Only One-Third of Businesses Feel Fully Prepared for Future Regulatory Requirements, IO Research Finds

While nearly all businesses say they are ready for upcoming regulations, only 35% of cybersecurity managers believe their current compliance model is fully prepared and able to scale, and 33% say human oversight remains essential when interpreting complex regulatory requirements

LONDON, U.K. –  17 July 2026 - With new information security, data privacy and AI governance regulations continuing to emerge across industries and regions, organisations are under increasing pressure to adapt their compliance programmes.

For financial institutions, scalable compliance has become increasingly important as organisations manage digital transformation, AI adoption, cyber resilience, and cross-border regulatory obligations. Banks and fintech firms are expected to maintain governance frameworks that can adapt to evolving supervisory requirements while supporting innovation and operational resilience.

New research from business resilience specialists, IO, reveals that while most organisations feel prepared for upcoming regulatory requirements, far fewer are confident that their current compliance model can scale effectively as demands continue to evolve.

Despite widespread confidence among businesses about their readiness for new regulations (85%), only 35% of cybersecurity managers in UK organisations believe their existing compliance model is robust enough to scale effectively. In contrast, nearly half (50%) say they are ‘mostly’ prepared, but their model will need adjustments, while 15% feel underprepared in that at the very least, notable changes will be required.

The findings reflect broader industry trends. Research from organisations including the World Economic Forum, Deloitte, and the Bank for International Settlements has highlighted that financial institutions are facing growing regulatory complexity as digital transformation, AI adoption, cyber risk, and cross-border operations continue to evolve. Increasingly, organisations are seeking governance models that can support multiple regulatory frameworks rather than responding to each new requirement independently.

These statistics reveal a key issue: the gap between perceived and actual readiness is where resilience either holds or breaks. Organisations that build compliance into how they operate, rather than bolting it on in response to each new regulation or requirement, are the ones best placed to absorb what comes next.

Chris Newton-Smith, CEO of IO, explains, “Regulations are continuing to expand, and this isn’t going to slow down anytime soon. Real resilience depends on having governance, oversight and compliance processes that can adapt as requirements change, allowing organisations to respond without repeatedly rebuilding their approach from scratch.

“The organisations best positioned for what's next are not treating each new regulation as a separate project. Instead, they're building governance and compliance capabilities that can support multiple frameworks and evolving requirements over time. This means new requirements don't arrive as a crisis but are absorbed into an existing structure. That's what enables organisations to keep operating, continue growing and maintain trust with customers, partners and regulators.” he adds.

Human expertise is still essential when it comes to new regulations

Human expertise is essential when absorbing new regulations into an existing compliance structure because the new rules rarely apply in a purely mechanical way. IO’s research shows that when interpreting complex regulatory requirements, 33% of respondents believe human oversight is needed – a figure highlighting that while automation can support efficiency, organisations still rely on human expertise to interpret regulatory requirements and apply them in the context of their specific operations.

Experienced practitioners play an important role in interpreting ambiguity, identifying potential compliance gaps, assessing operational impact and ensuring that compliance activities align with both regulatory obligations and broader business objectives.

This need for human input extends beyond individual expertise to how the wider organisation is structured. IO’s research found that practitioners ranked clear executive accountability for compliance (26%) the second strongest indicator of genuine compliance resilience, with a further 22% pointing to experienced human oversight from employees, signalling that resilience is built through people and ownership, not technology alone.

As Newton-Smith points out, “The fact practitioners themselves rank executive accountability and human oversight among the top markers of resilience, is proof that compliance isn’t just a technology problem. New regulations demand new skills, processes and ownership across the business. Automation speeds that up; it doesn’t replace it. The organisations that build the human capability, alongside the tools, are the ones ready to scale.

“New regulations, security incidents and customer requests for assurance are no longer occasional events, they are ongoing tests of an organisation's ability to adapt and respond. The organisations best positioned to respond are those building scalable, adaptable compliance models proactively, rather than being forced to react under pressure. The question organisations need to answer is whether compliance is being treated as a project to be managed or a capability to be built. Organisations that have invested in scalable governance structures are generally better positioned to absorb new requirements as they emerge”, adds Newton-Smith.

As regulatory expectations continue to evolve, organisations that build governance, compliance, and operational resilience into their core operating models are likely to be better positioned to support sustainable growth while maintaining trust with customers, regulators, and business partners.

Frameworks such as ISO 27001 can help organisations address this challenge by providing a structured, risk-based foundation that supports multiple regulatory requirements. Close alignment with complementary standards, including ISO 27701 for privacy and GDPR obligations, ISO 22301 for business continuity and resilience requirements such as DORA and NIS2, and ISO 42001 for emerging AI governance demands, can further help organisations reduce duplication, improve consistency and respond more efficiently as new obligations emerge.

Technology Dispatch

You can add a great description here to make the blog readers visit your landing page.