**Security testing requirements:** Nearly all modern frameworks now require or recommend regular security testing - **Risk-based approaches:** Frameworks are shifting from prescriptive controls to risk-based requirements - **Incident reporting:** Timelines are converging around 72 hours for initial