Microsoft 365 in 2026 and questions regulated firms should be asking

How boards and executives can test whether their Microsoft 365 setup will stand up to regulatory scrutiny

For many regulated organisations, Microsoft 365 sits quietly in the background. Email works, documents are shared, meetings run on time. From a business perspective, the platform feels stable and familiar. 

From a regulatory perspective, that familiarity can be misleading.

By 2026, regulators such as the DFSA and FSRA will expect boards and senior management to demonstrate that Microsoft 365 is not only in use, but actively governed, correctly configured and auditable. The simplest way to test this is not to review settings, but to ask the right questions.

Questions to ask your IT manager or provider 

• Can you explain our Microsoft 365 security posture in business terms? 
• How do we know our configuration matches regulatory expectations? 
• What risks keep you most concerned about our current setup? 
• How often is our configuration reviewed and tested? 
• Who is accountable if something goes wrong?

Start with access and authority

Identity and access are the foundation of Microsoft 365 risk. A useful starting point is to ask:

• How do we control who can access Microsoft 365, and how is that reviewed?
• Are privileged roles limited, monitored and periodically reassessed?
• What happens if an administrator account is compromised?

Clear answers should describe processes, not products. If explanations rely heavily on licences or features, that is often a sign that governance has not been fully considered.

Move to data and visibility 

Email, files and collaboration tools are where most regulatory exposure sits. Senior management should understand: 

• How do we prevent sensitive data from being shared inappropriately?
• Do our data protection rules reflect regulatory obligations or default templates?
• What visibility do we have if something goes wrong? 

Regulators increasingly expect firms to reconstruct events after an incident. If logs are fragmented or retention is unclear, accountability becomes difficult. 

Test incident readiness 

A key regulatory expectation is the ability to respond calmly and decisively when access or data is compromised. Useful questions include:

• How quickly can access be restricted if a user account is suspected of misuse? 
• Who decides when an incident becomes a regulatory issue? 
• What evidence would we be able to provide after an incident?  

These questions help distinguish between technical capability and organisational readiness. 

Ask about change and AI features 

Microsoft 365 evolves continuously. New features, including AI-enabled tools, introduce both opportunity and risk. Boards should ask: 

• How are new features assessed before being enabled? 
• Do we understand where data is processed and stored? 
• Who approves changes that affect data handling or access?

Silence or uncertainty here often indicates unmanaged risk. 

Microsoft 365 can support a strong compliance posture, but only when senior leadership remains engaged. In 2026, regulators will look less at the platform itself and more at the quality of oversight around it. Asking the right questions is often the most effective place to start.