Cybersecurity is a policy priority worldwide, as rapid digital transformation requires increased efforts by governments to protect critical infrastructure, secure digital services, and build trust. Consequently, governments have enacted a wide range of laws, regulations and standards across jurisdictions. These measures reflect crucial objectives and varied risk profiles. However, the measures have often been siloed, leading to unintended consequences for the effectiveness of cybersecurity and the cost of compliance. This report provides an overview of the complex patchwork of cybersecurity policies and regulations, the forces driving their proliferation and divergence, their consequences, and existing efforts to address them. It provides a preliminary outline of work that the OECD could undertake in response.
Regulatory fragmentation occurs when different jurisdictions or sectors have varying, and possibly conflicting, rules for the same or similar activities, services, products or risks. In practice, it is characterised by diverging national laws, inconsistent sectoral requirements, overlapping mandates among regulators, and the absence of shared definitions or approaches. In this context, organisations face multiple compliance regimes that often do not interoperate well or at all. Regulatory fragmentation is exacerbated by factors such as differing national security priorities, sector-specific risk environments, varied legacy frameworks, protectionist measures, and reactive policymaking.
The impacts of regulatory fragmentation can be wide-ranging:
Additional compliance costs: Businesses operating across multiple jurisdictions must interpret, implement, and manage multiple overlapping regulatory regimes instead of one consistent framework, leading to duplication, legal expenses, operational adjustments and administrative burden.
Diversion of resources from core cybersecurity functions: Fragmentation forces organisations to spend scarce time and budget on multiple compliance processes, diverting resources away from core security activities that directly enhance cybersecurity. Small and medium-sized enterprises (SMEs) are particularly affected, as they often lack the human and financial resources to manage overlapping requirements.
Weaker international co-operation: Divergent information sharing and reporting requirements can hinder joint investigations, crisis management and public-private co-operation.
Adverse effects on market incentives: Inconsistent and overlapping regulations can incentivise firms to prioritise markets with lighter and simpler obligations. This may discourage firms from entering more demanding jurisdictions, which may distort competition over time and weaken incentives to strengthen cybersecurity standards.
Erosion of institutional trust, policy effectiveness and international policy coherence: Inconsistent regulatory responses can reduce confidence in the predictability of regulatory systems and complicate benchmarking, risk assessment, and international agreements.
Efforts to increase coherence of cybersecurity regulations are beginning to emerge at the domestic, regional, bilateral and international levels, although they vary considerably in their development and reach. At the domestic level, for instance, the United States has introduced initiatives aimed at improving coherence across regulatory and sectoral requirements. At the regional level, initiatives such as those undertaken in the European Union seek to promote greater coherence across its Members. Bilateral arrangements can also help foster practical co-ordination and reduce friction between jurisdictions. By contrast, international efforts remain comparatively limited, although international technical standards continue to provide important support for greater consistency and interoperability.
Taken together, these developments reflect growing recognition among policymakers, regulators and industry stakeholders of the need for greater regulatory coherence to reduce unnecessary compliance burdens, support cyber resilience and facilitate cross-border co-operation. Against this backdrop, the OECD is well positioned to provide a trusted setting for dialogue, deepen the evidence base on impacts and costs of fragmentation, and help translate emerging experience into practical guidance and policy tools for jurisdictions seeking to enhance coherence.