Why boards are questioning their email providers in 2026
The question of which email platform a company uses has rarely been a boardroom agenda item. It fell to IT departments, was resolved years ago in favour of whatever the dominant free or bundled option happened to be at the time, and was subsequently left unchanged. That comfortable inertia is coming under pressure in 2026, and the scrutiny is coming from an unexpected direction: the board itself.
A confluence of factors—tightened data protection regulation, high-profile breaches at major providers, the growing commercial sensitivity of digital communications and a sharper focus on supply chain risk—has elevated email infrastructure from an IT consideration to a governance one. Boards are asking questions they haven't asked before, and the answers are prompting action.
The governance case for reviewing email providers
A company's choice of email providers is a risk management decision, and risk management is a board-level responsibility. The email platform is the channel through which M&A discussions are conducted, through which legal correspondence flows, through which personnel decisions are made and through which the most commercially sensitive information in the organisation passes every day. The idea that this channel should be evaluated with less rigour than, say, the choice of legal counsel or audit firm is increasingly hard to defend.
The specific concern is around data sovereignty and encryption. Most major free and legacy email providers process message content — for advertising, for training AI systems, or as conditions of government requests. End-to-end encrypted providers cannot do any of these things because the content of messages is technically inaccessible to them. For organisations handling material non-public information or operating in sensitive sectors, this distinction is material.
What good looks like in 2026
The ICO's guidance on strong passwords and MFA is part of a broader framework for organisational information security that boards should be familiar with. End-to-end encrypted email, mandatory multi-factor authentication on all accounts and regular security audits of communication infrastructure represent the current baseline expectation for organisations taking their data protection obligations seriously.
Leading organisations are going further by implementing zero-trust network architectures, conducting regular third-party penetration testing and building data protection considerations into procurement processes across the supply chain. Email infrastructure is one piece of this picture, but it's an unusually important one given the volume and sensitivity of the information it handles.
Making the transition at scale
For large organisations, migrating email infrastructure is a significant programme of work. But the direction of travel is clear, and the organisations that begin planning now will be better positioned than those that wait for a regulatory prompt or a security incident to force the issue. Services like Proton Mail offer enterprise tiers with the management tools and compliance features that larger organisations require.
The boards asking questions about email providers in 2026 are not being alarmist. They are applying to a long-neglected area of operational infrastructure the same rigour they bring to other material risks. The companies that respond thoughtfully to those questions will be better governed, better protected and better positioned for the regulatory environment that is continuing to evolve around them.










