Parent Page Home
Parent Page News & Insights
Parent Page Spotlight on Cyber Threats and Tech Advances 2026
Parent Page Resilience Reimagined
Case Study - When Regulations Tighten and Data Rules Diverge

Case Study: When Regulations Tighten and Data Rules Diverge

Global cyber and AI regulation is tightening fast. As lawmakers formalise new expectations around security, transparency and accountability, organisations face a growing, and often conflicting, set of obligations.

The result is a fragmented regulatory terrain: clearer rules, but far more complexity for any business operating across borders.

“Differences in how cyber risk is perceived across regions are often less about the objective threat landscape, which is global and interconnected, and more about experience, exposure, and institutional maturity.

“Guidance and supervisory expectations, especially in regulated sectorsCse St, now emphasise explainability, governance, data integrity, and cyber resilience, even where formal AI-specific legislation is absent.” Nathalie David, Partner, Clyde & Co.

Regulators worldwide are raising the bar on governance, explainability, data integrity and cyber resilience, even where no formal AI-specific law yet exists.

Regulatory borders are redrawing operational risk

Different jurisdictions are now setting their own standards, creating a maze of compliance requirements.

Europe: Mandatory resilience and strict oversight

European rules²⁹ focus on digital resilience, supply chain integrity and rapid incident reporting. Key regulations include:

NIS2³⁰ – stricter network and information security

Cyber Resilience Act³¹– hardware and software security requirements

DORA³² – financial sector resilience and operational continuity

Any business operating in the EU must meet these obligations, regardless of headquarter locations.
United States: Disclosure, transparency and data access

US regulation operates differently:

SEC cyber disclosure rules³³ – material incidents must be disclosed publicly, within strict timelines.

Annual governance reporting – mandatory transparency into cyber oversight

US CLOUD Act³⁴ – US authorities can access data handled by US-based providers, even when stored overseas .

This complicates cross border operations, especially when data sovereignty laws clash.

US federal obligations for critical sectors

Additional legislation includes:

CIRCIA³⁵ – major breaches must be reported to CISA within 72 hours.

CFAA – longstanding federal law governing computer misuse.

United Kingdom: Unified standards and executive accountability

In the UK:

FCA’s unified operational resilience framework³⁶ standardises reporting and expectations
Cyber Security and Resilience Bill³⁷outlines what executives must know, how they must prepare, and how fast they must report

Failures may lead to director & officers’ liability (D&O) claims, increasing personal exposure for senior executives.

Data sovereignty: The new battleground

France’s commitment to build a domestic video conferencing tool (“Visio”) by 2027 adds another layer, pushing any firm operating in France to rethink its reliance on non-European platforms in any work involving sensitive communication³⁸.

This move reflects a deeper strategic shift – video conferencing is no longer ‘just software as it generates:

Meeting content
Metadata
Transcripts
Organisational memory³⁹
AI training material

These are now considered strategic assets akin to energy, telecom, and semiconductors.

Sovereignty is now industrial strategy

France (and increasingly the EU) sees jurisdictional risk as real:

US providers fall under US law.
This can conflict with GDPR.
Sensitive data hosted outside Europe may be subject to foreign authority.

Hosting communications locally keeps the AI value chain and security control within European borders.

Geopolitics now shapes tech stacks

For years the model was simple:

US builds → Europe buys → efficiency increases.

Now, procurement includes a new question:

What if access to essential software becomes political?

Governments increasingly view data as a strategic asset:

They are asserting authority over where data lives

They are controlling how it moves

They are questioning which laws govern access

They are requiring sovereign alternatives
A routine incident can quickly turn complex when:

Jurisdictions demand conflicting actions

Local rules override global policies

Data location becomes a liability

Technology choices have become geopolitical decisions.

“The key lesson here is that compliance and resilience are no longer competing priorities. Firms that treat data sovereignty as a core governance issue ... are better positioned to meet cross-border obligations and maintain trust in an increasingly fragmented regulatory landscape.” Ian Birdsey, Partner, Clyde & Co.

The Goal - Make Complexity Manageable, Not Minimal

Complexity cannot be eliminated – but it can be managed. Resilience depends on reducing friction between:

Regulatory expectations
Operational capability
Geopolitical pressure
Data sovereignty constraints

The winning organisations will be those who build governance models that expect change, absorb new rules and adapt without disruption.

Where to start:

Bring cyber, legal, procurement and operations under one governance model that:

Maps data locations and legal jurisdictions

Tracks cloud and AI system dependencies

Documents data flows and escalation routes

Enables fast action when regulators demand responses
Evaluate suppliers based on:

Sovereignty exposure

Jurisdictional requirements

Compliance risk

Contingency options

Maintain preapproved fallback tools and sovereign-hosted alternatives.
Active dialogue with:

Regulators

Cloud providers

Strategic partners

provides early warning on policy changes, access shifts or compliance updates.
As cross-border obligations multiply, cyber insurance provides:

Legal guidance

Forensic expertise

Crisis management

Cross-jurisdictional response support

Insurance becomes a strategic resource, not just a financial one.