Organizations are moving more data than ever between on-premises systems, cloud environments and third-party partners. As that ecosystem expands, regulators are tightening expectations around how data is transmitted, logged and stored. Several significant standards and laws that affect secure file transfer are entering new phases of enforcement in 2026.

This guide highlights the updates that matter most for security, compliance and IT operations teams, and what to check in your file-transfer environment as these rules come into effect.

PCI DSS 4.0: Future-dated requirements became fully enforceable in 2025

PCI DSS 4.0 introduced a series of “future-dated” requirements — controls that organizations had several years to prepare for before they became mandatory. These requirements became fully enforceable on March 31, 2025, and many teams spent 2024-2025 updating their security configurations in anticipation. (The current version of the standard is v4.0.1, a limited revision published in June 2024 that clarifies wording without adding or removing requirements; v4.0 itself was retired at the end of 2024.)

Several of the changes directly affected how organizations transmit, access and monitor payment-related files:

  • Encrypted transmission of cardholder data using strong, modern protocols (Requirement 4). Cerberus by Redwood supports strong cipher suites and modern TLS versions, including TLS 1.2+ and AES-256 encryption. Plaintext FTP and TLS 1.0/1.1 should be disabled outright, not merely de-prioritized.
  • Expanded access-control expectations for any account interacting with PCI-regulated files. Cerberus offers role-based access controls, password-policy enforcement, multi-factor authentication options and granular user/group permissions — features that support PCI DSS Requirements 7 and 8.
  • More detailed activity logging, including protections against log tampering. Cerberus includes comprehensive audit logging, tracking file uploads, downloads, authentication attempts, administrative changes and configuration updates. Logs are cryptographically signed and can be exported to external SIEMs, aligning with PCI DSS Requirement 10 for log integrity and retention. Note that Requirement 10 also expects logs to be reviewed, not just collected, and retained for at least 12 months with three months immediately available.

Organizations that handle cardholder data should already have updated their file-transfer workflows to align with PCI DSS 4.0, but ongoing maintenance remains critical. Reviewing encryption settings, account permissions, logging configurations and retention policies ensures continued compliance as audits and enforcement evolve.

HIPAA: Increased scrutiny on encryption and audit logging

The HIPAA Security Rule requirements themselves haven’t changed, although a proposed rule published by HHS in January 2025 would, if finalized, make encryption of ePHI in transit and at rest a required specification rather than an “addressable” one. Meanwhile, recent audits from the Office for Civil Rights (OCR) and the Office of Inspector General (OIG) have highlighted consistent gaps in two areas directly connected to file transfer:

  • Inconsistent encryption for PHI transmitted within internal systems or between external partners
  • Incomplete or unreliable audit trails that fail to document who accessed files and when

Healthcare organizations have been cited for both issues in recent evaluations. Cerberus helps organizations address these risks by providing secure, encrypted file-transfer protocols, detailed audit logging and access controls designed to support HIPAA-aligned workflows.

Cerberus also offers features such as TLS 1.2+ support, AES-256 encryption, event logging, IP whitelisting/blacklisting (allow/deny lists), file-access auditing, user/group permissions and automated policy enforcement, all of which align with best practices for HIPAA-compliant data transfer.

As enforcement activity increases, covered entities and business associates should ensure that all PHI-related file transfers use secure, encrypted channels and that logs are complete, tamper-resistant and retained according to policy.

ISO/IEC 27001:2022 transition: the deadline has passed

ISO/IEC 27001:2022 introduced updated controls and a required transition away from the 2013 edition. The transition deadline was October 31, 2025; certificates issued against ISO/IEC 27001:2013 are no longer valid after that date, so any organization still operating to the 2013 control set has a gap to close.

Several of the revised controls directly affect how sysadmins secure and manage file-transfer systems:

  • Secure data transmission (controls 5.14 Information transfer and 8.24 Use of cryptography)
    Expects encryption for data in transit, chosen on the basis of a documented risk assessment. Cerberus supports TLS 1.2+, AES-256 encryption and hardened cipher suites to meet these expectations.
  • Cryptographic key management (control 8.24)
    Calls for secure key handling, rotation and certificate lifecycle management. Cerberus provides certificate management and integrates with trusted CAs to simplify secure key workflows.
  • System and activity monitoring (controls 8.15 Logging and 8.16 Monitoring activities)
    Requires detailed visibility into access and file operations, and protection of the logs themselves. Cerberus offers comprehensive audit logs, event notifications and SIEM integrations to support monitoring and investigations.
  • Change management for security-relevant configurations (controls 8.9 Configuration management and 8.32 Change management)
    Mandates tracking of administrative changes. Cerberus logs all configuration updates and admin actions, so teams can maintain accountability and meet audit requirements.

These controls map closely to secure file-transfer operations, making it important for sysadmins to review protocol settings, encryption defaults, certificate usage and audit-log retention. Configuring Cerberus with strong protocols, detailed logging and controlled admin access helps organizations align with ISO/IEC 27001:2022 now that the transition window has closed.
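The PCI DSS and ISO/IEC 27001 sections above both come down to the same check on the server side: is the protocol floor TLS 1.2 or higher, are only strong cipher suites enabled, and is TLS compression off? The following is an added example (not Cerberus code, and not part of the original article) that expresses that policy as a Python ssl.SSLContext and audits a context against it. The "legacy" context is a constructed stand-in for an old FTPS configuration; the cipher-name markers are an assumption about what counts as weak and should be tuned to your own policy.

```python
import ssl

# Assumed policy: any cipher-suite name containing one of these substrings is
# unacceptable under a "TLS 1.2+, forward-secret AEAD suites only" baseline.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def hardened_server_context():
    """Server context enforcing TLS 1.2+ and ECDHE + AEAD suites only.

    The caller is expected to load the server certificate and key with
    load_cert_chain(); no file names are assumed here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite list: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305.
    # TLS 1.3 suites are managed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION   # CRIME-style attacks need compression
    return ctx


def legacy_server_context():
    """Deliberately permissive context: constructed stand-in for an old FTPS
    configuration that was never tightened after deployment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # no protocol floor
    ctx.set_ciphers("ALL:@SECLEVEL=0")                       # everything the build offers
    ctx.options &= ~ssl.OP_NO_COMPRESSION                    # compression allowed
    return ctx


def tls_policy_findings(ctx):
    """Audit a context against the policy. Returns a list of findings;
    an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"protocol floor is {ctx.minimum_version.name}; require TLSv1_2 or higher"
        )
    for suite in ctx.get_ciphers():          # suites actually enabled in this context
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        print(f"{label}: {tls_policy_findings(ctx) or ['OK']}")
```

The check reads the context's own state rather than trusting the configuration file, so it also catches a setting that was written but never took effect. Point the same audit at a live server by combining it with an external scanner's output; the policy logic stays the same.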

US state privacy laws: More states adding data-movement requirements

More than 20 US states have now passed comprehensive privacy laws (and others have narrower, sector-specific requirements). Many of these laws include obligations related to:

  • Secure transmission of personal information
  • Tracking where data flows within and outside the organization
  • Documenting access to sensitive files
  • Data retention and minimization practices

While these rules don’t always reference “file transfer” explicitly, they apply whenever personal data moves between systems. As more states introduce similar requirements, organizations should ensure that internal and external file exchanges follow consistent encryption and logging standards. Cerberus supports these needs with Folder Monitor tools that help enforce data retention and minimization policies, detailed logging that documents who accessed what and when, and strong encryption (including TLS 1.2+ and AES-256) to protect data during transmission.

EU Data Act: New expectations for data portability and cloud transitions

The EU Data Act has applied since September 12, 2025, with some provisions phasing in through 2026 and 2027. Although it focuses on data generated by connected products and on switching between cloud and data-processing providers, it also influences how organizations move certain types of data between environments.

Key impacts include:

  • Ensuring secure transmission when exporting or transferring regulated data
  • Keeping clear records of where data is stored after transfer
  • Demonstrating transparency in how access to data is granted and logged

If your organization manages EU-sourced data that must be shared or exported, reviewing transmission security and audit-logging practices is a good step while the remaining provisions phase in.

Federal guidance: Migration toward NIST SP 800-53 Rev. 5 controls

NIST SP 800-53 Rev. 5 is now the baseline for many federal and defense-contractor cybersecurity programs (FedRAMP’s Rev. 5 baselines and NIST SP 800-171 Rev. 3 both derive from it), with updated controls on encryption (SC-8, SC-13), privileged access (AC-6) and protection of audit information (AU-9) for systems handling regulated data. There is no single deadline, but the expectation that file-transfer infrastructure aligns with these controls is increasing.

How Cerberus can help meet regulatory requirements in 2026

Across all industries, several themes appear again and again in new regulations:

1. Encryption standards

Ensure all transfers use strong, modern protocols: SFTP (over SSH), or FTPS and HTTPS with TLS 1.2 or later. Disable plaintext FTP and TLS 1.0/1.1 entirely rather than leaving them as fallbacks.

2. Access controls

Review user roles and authentication methods, and apply least-privilege configurations so that each account can reach only the folders and operations it needs.

3. Audit trails

Verify logs capture file access, transfer activity, failed authentication attempts and administrative changes — and that logs are protected from modification.

4. Data residency and retention

Know where transferred files ultimately reside and how long they’re kept.

5. Automation and configuration consistency

Make sure workflows, scripts and scheduled transfers follow the same security standards as manual processes.
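The “protected from modification” expectation in item 3, and the PCI DSS Requirement 10 log-integrity point earlier, are usually met by hash-chaining log entries and keying the chain with a secret held outside the file-transfer host. The block below is an added example (not Cerberus’s own logging code, and not from the original article) of that technique: each line carries the previous line’s tag, an HMAC-SHA256 tag over the previous tag plus the event, and the event itself. The sample events are constructed and modelled on what an MFT audit log typically records; the key and field names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample events in the shape a file-transfer audit log records:
# who did what, to which path, from where, with what outcome.
SAMPLE_EVENTS = [
    {"ts": "2026-01-15T09:02:11Z", "user": "svc_payroll", "action": "LOGIN",
     "src": "10.20.1.7", "result": "OK"},
    {"ts": "2026-01-15T09:02:14Z", "user": "svc_payroll", "action": "UPLOAD",
     "path": "/in/batch_0115.csv", "bytes": 48211, "result": "OK"},
    {"ts": "2026-01-15T09:10:42Z", "user": "jdoe", "action": "LOGIN",
     "src": "203.0.113.9", "result": "FAIL"},
    {"ts": "2026-01-15T09:12:03Z", "user": "admin", "action": "CONFIG_CHANGE",
     "setting": "tls.min_version", "old": "1.1", "new": "1.2", "result": "OK"},
]

GENESIS = "0" * 64   # previous-tag value for the first line of a chain


def _canonical(event):
    # Deterministic serialization: sorted keys, no whitespace.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_event(log_lines, key, event):
    """Append one event. Line layout: <prev_tag> <tag> <json>
    tag = HMAC-SHA256(key, prev_tag || json). The key (assumed) belongs to the
    log collector, not the transfer host, so someone who edits the host's copy
    cannot recompute valid tags."""
    prev_tag = log_lines[-1].split(" ", 2)[1] if log_lines else GENESIS
    body = _canonical(event)
    tag = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
    log_lines.append(f"{prev_tag} {tag} {body}")
    return tag


def verify_log(log_lines, key):
    """Return (ok, first_bad_index). Catches edited, deleted, inserted or
    reordered lines. Caveat: removing lines only from the *end* is invisible
    to the chain itself; the collector must also record the latest tag or
    line count it has seen to detect truncation."""
    expected_prev = GENESIS
    for i, line in enumerate(log_lines):
        try:
            prev_tag, tag, body = line.split(" ", 2)
        except ValueError:
            return False, i
        if prev_tag != expected_prev:          # link to previous line broken
            return False, i
        recomputed = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(recomputed, tag):   # line content or tag altered
            return False, i
        expected_prev = tag
    return True, None


def build_sample_log(key):
    lines = []
    for event in SAMPLE_EVENTS:
        append_event(lines, key, event)
    return lines


if __name__ == "__main__":
    key = b"collector-secret-key"           # assumed; held by the SIEM/collector
    lines = build_sample_log(key)
    print("intact:", verify_log(lines, key))
    # Turn the failed login on line 2 into a success, as an insider might.
    lines[2] = lines[2].replace('"result":"FAIL"', '"result":"OK"')
    print("edited:", verify_log(lines, key))
```

Ship the lines to the SIEM as they are written and verify there; a copy on the transfer host is evidence, not the authoritative record. Rotate the HMAC key on the collector side and start a new chain segment at each rotation, storing the final tag of the old segment with the new key’s first line.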

Final thoughts

Regulatory updates taking effect in 2026 place increased focus on how data moves, not just where it sits. File-transfer systems are often a core part of that process, which makes it important to review encryption settings, access controls and logging practices before new requirements come fully into play.

A well-configured, well-monitored file-transfer environment not only supports compliance but also reduces operational risk across the organization.