Why economic instability is fuelling the next wave of cybersecurity regulation
Periods of economic volatility, currently driven by issues such as tariffs and geopolitical tensions, often create the ideal conditions for cybercriminal activity to flourish. When national attention shifts toward managing macroeconomic priorities, the focus can turn from cybersecurity to other problems. As a result, today’s climate of uncertainty is not just a cause for concern among investors and policymakers; it’s also a clear signal to bad actors that networks may be vulnerable.
This is playing out in real time. With trade tensions and geopolitical fragmentation undermining supply chains and investor confidence, businesses are scaling back tech investment and delaying key decisions. At the same time, disruptive technologies such as AI are prompting new fears around job displacement, data governance, and regulatory compliance. Add to this a rise in sophisticated cyber threats, and it becomes clear that instability is being felt across every layer of business and infrastructure.
Indeed, a recent study by the World Economic Forum (WEF) says that geopolitical tensions are shaping cybersecurity strategy. According to its analysis, “Nearly 60% of organisations state that geopolitical tensions have affected their cybersecurity strategy. Geopolitical turmoil has also affected the perception of risks, with one in three CEOs citing cyber espionage and loss of sensitive information/intellectual property (IP) theft as their top concern.”
These pressures are already reshaping the way governments respond. Tariffs, in particular, seem to be triggering a tightening of cybersecurity regulations on technology providers. Rather than pressing pause on new legislation, regulators are doubling down by adding new requirements and pushing for higher compliance standards. The climate of uncertainty, far from reducing oversight, is now one of the key drivers behind the expanding regulatory burden facing organisations worldwide.
Keeping pace with change
While the regulatory direction is clear, it’s not developing in a coherent manner. Instead, what we’re seeing is the emergence of a more fragmented global framework, where different regions are setting their own rules. For international businesses, this makes an already complex compliance environment even harder to navigate.
Take the European Union. NIS2 is underway, but instead of a harmonised approach, many member states are expected to introduce additional local requirements. This creates a patchwork of obligations with which international businesses must comply, each adding new challenges on top of NIS2.
The UK, meanwhile, is moving in parallel with a distinct but equally demanding agenda in the form of the Cyber Security and Resilience Bill. Whilst it is still in Parliament, the bill aims to improve the UK’s cybersecurity framework by strengthening its national cyber defences for critical infrastructure and essential services. In addition, a consultation on ransomware payment bans is currently in progress, alongside plans for a new national cybersecurity framework being led by the Home Office. The draft bill signals a clear intent to tighten regulatory oversight and introduce targeted measures.
What’s important to recognise is that these frameworks aren’t being developed in isolation or in response to a single event. They are the product of long-term strategic planning that is now accelerating in response to global uncertainty.
For international businesses, the implications are significant. Data localisation and sovereignty requirements are becoming more prominent, pushing businesses to rethink where and how data is stored, processed, and accessed. This, in turn, is driving greater demand for region-specific infrastructure and technology stacks that can support compliance at a local level.
Engaging with the process
For businesses everywhere, especially those operating across multiple jurisdictions, adopting a reactive approach to compliance is a dangerous strategy. Instead, they must focus on staying ahead of regulatory requirements, many of which are well understood years before becoming law.
This starts with strengthening internal compliance functions and ensuring they’re equipped to handle regulatory divergence. Businesses with cross-border operations should assess their existing capabilities and identify where additional expertise or support is needed. This should include working with regulatory technology providers to track upcoming developments and accurately forecast risk.
Businesses need to examine their IT infrastructure closely. As localisation requirements become more stringent, understanding the location of data and relevant data flows is essential. This assessment is critical when considering cloud vendors and technology partners, as their capacity to support data sovereignty may impact compliance in specific regions.
Vendor selection is no longer just a matter of cost or performance; it’s about regulatory alignment. The right partners will be those that can demonstrate clarity on localisation, encryption, access control, and audit readiness – all of which underpin regulatory risk.
There’s also an opportunity for businesses to engage more directly with the regulatory process. Governments are increasingly seeking industry input through consultation exercises on proposed laws and updates. For example, the UK’s current ransomware payment consultation is a chance for organisations to contribute to the direction of national cybersecurity policy. Participating in these discussions allows businesses to shape the landscape they’ll later have to navigate and to make sure it reflects operational realities on the ground.
Facing the challenge
Economic volatility remains a persistent challenge for the technology sector, particularly as it seems to fuel the increasing complexity of regulatory demands. In this climate, cybersecurity and data governance are under heightened scrutiny, compelling organisations to reassess their compliance strategies with renewed urgency.
The rapid evolution of cybersecurity regulations calls for a forward-looking, integrated approach – one that embeds compliance within the core of business operations. Organisations that proactively strengthen their internal compliance capabilities and collaborate with technology partners aligned with regulatory best practices will not only meet emerging requirements but also enhance organisational resilience.
As regulatory expectations continue to escalate, IT leaders who move decisively to embed compliance into their strategic frameworks will be best positioned to maintain operational agility and stakeholder trust. In an environment defined by uncertainty, a strong compliance posture becomes not just a necessity, but a competitive advantage.