From the journal

Five Eyes Agencies Issue Joint AI Cyber Threat Statement, June 22, 2026

CISA (US), NCSC (UK), ACSC (Australia), CCCS (Canada), and NCSC-NZ jointly published a cyber security statement on June 22, 2026. The agencies assess that AI will accelerate the speed, scale, and sophistication of cyber threats, with frontier models expected to exceed current defensive assumptions within months. The statement directs organizations to treat cyber risk as a board-level concern and strengthen foundational controls without delay.

2 min read

On June 22, 2026, the cybersecurity agencies of the United States (CISA), the United Kingdom (NCSC), Australia (ASD's ACSC), Canada (CCCS), and New Zealand (NCSC-NZ) published a joint statement titled Five Eyes Cyber Security Agencies Statement. The statement is advisory in character, representing a formal coordinated government assessment that constitutes regulatory guidance to critical infrastructure operators and senior organizational leadership.

The statement assesses that the timeline for AI-driven cyber threat escalation is measured in months, not years. Frontier AI models are anticipated to exceed current industry-standard defensive assumptions and to alter both offensive and defensive cyber capabilities. The agencies direct organizations to take three actions: assess AI-driven cyber risk at board and executive level; prioritize foundational controls including patching, identity management, and incident response; and empower chief information security officers with authority and resources commensurate with the threat environment.

Critical infrastructure operators, financial institutions, telecommunications providers, and AI deployers are the primary addressees of the statement. Organizations in those sectors should treat this Five Eyes guidance as a signal of forthcoming regulatory expectations. Joint advisories from CISA, the NCSC, and peer agencies have in prior supervisory cycles preceded enforceable obligations, and the explicit urgency language in this statement amplifies that risk.

The statement does not impose specific mandatory controls or direct legal obligations. Its regulatory significance is forward-looking: all five jurisdictions' regulators are expected to scrutinize AI cyber risk governance and cyber resilience investment in forthcoming supervisory cycles. The NCSC published a companion piece, The AI shift in cyber risk: why leaders must act now, concurrently, elaborating on the technical threat assessment underlying the joint statement.

We may advise on cyber regulatory positioning across the Five Eyes jurisdictions and have a partner network with specialist counsel. Organizations reviewing their AI cyber risk posture are invited to contact us. Work we undertake includes cyber regulatory advisory, AI security governance, critical infrastructure compliance, and board-level cyber risk briefings.

Source: Five Eyes Cyber Security Agencies Statement, CISA, June 22, 2026

AI Regulatory

More from the journal

See all

New York UCC Revision Act Takes Effect June 2026, Creating Digital Asset Commercial Law Rules

New York Senate Bill S1840A (the UCC Revision Act) took effect on June 3, 2026, amending New York's Uniform Commercial Code to govern digital assets through a new Article 12. The legislation creates rules for the transfer of controllable electronic records, security interest perfection, and priority disputes, and extends good-faith purchaser protections adapted from Articles 3 and 7 to digital instruments.

President Trump Signs Executive Order 14409 on AI Innovation and Security, June 2, 2026

President Trump signed Executive Order 14409, Promoting Advanced Artificial Intelligence Innovation and Security, on June 2, 2026. The order establishes a voluntary AI cybersecurity clearinghouse, directs priority upgrades to national security systems within 30 days, and requires protocols for secure frontier AI model deployment within 60 days. It was published in the Federal Register on June 5, 2026 (91 Fed. Reg. 34565).

MiCA Grandfathering Period Ends July 2026: Unauthorized CASPs Must Cease EU Operations

The maximum 18-month MiCA transitional period expired on 1 July 2026, closing the grandfathering window across all EU and EEA member states. Any crypto-asset service provider that operated under pre-MiCA national regimes must now hold MiCA authorisation or suspend services. ESMA confirmed that national competent authorities are expected to enforce compliance, with pending applicants permitted to continue only where an NCA issues an express individual determination.