Over the past five years, security and risk (S&R) professionals have experienced a flood of new cybersecurity regulations, with 170 countries now boasting cybersecurity and data protection laws. Leaders are left to decide which regulations apply, identify gaps, and implement controls — an onerous task as regulatory volume and the pace of change accelerate. Manual approaches leave many teams overwhelmed, risking noncompliance. To address these challenges, S&R leaders are increasingly adopting regulatory intelligence solutions. Regulatory intelligence solutions — a subset of the broader regulatory technology (regtech) market — automate the discovery, review, and analysis of regulatory obligations, highlighting regulatory developments and supporting the ongoing maintenance of compliance.
In the past, regulatory intelligence solutions acted as static regulatory content feeds into governance, risk, and compliance (GRC) platforms, leaving users to manually interpret requirements and determine actions. Our latest research, Use Regulatory Intelligence To Manage The Proliferation Of Cybersecurity Regulations, found that generative AI (genAI) has transformed this model: Users can now query and interrogate regulatory content directly and receive proactive, actionable guidance aligned to their GRC program. In 2026, regulatory intelligence:
Is moving from static regulatory research to faster and deeper AI-enabled understanding. GenAI allows real‑time delivery of regulatory updates, generating structured lists of obligations and enabling interactive exploration of regulatory intent. Many solutions now allow S&R professionals to query regulations using AI‑powered chatbots, significantly improving productivity and understanding. These capabilities enable teams to move away from static regulatory research to more dynamic, structured regulatory change management.
Sets the bar for how risk intelligence should be used across risk domains. Leading platforms embed regulatory risk intelligence, which analyzes enforcement actions, regulatory communications, and supervisory signals. This intelligence helps organizations anticipate regulatory priorities, which in turn leads them to proactively respond to regulator events. Most other enterprise risk domains, such as GRC, lack this level of signal-driven insight and struggle to translate risk signals into adaptive controls and mitigation plans. For example, enforcement reports are among the most widely used outputs, helping S&R professionals focus resources on the most important regulatory issues.
Is expanding beyond traditional financial services (FS) into additional verticals and emerging regions. One Middle Eastern telecoms industry customer said regulatory intelligence firms were only starting to realize that they must expand beyond FS into multiple languages and emerging markets, becoming viable replacements for manual research. Regulatory intelligence providers are expanding beyond their FS roots and adding new industry verticals and countries to the range of regulations they can support. Regulatory intelligence vendors have belatedly recognized that regulated critical-infrastructure sectors — such as utilities, transport, and telecoms — face similar regulatory burdens to their original FS customers. They also recognize that GRC vendors relying on their platforms need regulatory content providers to be able to service non-FS customers.
Is shifting from regulatory change monitoring to direct compliance enablement. Historically, regulatory intelligence focused on the initial components of regulatory change management: identifying and assessing changes in laws, regulations, and regulatory expectations. These vendors are now extending their scope to support policy-, control-, and operations-level compliance analysis against regulatory obligations. Adoption remains constrained by poor data quality across controls, policies, and risks within many GRC platforms, limiting the effectiveness of automated mapping. As GRC vendors improve risk data quality by investing in AI, this convergence will fully or partially remove significant compliance-related manual drudgery and misery.
Forrester customers can access the full report here or schedule a guidance session to discuss how these capabilities can supplement their GRC programs.
This blog post was written with Zaklina Ber, senior research associate.


















