and the future-dated requirements that were optional until then became mandatory. The big ones: multi-factor authentication on all access to the cardholder data environment, customised approach documentation for deviations from defined approach, targeted risk analyses, and authenticated vulnerability scanning. For organisations that treated 4.0 as a box-tick migration from 3.2.1, 2026 is the year the pain arrives.
CMMC (Cybersecurity Maturity Model Certification) continues its multi-year rollout for defence contractors. CMMC 2.0 Level 2 assessments are now occurring at scale, with the phased contract-clause integration from the Department of Defense continuing through 2026 and 2027. Prime contractors are pushing Level 2 requirements down their subcontracting chain, which is reshaping the sub-contractor landscape in the defence industrial base. Level 3 is still rare and high-consequence.
What the frameworks collectively miss
An honest state-of-compliance report has to acknowledge what compliance does not cover.
Ransomware recovery is not a framework control. It is an operational capability. The organisations that recover from ransomware in hours rather than weeks are not the ones with the most framework certifications; they are the ones that have tabletopped the scenario, tested their immutable backups, and have a retained incident response firm on contract.
Agentic AI security is not yet a framework concern. Gartner’s top 2026 cybersecurity trend is agentic AI oversight, and neither NIS2, DORA, SOC 2, ISO 27001 nor the EU AI Act has control language that genuinely addresses autonomous AI agents as first-class identities. This will change, but the regulatory lag is real. Our agentic AI security playbook covers the governance framework; the frameworks will catch up in 2027 or 2028.
Deepfake-enabled social engineering is not covered meaningfully by any current framework. Technical controls against BEC are in scope under most frameworks; the specific controls that defeat voice cloning and synthetic identity scams are not.
Nation-state threats against critical infrastructure — Volt Typhoon, Salt Typhoon, and others — are covered by NIS2 at the sectoral level and by CISA/NCSC guidance operationally, but no compliance framework currently produces meaningful defensive capability against a competent state-sponsored actor. This is not a criticism of the frameworks; it is an acknowledgement of scope.
The twelve-month ahead view
For the CISO reading this in mid-2026, here are the five developments to track through the next twelve months.
- NIS2 first enforcement actions. The first material fines under NIS2 will emerge in the second half of 2026. They will establish enforcement tone, and organisations that are behind will need to catch up very quickly.
- EU AI Act 2 August 2026 application. Expect a compliance scramble from Q2 into Q3, followed by a quieter enforcement posture for twelve months, followed by the first material enforcement actions in mid-2027.
- DORA supervisory maturity. Year two of DORA supervision produces the first real pattern of regulator findings, enforcement actions, and the practical shape of what “supervision mode” actually means.
- Cyber insurance post-Qilin pricing. Ransomware volume in Q1 2026 (2,165 victims across three months, annualising to roughly 8,660 against 7,902 for the whole of 2025) will work through to reinsurance pricing and front-line premiums by late 2026.
- Post-quantum cryptography guidance hardening. NIST finalised the first PQC standards (FIPS 203, 204 and 205) in August 2024. Expect NIS2 and financial services regulators to start referencing PQC migration expectations in supervisory guidance during 2026 and 2027, even without formal control language.
The position worth taking
Most compliance programs spend too much time on the frameworks they are certified to and not enough on the frameworks that will fine them or price them. The balance that works in 2026 looks like this: NIS2 or DORA (pick based on sector) as the regulator-facing anchor. SOC 2 as the customer-facing anchor. ISO 27001 as the international operational anchor. Cyber insurance posture as the financial discipline. EU AI Act as the new frontier requiring dedicated attention through the August 2026 deadline.
Everything else is either a sub-case of one of the above (HIPAA, PCI, CMMC are sectoral instances), a supporting input (TPRM is a capability every framework now requires), or a future concern (post-quantum, agentic AI governance).
The programs that will age well over the next three years are the ones that stop treating compliance as a checklist to clear and start treating it as a structural expression of a security program that would exist anyway. The ones that will age poorly are still buying platforms to automate evidence collection for frameworks they do not really understand.
Frequently asked questions
How do SOC 2, ISO 27001, NIS2, and DORA overlap? Substantially. All four cover access control, incident response, risk management, supplier security, and cryptographic controls. The overlap between ISO 27001:2022 Annex A and NIS2 Article 21 is roughly 70% to 80%. SOC 2 Trust Services Criteria map cleanly to about two-thirds of ISO 27001 controls. DORA’s ICT risk management pillar aligns with ISO 27001 and extends it with financial-services-specific obligations around TLPT and third-party ICT provider oversight.
Is SOC 2 enough if I also have ISO 27001? For most B2B SaaS vendors with international enterprise customers, yes — until a specific customer or regulator asks for something more. The risk is not that SOC 2 plus ISO 27001 is inadequate; it is that customers in regulated sectors will ask for additional evidence (HIPAA, PCI, FedRAMP, or industry-specific attestations) that neither SOC 2 nor ISO 27001 covers.
What happens if my organisation misses the NIS2 October 2026 enforcement window? It depends on your member state and your classification. Essential entities face administrative fines up to €10 million or 2% of global annual turnover. Important entities face €7 million or 1.4%. Management body members face personal liability, including potential temporary bans from leadership roles. More immediately, regulators will likely issue compliance orders with defined remediation timelines before escalating to fines. The organisations that get hurt worst are those who cannot demonstrate a credible transition path when the regulator asks.
Do I need to comply with the EU AI Act if I am not based in the EU? If your AI system is placed on the EU market, or its output is used in the EU, probably yes. The extraterritorial scope of the AI Act is similar to GDPR’s — targeted at effect in the EU rather than establishment in the EU. US-headquartered AI providers selling into the EU are squarely in scope.
What is the most underrated compliance risk in 2026? Management body liability. NIS2’s Article 20 and DORA’s governance provisions create personal liability for board and senior management members for compliance failures, and they create training obligations that many organisations have left undocumented. When the first enforcement actions come, “we did not train the board on cybersecurity” will be a very expensive finding.
How should a small-to-mid business prioritise compliance investments? Start with cyber insurance requirements — the controls insurers functionally require (MFA, EDR, immutable tested backups, email security, tested IR, PAM, patch SLAs, and OT segmentation where applicable) are the baseline security program you need regardless of framework. Add SOC 2 Type II if you sell B2B SaaS. Layer ISO 27001 if you operate internationally. Add NIS2 preparation if you are in scope. Everything else is sector-specific and customer-driven.
This is the State of Compliance 2026 hub. It is updated annually each Q4. For the deep dives on each framework, see our compliance category. For questions about scope or applicability to your organisation, our editorial standards page explains how we cover this beat and where we draw the line between journalism and advice.