Home

Geopolitical pressures across the Middle East are generating legal and regulatory exposure that many businesses have yet to fully map. Sanctions realignments, conflict-driven capital flows and supply chain fragility are converging rapidly and the consequences of inaction are significant. This briefing flags eight areas where we are seeing acute client exposure. It is not a compliance guide. It is a prompt to ask the right questions.

UK regulators have not yet fully exercised the breadth of their powers to address shortcomings in organisational cyber‑security measures—but that restraint is unlikely to continue. The policy statements published on 18 March 2026 by the FCA, PRA and Bank of England, introducing a new single regime for operational incident and third‑party reporting, signal the direction of travel. The framework—under which firms must report serious cyber and operational incidents through a unified portal and provide structured information on their critical third party (CTP) dependencies—reflects the UK regulators’ sharpened focus on digital risk, system resilience, and their recognition of the vulnerabilities inherent in  complex technological supply chains. This shift sits alongside the UK government’s broader agenda. As the Cyber Security and Resilience (Network and Information Systems) Bill (NIS Bill) progresses and HM Treasury (HMT) prepares to designate major technology providers as CTPs using its FSMA powers, firms can expect a step‑change in supervisory expectations. Cyber‑security, data protection and operational resilience disciplines must now operate as a single, evidence‑based ecosystem capable of withstanding assertive regulatory challenge. The coming year will require firms not only to demonstrate alignment on paper, but to evidence—consistently and credibly—that controls work in practice. This article is the first in our three part Emerging Themes in Financial Regulation & Disputes 2026 series. We examine the evolving regulatory and risk landscape shaping cyber and operational resilience expectations for the year ahead—and set out practical priorities for financial services firms seeking to respond proactively. Our accompanying articles will examine (i) the evolving cyber litigation risks facing financial services firms and (ii) operational resilience and the growing influence of CTP designations.

On 30 March 2026, the Dubai Executive Council approved a package of economic support measures totalling AED 1 billion (approximately USD 272.3 million), aimed at strengthening business resilience and easing financial pressures on companies operating in Dubai. The measures were approved by His Highness Sheikh Hamdan bin Mohammed bin Rashid Al Maktoum, Crown Prince of Dubai and Chairman of the Dubai Executive Council.