Tech policy trends to watch in 2026

As 2026 gets underway, the fault lines shaping the next phase of digital governance are becoming clearer. From youth online safety battles that raise new questions about consent and children's rights, to state-driven AI legislation and the emerging quantum race that is redefining national security and the future of encryption, the year ahead will test how quickly lawmakers and the tech industry can adapt to rapidly shifting technological risks. This report brings together insights and predictions from legal experts, academics and industry executives, who shared with S&P Global Market Intelligence which regulatory trends are poised to reshape privacy, security and digital infrastructure.

Front lines of digital privacy, safety legislation expand for children

Online safety for children is positioned to remain one of the most durable tech policy issues in 2026. Cobun Zweifel-Keegan of The International Association of Privacy Professionals Inc. expects Congress to continue debating dozens of youth privacy and online safety proposals. Some, such as the Kids Online Safety Act, are returning with new momentum, while others introduce rules aimed at emerging harms, including generative AI chatbots used by minors. Age verification, First Amendment limits and defining age-appropriate content will be central points of contention. Zweifel-Keegan said 2026 may be the year a COPPA 2.0 package advances.

"The focus on young people, including both children and teens, will continue to raise questions about whether such protections for this vulnerable group should also be extended to other consumers," Zweifel-Keegan said. "For example, why should harms from chatbots only be addressed for these users and not others?"

Sonia Livingstone, a scholar of children's digital rights at The London School of Economics and Political Science, said policymakers must recognize that effective regulation requires both understanding how children perceive digital environments and what capacities they have to meaningfully consent. Her warning reflects growing global pressure for online safety frameworks that incorporate children's developmental needs rather than treating them as miniature adults.

"With growing concerns over children's online privacy and the commercial uses of their data, it is vital that children's understandings of the digital environment, their digital skills and their capacity to consent are taken into account in designing services, regulation and policy," Livingstone wrote.

Enforcement trends are also shifting as all 19 comprehensive US state privacy laws activate. Zweifel-Keegan expects several attorneys general to distinguish themselves despite uneven budgets. On the federal level, the Federal Trade Commission (via the Take It Down Act, which obliges the removal of explicit adult content) and US Department of Justice (via rules governing foreign access to personal data) could bring cases under these new parameters for the first time in 2026. Zweifel-Keegan's IAPP colleague Joe Jones noted regulators and individuals are increasingly turning to narrower laws such as the Electronic Communications Privacy Act and Stored Communications Act of 1986 and the 1988 Video Privacy Protection Act, even without a federal privacy statute.

"A lack of consensus on how to implement age verification technologies in a way that's effective, privacy-preserving, and without burdensome friction in the online experience is all going to grow in complexity," Jones said.

An accelerated timeline for AI governance

The battle over how states can or should regulate AI started in 2025 — but it will largely play out in 2026.

In December 2025, US President Donald Trump signed an executive order titled "Ensuring a National Policy Framework for Artificial Intelligence" that directs multiple federal agencies to take steps to challenge or preempt state AI laws and regulations. The order also directs Congress to pass federal legislation that both preempts certain state laws while still ensuring that "children are protected, censorship is prevented, copyrights are respected, and communities are safeguarded."

Yakir Golan, CEO of Kovrr, a cyber risk assessment tool that financially quantifies cyber and AI risk, noted that a single national standard would simplify an increasingly fragmented system of state and local requirements. A unified framework would also raise the bar for enforcement.

"Once federal expectations are unified, regulators will demand evidence that AI governance programs function at scale across the entire enterprise, which will likely be problematic for organizations that only have written policies," Golan said. "They will, instead, need verifiable insights regarding their AI assets, including what data they interact with and the maturity of the safeguards that surround them."

Even without a comprehensive federal AI framework in effect yet, firms are preparing for a more demanding regulatory year. Amid expected legal challenges to the executive order and carve-outs in its language, Robert Cruz, vice president of information governance at Smarsh Inc., expects US states to continue driving AI legislation.

"We are seeing firms face AI sprawl, with different teams adopting tools independently and creating fragmented systems," Cruz said. "That makes it harder to oversee compliance and increases the chance of errors or manipulation. In 2026, the strongest firms will be those that prioritize data lineage and integrity as much as they focus on the tools themselves."

While the order specifically calls out Colorado's AI Act — the nation's first comprehensive AI law at the state level — as problematic, the order exempts state AI laws relating to child safety, AI compute and data center infrastructure, state government procurement and use of AI.

Meanwhile, enterprises are not sitting still, with the operationalization of AI governance accelerating in 2025. Chanley Howell, partner at Foley & Lardner LLP, said clients moved from drafting internal policies to embedding governance through workflows, contracting standards and risk-scoring frameworks. In-house legal teams became the gatekeepers for AI use, with growing demand for contractual disclosures, bias testing warranties and audit rights. Howell also pointed to the growing intersection between AI governance and infrastructure planning, including energy needs, data center constraints and ESG considerations.

Looking to 2026, Howell expects contractual requirements for AI governance to strengthen and third-party AI assurance providers to become more prominent.

"Important developments will center around contractual requirements for AI governance, the rise of third-party AI assurance providers, and the emergence of unauthorized AI use — 'shadow AI' — as increasingly contributing to compliance challenges," Howell said.

Quantum competition, regulation enters pivotal period

Quantum networking, post-quantum security and international competition are poised to become central regulatory issues in 2026. Qunnect Inc. CEO Noel Goddard noted that quantum networking is already moving from lab systems to real operational deployments on existing telecom fiber. Federal investment, however, still leans heavily toward computing research rather than networking hardware, she added. Goddard also emphasized that China invested in quantum communications long before the US and now holds a meaningful lead in secure network infrastructure.

"Policy wise, it's time for the US to have capability as a nation across all quantum verticals," Goddard said, "especially those in which we know that our technology is going to be competing directly with those of other nation states."

This gap is a strategic concern for John Prisco, a quantum consultant at Toshiba Corp. and CEO of Safe Quantum. While he acknowledged the US currently leads in quantum computing hardware, he echoed Goddard's assessment that China is well ahead in building Quantum Key Distribution (QKD) networks, which was underscored by a Congressional report from the US-China Economic And Security Review Commission. Prisco also argued that the expiration of the 2018 Quantum Act in 2023 weakened federal momentum and that a renewed framework could be enacted in 2026. He warned that government agencies are focused almost entirely on post-quantum cryptography (PQC), even though many critical sectors lack the capacity to deploy PQC at scale without QKD as a complementary layer.

"It's about being proactive, not reactive," Prisco said. "Congress has the opportunity to act by reenacting the National Quantum Initiative Act and making sure American innovation and national security don't fall behind in the quantum race."

Chris Hickman, chief security officer of Keyfactor Inc., reinforced the urgency of quantum-era risk for businesses. Nearly half of enterprises report that they are unprepared for this risk, and only 42 percent are actively addressing it, he said.

Hickman expects more vendors to release products with post-quantum capabilities — encryption schemes designed to resist quantum cyberattacks — in 2026, which will reveal sharp differences between organizations that have been planning for cryptographic migration and those that have delayed action.

"The window for a safe, cost-efficient transition is closing faster than most realize," Hickman said. "Forward-leaning enterprises have already accepted that the technology is here — and are shifting from developing algorithms and building technology stacks to meeting compliance requirements and strengthening cybersecurity resilience by becoming more agile with cryptography."