Which regulatory changes will most affect businesses in 2026?

MiroMind Deep Analysis

Regulatory risk in 2026 is dominated by three intersecting themes:

  1. AI regulation,

  2. Data privacy and cybersecurity, and

  3. ESG and supply chain transparency.

These changes impact not only compliance departments but also product design, data strategy, and board-level risk oversight.

1. AI Regulation: EU AI Act and US State/Local Laws

EU AI Act (global impact)

  • The EU AI Act is entering its implementation phase: the obligations for high-risk AI systems (the Annex III use cases such as employment, credit, education, and access to essential services) apply from August 2, 2026.[1][4][7]

  • For many companies (including non‑EU firms offering AI services in the EU), this means:

    • mandatory risk assessments and mitigation,

    • transparency and explainability requirements,

    • data governance, human oversight, and logging obligations, and

    • penalties of up to 7% of global annual turnover (or EUR 35 million, whichever is higher) for prohibited practices, with lower tiers for other violations.[7]

US AI regulations and guidance

  • A 2026 preview from Wilson Sonsini notes a rapidly thickening landscape of US AI rules, including:

    • state AI transparency and impact assessment laws,

    • sector‑specific guidance (e.g., for financial services, health, and employment), and

    • emerging federal bills such as the Protecting Consumers From Deceptive AI Act (introduced April 23, 2026) targeting deceptive AI marketing and deepfakes.[2][5]

  • California's 2026 AI/privacy laws and regulations (e.g., SB 942, the AI Transparency Act, and the CPPA's regulations on cybersecurity audits, risk assessments, and automated decision-making) impose:

    • latent (embedded provenance) disclosures in AI-generated images, video, and audio, together with a free public detection tool,

    • a 30-day deadline for notifying affected California residents of a data breach,

    • mandatory annual cybersecurity audits for businesses whose processing presents significant risk (phased in over the following years), and

    • heightened rules for automated decision-making technologies (ADMT), including pre-use notices and opt-out rights.[2][5]

Business impact:

  • Companies that build or deploy AI must treat AI compliance as a product and engineering requirement, not a legal afterthought: document training data provenance, fairness testing, evaluation results, and production monitoring, and keep those records in a form an auditor can inspect.

  • Non-compliance risks include fines, injunctions, and loss of market access (especially in the EU, where a non-compliant high-risk system cannot lawfully be placed on the market).

2. Data Privacy: Patchwork of State Laws and Higher Enforcement

Expansion of US state privacy laws

  • By early 2026, twenty US states have comprehensive privacy laws in effect, with new laws launching in Indiana, Kentucky, and Rhode Island, among others.[3][6][8]

  • These laws introduce or expand:

    • rights to access, correct, delete, and port data,

    • opt‑out rights for targeted advertising, profiling, and certain automated decisions,

    • obligations around sensitive data (health, biometrics, geolocation), and

    • detailed notice, purpose-limitation, and contract requirements.[3][6]

Heightened enforcement

  • Data privacy and AI enforcement is intensifying:

    • European GDPR enforcement continues, with 2025 breach notifications up 22% YoY (443 incidents per day) and regulators increasingly targeting AI, adtech, and cross‑border transfers.[4]

    • US regulators (FTC, state AGs) are bringing more actions on deceptive data practices and misrepresentations about AI or privacy protections.

Business impact:

  • Companies operating in multiple states must either harmonize policies and consent flows to the strictest applicable standard or build region-specific experiences; both approaches are costly.

  • Data mapping, vendor risk management, and automated consumer‑rights response processes become operational necessities.

3. ESG, Climate, and Supply Chain Transparency

ESG/climate disclosures

  • SEC climate disclosure rules (adopted in March 2024 but stayed pending litigation, with compliance originally phased in from the largest filers' 2025 and 2026 fiscal years) would require:[4]

    • detailed reporting on climate-related risks, governance, and strategy,

    • Scope 1 and Scope 2 greenhouse gas emissions where material (Scope 3 was dropped from the final SEC rule, although the EU CSRD does require it), and

    • enhanced attestation and data-quality expectations.

  • EU's Corporate Sustainability Reporting Directive (CSRD) and Corporate Sustainability Due Diligence Directive (CSDDD) further raise the bar for many global businesses on ESG transparency and due diligence.[4]

Sanctions and supply chain transparency

  • Dun & Bradstreet's 2026 compliance report highlights:

    • expanding sanctions regimes and ownership-based screening rules (OFAC's long-standing 50% rule and BIS's 2025 extension of the same concept to export controls), which require screening not just direct counterparties but also their affiliates and beneficial owners.[9]

    • increasing pressure to trace goods, data, and ownership through entire supply chains, not just tier-1 suppliers.[9]

Business impact:

  • Companies must invest in ESG data collection systems, supplier due‑diligence workflows, and sanctions screening tools that can map ownership and control structures.

  • Board and C‑suite exposure grows: some regimes contemplate executive liability for egregious sanctions or ESG reporting failures.

4. Cross-Cutting: Cybersecurity Rules

  • Global and sectoral frameworks and rules (e.g., NIST CSF 2.0, the EU NIS2 Directive, and the SEC's cybersecurity disclosure rules) converge on higher expectations for:

    • timely incident identification and notification (NIS2's 24-hour early warning and 72-hour incident notification; the SEC's four-business-day Form 8-K Item 1.05 disclosure once an incident is determined to be material),

    • board-level oversight of cyber risk, and

    • documentation of incident response and resilience measures.

Business impact:

  • Cybersecurity is now deeply intertwined with privacy and AI regulation; failure in one domain often creates liability in the others (e.g., a breach that exposes the training data or decision logs of an AI-driven decision system triggers breach-notification, privacy, and AI-governance obligations at the same time).

Which Changes "Most Affect" Businesses?

In 2026, the most impactful regulatory shifts are those that:

  • have broad scope (affecting most mid‑to‑large companies),

  • create material penalties or litigation exposure, and

  • require structural changes to technology and governance.

By these criteria, the top three are:

  1. EU AI Act and US AI rules – because they reshape how AI is designed, documented, and deployed, with high penalties and extraterritorial reach.

  2. Proliferation of state privacy laws and elevated enforcement – due to their breadth across industries and the complexity of compliance in 20+ jurisdictions.

  3. ESG/climate and supply chain transparency regimes – especially for public or cross‑border companies, which must build new reporting and due‑diligence infrastructures.

MiroMind Reasoning Summary

I surveyed 2026 regulatory round‑ups from law firms and compliance experts alongside official and quasi‑official policy documents, focusing on changes with wide applicability and significant penalties. Multiple independent analyses converge on AI regulation, state privacy laws, and ESG/supply‑chain rules as the most impactful for businesses in 2026, both in terms of compliance effort and enforcement risk. Cybersecurity obligations are tightly interwoven with these and reinforce their practical importance.


MiroMind Verification Process

  1. Reviewed 2026 regulatory previews and heatmaps (WSGR, Freshfields, Axiom, JD Supra, brighter AI) for recurring themes. [Verified]

  2. Confirmed specific effective dates and obligations for AI, privacy, and ESG/supply-chain regimes from multiple independent sources. [Verified]

  3. Assessed which regimes had the broadest scope and heaviest enforcement/penalty profiles to identify those most affecting businesses overall. [Verified]

Sources

[1] 2026 Year in Preview: AI Regulatory Developments for Companies to Watch Out For, Wilson Sonsini, Jan 13, 2026. https://www.wsgr.com/en/insights/2026-year-in-preview-ai-regulatory-developments-for-companies-to-watch-out-for.html

[2] Recent AI Regulatory Developments in the United States, Wilson Sonsini Data Advisor, May 2026. https://www.wsgrdataadvisor.com/2026/05/recent-ai-regulatory-developments-in-the-united-states/

[3] 20 State Privacy Laws in Effect in 2026, MultiState, Feb 4, 2026. https://www.multistate.us/insider/2026/2/4/all-of-the-comprehensive-privacy-laws-that-take-effect-in-2026

[4] Data law trends 2026, Freshfields (PDF), Oct 22, 2025. https://www.freshfields.com/globalassets/our-thinking/campaigns/data-trends/2026-data-law-trends/2026-data-law-trends.pdf

[5] California's 2026 Privacy and AI Laws: Key Business Impacts, Kiteworks, Jan 27, 2026. https://www.kiteworks.com/regulatory-compliance/california-ai-privacy-legislation-2026-compliance-guide/

[6] State Privacy Laws: 2026 Changes & Compliance, Axiom Law, Jan 1, 2026. https://www.axiomlaw.com/blog/state-privacy-laws

[7] Privacy and AI Heatmap for 2026: What Device & Drug Makers Should Know, JD Supra, Jan 30, 2026. https://www.jdsupra.com/legalnews/privacy-and-ai-heatmap-for-2026-what-6171799/

[8] Global Privacy Regulations in 2026: Understanding Business Obligations, brighter AI, Feb 18, 2026. https://brighter.ai/resources/understanding-business-obligations-global-privacy-regulations-in-2026/

[9] Seven Compliance Trends to Watch in 2026, Dun & Bradstreet, 2026. https://www.dnb.co.uk/blog/compliance-risk/seven-compliance-trends-to-watch-in-2026.html
