For much of the past two decades, multinational companies operated under a working assumption that, despite local variation, global regulation was slowly moving toward convergence. Accounting standards aligned, privacy regimes diffused, sustainability frameworks multiplied with harmonization as their stated aim and competition authorities expanded cross-border cooperation. That assumption is no longer reliable. During 2026, boards of directors will necessarily confront a landscape defined less by convergence than by regulatory divergence: overlapping but inconsistent regimes governing sustainability, artificial intelligence (AI), data protection, antitrust and national security. Regulatory divergence is not only increasing compliance burdens, but it is also reshaping perceived enterprise risk and offering activist investors a new source of strategic leverage.

Divergence as a Persistent Condition and a Strategic Vulnerability

It seems safe to say that the current regulatory environment is increasingly turbulent, particularly for companies that operate in multiple jurisdictions. The forces driving divergence such as geopolitical competition, domestic political polarization, skepticism of global institutions and rapid technological change are structural. Jurisdictions are asserting regulatory sovereignty in ways that embed local political and economic priorities into law, irrespective of whether they align or are consistent with other jurisdictional considerations. Sustainability-related reporting regimes, for instance, increasingly intersect with industrial policy and public-order priorities. Likewise, AI governance is tied to national competitiveness and social control. Data regulation is deeply linked to sovereignty and security. Antitrust enforcement reflects domestic views about markets, competition and labor.

For boards of directors, this means regulatory divergence must be treated as a standing enterprise risk rather than a transitional compliance project. It also means that regulatory exposure increasingly shapes activist narratives. What once might have been framed as a technical compliance issue is now readily reframed by activists as evidence of strategic drift, governance weakness or flawed capital allocation. Public litigation and enforcement actions tied to these divergent regimes can quickly become fodder in activist campaigns.

Sustainability Regulation: From Reporting Obligation to Activist Pressure Point

Sustainability and climate-related regulation illustrate how divergent legal regimes impose significant costs and strategic complexity for global corporations. In the European Union (EU), sustainability and climate disclosure obligations cascade through multiple regimes, including corporate sustainability reporting and corporate due diligence directives that require companies to, for example, identify and address human rights and environmental harms throughout global value chains. Although EU officials are making efforts to streamline and simplify these reporting and disclosure obligations, achieving a simplified regulatory framework remains elusive¹. Recent history underscores how sustainable-law divergence can become politically contested. For example, the EU agreed in late 2025² to significantly scale back a proposed supply-chain sustainability directive following pushback (notably from the U.S. and even within the EU itself), reducing its scope, delaying compliance deadlines and loosening substantive obligations, with the pushback illustrating how regulatory design can become a geopolitical flashpoint. These international political tensions will likely continue to spill into the regulatory landscape as the EU and the U.S. remain misaligned on how to tackle sustainability.³

This divergence is noticeable not just in substance but in philosophy. Many U.S. policymakers and stakeholders disparage comprehensive sustainability mandates as undue interference in company decision-making. Boards therefore may oversee compliance in some jurisdictions while publicly justifying more permissive positions elsewhere. These tensions are detectable in public risk disclosures and board commentary, particularly as investors and proxy advisors widen scrutiny beyond traditional financial metrics.

Activist investors concerned about environmental, social and governance (ESG) issues are increasingly using this fragmentation to pressure boards. When disparate sustainability obligations complicate corporate strategy, activists may argue that boards lack a coherent long-term plan to manage transition risk, harmful externalities or inconsistent disclosures across markets. Their argument is only strengthened in the context of increasing market practice for corporations to have, at least outwardly, some form of climate-related strategy or target.⁴ Networks of institutional investors, such as the Farm Animal Investment Risk and Return (FAIRR) (which coordinates engagement on environmental and governance risks across food and agriculture sectors), as well as collaborations such as the Principles for Responsible Investment (PRI), illustrate how coordinated investor pressure on sustainability issues can operate globally.

In the U.S., state attorneys general increasingly are using antitrust theories to challenge what they view as private ESG overreach. For instance, a coalition of six states, led by Florida, recently accused the advocacy group Ceres of operating a “climate cartel” by pressuring banks to limit financing for fossil‑fuel and other high‑carbon assets. Likewise, a Texas‑led group of states has sued BlackRock and other asset managers, alleging they conspired to raise coal prices by encouraging producers to cut output for environmental reasons.

In addition to state attorneys general, activists skeptical of ESG initiatives have sharpened their focus on sustainability compliance costs and purported operational inefficiencies. Regulatory complexity offers such activists a means to argue that sustainability compliance drains investment from core growth areas, particularly when many “net-zero” targets and environmental policies are impracticable to achieve and difficult to implement in the first-place,⁵ or introduces reputational risk in jurisdictions with political resistance to ESG. This seems particularly true in the increasingly polarized U.S., with “red” and “blue” states taking markedly different statutory and regulatory approaches to these issues.⁶ In the U.K., the political parties also have different views as to how ESG should be addressed and what regulations should be adopted to implement ESG-aligned principles.

For example, several states, including Florida, Idaho, North Dakota, Tennessee, Texas, Utah and Wyoming, have enacted laws that limit ESG‑based decision‑making by private companies, particularly in the financial and insurance sectors. These laws typically prohibit banks, insurers or other financial institutions from denying services or otherwise “discriminating” against customers based on specific industries, expressly covering fossil fuel, mining, timber, agricultural and firearms and ammunition businesses, or based on perceived non‑adherence to ESG standards. Texas also has restricted the ability of proxy advisory firms to recommend shareholder votes based on non‑financial considerations, including ESG factors.⁷ While no state law affirmatively requires private companies to incorporate ESG considerations into corporate strategy, boards may nonetheless view such factors as relevant to risk management or valuation considerations. This divergence exposes companies to competing forms of activist pressure, particularly from ESG‑skeptical actors who may challenge sustainability‑based decisions as exclusionary, inefficient or politically motivated.

Data Privacy and Cybersecurity: Regulatory Complexity as Governance Critique

Data governance presents a similar dynamic. Companies increasingly operate across privacy, cybersecurity and data-transfer regimes that diverge not only in technical details but in underlying legal philosophy. The EU–U.S. Data Privacy Framework, which aims to facilitate transatlantic data flows, follows decades of ineffective transfer regimes (e.g., Privacy Shield) and still leaves unresolved compliance ambiguity for U.S. companies dealing with EU data rights enforcement. Moreover, global analyses portray data law as an arena of competing national strategies. Some observers describe the global data, cyber and AI rulebook as “fractured,” with the EU historically driving enforcement-centric approaches while the U.S. has prioritized innovation, in particular through a national security lens, and the Asia-Pacific (APAC) region pursues localized frameworks.⁸ Such fragmentation can impact product and services development and distribution, increase compliance costs, compel duplicative infrastructure and complicate digital transformation.

For example, the Cyber Resilience Act in the EU, which introduces mandatory cybersecurity requirements for products with digital elements (a broad category encompassing virtually any software or hardware that connects to a network), requires timely board attention, as security-by-design, product vulnerability remediation programs and supply chain (components) diligence will need to be developed now to avoid delays in digital products distribution on the EU market.⁹ This is coupled with proposed regulations such as the Cybersecurity Act 2 and the Digital Networks Act, which have extra-territorial impact and address cyber issues through the prism of high-risk third party suppliers and promoting cloud-based computing infrastructures in the EU that enable AI development and deployment.¹⁰

In the U.S., states like California and Texas have adopted broad privacy laws carrying penalties of up to $7,500 per violation. California’s Privacy Rights Act applies to companies meeting revenue or data‑volume thresholds and reaches any business handling Californians’ personal information, regardless of location.¹¹ It also includes a private right of action, making California a litigation hotspot. Texas’s Data Privacy and Security Act is enforced solely by the state attorney general but has no revenue or data‑volume thresholds, giving it even broader jurisdictional reach.¹² As a result, companies operating in states with lighter privacy rules (or even outside the U.S.) who do business in states with privacy laws must still account for varied state regimes to avoid significant fines.

Activists have begun to integrate these governance issues into campaigns, especially where cyber incidents or regulatory actions accentuate weaknesses in enterprise risk management. A surge in AI, cybersecurity and data privacy disclosures among major corporations underscores the materiality of these risks; according to one report, 72% of S&P 500 companies now flag AI-related risks in public filings, up sharply from prior years.¹³ Activists may tie such disclosures to broader critiques of management competency, inadequate oversight or misaligned investment priorities. Data governance, intertwined with AI governance, thus becomes not merely a compliance burden but a strategic metric. Boards that lack clear enterprise risk frameworks for privacy and cybersecurity may find themselves targeted in campaigns that question oversight capabilities, enterprise resilience and disclosure integrity. This may be especially true where high-profile incidents coincide with earnings or other strategic milestones.

Artificial Intelligence: Divergence, Product Risk and the Activist Technology Thesis

AI regulation exemplifies the intersection of regulatory divergence, strategic risk and shareholder activism. Jurisdictions are rapidly developing AI frameworks, often with distinct philosophical, political and policy approaches and enforcement priorities.¹⁴ The European Union’s Artificial Intelligence Act¹⁵ employs risk tiering, aiming to address the risks generated by specific uses of AI, as well as obligations on general purpose AI systems regardless of their use. Certain AI systems are prohibited in the EU, and there are extensive compliance requirements for the development and deployment of “high-risk” AI systems, including risk assessments, technical documentation, human oversight and registration in a publicly available database. In contrast, the United States currently relies on siloed, sector-specific enforcement through agencies like the Federal Trade Commission and state laws, creating a patchwork compliance landscape. Objectives differ further internationally, with many countries in the Asia-Pacific region advancing data localization, national-security and usage governance that diverge sharply from Western norms.¹⁶ With rapidly shifting geopolitical priorities, legislation is being adopted, amended and revisited constantly: for example, the EU has announced a Digital Omnibus proposal that would simplify some of the EU AI Act requirements and delay implementation of certain provisions, as well as address the usage of personal data in relation to the development of AI tools.¹⁷

While the U.S. government continues to (un)regulate AI through a piecemeal approach, states are moving ahead with regulatory efforts and, in some cases, drawing directly from the EU’s leadership. For instance, Colorado’s Artificial Intelligence Act adopts an EU‑style risk‑based model for high‑risk systems used in areas such as housing, insurance and healthcare. However, Colorado already has delayed implementation of its statutory scheme to June 2026 in light of parallel discrimination laws percolating through the California and Illinois legislatures, as well as industry pushback. The result is a complex, interdependent regulatory environment in which companies must track multiple state rulemaking processes.

Beyond technical regulation, global governance discussions have produced statements on AI principles such as the AI Action Summit’s “Statement on Inclusive and Sustainable Artificial Intelligence for People and the Planet.”¹⁸ That Statement was signed by 58 countries; however, key players like the U.S. and U.K. declined to sign, signaling broader normative divergence.

Activist investors are increasingly factoring AI governance into engagement strategies. Shareholder proposals concerning AI risk both in developing and deploying AI tools, transparency and accountability have been rising, reflecting investor expectations that boards consider not only innovation opportunity but regulatory exposure, ethics and risk mitigation (including, for example, through the exponential rise of AI-enhanced cybersecurity risks). The rapid expansion of AI risk disclosure in corporate filings demonstrates that boards and executives recognize the salience of these issues for investors. For activists, regulatory fragmentation amplifies uncertainty about product and services viability, market access and compliance costs, making AI governance a potential lever to question leadership strategies. When boards provide disclosures perceived as vague or insufficient regarding AI governance risk management, activists may intensify demands for board expertise, independent review or strategic refocusing.

Antitrust, Investment Screening and the Activist Deal Thesis

Antitrust enforcement and foreign-investment review regimes further show how regulatory complexity shapes activist tactics. Competition policy is increasingly shaped by domestic political and economic priorities, leading to diverse enforcement postures across jurisdictions. Dialogue between U.S. and EU regulators suggests that consistent approaches to mergers and digital competition could facilitate cross-border activity, but substantive policy differences remain. This may be particularly true in the U.S., where federal officials seem less keen to enforce competition laws in relation to mergers and acquisitions, especially in relation to cyber and digital assets.

As previously discussed in the ESG context, state attorneys general increasingly are filling the gap left by federal officials, advancing novel antitrust theories to challenge business conduct they view as misaligned with state policy priorities, sometimes including actions companies take in response to activist‑investor pressure. On the investment‑screening side, several states have adopted restrictions for foreign‑owned companies. Texas, for instance, prohibits foreign companies from certain countries (including China, Russia, Iran and North Korea) from acquiring real property, like commercial land, agricultural land and mineral or groundwater rights. These measures complicate cross‑border investment decisions and can be invoked by activists or investors as arguments against particular transactions or capital‑allocation strategies.

Activists are using this complexity as part of “deal theses”, i.e., arguments that transactions are undervalued because regulatory risk is underestimated, or conversely that divestitures would unlock value by reducing exposure to stringent regulatory regimes. These activists may demand that boards reevaluate merger strategies or capital allocation plans in light of divergent antitrust enforcement philosophies and investment-screening outcomes.

Evolution of Shareholder Activism: A Broader Context

The broader shareholder activism landscape reinforces the importance of regulatory considerations. Recent reporting highlights how activists have secured record board representation gains, even amid shifting market conditions, underscoring the intensity of governance challenges boards may face during 2026 and beyond. Research also shows that the immediate impact of activist campaigns can depress profitability, particularly where activists contest strategic direction or leadership control, further emphasizing the stakes of activist engagements tied to regulatory debates.

Governance Implications for Boards

The combined effect of regulatory fragmentation and activist scrutiny elevates regulatory oversight from a compliance function to a core governance responsibility. Several imperatives are now evident:

• Strategic Regulatory Monitoring: Boards must ensure robust systems that track legal developments across jurisdictions, assess enterprise-wide impact and inform strategic decision-making. Regulatory monitoring cannot reside solely within functional risk teams; it must be integrated into enterprise risk frameworks that inform strategic planning and investor communication.
• Alignment of Policy and Practice: Divergent law often produces inconsistent implementation. Boards should evaluate whether global policies, e.g., on sustainability, AI ethics or data governance, can be operationalized coherently across regions and whether escalation protocols exist for reconciling conflicts.
• Risk-Oversight Structures: Regulatory divergence increases the risk that localized issues (e.g., breaches, investigations and enforcement actions) have enterprise-wide consequences. Committees and reporting lines should be structured to surface cross-border regulatory risk early and integrate it into enterprise risk reporting.
• Disclosure and Litigation Risk: Inconsistent or poorly contextualized disclosures can become focal points for regulators and activists alike. Directors should oversee cross-functional disclosure controls and ensure disclosures reflect the nuanced implications of divergent legal regimes.
• Strategic Integration of Regulatory Risk: Market entry decisions, digital strategy, capital allocation and portfolio reviews increasingly hinge on regulatory feasibility. Boards should expect management to articulate how divergence affects long-term value creation and how value creation strategies mitigate activist-relevant vulnerabilities.

Looking Ahead

Cross-border regulatory divergence stands out as a structural reality for multinational governance. It reshapes compliance obligations, complicates operational models and can reframe enterprise strategy. It also reshapes shareholder activism. Regulatory fragmentation provides activists with new narratives and levers: for instance, whether to question leadership competence, strategy execution, capital allocation or all of the above.

For corporate directors, the task is twofold. First, boards must oversee the substantive management of regulatory divergence. Second, and equally important, they must understand how divergence reframes investor expectations and activist tactics. In an environment where law increasingly reflects national priorities and geopolitical realities, effective boards will treat regulatory architecture as a core element of enterprise strategy and activist resilience as a dimension of regulatory preparedness.

^{1 Read our article here on the EU decision to amend Sustainable Finance Disclosure Regulations following feedback that the program is overly complex. Further attempts at simplification are changes to taxonomy disclosures (see our article here) and wider changes to EU Sustainability Reporting (see our article here).}

^{2 See, e.g., https://www.akingump.com/en/insights/alerts/summary-simplification-of-eu-sustainability-reporting.}

^{3 See our article here: The Growing Climate Rift Between the EU and the US.}

^{4 See our article here, which details the increasing adoption of net-zero targets by companies.}

^{5 See, e.g., here on Deforestation Regulation (EUDR)}

^{6 See, e.g., https://www.nbcnews.com/politics/politics-news/policy-divide-blue-red-states-keeps-widening-rcna230162 and https://www.washingtonpost.com/education/2024/04/04/education-laws-red-blue-divide/.}

^{7 In 2025, Texas enacted SB 2337, a law intended to regulate how proxy advisory firms provide services, including proxy recommendations, to companies operating in the state. Several parties, including the Interfaith Center on Corporate Responsibility, Institutional Shareholder Services (ISS) and Glass Lewis, filed legal challenges against SB 2337, arguing that, among other things, SB 2337 violates the First Amendment. A federal district court judge in Texas has enjoined enforcement of SB 2337. The Texas Attorney General, Ken Paxton, had appealed that decision; however, last November, Mr. Paxton abandoned efforts to revive the statute. We wrote about SB 2337 here.}

^{8 See, e.g., https://globalpi.org/research/ai-regulation-across-the-atlantic-eu-ai-act-vs-u-s-ai-governance/ and https://www.corporatecomplianceinsights.com/navigating-apac-mixed-approach-ai-regulation/.}

^{9 See our article here: What International Companies Should Do to Comply With the E.U. Cyber Resilience Act.}

^{10 See our alert here: EU Cyber and Connectivity Proposals with Extra-Territorial Impact: Cybersecurity Act 2 and Digital Networks Act Go to Negotiations.}

^{11 See our article here: CPRA Rivals GDPR’s Privacy Protections While Emphasizing Consumer Choice.}

^{12 See our article here: Texas Data Privacy Act: What Businesses Need to Know.}

^{13 New Study: 7 in 10 Big US Companies Report AI Risks in Public Disclosures.}

^{14 See our AI Law & Regulation Tracker to access to the latest in AI across regulatory developments, legal and policy issues, and industry news.}

^{15 See our alerts here on the Final Approval of Ground-breaking EU AI Act and here on the EU AI Act published in the EU Official Journal, as well as subsequent alerts here and here. EU officials have established an AI-related hub providing up-to-date legal and regulatory developments and analyses of the EU AI Act. https://artificialintelligenceact.eu/.}

^{16 See, e.g., https://www.interglobixmagazine.com/apacs-data-localization-requirements/.}

^{17 See our article here: Navigating the EU’s Digital Omnibus on Privacy, Cyber, Data and AI and Next Steps.}

^{18 Statement on Inclusive and Sustainable Artificial Intelligence for People (...) - France ONU.}