Cybersecurity is a policy priority across jurisdictions, driven by a rising tide of threats to critical infrastructure, supply chains and digital services. In response, governments and regulators are adopting a wide range of legal and policy instruments to strengthen cybersecurity, enhance resilience and increase accountability (OECD, 2022[1]). These measures reflect national objectives and sector-specific risk profiles that have led to the emergence of a complex and increasingly fragmented regulatory landscape.
That landscape is highlighted in an open letter to OECD Members (CSO, 2025[2]) from a group of Chief Information Security Officers (CISOs) across sectors, warning that international fragmentation of cybersecurity regulations is raising the cost of compliance and reducing the quality of cybersecurity by creating unnecessary complexities and inefficiencies. The letter calls on the OECD to leverage its multistakeholder convening power and expertise to facilitate regular dialogue among regulators across countries and sectors, and to work towards greater international alignment and reciprocity of cybersecurity regulations.
These developments motivated this report, which explores regulatory fragmentation as a potential area of future work for the OECD’s Working Party on Digital Security. Regulatory fragmentation occurs when different jurisdictions or sectors have varying, and at times conflicting, rules for the same or similar activities, services or risks. In the field of cybersecurity, it refers to the growing diversity and complexity of legal, regulatory and technical requirements across countries, regions and industries. Rather than a coherent framework, organisations face a patchwork of obligations that differ significantly by jurisdiction, sector and the authorities that have oversight. The absence of widely accepted definitions and commonly shared approaches to managing cybersecurity risks exacerbates the complexity.
Regulatory fragmentation presents particular challenges in the highly interconnected digital environment. Infrastructure, services, and value chains increasingly operate across borders and sectors, while threats propagate globally and often require co-ordinated responses. In this context, unaligned or duplicative regulations can create legal uncertainty and increase compliance burdens. For organisations, fragmentation complicates risk management and may lead to inconsistent or inefficient implementation of cybersecurity measures.
The scale and complexity of regulatory activity in cybersecurity have accelerated sharply in recent years, with a marked increase in both volume and diversity of cybersecurity regulations worldwide since 2013, reflecting the growing importance of cyber resilience for economic and national security (World Economic Forum, 2021[3]). In the European Union alone, more than 120 legislative instruments adopted or proposed since 2020 contain cybersecurity-related provisions (Figure A A.1). Many of these texts overlap or intersect in areas such as security-by-design, critical infrastructure, data protection and digital services, creating an increasingly complex and fragmented regulatory environment that is challenging for regulators and regulated entities to navigate. Globally, the rapid expansion of rules without a unifying framework further complicates compliance and underscores the need for international dialogue and greater co-ordination.
This report supports policymakers and other stakeholders in better understanding the drivers and impacts of fragmentation in cybersecurity regulation, provides a preliminary analysis of the topic and reviews existing efforts to promote greater coherence and alignment. It also suggests potential next steps that the OECD could take towards addressing the problem.