IT Brief UK - Technology news for CIOs & IT decision-makers
United Kingdom
IO finds UK cyber managers doubt compliance model scales

IO finds UK cyber managers doubt compliance model scales

Wed, 15th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

IO has published research showing that only 35% of UK cybersecurity managers believe their current compliance model can scale to meet upcoming regulations. At the same time, 85% of organisations say they are prepared for new compliance requirements.

The findings point to a gap between broad confidence in regulatory readiness and confidence in the systems used to manage that workload over time. Among those surveyed, 50% said they were mostly prepared but would need to adjust their model, while 15% said notable changes would be required.

The study was based on a survey of 251 UK cybersecurity managers and senior practitioners. It examined readiness for new information security, data privacy and AI governance rules as businesses face growing regulatory demands across sectors.

Readiness gap

The figures suggest many businesses may be overestimating their ability to handle future compliance pressures. IO argued that organisations are more resilient when compliance is built into day-to-day operations rather than treated as a response to each new rule.

Chris Newton-Smith expanded on that view in comments accompanying the research. "Regulations are continuing to expand, and this isn't going to slow down anytime soon. Real resilience depends on having governance, oversight and compliance processes that can adapt as requirements change, allowing organisations to respond without repeatedly rebuilding their approach from scratch.

"The organisations best positioned for what's next are not treating each new regulation as a separate project. Instead, they're building governance and compliance capabilities that can support multiple frameworks and evolving requirements over time. This means new requirements don't arrive as a crisis but are absorbed into an existing structure. That's what enables organisations to keep operating, continue growing and maintain trust with customers, partners and regulators," said Chris Newton-Smith, Chief Executive Officer, IO.

The results also indicate that technology alone is not seen as enough to manage growing compliance complexity. When asked about interpreting complex regulatory requirements, 33% of respondents said human oversight is needed.

That reflects a continued reliance on specialist judgement in areas where rules may be open to interpretation or need to be applied to a company's specific operating model. The research also found that 26% of practitioners ranked clear executive accountability for compliance as the second strongest sign of genuine compliance resilience, while 22% pointed to experienced human oversight from employees.

Human oversight

These responses suggest that organisational structure and leadership remain central to compliance efforts. Senior ownership, experienced staff and internal governance were all presented as markers of whether a compliance programme can withstand new regulatory demands.

Newton-Smith said practitioners were signalling that point directly through their responses. "The fact practitioners themselves rank executive accountability and human oversight among the top markers of resilience is proof that compliance isn't just a technology problem. New regulations demand new skills, processes and ownership across the business. Automation speeds that up; it doesn't replace it.

"The organisations that build the human capability, alongside the tools, are the ones ready to scale. New regulations, security incidents and customer requests for assurance are no longer occasional events; they are ongoing tests of an organisation's ability to adapt and respond. The organisations best positioned to respond are those building scalable, adaptable compliance models proactively, rather than being forced to react under pressure. The question organisations need to answer is whether compliance is being treated as a project to be managed or a capability to be built. Organisations that have invested in scalable governance structures are generally better positioned to absorb new requirements as they emerge," said Newton-Smith.

The research comes as UK organisations face overlapping obligations in cybersecurity, privacy, operational resilience and AI governance. Companies are increasingly expected not only to meet current requirements, but also to update policies, controls and reporting processes as rules evolve.

IO pointed to established standards such as ISO 27001 as one route to structuring compliance activity across multiple requirements. It also cited links with ISO 27701 for privacy and GDPR obligations, ISO 22301 for business continuity and resilience requirements, including DORA and NIS2, and ISO 42001 for AI governance.

For businesses, the survey raises a broader question: are current compliance programmes designed to adapt, or simply to satisfy the next audit? Only around one in three cybersecurity managers said their present model is ready to scale.