
Forget AI Attacks. The Real Threat in 2026 is the Attack on Regulators

  • Writer: Lara-Ming Sinnathamboo
  • 3 days ago


Two elephants in the room

In the cybersecurity and risk management domains, there are two elephants in the room that are receiving insufficient attention. One is the increasingly intense undermining of regulators, and the other is over-dependence on a few hyperscalers.


Why regulators matter

Cybersecurity, privacy, child safety, and effective market competition all depend on regulators having the power and capacity to act. Regulators play a critical role in setting guardrails in advance, establishing baseline expectations for security, resilience, privacy, transparency, and fair competition that protect both businesses and consumers. These guardrails reduce systemic risk, create predictability for enterprises, and prevent dominant platforms from entrenching monopolistic positions that suppress choice, innovation, and consumer protection. Increasingly, regulators lack the authority, resources, and political backing to perform these functions effectively.


The hyperscaler dependence trap

The second issue is the growing dependence on a small number of hyperscalers. Governments and enterprises have concentrated critical workloads, sensitive data, and core digital services inside the infrastructure of a handful of providers. This concentration is becoming harder to justify at a time when both the US federal government and the Chinese government increasingly treat major technology platforms as strategic national assets. It raises uncomfortable questions about jurisdiction, control, and whether critical systems can securely remain dependent on platforms that are subject to the policy priorities of a single nation.


The AI-amplified vicious cycle

These two elephants in the room reinforce each other. As regulators weaken, more breaches go undetected, regulatory enforcement falters, and oversight of tech monopolies diminishes. At the same time, rapid advances in AI increase risk enormously. Weakened regulation materially exacerbates AI risk. AI systems operating at scale require strong oversight, transparency, and enforcement to ensure explainability, integrity, and security, and to prevent misuse. When regulatory authority erodes, managing AI risk at scale becomes increasingly difficult.


Even the EU is under pressure

Even where regulators retain formal authority, particularly in the EU, that power is now under sustained political and legal attack, as recent enforcement actions against major platforms (note the recent X fine) demonstrate.


Four targeted regulator types

Four types of regulatory bodies face simultaneous pressure:

·       Privacy and cybersecurity authorities

·       Online safety and child protection agencies

·       Competition and antitrust regulators

·       Consumer protection and disinformation oversight bodies


Six attack vectors

The attacks come in multiple forms, typically from:

·       Aggressive lobbying, increasingly from nation states

·       Budget cuts

·       Jurisdictional challenges

·       Legal stalling tactics

·       Narrative warfare (“regulation harms innovation and freedom of speech”)

·       Technical obstruction by platforms


The assault is already happening

The erosion of regulatory power is already underway across multiple jurisdictions, with the possible exception of the EU, which nevertheless is under sustained political and commercial attack.


United States: cyber transparency in retreat

The United States illustrates how quickly cyber regulation can advance and then unravel under political and commercial pressure. After the SEC introduced stronger cybersecurity disclosure rules in 2023, major financial and industry groups swiftly lobbied for their dilution or repeal. By mid-2025, the SEC had withdrawn a more prescriptive set of cybersecurity and risk management rules altogether, marking a clear retreat from stronger oversight and accountability.

At the same time, several proposed measures aimed at countering foreign interference in critical infrastructure and digital operations stalled or were deprioritised. These reversals suggest that moves toward transparency and national security resilience are rolled back as soon as they threaten powerful commercial or political interests. In the U.S. system, regulators are increasingly outmatched by lobbying pressure, litigation threats, and partisan pushback.

The trend accelerated further in December 2025, when President Trump signed an executive order directing federal agencies to establish a single national AI framework and to challenge state-level AI laws that conflict with it. The order significantly curtails states’ ability to regulate AI independently, consolidating authority at the federal level, while undermining state sovereignty and regulatory independence.

These developments signal a decisive shift away from cyber transparency, decentralised oversight, and proactive risk management, at a time when systemic digital and AI-driven risks are increasing rapidly.


United Kingdom: Online Safety Act (OSA)

The OSA was designed to protect children and reduce online harm. Instead, its enforcement has been systematically undermined. Critics frame it as regulatory overreach and delay it through political and industry pressure.

Implementation has come under attack from opposite directions. Advocacy groups argue progress is too slow and too weak to address genuine harm, while major technology firms and the US government claim the measures risk over-censorship and threaten freedom of speech. The UK government, meanwhile, is pushing for faster action, underscoring how contested and fragile the enforcement mandate has become. The result is a regulator (Ofcom) caught in a political dispute rather than delivering clear, consistent online-safety outcomes.


Canada: stalled reform and regulatory paralysis

Canada’s attempt to modernise privacy and platform regulation through Bill C-27 collapsed under intense lobbying and political delay. The CPPA and the country’s first federal AI law were both abandoned when Parliament was prorogued in early 2025, eliminating years of reform.

The political context matters. Once the Trump administration took power, Washington signalled that moves by allies to tax or tightly regulate dominant US technology firms could trigger trade retaliation, including higher tariffs. For Canadian policymakers, that threat reinforced the message that any constraints on US tech monopolies carry economic and political risks.


Australia: privacy enforcement with shrinking resources

Australia has faced a surge in major data breaches and government cyber incidents, yet the Office of the Australian Information Commissioner (OAIC) has been constrained by years of budget pressure. The laws exist, but the regulator lacks the capacity to enforce them. In effect, this is a form of regulatory weakening by underfunding rather than statute.

Frustration with platform self-governance is growing. In December 2025, the federal government introduced a national ban on social media access for children under 16. This blunt policy move reflects declining confidence in existing regulatory tools. Major technology firms are lobbying to dilute the ban, repeating the pattern seen globally. Whenever and wherever governments attempt strong action, platforms mobilise to neutralise it.


The weaponisation of digital infrastructure

Recent developments across multiple jurisdictions show how access to essential digital infrastructure can be restricted through nation state policy, with immediate operational impact. In recent years, sanctions regimes, export controls, and government directives have resulted in organisations and individuals losing access to cloud services, enterprise software, collaboration platforms, and financial systems, often with little notice.

These cases span international oversight bodies, research institutions, public sector organisations, and private enterprises. The common factor is not the nature of the organisation, but its dependence on commercial digital platforms that sit within the legal and policy reach of a single government. When those platforms are designated as part of a broader national strategy, access can be constrained or withdrawn for reasons unrelated to cybersecurity performance or operational risk.

The significance lies less in any individual case than in the precedent now established. Digital infrastructure is no longer a neutral utility. Cloud platforms, productivity tools, and payment systems are increasingly used as instruments of state policy, whether through sanctions enforcement, export restrictions, or compliance with national security law. For regulators, governments, legal professionals, and enterprises alike, this creates a structural vulnerability.

Even the EU remains structurally dependent on platforms based in a foreign jurisdiction. EU regulators face increasing foreign political interference while confronting highly litigious tech monopolies.


The uncomfortable truth is that regulation drives cybersecurity

Although organisations will always implement the minimum controls required to keep their businesses operating, they rarely invest in strong data protection purely out of intrinsic motivation. Serious investment usually comes when regulation turns data protection into a board-level concern. Strong regulation attaches consequences to poor data handling and holds senior decision-makers accountable.

GDPR drove the biggest global cybersecurity improvement in decades, effectively setting global best practice for data protection. It introduced mandatory breach notification, strict vendor controls, encryption expectations, DPIAs, data minimisation, and formal accountability structures like DPOs, backed by real penalties for non-compliance. Companies adopt these measures because they are mandatory and the regulator has strong enforcement powers.

When regulators weaken, cybersecurity, privacy and safety (often child safety) deteriorate. Critically, AI risk accelerates, because systems operating at scale without strong regulatory guardrails can cause significant damage.

In parallel, we are seeing tech monopolies shift towards rent extraction as regulatory pressure diminishes. This manifests in substantial cloud price increases, AI compute charges, bundling that suppresses competition, reduced transparency, and arbitrary product discontinuation.


The structural risk of dependence on hyperscalers

When regulatory oversight is weak and major platforms face little constraint, dependence on hyperscalers becomes a structural vulnerability for a range of reasons, including:

·       Pricing, access and terms can change quickly with no recourse

·       Enterprises have limited transparency into how data is used or moved

·       National regulators cannot reliably audit systems controlled by powerful foreign vendors

·       AI services become bundled into the systems of a small number of providers

Governments and enterprises will, in 2026, need to examine ways of reducing their dependence on a handful of hyperscalers, at least for critical workloads, sensitive data, and national infrastructure. Sovereign clouds and selective repatriation strategies will become essential tools to manage risk and ensure digital sovereignty.


Implications for governments, boards and risk leaders

All technology stakeholders are being impacted by the undermining and stymying of regulations. Enforcement power will be contested more aggressively, politically, legally and financially.

·       EU, UK, Canadian, Australian, and other regulators will face an onslaught of political, narrative, and financial attacks, while US regulatory capability is being significantly constrained.

·       For CISOs and risk managers, scenario planning needs to recognise that regulation and enforcement will lag further behind real-world risk, making organisations and consumers more exposed to technology risk than they have ever been.

·       Boards and executives may view regulatory retreat as short-term relief. In reality, it shifts cyber and privacy risk onto enterprises and consumers (often children) without clear guardrails or shared accountability.

·       Non-US governments are seeing a rapid erosion of their digital sovereignty. They need both strong regulators and diversified infrastructure if they are to maintain any semblance of independence from foreign pressure. For many enterprises and governments, dependence on a small set of US or Chinese platforms is now a major strategic vulnerability, not simply a procurement choice. Digital services taxes are another major flashpoint.

Even within the United States, both government and industry will need to reconsider how much critical national capability resides inside private technology firms whose interests do not always align with either national security or democratic accountability.


Confronting the unavoidable risks of 2026

2026 will be a year when regulators face relentless attacks across political, legal, financial, and commercial fronts. This weakening of regulatory power is likely to expose the risks inherent in reliance on a few US or Chinese technology platforms and will force governments worldwide to confront the erosion of their digital sovereignty. They will need to strengthen their regulators and diversify their infrastructure.

Organisations cannot wait for regulators to recover. Risk management in 2026 and beyond will require:

·       Reduced single-country and single-vendor dependence. Critical workloads, data and capabilities will need to move away from reliance on a small number of US hyperscalers (and in some cases Chinese tech stacks) to avoid exposure to policy shifts and foreign political pressure. This will increasingly involve cloud repatriation for specific high-risk workloads and data, and diversification across jurisdictions and providers for the rest.

·       Stronger data and digital sovereignty strategies. Organisations will need greater transparency on where their data sits, whose laws apply, which jurisdictions can compel access, and how to keep intellectual property and sensitive data within trusted environments.

·       Explicit protection against nation-state threats. Security programs will need to assume that hostile states will seek to sabotage infrastructure or acquire data and IP through covert action and supply chain intrusion.


The organisations that act early will be the ones that optimise their cybersecurity postures and resilience.

 
 
 



© 2025 by Veqtor8
