Capacity Withdrawal During Rulemaking Acceleration

Regulatory architecture is scaling faster than regulatory execution capacity in one jurisdiction. Enforcement authority is scaling faster than operational readiness in another.

The DHS partial shutdown began February 14. CISA dropped to 38% capacity: 888 of 2,341 employees excepted, working without pay. CIRCIA final rule work paused. The agency has lost one-third of its workforce in twelve months and operates without a Senate-confirmed director.

The same week, the EU Cybersecurity Act 2 advanced into parliamentary review. CSA2 introduces a horizontal ICT supply chain framework empowering the Commission to identify "key ICT assets," trigger coordinated risk assessments, and prohibit components from suppliers flagged as high-risk. The instrument does not limit risk assessment to technical factors. Jurisdiction of origin is an explicit criterion. Noncompliance: 7% of global annual turnover.

Recorded Condition

February 13 to February 25, 2026. CSA2 replaces the 2019 Cybersecurity Act entirely. Structural additions: binding 12-month certification scheme timelines, a "cyber posture" certification for NIS2 compliance, a single entry point for incident reporting, and centralized technical measures blocking member state gold-plating where implementing acts exist.

Regulation S-P smaller entity compliance deadline: June 3, 2026. No extension granted.

Observed Shift

The asymmetry is now temporal. Statutory clocks are advancing toward enforcement while rulemaking and operational capacity lag behind them.

CSA2 assigns expanded coordination, certification, and reporting functions to an agency whose current mandate was not designed for centralized supply chain enforcement. Whether these responsibilities arrive with proportional resources is not specified in the proposal.

Exposure Surface

A CISO in a US critical infrastructure entity is preparing for a reporting regime whose final scope remains unknown, from an agency at reduced capacity, while the statutory basis for threat intelligence sharing expires in seven months.

A CISO in a multinational NIS2 entity is preparing for a supply chain framework where vendor selection may be constrained by implementing acts that do not yet exist, under certification schemes that have not been developed, through a reporting entry point that has not been built.

Regulatory text now presumes institutional capacity that has not been demonstrated.
