In the second half of 2025, security and risk leaders in APAC and EMEA continued to grapple with familiar pressures, but they reprioritized how they address them. While AI, governance, risk and compliance (GRC) and third-party risk management (TPRM) stayed stubbornly on top of the charts, application security and security organization structure resurfaced with new urgency, and topics such as quantum security and human risk management took a back seat, for now. These shifts reflect a constantly changing reality: intensifying regulatory expectations in Europe, the emergence of agentic AI with less predictable behavior and an expanding software supply chain driven by accelerated AI and low-code adoption. Our latest Executive Spotlight: Top Priorities For APAC And EMEA Security And Risk Leaders, H2 2025, analyses hundreds of requests for guidance from our security and risk (S&R) Forrester Decisions clients to reveal where leaders doubled down, and where they deprioritized (see Figure 1).
The Top Three Cross‑regional Priorities
While leaders faced many of the same pressures now as they did in the first half of 2025, the nature of their guidance requests shifted toward stronger governance, sharper AI risk management, and a renewed focus on application and software supply chain security. Three areas define the priorities for APAC and EMEA security and risk leaders in H2 2025:
GRC rises to the top as regulatory pressure accelerates. Many may be surprised to hear that AI slipped from the number one spot, making way for GRC as the top priority for EMEA and APAC S&R leaders. GRC dominated the requests as leaders face accelerating regulatory obligations and geopolitical instability. Many are frustrated by GRC technology that is expensive, difficult to implement, and underinvested in automation and AI. Their questions focus on which technologies meaningfully improve governance, how to quantify cybersecurity program value, and how to report risk and performance to boards.
To make progress despite tooling limitations, S&R leaders should use FAIR‑based quantification to articulate program value, adopt regulatory intelligence to streamline compliance workflows, and implement continuous control monitoring to replace outdated periodic audits.
AI risk evolves from adoption to securing agentic systems. While AI remains among the top priorities, the focus shifted from leaders wanting to know how to adopt generative AI safely in H1 to H2's key challenge: securing agentic AI. This shift reflects deeper operational and threat-surface concerns. Leaders are asking how to design guardrails that prevent excessive autonomy, how to red-team AI systems, and how to prepare for AI-specific incident response.
Use Forrester’s AEGIS framework as a practical way to map agent risks, enforce least agency, implement policy‑as‑code controls, and monitor agent‑initiated access. Review your vendor‑provided agents to ensure vendors have implemented adequate safeguards.
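As an added illustration of what "least agency", policy-as-code and monitoring agent-initiated access can look like in practice (this is example code written for this page, not Forrester's AEGIS framework or any vendor's product), the gate below declares, as data, which tools each agent may call and under which parameter constraints, denies everything not listed, and writes every agent-initiated access to an audit log. The agent names, tool names and policy values are constructed for the example.

```python
"""Least-agency policy gate for agent tool calls.

Added example for illustration only; not AEGIS, not a vendor's code.
Agents, tools and constraints below are constructed, not from any real system.
"""
from dataclasses import dataclass, field
from typing import Any
from urllib.parse import urlparse

# Policy-as-code: per agent, an explicit allowlist of tools, each with
# parameter constraints. Anything not listed is denied by default.
POLICY = {
    "ticket-triage-agent": {
        "jira.read_issue": {},
        "jira.comment": {"max_len": 2000},
        "http.get": {"allowed_hosts": {"status.example.com"}},
    },
    "finops-agent": {
        "cloud.list_instances": {},
        "cloud.stop_instance": {
            "allowed_tags": {"env": {"dev", "test"}},  # never prod
            "max_per_run": 3,                           # blast-radius cap
        },
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyGate:
    policy: dict
    audit_log: list = field(default_factory=list)
    _counts: dict = field(default_factory=dict)

    def evaluate(self, agent: str, tool: str, args: dict[str, Any]) -> Decision:
        """Decide on one tool call and record it, allowed or not."""
        decision = self._decide(agent, tool, args)
        self.audit_log.append({
            "agent": agent, "tool": tool, "args": args,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, agent: str, tool: str, args: dict[str, Any]) -> Decision:
        tools = self.policy.get(agent)
        if tools is None:
            return Decision(False, "unknown agent")
        if tool not in tools:
            return Decision(False, f"tool {tool} not in allowlist")
        c = tools[tool]
        if "max_len" in c and len(str(args.get("body", ""))) > c["max_len"]:
            return Decision(False, "body exceeds max_len")
        if "allowed_hosts" in c:
            host = urlparse(str(args.get("url", ""))).hostname
            if host not in c["allowed_hosts"]:
                return Decision(False, f"host {host} not allowed")
        if "allowed_tags" in c:
            tags = args.get("tags", {})
            for key, allowed in c["allowed_tags"].items():
                if tags.get(key) not in allowed:
                    return Decision(False, f"tag {key}={tags.get(key)} not allowed")
        if "max_per_run" in c:
            n = self._counts.get((agent, tool), 0) + 1
            if n > c["max_per_run"]:
                return Decision(False, "per-run budget exhausted")
            self._counts[(agent, tool)] = n
        return Decision(True, "ok")


if __name__ == "__main__":
    gate = PolicyGate(POLICY)
    gate.evaluate("finops-agent", "cloud.stop_instance",
                  {"id": "i-1", "tags": {"env": "prod"}})
    gate.evaluate("ticket-triage-agent", "http.get",
                  {"url": "https://attacker.example.net/"})
    for entry in gate.audit_log:
        print(entry["agent"], entry["tool"], entry["allowed"], entry["reason"])
```

The point of the design is that the agent never sees a denial it can argue its way around: the gate sits between the model and the tool runtime, the policy is reviewable data rather than prompt text, and the audit log is what you monitor for agents probing beyond their allowlist.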
API and software supply chain security surge in urgency. API sprawl, SBOM mandates (such as the EU Cyber Resilience Act), and stalled DevSecOps advancement have pushed application security onto the priority list in both regions. Leaders want to distinguish meaningful API protection from vendor noise, integrate API security with WAF and DDoS capabilities, and manage component risk as software moves from development to production.
Map required API capabilities to their architectures, use SBOMs for transparency and compliance, and adopt pragmatic DevSecOps practices that embed security earlier and clarify team responsibilities.
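To make "use SBOMs for transparency" concrete, here is an added example (not the page's or any vendor's tooling) that reads a small CycloneDX SBOM, resolves each component's package URL, and flags components that fall below an advisory's fixed version or that ship without a parseable purl at all. The SBOM, the package names and the advisory identifiers are all constructed for the example; the version comparison is deliberately simple (dotted integers only) and is not a full semver or PEP 440 implementation.

```python
"""Flag SBOM components against an advisory list.

Added example for illustration only. The SBOM document, package names and
advisory IDs below are constructed, not real packages or real vulnerabilities.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM for a small web service.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-logger", "version": "1.4.2",
     "purl": "pkg:npm/example-logger@1.4.2"},
    {"type": "library", "name": "example-yaml", "version": "3.0.0",
     "purl": "pkg:pypi/example-yaml@3.0.0"},
    {"type": "library", "name": "example-jwt", "version": "0.9.1",
     "purl": "pkg:npm/example-jwt@0.9.1"},
    {"type": "library", "name": "vendored-blob"}
  ]
}
"""

# Constructed advisories: every version strictly below fixed_in is affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "type": "npm", "name": "example-logger", "fixed_in": "1.4.3"},
    {"id": "ADV-EXAMPLE-2", "type": "pypi", "name": "example-yaml", "fixed_in": "2.9.0"},
]

# pkg:<type>/<namespace/name>@<version>[?qualifiers][#subpath]; the '@' in a
# scoped npm name is percent-encoded in a purl, so splitting on '@' is safe.
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")


def parse_purl(purl: str):
    """Return (type, name, version) or None if the purl is unusable."""
    m = PURL_RE.match(purl)
    return (m.group("type"), m.group("name"), m.group("version")) if m else None


def version_key(v: str) -> tuple:
    """Dotted-integer comparison key; assumption: no pre-release tags."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def flag_components(sbom: dict, advisories: list) -> list:
    """Return one finding per affected or unidentifiable component."""
    index = {(a["type"], a["name"]): a for a in advisories}
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        parsed = parse_purl(purl) if purl else None
        if parsed is None:
            # An SBOM entry you cannot identify cannot be checked against anything.
            findings.append({"name": comp.get("name"),
                             "issue": "no parseable purl/version"})
            continue
        ptype, name, version = parsed
        adv = index.get((ptype, name))
        if adv and version_key(version) < version_key(adv["fixed_in"]):
            findings.append({"name": name, "version": version,
                             "issue": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


def scan(sbom_json: str = SBOM_JSON, advisories: list = ADVISORIES) -> list:
    return flag_components(json.loads(sbom_json), advisories)


if __name__ == "__main__":
    for f in scan():
        print(f)
```

Note that the unidentifiable component is reported as a finding in its own right: an SBOM that lists components without a purl or version gives transparency in name only, and that gap is the kind of thing a CRA-driven SBOM review should surface before the artifact reaches production.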
Geographic Differences That Matter
My team and I work across five countries and three continents, which gives us a front-row seat to how geography continues to shape security and risk priorities. While APAC and EMEA leaders shared five of the top six priorities in H2 2025, regional regulatory pressure, operating models and team capacity still influenced how these priorities were weighted and sequenced. Two differences stood out in particular:
TPRM splits the regions. EMEA leaders are heavily prioritizing third‑party risk management due to DORA, NIS 2, GDPR, and rising litigation pressure. In APAC, where third‑party risk is typically addressed through outsourcing or operational resilience guidelines rather than prescriptive regulation, organizations feel more able to deprioritize it. Smaller S&R teams also make the procedural weight of TPRM difficult to absorb.
APAC priorities are more fragmented. EMEA submitted 170 H2 requests clustered around about a dozen themes, making it easier to identify clear priority areas. Not so for APAC leaders, who submitted 81 questions spread across 42 themes ranging from application to endpoint to quantum to IoT and cloud. This breadth indicates that APAC CISOs are often required to address a wider set of risks simultaneously, increasing the importance of deliberate prioritization.
Let’s Connect
Use these insights to benchmark your roadmap against these priorities, refocus your efforts, and strengthen sequencing. Forrester's APAC and EMEA S&R clients who have questions about risk-, security-, or privacy-related topics can connect via inquiry or guidance session with our experts: Jinan Budge, Paul McKay, Tope Olufon, Madelein van der Hout, Enza Iannopollo, and Meng Liu.