Cybersecurity policy is no longer confined to theory or high-level debate. It directly shapes how organizations operate and, in turn, the skills cybersecurity professionals need to meet evolving requirements. Around the world, governments are responding to rising cyber threats by expanding their focus from protecting data to safeguarding critical infrastructure, life and safety.

In the recent ISC2 webinar, “Global Cybersecurity Regulations: What’s New and What’s Next,” Philip Stupak, Sr. Director of Advocacy, ISC2, and Patrick Bataillon, Director, U.S. Advocacy, ISC2, explored what these shifts mean for the cybersecurity workforce. A central theme emerged: organizations must meet expanding regulatory demands despite skills shortages, limited resources and unclear or changing guidance.

The Cybersecurity Skills Shortage Behind the Regulation Gap

As Stupak explained, the challenge is not just the rise in regulation, but the lack of clarity around the skills needed to meet those requirements. Governments are prioritizing Zero Trust, cloud security, AI and post-quantum cryptography, yet often fail to define the workforce capabilities required to implement them.

“We’re defining systems, but we’re not really defining them for people,” Stupak said. This gap creates uncertainty for professionals tasked with meeting evolving expectations without clear benchmarks for success.

This is where advocacy and the voices of ISC2 members play a critical role in shaping more practical, workforce-aligned policy.

U.S. Cybersecurity Regulations: A Shift to Skills and State-Level Action

In the United States, responsibility for cybersecurity is increasingly shifting from the federal government to the states. As Stupak noted, federal agencies like CISA may play a reduced central role as states take on more control. This shift creates a “laboratory of democracy,” with different approaches emerging across jurisdictions.

Some state-level policies remain broad, while others focus more specifically on sectors such as water, energy and healthcare. For cybersecurity professionals, this variability introduces both opportunity and complexity, as requirements, as well as the skills needed to meet them, can differ significantly by location.

At the same time, the federal government is advancing skills-based hiring. Updated Office of Personnel Management (OPM) guidance for GS-2210 roles removes degree requirements and emphasizes demonstrated skills. For ISC2 members, certifications aligned to those skills provide a clearer pathway into federal careers and reflect a broader market trend: skills are increasingly prioritized over traditional credentials.

Canadian Cybersecurity Regulation: A Policy Push with Workforce Implications

Canada is pursuing a more centralized regulatory approach, but it faces similar workforce challenges. Federal legislation such as the C-8 Bill (which passed Parliament and received Royal Assent on June 15, 2026) addresses telecommunications security and critical infrastructure, while provincial efforts like Ontario’s Bill 194 focus on sectors including education and healthcare.

These initiatives expand cybersecurity responsibilities across both government and industry, raising a familiar question: who will carry out the work?

As regulation advances, Canada is placing growing emphasis on workforce development, including certifications and skills-based hiring, to ensure organizations can meet new requirements.

EMEA Cybersecurity Regulations: Expanding Scope and Differing Approaches

Across Europe and the U.K., cybersecurity regulation is accelerating and expanding in scale. In the U.K., updates to frameworks such as the Cyber Security and Resilience (Network and Information Systems) Bill are progressing through Parliament, while the EU’s NIS2 directive significantly broadens the definition of critical infrastructure.

This expansion creates complexity, with some countries facing a dramatic increase in the number of entities under regulatory oversight. At the same time, regional approaches differ. Stupak noted that the Americas tend to favor risk-based models, while the EU often emphasizes compliance and auditing frameworks.

For professionals, these differences shape day-to-day responsibilities. Risk-based environments require judgment and prioritization, while compliance-driven models focus on documentation and adherence to defined standards. Regardless of approach, a consistent challenge remains: clearly defining the cybersecurity workforce skills needed at scale.

APAC Cybersecurity Regulations: Rapid Evolution and Strong Demand for Talent

In the APAC region, regulatory development is diverse and fast-moving:

  • India continues to take a sector-by-sector approach, creating variability but also opportunities in mature industries like finance
  • Singapore leads in cybersecurity maturity, emphasizing professionalization and clearly defined skills, while still facing strong demand for talent
  • Australia is rapidly advancing from strategy to implementation, actively building workforce capability following major cyber incidents
  • Japan is undergoing significant policy transformation, with new leadership structures, evolving cyber defense strategies and increased investment in workforce development

Across APAC, the trends are clear: expanding regulation, growing capability and sustained demand for skilled cybersecurity professionals.

What the Global Regulatory Landscape Means for ISC2 Members

Across all regions, one message stands out: cybersecurity is ultimately about people. Governments can establish policies and frameworks, but without a skilled workforce, those efforts cannot succeed.

That is why ISC2 continues to focus on defining roles, mapping skills and incorporating member perspectives into policy discussions. Whether supporting skills-based hiring, developing workforce models or engaging with policymakers, the goal is to ensure regulation reflects the realities of the profession.

Bataillon emphasized the importance of practitioner input: policymakers want to hear directly from those working in the field. ISC2 members bring essential, real-world insight that helps shape more effective and practical regulation.

As he noted, governments are building the future of cybersecurity policy, but that future depends on qualified professionals with the right skills. Ensuring organizations hire and develop that talent is critical.

Ultimately, global cybersecurity regulation impacts not only governments, but every professional responsible for protecting systems, infrastructure and people.

Key takeaways:

  • Skills-based hiring is gaining traction globally, particularly in government roles
  • Certifications are increasingly aligned to defined workforce needs, helping translate skills into career opportunities
  • Regulatory environments will continue to evolve, requiring adaptability and continuous learning
  • Practitioner input matters, as policymakers rely on real-world expertise to inform decisions

To hear the full discussion, watch the webinar on demand.
