NCC Group identifies sovereignty, AI oversight, and board accountability as cyber policy drivers

A new NCC Group report says cyber regulation is becoming more closely tied to geopolitics, national security, and executive oversight.
NCC Group graphic illustrating cyber policy, digital security, and regulation themes from the Global Cyber Policy Radar report

NCC Group has released the fifth edition of its Global Cyber Policy Radar, noting that cyber policy is no longer treated solely as a technical or compliance issue but is increasingly shaped by geopolitics, national security, and economic strategy.

The report identifies three trends driving that shift:

  • Digital sovereignty;
  • The use of existing cyber and digital rules to address AI security;
  • Growing board-level accountability for cyber risk.

NCC Group says governments are asserting greater control over data, digital infrastructure, critical technologies, and supply chains, while also placing more direct responsibility on senior leadership.

On AI, the report says governments are not necessarily creating entirely new legal frameworks, but are increasingly embedding AI-related expectations into existing cyber resilience, procurement, and digital safety rules. It points to developments including the EU AI Act, the UK Cyber Assessment Framework, and updates to public-sector procurement rules in Australia.

The report also says offensive cyber capabilities are moving closer to the centre of national security strategy. It points to recent US operations and policy developments in several European countries as signs of a broader shift towards more active cyber postures, while warning that differing national approaches could further fragment international cooperation.

Katharina Sommer, director of Government Affairs and Analyst Relations at NCC Group, said: ‘Cyber policy has become an extension of geopolitics. As trust between states erodes, cyber regulation is increasingly shaped by national security concerns, supply-chain risk and the use of cyber capabilities as a strategic tool.’

The report also lists regulatory frameworks, including NIS2, the Digital Operational Resilience Act, the Cyber Resilience Act, the EU AI Act, and the Cyber Incident Reporting for Critical Infrastructure Act, among the measures shaping the compliance landscape.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.