
What’s Next in Data Protection: 6 Must-Know Trends for 2026 and Beyond
Anna Fitzgerald
Senior Content Marketing Manager
Cavan Leung
Senior Compliance Manager
Data protection has become a defining priority for organizations and governments alike, as it increasingly impacts consumer trust, economic growth, and national security.
Globally, regulations have expanded at unprecedented speed. As of January 2025, 144 countries had enacted national data privacy laws, placing 82% of the world’s population—approximately 6.64 billion people—under some form of statutory data protection, according to the IAPP’s Global Privacy Law and DPA Directory.
As regulations proliferate, data protection is becoming a top organizational priority. Nearly 56% of compliance and risk professionals ranked data privacy, protection, and security as their most important compliance issues in Navex Global’s 2025 State of Risk & Compliance Report, and 51% of business and risk leaders identified cybersecurity and data protection as their top compliance priorities in PwC’s Global Compliance Survey 2025.
With data protection featuring so prominently on regulatory and business agendas, it’s important to understand what to expect in 2026 and the years ahead. Below, we break down key trends and what they mean for organizations navigating an increasingly complex global environment.
Trend 1: EU pushes for simplification of landmark data protection rules
According to the IAPP, Europe remains the most heavily regulated region for data protection, with all of the continent covered by some form of comprehensive data privacy legislation. The GDPR’s influence—part of the so-called “Brussels effect”—has shaped national privacy approaches around the world. But now, after nearly a decade of GDPR enforcement, the EU is signaling a strategic shift toward simplification.
In November 2025, the European Commission unveiled the Digital Omnibus, a sweeping deregulatory proposal aimed at reducing compliance burdens and boosting innovation. Among its most controversial changes are:
- Narrowing GDPR applicability to data tied to identifiable individuals
- Eliminating most cookie banner requirements
- Allowing companies to use personal data for AI training without prior user consent (with exceptions)
While the proposal has been criticized for catering to the interests of big tech and to US trade pressure, the Commission says the goal is to relieve businesses from the cumulative weight of overly complex data protection rules—especially small and mid-sized enterprises, which have long argued that the GDPR created disproportionate burdens.
And that burden is clearly substantiated in recent research. According to PwC’s Global Compliance Survey 2025:
- 85% of executives said compliance requirements have become more complex in the last three years.
- 3 out of 4 reported that this increasing complexity negatively impacts areas that drive growth, including resource capacity and business transformation or change.
- 72% said it negatively impacted their company’s profitability to some or to a great extent.
At the same time, the benefits of data protection rules and compliance are also well documented. According to the World Economic Forum's Global Cybersecurity Outlook 2025, 87% of CEOs agree that cyber and privacy regulations meaningfully reduce cyber risk, and 24% of organizations surveyed in A-LIGN’S Compliance Benchmark Report 2025 ranked the desire to win new business or increase revenue as the leading driver behind their compliance efforts.

This pressure to maintain strong data protection while minimizing unnecessary economic friction is felt around the world, not just in the EU, but the European Commission is the first major regulatory body to propose simplification as a deliberate economic strategy. While the Omnibus is still under debate, its direction signals a shift in data protection—one focused not on more rules, but on smarter ones.
Trend 2: US data protection and privacy laws become even more fragmented, particularly around AI
While the EU is moving toward consolidation, the United States is accelerating in the opposite direction: data protection and privacy laws are becoming increasingly fragmented, especially when it comes to AI.
In 2024 and 2025, the US experienced its most active period of privacy legislation ever, with:
- Nearly 20 new state privacy laws activated or taking effect
- New AI governance laws enacted in states such as Alabama, Arizona, California, Colorado, and dozens more
- Over 150 state AI bills introduced
- Failed efforts to include a 10-year federal moratorium on state AI regulations
According to White & Case, 2025 alone saw five new privacy laws come into force, with three more scheduled for activation later in the year.
As the US continues to accumulate a patchwork of state-specific data protection laws, businesses operating across states or deploying AI face enormous operational complexity. According to the World Economic Forum's Global Cybersecurity Outlook 2025:
- 76% of CISOs say regulatory fragmentation significantly impacts their ability to maintain compliance.
- 69% report regulations are too numerous or too complex, or have difficulty verifying whether third-party suppliers are compliant.
- 28% cite “changes in regulations that are missed in our program” as their top AI-related compliance risk
With federal consensus unlikely in the near term, US organizations should expect more fragmentation in 2026, especially as states continue to enact laws aimed at regulating AI.
Trend 3: Delays in implementing new data protection laws are becoming common across the world
A global pattern is emerging: while governments are introducing or passing more data protection laws, many are not being implemented on schedule.
Delays in implementation are often the result of political negotiation, resource shortages, or concerns about economic impact. Notable examples include:
- The EU’s Digital Omnibus proposes delaying its own rules for high-risk AI systems until 2027.
- India’s Digital Personal Data Protection Act (DPDP Act), which was passed in August 2023, still hadn’t come into force two years later. In October, the Delhi High Court publicly questioned the government about the lack of implementation, urging clarity on timelines.
- Efforts to update Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and pass new AI regulation continue to stall, most recently with the demise of Bill C-27.
These cases reflect a broader challenge: while governments and organizations agree on the importance of stronger data protection, operationalizing new frameworks and scaling compliance programs is proving far more difficult.
Since delayed implementation creates uncertainty, slows multi-year compliance planning, and leaves gaps in data protection during a period of escalating cybersecurity threats, many regulatory bodies are now opting for phased implementation approaches instead. Most recently, on November 13, 2025, the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules 2025, making certain provisions of the DPDPA effective immediately while scheduling others to come into force in 2026 and 2027. Earlier that same week, on November 10, Phase 1 of CMMC enforcement also began.

Phased rollouts aim to give organizations the time and clarity they need to build processes, adopt technology, and mature their cybersecurity compliance programs before full enforcement begins. This approach is likely to become more common as governments seek to balance regulatory urgency with the practical realities of implementation—offering a middle path between activating entire laws at once and delaying them indefinitely.
Trend 4: Enforcement of some data protection regulations is intensifying, resulting in landmark settlements and fines
While some data protection rules are being delayed or phased in gradually, others are being enforced with unprecedented intensity.
2025 has already broken multiple non-compliance enforcement records, including:
- HHS set a new record for the most HIPAA violation settlements in a single year by May.
- GDPR fines exceeded the €5 billion mark for the first time.
- CPPA issued the largest penalty ever over CCPA violations—also the first to address privacy rights for job applicants.
- DOJ announced 7 False Claims Act settlements related to cybersecurity non-compliance as of September—three more than the year before.
After years of delayed enforcement and uneven regulatory action, regulatory bodies are sending a clear message: compliance must be real, operationalized, and continuously demonstrated. Regulators are investing in deeper investigative capabilities, cross-border collaboration, and targeted crackdowns in high-risk sectors to ensure it.

This heightened enforcement is especially visible in industries that routinely handle sensitive or regulated data—such as healthcare, retail, technology, finance, and defense—where the consequences of non-compliance can trigger widespread consumer, economic, or national security harm.
Trend 5: Data protection requirements are tightening for government contractors
Even as the US government pursues deregulatory initiatives, data protection requirements for sensitive government information are expanding.
This is happening first in the defense sector, but similar standards are expected to extend across the broader federal ecosystem by the end of 2025—as illustrated by two major developments:
1. CMMC Final Rule (Defense Sector)
On September 10, 2025, the Department of Defense published its final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement CMMC. This rule, which went into effect November 10, requires any contractor or subcontractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to meet strict cybersecurity standards and obtain certification so Department program managers and primes can verify compliance before awarding contracts and during contract periods.
These requirements will continue rolling out across the defense supply chain through 2029, eventually applying to an estimated 220,000 organizations in the Defense Industrial Base (DIB).
2. FAR CUI Rule (Government-Wide)
In January 2025, the federal government proposed the first ever government-wide rule for the protection of CUI. The FAR CUI rule would apply to all executive branch contracts, not just defense. According to the FAR Council’s Spring 2025 regulatory agenda, it is scheduled for finalization by the end of the year.

Image source: FAR Case 2017-016 on Reginfo.gov
Together, these regulations indicate a new era of US federal data protection that is focused on safeguarding national security information across the full contractor ecosystem and throughout the entire lifecycle of contract performance.
Trend 6: Ensuring data protection across the supply chain is a top risk—and priority
Data protection is no longer confined to an organization’s internal systems or employees. It now extends across suppliers, partners, cloud platforms, managed service providers, and every third party with access to business-critical data. As global supply chains become more interconnected, the weakest link is often not inside the target organization—but several layers downstream.
This shift is being driven by several forces:
- Multi-tier global supply chains with thousands of components and contributors
- Increased dependency on third-party SaaS, cloud, and data processors
- Expanding regulatory requirements related to third-party and vendor risk
- National security concerns, particularly across defense and critical infrastructure
For many industries—especially manufacturing—even a minor compliance gap at one supplier can result in a security incident or capability loss that delays shipments, halts production lines, or triggers regulatory investigations that lead to costly settlements.
Leaders are increasingly feeling the strain of managing supply chain risk. According to the World Economic Forum's Global Cybersecurity Outlook 2025 and Gartner for Legal, Risk & Compliance Leaders July 2025 Survey:
- 48% say ensuring third-party compliance is their biggest challenge to effectively implementing cyber regulations.
- 41% cite lack of visibility into third-party dependencies as their top supply chain cyber risk.
- 40% said strengthening third-party risk management processes and/or technology was one of their top five priorities.

The flowdown requirements in CMMC are a clear example of how organizations are being tasked with greater accountability for their supply chains. By 2029, primes will be responsible for ensuring all their subcontractors meet appropriate CMMC requirements. While large primes like Lockheed Martin have already started putting pressure on their subcontractors, many are unsure how to enforce or validate compliance.
One main reason for this confusion is that access to assessment results and scores in SPRS is limited to the entity that owns the certification and the Department. This means primes must build new processes for confirming subcontractor compliance before contract awards and throughout contract periods.
With adversaries increasingly targeting supply chain partners and regulatory expectations for the supply chain continuing to expand, supply chain risk management and vendor compliance is expected to become a defining challenge—and differentiator—in the coming years.
Regulatory Compliance Checklist for 2026
With new data protection rules, expanding supply chain obligations, and increasing enforcement pressure, preparation is essential. Download our 2026 Regulatory Compliance Checklist to understand and track the essential tasks and priorities every organization should prepare for in the year ahead.
The future of data protection is automation
One conclusion cuts across all these trends: technology and automation will become indispensable for managing compliance and strengthening data protection in the years ahead.
The data protection landscape is evolving faster than human teams can keep up. Regulations are more numerous, more complex, and more interconnected across global supply chains. Enforcement is rising. And regulators increasingly expect organizations to prove continuous compliance through real-time security data and reporting, not once-a-year audits.
To meet these demands, organizations are increasingly leveraging technology and automation. 2025 is the first year in which a majority of organizations (66%) said they use purpose-built technology to manage compliance risk, according to Navex Global’s annual State of Risk & Compliance Report.
And the business impact is clear: according to PwC’s Global Compliance Survey 2025, organizations said that investments in technology have helped them:
- Gain better visibility of risks and risk management activities (64%)
- Identify and respond to compliance issues faster (53%)
- Increase productivity, efficiencies and cost savings (43%)
- Identify and respond to regulatory changes more quickly (42%)

As a result of these and other benefits, 82% of companies plan to invest more in technology to drive compliance activities.
Organizations that take a proactive, technology-first approach to data protection—rather than a reactive, obligatory approach—will be best positioned to navigate the next decade of regulation, innovation, and global risk.
Request a demo with one of our product experts to see why thousands of organizations choose Secureframe to simplify compliance and safeguard their data.

Anna Fitzgerald
Senior Content Marketing Manager
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Cavan Leung
Senior Compliance Manager
Cavan Leung, CSSK, CISA, CISSP is an information security leader with over a decade of experience in the security, privacy, and compliance industries. A former auditor and security consultant, Cavan performed ERP and SOX compliance audits at Deloitte, as well as SOC 1, SOC 2, GDPR, and ISO 27001 compliance assessments for Fortune 500 companies at Schellman. At Secureframe, he’s helped hundreds of customers achieve compliance with SOC 2, ISO 27001, GDPR, HIPAA, and more.