Regulation is Reshaping the Cyber Workforce

Authored by
GIAC Certifications

Despite its global importance, cybersecurity is a relatively young industry, and it is evolving rapidly as it matures. Today, that evolution is being accelerated by a powerful force: regulation.

According to the 2026 Cybersecurity Workforce Research Report by SANS | GIAC, 95% of cybersecurity managers say directives now impact their hiring practices, up from just 40% a year ago. What was once a secondary consideration has quickly become a primary driver of how security teams are structured, hired, and validated.

This shift is reshaping the workforce in meaningful ways. Roles are becoming more standardized, skills validation is gaining urgency, and cybersecurity leadership is increasingly integrated into executive decision making. In many organizations, compliance is now influencing workforce strategy from the start, rather than being a downstream activity.

The reality is that many of these directives are still new; some are only a few years old, and others less than a year old. In many cases, the full consequences of non-compliance have yet to be realized. However, governments worldwide are moving quickly, with the shared goal of protecting citizens and ensuring that cybersecurity practices, and the people behind them, meet defined standards.

These are some examples of current directives:

  • NIS2 expands requirements across critical infrastructure in the European Union, including incident reporting and operational visibility into security teams.
  • DORA strengthens cybersecurity expectations specifically within the financial sector for the European Union.
  • CMMC establishes mandatory cybersecurity standards for U.S. Department of Defense contractors.
  • DoD 8140 defines role-based workforce requirements and skills validation across more than 75 cybersecurity roles for the U.S. military and contractors.
  • SEC Cyber Disclosure Rules require publicly traded companies to disclose material cyber incidents, increasing accountability at the executive level.

At the same time, new frameworks are emerging globally. In the United Kingdom, efforts to formalize professional standards are already taking shape. The GIAC Certified Incident Handler (GCIH) certification has been approved under the new Associate Cyber Security Professional (ACSP) designation. This enables practitioners to join the UK Cyber Security Professional Register and signal government-recognized competence and ongoing development.

Further changes are expected as the UK Cyber Security and Resilience Bill progresses, alongside similar efforts in the EU, Japan, the UAE, and other governments worldwide.

Historically, regulatory frameworks take years to fully mature. GDPR, for example, required nearly a decade before consistent global enforcement took hold. But the pace of today’s directives suggests a faster trajectory, where organizations must prepare for continuous validation of workforce capability.

As these directives expand, one thing is becoming clear: cybersecurity is becoming a regulated profession. Certifications and validated skills play an increasingly central role in demonstrating readiness, supporting audits, securing contracts, and even obtaining cyber insurance.

As part of the SANS ecosystem, organizations can access expert guidance on navigating frameworks and directives, as well as GIAC certifications that provide globally recognized, independent validation of real-world cybersecurity skills, helping organizations demonstrate workforce readiness in an increasingly regulated environment.

For more information, visit https://www.sans.org/frameworks-and-directives, and gain in-depth insights on regulation from the 2026 Workforce Research Report by SANS | GIAC.
