Regulation is Reshaping the Cyber Workforce

Authored by
GIAC Certifications

Despite its global importance, cybersecurity remains a relatively young industry—one that is evolving rapidly as it matures. Today, that evolution is being accelerated by a powerful force: regulation.

According to the SANS | GIAC 2026 Cybersecurity Workforce Report, 95% of cybersecurity managers say directives now impact their organization—up from just 40% a year ago. What was once a secondary consideration has quickly become a primary driver of how security teams are structured, hired, and validated.

This shift is reshaping the workforce in meaningful ways. Roles are becoming more standardized, skills validation is gaining urgency, and cybersecurity leadership is increasingly integrated into executive decision-making. In many organizations, compliance is no longer a downstream activity—it is influencing workforce strategy from the start.

The reality is that many of these directives are still new—some only a few years old, others less than a year. In many cases, the full consequences of non-compliance have yet to be realized. But governments worldwide are moving quickly, with the shared goal of protecting citizens and ensuring that cybersecurity practices, and the people behind them, meet defined standards.

Examples of these directives include:

  • NIS2 – Expands requirements across critical infrastructure in the European Union, including incident reporting and operational visibility into security teams.
  • DORA – Strengthens cybersecurity expectations specifically within the financial sector for the European Union.
  • CMMC – Establishes mandatory cybersecurity standards for U.S. Department of Defense contractors.
  • DoD 8140 – Defines role-based workforce requirements and skills validation across more than 75 cybersecurity roles for the U.S. military and contractors.
  • SEC Cyber Disclosure Rules – Require publicly traded companies to disclose material cyber incidents, increasing accountability at the executive level.

At the same time, new frameworks are emerging globally. In the United Kingdom, efforts to formalize professional standards are already taking shape. The GIAC Certified Incident Handler (GCIH) has been approved under the new Associate Cyber Security Professional (ACSP) designation—enabling practitioners to join the UK Cyber Security Professional Register and signal government-recognized competence and ongoing development.

Further changes are expected as the UK Cyber Security and Resilience Bill progresses, alongside similar efforts across the EU, Japan, the UAE, and beyond.

Historically, regulatory frameworks take years to fully mature. GDPR, for example, required nearly a decade before consistent global enforcement took hold. But the pace of today’s directives suggests a faster trajectory—one where organizations must prepare not only for compliance, but for continuous validation of workforce capability.

As these directives expand, one thing is becoming clear: cybersecurity is no longer just a technical discipline; it is becoming a regulated profession. Certifications and validated skills play an increasingly central role in demonstrating readiness, supporting audits, securing contracts, and even obtaining cyber insurance.

As part of the SANS ecosystem, organizations can access both expert guidance on navigating frameworks and directives and GIAC certifications that provide globally recognized, independent validation of real-world cybersecurity skills, helping organizations demonstrate workforce readiness in an increasingly regulated environment.

For more information, including insights from the SANS | GIAC 2026 Workforce Report, visit: https://www.sans.org/frameworks-and-directives.
