Organizations today operate under a substantial number of IT and cybersecurity compliance obligations. By defining requirements for areas such as access control, incident response, encryption, governance, and vendor management, compliance standards help reduce the likelihood and impact of cyberattacks, support regulatory and legal obligations, and build trust in digital ecosystems.
5,000 IT and cyber leaders share their compliance experiences
To shine a light on the IT and cybersecurity compliance reality facing organizations today, Sophos commissioned an independent survey of 5,000 IT and cybersecurity leaders across 17 countries and a broad range of public and private sector industries. Conducted in early 2026, key findings include:
- Multiple regulatory obligations: Respondents report adhering to 5 compliance standards on average (median), underscoring the breadth of regulatory obligations across regions and industries.
- Widespread non-compliance concerns: 82% of leaders are concerned that their organization may not be fully compliant with all necessary regulations and requirements, with almost a quarter (24%) very concerned. Just 18% report being unconcerned about their compliance status.
- Significant resourcing overhead: 39% of the IT and cybersecurity team’s time is spent on compliance-related activities.
- Difficulties keeping up: 79% of organizations find it challenging to keep up with changes in compliance requirements, with 19% saying it is “very challenging.”
- Smaller businesses are disproportionately impacted: Smaller companies face a similar volume of compliance frameworks as larger ones, but with fewer resources and less expertise to deliver them.
Industry and geography play a role
Across 17 countries in the Americas, EMEA, and Asia Pacific, and 15 different industries, the most cited regulations include:
- ISO 27001/2: 51.2% of respondents
- GDPR: 40.4% of respondents
- CIS: 29.7% of respondents
- NIST CSF: 23.8% of respondents
- PCI DSS: 23.1% of respondents
- HIPAA: 21.7% of respondents
- DORA: 19.8% of respondents
- NIS2: 16.1% of respondents
While these represent the most frequently cited standards overall, adoption varies significantly by industry and region.
For example, 66% of organizations in the distribution and transport sector cited ISO 27001/2, compared with 38% in state and local government. Similarly, 60% of businesses in Spain aim to comply with ISO 27001/2, compared with 35% in Mexico, and 30% of organizations in the U.S. comply with NIST CSF, compared to 13% in Australia.
Compliance today: Three key takeaways
The survey findings show that the compliance burden on organizations is high and maintaining compliance is an ongoing challenge. Key takeaways for IT and cybersecurity leaders include:
Compliance complexity is outpacing IT capacity
Maintaining compliance with one regulatory standard is tough; managing compliance across five is a huge task for any organization. Many frameworks require similar information, resulting in high levels of duplicative work for those involved. And with eight in 10 organizations (79%) finding it challenging to stay up to date with changes in compliance requirements, it’s clear that IT and cybersecurity teams are struggling to keep up.
Compliance has a major impact on resourcing
Compliance‑related activities can range from understanding regulatory requirements and implementing required controls, to reporting adherence status. With two fifths of the typical IT and cybersecurity team’s time dedicated to compliance efforts, it’s essential that organizations put in place the right level of resourcing to meet their compliance obligations and the wider IT and cybersecurity needs of the business.
Lack of visibility creates compliance and security blind spots
It’s not enough to think you are compliant — you need to know that you are. However, with 82% of IT and cybersecurity leaders concerned that they may not be fully compliant with all necessary regulations and requirements, it’s clear that teams are lacking the visibility they need to be sure of their compliance status. Without full visibility, organizations also run the risk of being blind to security and operational gaps that increase their risk of experiencing cyber incidents and data loss.
Maintaining ongoing compliance with multiple regulatory and compliance standards is a major undertaking for all organizations, and particularly for smaller businesses, which are disproportionately impacted by the financial overhead of hiring additional headcount to manage multiple, evolving regulations. With compliance requirements likely to grow in volume and complexity, organizations should consider how best to support their ongoing compliance obligations, including the possibility of working with external specialists who can provide expertise and resourcing support.