March 2026 Compliance Calendar

Updated national standards governing cross-border data transfers take effect on March 1, 2026. Data processors in China must satisfy at least one compliance pathway: passing CAC security assessment or obtaining personal information protection certification.

Large accelerated filers with December 31, 2025 fiscal year-end must file Form 10-K including mandatory cybersecurity disclosures under Item 106 of Regulation S-K. Must include cybersecurity risk management processes, board oversight description, management role in cybersecurity, and whether risks have materially affected the company.

All PCI DSS 4.0.1 requirements become mandatory. Organizations must be fully compliant with all new requirements that were previously best practices.

Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV) required for PCI DSS compliance.

Quarterly user access review for SOC 2 compliance.

Annual review and update of privacy notices to ensure they accurately reflect current data processing activities.

Q1 quarterly vulnerability scanning as recommended by NIST SP 800-53 RA-5.

Annual internal audit of the Information Security Management System required under ISO 27001 Clause 9.2.

Q1 quarterly authenticated vulnerability scanning for all FedRAMP systems.

Financial entities must submit their Register of Information (RoI) detailing all contractual arrangements with ICT third-party service providers to their national competent authority by March 31, 2026. Data must reflect status as of December 31, 2025. Submissions must be in xBRL-CSV format.

FedRAMP 20x Phase 2 pilot expected to conclude by Q2 FY26 (March 31, 2026). The pilot tests the new cloud-native authorization framework emphasizing machine-readable packages, continuous evidence, and automated monitoring. After this phase, FedRAMP plans to stop accepting new Rev5-based agency authorizations.