
The Security Priorities APAC And EMEA Leaders Doubled Down On — And Deprioritized — In H2 2025
Why It Matters
These shifts reflect tightening regulations and expanding attack surfaces, compelling organizations to allocate resources to governance, AI safeguards, and supply‑chain resilience, which directly affect risk exposure and compliance costs.
Key Takeaways
- GRC overtakes AI as top security priority
- Securing agentic AI becomes critical focus
- API and supply‑chain security surge in urgency
- EMEA prioritizes third‑party risk; APAC de‑emphasizes it
- APAC faces fragmented risk landscape across 42 themes
Pulse Analysis
Regulatory momentum across Europe and parts of Asia is reshaping security roadmaps, propelling governance, risk and compliance (GRC) to the summit of executive agendas in H2 2025. Leaders cite mounting obligations—from the EU’s Cyber Resilience Act to emerging data‑privacy statutes—that demand more than checkbox audits. To meet these expectations, organizations are turning to FAIR‑based quantification for business‑case justification, deploying regulatory‑intelligence platforms that automate policy updates, and replacing periodic reviews with continuous control monitoring. This shift not only eases audit fatigue but also translates compliance spend into measurable risk reduction.
Artificial intelligence’s rapid maturation has moved the conversation from adoption to containment, as security chiefs grapple with agentic systems that can act autonomously. The Forrester AEGIS framework offers a pragmatic playbook: map agent capabilities, enforce least‑agency principles, embed policy‑as‑code controls, and establish dedicated AI red‑team exercises. Companies are also revising incident‑response playbooks to include AI‑specific scenarios, ensuring that logs capture agent‑initiated actions and that vendor contracts require demonstrable safeguards. By treating AI as a distinct attack surface, firms can prevent unintended autonomy from amplifying breach impact.
API sprawl and software‑supply‑chain opacity have vaulted application security into the priority lane, especially as SBOM mandates gain traction under the EU’s Cyber Resilience Act. Security teams are integrating API protection with existing web‑application firewalls and DDoS defenses, while leveraging SBOM data to trace component provenance from development through production. Pragmatic DevSecOps practices—such as shift‑left testing and clear ownership matrices—help embed security early without stalling velocity. Meanwhile, regional nuances persist: EMEA’s heightened third‑party risk focus contrasts with APAC’s broader, fragmented risk portfolio, underscoring the need for tailored governance models.