As national security enforcement intensifies, a new report from Eversheds Sutherland highlights a critical gap: many U.S. companies are still unprepared to navigate complex compliance risks tied to cybersecurity, cross-border operations, and evolving regulatory demands. The 2025 U.S. National Security Compliance Risk and Readiness Report, based on a survey of more than 100 compliance executives and legal professionals, points to significant disconnects across industries and organizational functions, particularly in how companies identify, manage, and assign ownership of national security risks.

Below, we break down the key findings that compliance teams should be aware of now.

A Complex Risk Landscape

The report outlines a growing compliance challenge shaped by global instability, rapid innovation, and expanding regulatory mandates. Despite this, more than a third of surveyed companies, regardless of size or industry, say they are not fully prepared to address the national security risks facing their organizations.

What’s more, nearly 25% of compliance professionals cannot fully articulate their company’s national security risk profile, a foundational gap that can impact everything from budgeting to board engagement.

Notably, executives and in-house counsel disagree on who holds ultimate responsibility for national security compliance, with each group pointing to their own function, creating ambiguity that can slow down decision-making and response times.

Cybersecurity & Data Protection: The Most Pressing Risk

Cybersecurity and data protection were cited as the most urgent compliance concerns in the report, and for good reason. With rising threats from nation-backed cyberattacks, ransomware gangs, and large-scale data breaches, firms are under growing pressure to safeguard sensitive data while navigating a complex patchwork of state, federal, and international privacy regulations.

84% of companies said cybersecurity and data protection present a moderate or high compliance risk.

Yet only 66% say they are “very prepared” to address these risks, leaving a significant gap between awareness and operational readiness.

This shortfall isn’t just about outdated tools; it’s a governance issue. The report suggests many companies are still relying on fragmented controls, unclear escalation paths, or legacy systems that weren’t designed to meet today’s evolving threat landscape.

Expanding Operations? Expect Expanded Risk

The report found that companies with international operations are encountering significantly more compliance demands, particularly in areas like sanctions, export controls, and anti-bribery enforcement.

This trend signals that global operations bring heightened regulatory scrutiny, and for U.S. firms exploring overseas growth, it’s a reminder that national security compliance programs must be adaptable across jurisdictions.

Even for domestic firms, global enforcement patterns can shape U.S. expectations, meaning now’s the time to future-proof your controls and reporting processes.

Missed Opportunities for Oversight & Support

Despite increasing pressure, more than half of companies are not investing in foundational risk management actions, including:

  • Increasing board or executive oversight (72% have not)
  • Allocating more budget toward national security compliance (56% have not)
  • Engaging external legal or compliance advisors (55% have not)

This lack of escalation, especially in high-risk sectors, raises concerns about how risks are being prioritized and addressed across leadership teams.

Why Compliance Teams Should Pay Attention

The Eversheds Sutherland report isn’t just a data summary; it’s a clear call to action. As national security concerns become more intertwined with regulatory enforcement, reputational risk, and operational continuity, compliance teams are being asked to step into a more strategic role.

Here’s what the report underscores:

  • National security compliance is no longer niche; it’s a cross-functional, board-level concern.
  • Ownership ambiguity and resource gaps are real vulnerabilities that can hinder response and recovery efforts.
  • Technical risks (like data protection) must be backed by strong governance, documented processes, and clear accountability.

For compliance teams, that means aligning more intentionally with legal, IT, security, and executive leadership, not just to stay ahead of penalties, but to build a durable, scalable compliance foundation that protects the business long-term.

Access the full 2025 U.S. National Security Compliance Risk and Readiness Report for more information.