Cybersecurity Regulations for Financial Services for 2026 and Beyond
Highlights:
- A roundup of cybersecurity challenges and regulations impacting financial services, including PCI DSS, NYDFS Part 500, GDPR, and PSD2.
- Upcoming compliance requirements for financial institutions, including new amendments for reporting and access control.
- The consequences of non-compliance, such as fines and reputational damage.
- How to achieve regulatory compliance with Identity Assurance.
Michael Soohoo, Compliance Analyst, HYPR
29 Min. Read | October 14, 2024
Financial services remain among the most targeted industries globally for cyberattacks. According to recent research, the sector experienced a dramatic escalation in 2025, with cyber incidents more than doubling from 864 in 2024 to 1,858 in 2025—representing roughly 18-19% of all cyberattacks worldwide. The sector also saw a 65% ransomware attack rate in 2024, the highest level since tracking began, with financial services accounting for 27.7% of all phishing attempts.
This intensity is understandable considering the high-value outcomes of successful attacks and the sensitive data financial institutions hold. Despite supposed security improvements, attacks remain highly effective: research shows that organizations hit by ransomware saw data successfully encrypted in 49% of cases in 2024, though this represents an improvement from 81% in 2023. More concerning, attacks increasingly involve AI-powered social engineering, deepfake authentication bypass, and sophisticated supply chain compromises.
Data breaches don't just affect the institution that's compromised—they erode confidence in the sector as a whole. The International Monetary Fund has highlighted the significant threat that weak financial services cybersecurity poses to global financial stability. Potential outcomes range from deposit outflows at affected banks to widespread economic instability if critical payment systems or clearinghouses are disrupted.
That's why global cybersecurity regulations have been significantly ramped up over recent years. These regulations strengthen the security posture of individual firms and the industry overall. Here we'll examine the most important financial services cybersecurity regulations for 2026 and beyond, with particular focus on new enforcement actions, compliance deadlines, and emerging requirements around AI governance and third-party risk management.
New York — NYDFS Part 500
One of the US's most important pieces of cybersecurity legislation is the New York Department of Financial Services cybersecurity regulation, technically known as 23 NYCRR Part 500. Originally enacted in 2017, the regulation was significantly strengthened by the Second Amendment (adopted in November 2023), which introduced phased compliance requirements through November 2025. As of 2026, all Second Amendment requirements are now in full effect, and NYDFS has pivoted to active enforcement mode.
Part 500 affects any firm that operates under the banking, insurance, or financial services laws of New York—which encompasses most financial services firms operating in the United States. It requires firms to implement a comprehensive cybersecurity program covering data governance, access controls, and consumer privacy protection.
What Has Changed for 2026
As of 2026, financial institutions subject to Part 500 must meet the following key requirements:
- Universal Multi-Factor Authentication (MFA): MFA is now required for ALL individuals accessing ANY information system—not just remote access or privileged accounts. This broadening covers cloud applications (Microsoft 365, Google Workspace, SaaS tools), on-premise systems, third-party applications, and vendor/contractor access. NYDFS has stated unequivocally that 'all access should be secured, not just access by personnel.'
- Comprehensive Asset Inventory: Organizations must maintain detailed asset inventories tracking owner, location, classification/sensitivity level, vendor support expiration dates, and recovery time objectives for every asset—including non-material assets. For example, firms must document each server's owner, physical location, data classification, vendor support end date, and maximum tolerable downtime.
- Access Privilege Reviews: Financial institutions must conduct regular reviews of user access privileges, with particular scrutiny on privileged accounts and access to non-public information.
- Quarterly CISO Board Reporting: Chief Information Security Officers must report directly to the board of directors at least quarterly on the organization's cybersecurity program, risks, and incidents.
- Enhanced Incident Reporting: The scope of reportable incidents now explicitly includes ransomware attacks and other cybersecurity events, not just confirmed data breaches.
- Annual Cybersecurity Awareness Training: All personnel must complete annual training with specific focus on ransomware and social engineering threats.
- Vulnerability Management: Organizations must conduct annual penetration testing and implement ongoing vulnerability scanning programs.
Critical Third-Party Service Provider (TPSP) Requirements
On October 21, 2025, NYDFS issued a major Industry Letter clarifying third-party service provider risk obligations. This guidance is critical and many firms remain unaware of its implications:
- Covered entities cannot delegate Part 500 compliance obligations to vendors or service providers. The financial institution retains responsibility for ensuring TPSPs meet Part 500 requirements.
- Contracts with TPSPs must explicitly require the implementation of MFA to the same standard as internal users—universal MFA for all system access.
- Organizations must conduct due diligence on TPSP cybersecurity programs and maintain ongoing oversight through audits, questionnaires, and monitoring.
- TPSP relationships must be documented in the organization's risk assessment and cybersecurity policy.
Enforcement and Compliance Milestones
- April 15, 2026: First annual certification covering the November 2025 universal MFA and asset inventory provisions. Entities that fail to certify risk immediate enforcement action.
- NYDFS published highly prescriptive FAQ guidance (FAQs 18–23) in late 2025 specifically addressing MFA implementation questions and what examiners will scrutinize during audits.
- Enforcement is accelerating: NYDFS entered a $2 million civil penalty consent order in 2025 for Part 500 violations. Fines of up to $30 million have been levied in past enforcement actions.
- Ongoing non-compliance can result in fines of $250,000 per day.
- NYDFS hosted a webinar on MFA requirements in February 2026, signaling continued regulatory attention on authentication controls.
Key Deadline: April 15, 2026; First annual certification covering universal MFA and asset inventory provisions. Entities that are not certified risk enforcement action.
Pro tip: Consider implementing passwordless, phishing-resistant MFA, based on FIDO standards, to ensure that only cryptographically verified identities can access sensitive financial systems and prevent phishing attacks. These technologies can help companies improve compliance with stringent and evolving regulatory requirements such as NYDFS Part 500.
US — Gramm-Leach-Bliley Act (GLBA)
The GLBA has a specific Privacy of Consumer Financial Information Rule that directly affects financial services cybersecurity. It concerns the non-public personal information (NPI) a company collects when offering or providing a financial product or service.
Fines for non-compliance can reach $100,000 per violation, with criminal penalties of up to five years in prison for directors who knowingly violate the law. The Federal Trade Commission enforces GLBA primarily through the Safeguards Rule (covered below), which imposes specific technical security requirements. GLBA's privacy provisions remain critical for customer consent management and data handling practices.
The penalty structure remains unchanged for 2026. The FTC has continued active enforcement of the Safeguards Rule as the primary vehicle for GLBA cybersecurity enforcement against non-banking financial institutions, with particular focus on mortgage lenders and auto dealers in recent enforcement actions.
US — Sarbanes-Oxley (SOX)
The Sarbanes-Oxley Act was originally enacted in 2002 to improve financial reporting transparency and corporate governance. It obligates all publicly traded companies in the US and their wholly-owned subsidiaries to maintain accurate financial records and implement internal controls over financial reporting. While not originally a cybersecurity law, SOX has evolved to encompass cybersecurity considerations as digital systems became central to financial operations.
Section 404 of SOX requires companies to assess and report on the effectiveness of internal controls, which now includes IT systems, data security controls, and access management. Section 302 requires CEOs and CFOs to personally certify the accuracy of financial reports, creating direct executive accountability for cybersecurity failures that could affect financial statement integrity.
SEC Cybersecurity Disclosure Rules
In July 2023, the SEC adopted comprehensive cybersecurity disclosure rules (Regulation S-K Item 106) that now represent a major SOX-adjacent compliance obligation for public companies. These rules became effective in December 2023 and are actively being enforced in 2025-2026:
- Material Cybersecurity Incidents: Companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. This includes ransomware attacks, data breaches, and system compromises that could affect operations or investor decisions.
- Annual Cyber Risk Management Disclosure: Companies must describe their cybersecurity risk management processes, governance structure, and board oversight in annual 10-K filings. This includes detailing how management assesses and addresses cyber risks and how often the board receives cyber briefings.
- Board Expertise: Companies must disclose any cybersecurity expertise held by board members and explain how the board oversees cyber risk.
The SEC's 2025 Examination Priorities (released October 2024) flagged cybersecurity governance as a top focus area. SEC examiners are looking for evidence of meaningful board-level cyber risk oversight, management involvement in incident response, and alignment between cyber risk disclosures and actual practices. Public companies must demonstrate that their cyber governance statements in SEC filings reflect operational reality.
Pro tip: Ensure secure employee identity proofing during onboarding by using a combination of background checks, strong authentication that includes secure cryptographic protocols and biometric validation to comply with Know Your Employee (KYE) regulations. This reduces insider threat risk and satisfies SOX internal control objectives.
US — FFIEC Standards
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that sets standards for all federally supervised financial institutions, including their subsidiaries. The FFIEC's cybersecurity best practices include guidance on effective authentication and access risk management. The FFIEC authentication standards emphasize multi-factor authentication (MFA) as a critical security control against financial loss and data compromise, similar to the PSD2 Strong Customer Authentication mandate.
It includes references to NIST standards SP 1800-17 and SP 800-63B, which provide implementation guidelines for passwordless MFA based on FIDO specifications.
Transition from CAT to NIST CSF 2.0
The FFIEC Cybersecurity Assessment Tool (CAT) was officially sunset on August 31, 2025. As of 2026, financial institutions are directed to use the NIST Cybersecurity Framework 2.0 (CSF 2.0) and CISA's Cybersecurity Performance Goals as their primary self-assessment and risk management tools.
NIST CSF 2.0 represents a significant evolution from the original framework, adding a 'Govern' function to the original five functions (Identify, Protect, Detect, Respond, Recover). The Govern function emphasizes accountability at the board and executive level, requiring institutions to:
- Establish clear cybersecurity roles and responsibilities at all organizational levels
- Integrate cyber risk into enterprise risk management (ERM) frameworks
- Maintain active oversight of third-party ICT service providers and supply chain risks
- Align cybersecurity strategy with business objectives and risk appetite
- Ensure adequate resources and budget allocation for cybersecurity programs
Financial institutions should note that the FFIEC continues to issue periodic guidance on specific topics such as ransomware response, third-party risk management, and authentication controls. The CAT retirement does not signal reduced regulatory attention—rather, it directs institutions toward more comprehensive, mature frameworks like NIST CSF 2.0 and CISA Cybersecurity Performance Goals.
US — FTC Safeguards Rule
The FTC Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, auto dealers, and payday lenders, to implement a comprehensive security program to keep their customers' information safe.
Several new provisions of the Safeguards Rule went into effect in 2023 and remain the operative standard in 2026. Key requirements include:
- Multi-Factor Authentication: MFA is required for anyone accessing customer information, including desktop and server access—not just web applications. This means MFA must extend to SaaS platforms, cloud workstations, virtual desktops, and administrative access to on-premise servers.
- Encryption: Customer information must be encrypted both in transit and at rest.
- Designated Qualified Individual: Organizations must designate a qualified individual responsible for overseeing the information security program.
- Security Awareness Training: All personnel must receive regular cybersecurity training appropriate to their roles.
- Incident Response Plan: Organizations must develop, implement, and test incident response plans.
- Annual Risk Assessments: Comprehensive written risk assessments must be conducted at least annually.
US — NIST Cybersecurity Framework 2.0
The NIST Cybersecurity Framework (NIST CSF) was originally designed as voluntary guidance for businesses of all industries and sizes to manage cybersecurity risk. Published in 2014, the framework rapidly became a de facto global standard. The updated version, CSF 2.0, was released in February 2024 and addresses the evolution of technology toward cloud migration, SaaS adoption, and distributed work environments.
CSF 2.0 is particularly relevant for financial organizations that rely heavily on cloud infrastructure, third-party technology services, and hybrid workforce models. The framework provides a common language for discussing cybersecurity risk across business units, boards of directors, and regulatory agencies.
The New Govern Function
CSF 2.0 introduces a sixth function "Govern", which sits at the center of the framework and informs all other functions. Govern emphasizes:
- Cybersecurity governance structure and accountability chains
- Risk management strategy aligned with business objectives
- Cybersecurity supply chain risk management (C-SCRM)
- Roles, responsibilities, and authorities for cybersecurity activities
- Policies, processes, and procedures to manage cybersecurity risk
- Oversight of cybersecurity initiatives and performance
Implementation Resources
In 2025, NIST released extensive companion resources to support CSF 2.0 implementation, including:
- Implementation examples organized by use case
- Quick-start guides tailored to specific industry sectors, including a Financial Services Sector Profile that provides ready-made mappings for banks and fintech firms
- Community profiles that align CSF 2.0 with other frameworks like ISO 27001, DORA, and NIS2
- Searchable online resources for security leaders to identify relevant controls
NIST's Financial Services Sector Profile maps CSF 2.0 controls to common financial sector risks such as payment fraud, insider threats, supply chain compromise, and regulatory compliance obligations. This profile significantly reduces the effort required for financial institutions to adopt CSF 2.0.
Additionally, NIST finalized SP 800-63-4 (Digital Identity Guidelines) in late 2024, updating authentication assurance levels and providing detailed guidance on passkeys, FIDO-based authentication, and phishing-resistant credentials. Financial institutions should reference SP 800-63-4 when implementing MFA to ensure alignment with federal best practices.
While NIST CSF is a US framework, it has become a de facto global standard. Financial institutions in Europe, Asia, and Latin America increasingly adopt CSF 2.0 for interoperability with US partners and alignment with international standards like ISO 27001. The framework's flexibility and common language make it valuable for multinational organizations managing compliance across multiple jurisdictions.
Pro tip: Implement continuous authentication to validate user identity in real-time, ensuring security throughout the entire session. This type of adaptive authentication defends against risks related to stolen credentials and unauthorized access.
California — California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) which took effect in 2023, provides comprehensive privacy protections for California residents. CCPA/CPRA affects any company doing business with California residents that meets one of the following thresholds:
- Has gross annual revenues exceeding $25 million
- Buys, sells, receives, or shares personal information of 100,000 or more consumers or households annually (increased from 50,000 under original CCPA)
- Derives 50% or more of annual revenues from selling or sharing consumers' personal information
Expanded Rights and Obligations
CPRA significantly expanded CCPA by introducing:
- New consumer rights including the right to correct inaccurate personal information and the right to limit use of sensitive personal information
- Sensitive Personal Information (SPI) category with heightened protections for data such as Social Security numbers, financial account credentials, precise geolocation, biometric data, and health information
- Risk assessments required for high-risk processing activities
- Opt-out preference signals: Organizations must honor Global Privacy Control (GPC) browser signals
- Creation of the California Privacy Protection Agency (CPPA) with dedicated enforcement authority
Updated Penalties
As of 2025, intentional violations carry fines of $7,988 per violation (adjusted for inflation), while negligent violations carry fines of $2,663 per violation. These amounts are adjusted annually based on inflation. Critically, the 30-day cure period has been eliminated for intentional violations—the CPPA may assess fines immediately for willful non-compliance without providing an opportunity to remedy the violation.
Violations are calculated per affected consumer, meaning a single data breach affecting thousands of customers can result in multi-million dollar penalties.
Global Privacy Control Requirement
California and seven other states now require businesses to honor Global Privacy Control (GPC) signals—browser-based opt-out preferences that consumers can enable to communicate their privacy choices automatically. Financial institutions with consumer-facing websites and mobile apps must implement technical infrastructure to:
- Detect GPC signals from browsers and devices
- Process opt-out requests automatically without requiring manual consumer action
- Apply the opt-out preference across all services and platforms
- Document GPC signal handling in privacy policies
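The four steps above map onto a small amount of server-side logic. The following is an added example (not code from the original article or from HYPR) showing how a consumer-facing backend can detect the signal, record the opt-out automatically, share it across services through one store, and keep an audit trail for the privacy policy. It relies on the fact that GPC-enabled browsers send the request header `Sec-GPC: 1`, where only the exact value `1` means the signal is set; the `OptOutStore` class, its audit log format, and the consumer identifiers are assumptions constructed for this example.

```python
"""Server-side Global Privacy Control (GPC) handling (added example).

GPC-enabled browsers send the request header ``Sec-GPC: 1``. Only the exact
value "1" means the user has enabled the signal; any other value, or the
absence of the header, means no signal. The opt-out store, audit log and
consumer ids below are constructed for this example, not a real product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for an exact ``Sec-GPC: 1`` header (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class OptOutRecord:
    consumer_id: str
    opted_out_of_sale_sharing: bool
    source: str        # "gpc" (automatic) or "manual" (consumer used a form)
    recorded_at: str   # ISO 8601 UTC timestamp


@dataclass
class OptOutStore:
    """One shared store so the preference applies across every service and platform."""
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def apply_gpc(self, consumer_id: str, headers: Mapping[str, str],
                  now: Optional[datetime] = None) -> Optional[OptOutRecord]:
        """Record an opt-out automatically when the request carries GPC.

        Returns the record that now applies, or None when no signal was present.
        An existing opt-out is left as-is so repeated requests do not spam the log.
        """
        if not gpc_signal_present(headers):
            return None
        existing = self.records.get(consumer_id)
        if existing is not None and existing.opted_out_of_sale_sharing:
            return existing
        ts = (now or datetime.now(timezone.utc)).isoformat()
        rec = OptOutRecord(consumer_id, True, "gpc", ts)
        self.records[consumer_id] = rec
        # Audit line documents how the signal was honored (constructed format).
        self.audit_log.append(f"{ts} consumer={consumer_id} opt_out=sale_sharing source=gpc")
        return rec

    def may_share(self, consumer_id: str) -> bool:
        """Gate every sale/sharing flow on the stored preference."""
        rec = self.records.get(consumer_id)
        return not (rec is not None and rec.opted_out_of_sale_sharing)


if __name__ == "__main__":
    store = OptOutStore()
    # Constructed request headers as a GPC-enabled browser would send them.
    store.apply_gpc("consumer-123", {"Host": "example.test", "Sec-GPC": "1"})
    print("may share consumer-123:", store.may_share("consumer-123"))   # False
    print("may share consumer-456:", store.may_share("consumer-456"))   # True
    print("\n".join(store.audit_log))
```

The one design decision worth noting is that `gpc_signal_present` treats anything other than the literal `1` as "no signal" rather than as an opt-in: a missing or malformed header must never be read as consent to share.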
Broader US State Privacy Landscape
As of 2026, 20 US states have enacted comprehensive consumer privacy laws modeled on CCPA/CPRA, including Virginia, Colorado, Connecticut, Utah, Montana, Oregon, Texas, Delaware, Iowa, Indiana, Tennessee, Nebraska, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Rhode Island, and Maine. Financial institutions operating nationally should implement a unified privacy program that meets the strictest state requirements to ensure compliance across all jurisdictions.
EU — Payment Services Directive (PSD3) and Payment Services Regulation (PSR)
The European Union is advancing a major update to its payment services framework through a two-part package: the Payment Services Directive 3 (PSD3) and the companion Payment Services Regulation (PSR). The European Parliament and Council reached a provisional political agreement on November 27, 2025. A provisional political agreement means the institutions have agreed on the legislative text, but it still requires formal adoption and publication in the Official Journal of the EU.
Two-Part Structure
The updated framework consists of:
- PSD3 (Directive): Focuses on licensing, supervision, and payment system access rules. As a Directive, member states must transpose PSD3 into national law, allowing some flexibility in implementation.
- PSR (Regulation): Directly applicable EU-wide without transposition, covering Strong Customer Authentication (SCA), fraud prevention, liability rules, and consumer rights. As a Regulation, PSR will have immediate legal effect in all member states once it enters into force.
Key Changes Under PSR
- Mandatory Payee Name Verification: Payment service providers must implement real-time name-IBAN matching systems for all credit transfers. If the payee name does not match the associated IBAN, the PSP must refuse the payment and inform the payer. This is designed to combat authorized push payment (APP) fraud, where criminals trick victims into sending money to fraudulent accounts.
- Enhanced PSP Liability: If a payment service provider fails to implement appropriate fraud prevention mechanisms, it will be fully liable for covering customers' losses from unauthorized transactions. This shifts liability from consumers to PSPs when security controls are inadequate.
- Stricter Data Access Rules: The PSR clarifies rules around open banking API access, third-party provider obligations, and consent management for account information services.
- Updated Strong Customer Authentication: The PSR maintains and refines SCA requirements introduced under PSD2. SCA requires at least two of three authentication factors: something you know (password/PIN), something you have (mobile device/token), or something you are (biometric). This is why EU consumers routinely use mobile app confirmations or fingerprint scans for online payments.
Implementation Timeline
Final PSD3/PSR texts are expected to be published in the Official Journal of the EU in the first half of 2026. Once published, an 18-21 month implementation and transition period will begin. Full enforcement is therefore not expected until late 2027 or early 2028.
The mandatory payee name-IBAN verification requirement will require payment service providers to invest significantly in new infrastructure. This is particularly complex for cross-border payments and will necessitate integration with national IBAN registries and real-time verification systems. Payment service providers should begin infrastructure planning now to meet the expected 2027-2028 enforcement deadlines.
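To make the payee-name verification requirement concrete, here is an added example (not code from the original article, HYPR, or any PSP) of the two checks a payment service provider would run before a credit transfer: a structural IBAN check (the ISO 13616 mod-97 checksum, which catches typos before any lookup) and a comparison of the payer-supplied name against the account-holder name held for that IBAN. The `ACCOUNT_HOLDERS` directory, the `CLOSE_MATCH_THRESHOLD`, and the "close match" category (reported separately from a plain mismatch) are assumptions for this example; a real PSP would query its own ledger or a national verification service, and the payment is refused with a message to the payer on anything other than a full match, as the text describes.

```python
"""Payee name and IBAN verification before a credit transfer (added example).

1. iban_is_valid: ISO 13616 mod-97 check on the IBAN's structure.
2. verify_payee: compares the payer-supplied payee name with the name on file
   for that IBAN and accepts only on a full match; any other outcome refuses
   the payment and returns a message for the payer.
The account-holder directory is constructed sample data.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed lookup (hypothetical): IBAN -> account-holder name on file.
ACCOUNT_HOLDERS = {
    "GB82WEST12345698765432": "Example Ltd",
    "DE89370400440532013000": "Müller Handels GmbH",
}

CLOSE_MATCH_THRESHOLD = 0.85   # assumption for this example


def normalize_iban(iban: str) -> str:
    """Remove whitespace (users type IBANs in groups of four) and upper-case."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616: rotate the first 4 chars to the end, map A-Z to 10-35, result mod 97 == 1."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rotated = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rotated)
    return int(digits) % 97 == 1


def normalize_name(name: str) -> str:
    """Strip accents and punctuation, fold case, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", no_accents.casefold())
    return " ".join(cleaned.split())


def verify_payee(payee_name: str, iban: str, directory=ACCOUNT_HOLDERS) -> dict:
    """Decide whether the transfer may proceed; refuse on anything but a full match."""
    if not iban_is_valid(iban):
        return {"status": "invalid_iban", "accept": False,
                "message": "IBAN fails format or checksum validation"}
    held = directory.get(normalize_iban(iban))
    if held is None:
        return {"status": "unknown_account", "accept": False,
                "message": "No account holder on file for this IBAN"}
    given, on_file = normalize_name(payee_name), normalize_name(held)
    if given == on_file:
        return {"status": "match", "accept": True,
                "message": "Payee name matches the account holder"}
    ratio = SequenceMatcher(None, given, on_file).ratio()
    status = "close_match" if ratio >= CLOSE_MATCH_THRESHOLD else "no_match"
    return {"status": status, "accept": False,
            "message": f"Payee name does not match the account holder ({status}); payment refused"}


if __name__ == "__main__":
    for name, iban in [("Example Ltd", "GB82 WEST 1234 5698 7654 32"),
                       ("Mueller Handels GmbH", "DE89 3704 0044 0532 0130 00"),
                       ("Acme Corp", "GB82WEST12345698765432"),
                       ("Example Ltd", "GB82WEST12345698765433")]:
        print(name, iban, "->", verify_payee(name, iban))
```

The close-match band exists so the payer can be told that the name is nearly right (a transliterated umlaut, for instance) without the PSP silently accepting a transfer to an account whose holder name differs from what the payer intended; whether a close match is surfaced to the payer or simply refused is a product decision, not something the text prescribes.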
Key Deadline: H1 2026: Final PSD3/PSR texts expected to be published in the Official Journal. Formal enforcement not expected until approximately late 2027 after the transitional period.
EU — Network and Information Security Directive 2 (NIS2)
NIS2, or the Network and Information Security Directive 2, is an updated regulation from the European Union designed to strengthen cybersecurity across multiple industries. It became effective on October 17, 2024, but the transposition picture is complex and uneven. As of early 2026, approximately half of EU member states have completed transposition, while the rest remain in progress.
Key Requirements
NIS2 expands on the original NIS Directive by widening scope and imposing stricter rules on security practices and incident reporting. Under NIS2, entities in covered sectors must implement:
- Effective cyber risk management processes integrated with enterprise risk management
- Strong authentication and access controls, including multi-factor authentication (MFA) for internet-facing systems and VPN access
- Real-time threat monitoring and security operations capabilities
- Rigorous incident reporting to national Computer Security Incident Response Teams (CSIRTs) within 24 hours of detection (early warning), 72 hours (incident notification), and a final report within one month
- Business continuity and crisis management plans
- Security in network and information systems development and maintenance
- Supply chain security measures and third-party risk management
Importantly, NIS2 Article 21(2)(j) explicitly requires the use of multi-factor authentication and continuous authentication to protect network and information systems. The directive impacts not only major financial institutions but also smaller financial entities, payment services, and digital wallet providers.
ENISA Implementation Guidance
In June 2025, the European Union Agency for Cybersecurity (ENISA) published nearly 200 pages of detailed technical guidance clarifying what NIS2 compliance looks like in practice. This guidance covers:
- Specific MFA implementation standards for different system types
- Vendor oversight and supply chain security assessment methodologies
- Incident response plan templates and testing requirements
- Vulnerability management and patch deployment timelines
- Security monitoring and detection capabilities
Financial institutions should review ENISA's Technical Guidelines as a practical roadmap for achieving NIS2 compliance. The guidelines provide actionable detail that national authorities reference during inspections and audits.
EU Simplification Proposals
In January 2026, the European Commission proposed targeted amendments to NIS2 as part of the Digital Omnibus package, aimed at reducing compliance burden for approximately 28,700 companies, including 6,200 micro and small enterprises. Key proposals include:
- 'Report once, share many' single incident reporting mechanism consolidating NIS2, GDPR, eIDAS, DORA, and CER reporting obligations into a unified portal
- Streamlined registration processes for small entities
- Harmonized enforcement practices across member states
These simplification measures are expected to be finalized in 2027-2028 and would significantly reduce duplicate reporting burdens for financial institutions subject to multiple EU frameworks.
Key Deadline: April 2026: German entities must register with the BSI. Other member state deadlines vary—organizations should track requirements for each jurisdiction where they operate.
EU — Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) entered full application on January 17, 2025, making it one of the most significant pieces of financial services regulation in recent years. DORA is targeted specifically at increasing the operational resilience of the financial sector for businesses in the European Union and those serving EU-based customers.
DORA establishes a comprehensive framework for managing Information and Communication Technology (ICT) risk, which has become central to financial operations as institutions increasingly rely on cloud providers, software vendors, and outsourced technology services for core business functions.
Core Requirements
DORA imposes five categories of obligations on financial entities:
- ICT Risk Management: Financial entities must implement comprehensive ICT risk management frameworks covering governance, risk identification, protection and prevention, detection, response and recovery, learning and evolving, and communication.
- ICT-Related Incident Management and Reporting: Institutions must establish processes for monitoring, logging, categorizing, and reporting ICT-related incidents to competent authorities. Major incidents must be reported within tight timeframes.
- Digital Operational Resilience Testing: Regular testing is required, including vulnerability assessments, scenario-based testing, and—for systemically important entities—threat-led penetration testing (TLPT).
- ICT Third-Party Risk Management: Financial entities must establish frameworks for managing risks arising from third-party ICT service providers, including due diligence, contract requirements, and ongoing monitoring.
- Information Sharing: Arrangements for sharing cyber threat intelligence and best practices among financial entities.
Critical ICT Third-Party Provider (CTPP) Oversight
One of DORA's most significant innovations is direct regulatory oversight of Critical ICT Third-Party Providers (CTPPs). On November 18, 2025, the European Supervisory Authorities (EBA, EIOPA, ESMA) designated the first list of CTPPs—a landmark development that brings major cloud providers and technology vendors under direct EU supervision.
CTPPs are subject to:
- Direct oversight by the European Supervisory Authorities, including on-site inspections and audits
- Mandatory reporting on services provided to EU financial entities
- Requirement for non-EU ICT providers to establish an EU subsidiary within 12 months of designation
- Potential fines of up to EUR 5 million (or EUR 500,000 for individuals) for non-compliance
- Daily periodic penalty payments of up to 1% of average daily worldwide turnover for ongoing non-compliance
Threat-Led Penetration Testing (TLPT)
DORA mandates threat-led penetration testing (TLPT) at least every three years for systemically important financial entities. TLPT represents a more demanding standard than traditional penetration testing. It simulates realistic attack scenarios using tactics, techniques, and procedures (TTPs) observed in actual advanced persistent threat (APT) campaigns.
TLPT engagements typically involve:
- Red team operations simulating sophisticated attackers attempting to compromise critical systems
- Blue team defensive operations testing detection and response capabilities
- Testing of people, processes, and technology across the entire kill chain
- Scenarios based on intelligence about real threat actors targeting the financial sector
Financial institutions designated as systemically important should engage qualified TLPT providers and budget appropriately for these comprehensive assessments.
ICT Third-Party Registers
Financial entities were required to submit registers of all ICT third-party contractual arrangements to their national competent authorities by April 30, 2025. These registers must document:
- All ICT service providers and the services they provide
- Classification of services as critical or important
- Risk assessments for each third-party relationship
- Contract details including exit strategies and data recovery provisions
Organizations must maintain and update these registers on an ongoing basis as new vendors are onboarded or contracts change.
Penalties
DORA imposes significant penalties for non-compliance:
- Financial institutions: fines up to 2% of total global annual turnover
- CTPPs: fines up to EUR 5 million (or EUR 500,000 for individuals)
- Ongoing violations: daily fines of up to 1% of average daily turnover
Given these penalty levels and the January 2025 effective date, 2026 will see active supervisory oversight begin in earnest, including CTPP oversight activities, on-site inspections, and regulatory examinations of financial entities' ICT risk frameworks.
Key Deadline: DORA has been fully in effect since January 17, 2025. 2026 marks the first full year of enforcement, with supervisory oversight activities now underway.
EU — General Data Protection Regulation (GDPR)
All companies processing the data of European Union citizens are affected by the GDPR. The law determines how data is used and protected and governs how consent must be obtained for collecting it. Along with governing data usage, it also requires timely reporting of breaches that affect EU citizens.
For financial services cybersecurity, adhering to GDPR is essential. Total cumulative GDPR fines have exceeded EUR 6.7 billion as of December 2025. TikTok received a EUR 530 million fine in May 2025 for illegal data transfers to China.
The EDPB has announced its 2026 coordinated enforcement action will focus on transparency and information obligations under Articles 12-14. The EU AI Act's general-purpose AI provisions became effective August 2, 2025. High-risk AI system provisions become fully enforceable in 2026.
UK — Data Protection Act and UK GDPR
After the UK left the EU, it kept the GDPR, which it passed into law as the Data Protection Act (2018). It is roughly the same as the EU GDPR (amended for UK citizens) and carries the same requirements around data safety, consent and reporting, and the same fines for non-compliance.
Global - Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS covers the processors of payments from major credit and debit card companies. To achieve compliance, financial services cybersecurity programs must meet several obligations, such as protecting cardholder data, encrypting data in storage and transmission, and authenticating access to all system components. Breaches of the PCI DSS may result in fines and restrictions in using major credit cards.
PCI DSS 4.0.1 is the current operative version as of December 2024. It introduces no new requirements but clarifies formatting, corrects typographical errors, and adds interpretation guidance. All 51 previously future-dated requirements are now mandatory (since March 31, 2025). The '90-day password reset' and expanded MFA requirements cited in this article are now fully enforced.
New mandatory requirements include:
- Payment page script controls (Requirement 6.4.3), requiring organizations to control all scripts running in consumer browsers
- Automated technical solutions for public-facing web applications
- Quarterly vulnerability scans for SAQ-A e-commerce merchants by an Approved Scanning Vendor (ASV)
Key Deadline: March 31, 2025: All PCI DSS 4.0.1 requirements are now mandatory. Organizations still operating on 3.2.1 are in violation. PCI 3.2.1 was retired March 31, 2024.
Pro tip: Ensure compliance with Requirement 8.3.3 by using automated, high-assurance identity verification methods when resetting user credentials or authentication factors. This requirement mandates that a user's identity be verified before any authentication factor is modified, to prevent attacks that target the reset process.

Singapore — Monetary Authority of Singapore Notices on Cyber Hygiene
The Monetary Authority of Singapore (MAS) regulates financial institutions in the banking, capital markets, insurance and payments sectors. The MAS has issued a collection of notices on cyber hygiene, a set of legally binding requirements that financial institutions must meet to mitigate the growing risk of cyberthreats.
The cyber hygiene notices cover six key areas, which include securing administrative account access, regular vulnerability patching and mitigation controls for systems that cannot be patched, written and regularly tested security standards, perimeter defense systems, malware protection and multi-factor authentication for any system used to access critical information.
MAS issued Technology Risk Management (TRM) Guidelines updates and published a new Circular on the Responsible Use of AI in Finance in 2024. The cyber hygiene framework is evolving in alignment with global standards. MAS has emphasized third-party and supply chain risk management as a priority area, consistent with DORA and NIS2 themes globally.
Various U.S. State Biometric Laws
Multiple U.S. states have biometric privacy laws — such as the Illinois Biometric Information Privacy Act (BIPA) — that affect any company doing business with a resident of that state. These laws regulate collection and storage of biometric information, such as face scans, fingerprints, or voiceprints. The statutes point out that biometric identifiers are different from other types of sensitive information as they are biologically unique to the individual, and cannot be changed once compromised.
Consequences of Non-Compliance with Financial Cybersecurity Regulations
When businesses fail to comply with these financial cybersecurity regulations, they are subject to monetary penalties, increased regulatory scrutiny, and a higher risk of cybersecurity incidents. For example, the fines for NYDFS non-compliance can be $250,000 a day for ongoing non-compliance. These penalties and security incidents due to non-compliance also affect customer trust and the value of the brand. In 2022, Uber’s stock went down by 5% after its third data breach in three months.
Along with operational disruption and a loss in revenue, cybersecurity incidents may result in legal action months or even years after the incident, as in the case with the class action suit against CDK consumers from the MOVEit data breach.
Achieve Regulatory Compliance with Identity Assurance
The financial services sector is at high risk of cyberattacks due to the value of successful data breaches or account takeover attacks. To combat this, state, national and supranational governments and industry groups have introduced several financial services cybersecurity regulations to ensure best practice is deployed throughout the industry.
A common thread throughout much of the financial services cybersecurity regulations worldwide is the protection of data and stronger identity security systems. Financial services organizations globally, including two of the top four banks, rely on HYPR to secure their systems and achieve regulatory compliance.
HYPR combines FIDO2 passwordless MFA, continuous adaptive risk response and automated identity verification to secure finance organizations while improving user experience. Learn more about HYPR’s security certifications and how our identity assurance platform helps you comply with financial cybersecurity regulations worldwide.
Key Takeaways:
As financial institutions navigate the 2026 regulatory landscape, several themes emerge:
- 2026 is a major enforcement year: NYDFS Part 500, PCI DSS 4.0.1, and DORA are all in full enforcement mode with no grace periods remaining. Financial institutions should prioritize compliance audits, gap assessments, and remediation plans now.
- Universal MFA is table stakes: Across NYDFS, PCI DSS, NIS2, and other frameworks, multi-factor authentication is no longer optional for any access to any system. Passwordless, phishing-resistant MFA based on FIDO2 standards is rapidly becoming the expected baseline.
- Third-party risk is under the microscope: Regulators globally—through NYDFS TPSP guidance, PCI DSS TPSP requirements, DORA CTPP designations, and NIS2 supply chain obligations—are demanding active, ongoing vendor oversight. Financial institutions must map, assess, and continuously monitor all third-party ICT providers with access to systems or data.
- The EU regulatory landscape is converging: NIS2, DORA, GDPR, PSD3, and the EU AI Act all interact and overlap. Institutions operating in the EU should implement unified compliance programs that address all applicable frameworks in an integrated manner rather than treating each regulation in isolation.
- AI governance emerges as a new compliance domain: The EU AI Act, MAS AI Circular, and GDPR enforcement on algorithmic transparency signal that AI systems are now subject to regulatory scrutiny. Financial institutions using AI for credit scoring, fraud detection, or customer profiling must implement governance frameworks, fairness testing, human oversight, and explainability controls.
- Enforcement authorities are sophisticated and coordinated: Regulators share information, coordinate enforcement actions across jurisdictions, and increasingly use data analytics to identify non-compliant organizations. Compliance can no longer be approached as a checkbox exercise—it requires mature, risk-based cybersecurity programs with genuine board and executive oversight.
The regulatory trajectory is clear: cybersecurity requirements will continue to expand, enforcement will intensify, and penalties will grow more severe. Financial institutions that invest proactively in robust cybersecurity programs, modern identity security, and comprehensive third-party risk management will be best positioned not only to meet regulatory requirements but to protect their customers, their operations, and their reputations in an increasingly hostile threat landscape.
Michael Soohoo
Compliance Analyst, HYPR
Michael Soohoo is a Compliance Analyst at HYPR, where he ensures adherence to evolving cybersecurity regulations and standards. With a background in Information Technology and Computer Science from UMass Boston, Michael has contributed to HYPR's thought leadership by authoring articles on vendor risk assessments and financial services cybersecurity regulations. His work supports HYPR's mission to enhance identity assurance and compliance in the digital landscape.