The increasing fragmentation of cybersecurity regulations across jurisdictions and sectors is the result of multiple, overlapping drivers. The cumulative effect is a regulatory environment that lacks coherence, creates unnecessary complexity and hinders collective progress on improving cybersecurity.
The main drivers of cybersecurity regulatory fragmentation are:
National sovereignty and strategic autonomy: Cybersecurity is closely linked to national security, economic resilience and security, and public trust. As a result, many governments are reluctant to reference or incorporate external frameworks or international standards in their regulations and prefer to develop their own approaches. This can lead to diverging national laws and policies, particularly when regulations are shaped by domestic priorities such as protecting critical infrastructure, enhancing law enforcement capabilities, or achieving industrial policy goals. Efforts to strengthen “digital sovereignty” or “strategic autonomy” have further reinforced this trend in several jurisdictions (Timmers, 2024[4]).
Differing threat perceptions and risk tolerance: Jurisdictions and economic sectors experience cyber threats in differing ways. The frequency, scale, and sophistication of cyber incidents vary across geographies and industries, influencing how governments and regulators assess risk and determine appropriate responses. For example, jurisdictions that have experienced major cyberattacks may adopt more prescriptive and far-reaching regulatory measures, while others may favour risk-based or voluntary frameworks. These differences in exposure to incidents and in levels of risk tolerance shape the development of national or sectoral cybersecurity policies and contribute to the fragmentation of regulatory requirements (World Economic Forum, 2024[5]).
Sector-specific approaches and legacy frameworks: In many jurisdictions, cybersecurity regulation has evolved sector by sector, often under the authority of regulators with specialised mandates (e.g. finance, energy, health, and telecommunications). These sectoral approaches respond to specific operational contexts and regulatory traditions but can lead to significant inconsistencies in obligations, reporting thresholds, enforcement mechanisms and implementation timelines. In some cases, overlapping rules apply to operators that are active in multiple sectors, resulting in duplicative or even conflicting requirements (RiskInsight, 2023[6]). In addition, legacy regulatory frameworks that were not designed for today’s interconnected digital landscape may remain in place and contribute to regulatory complexity.
Economic protectionism and digital trade barriers: Some cybersecurity-related regulatory measures, intentionally or not, favour domestic firms over foreign competitors. Requirements such as local incorporation, data localisation, mandatory technology transfer and the use of certified national suppliers can act as non-tariff barriers to digital trade (OECD, 2022[7]). Although these measures are often framed in terms of national security or the public interest, they contribute to regulatory fragmentation (Akça, 2024[8]). This complicates efforts to achieve interoperability and mutual recognition of standards and may further discourage cross-border collaboration and investment.
Absence of widely accepted definitions and common taxonomies: Cybersecurity regulation frequently suffers from a lack of common terminology (OECD, 2024[9]). Key concepts such as “cyber incident,” “critical infrastructure,” and “essential services” may be defined differently across jurisdictions or left undefined altogether (Ramirez and Choucri, 2016[10]). The lack of a common cybersecurity “language” undermines mutual understanding, hampers co-ordination among regulators and creates confusion for organisations operating in multiple jurisdictions. It also limits the interoperability of reporting mechanisms and impedes the aggregation and comparison of incident data at the international level.
Asynchronous policy development and crisis-driven regulation: Cybersecurity policies and regulations are often developed in response to major incidents, policy cycles, or legislative opportunities, rather than through co-ordinated national or international processes. This asynchronous development leads to regulatory divergence over time, even among jurisdictions with similar cybersecurity objectives (Ruohonen, 2024[11]). Crisis-driven regulations may also prioritise quick action over coherence or international compatibility, increasing the risk of fragmentation. In some cases, new measures are introduced without adequate alignment with existing instruments, both domestically and internationally.
Multiplicity of regulatory actors and overlapping mandates: Within governments, the governance of cybersecurity may involve multiple ministries, regulators, and oversight bodies (OECD, 2019[12]). The absence of a clear lead authority or effective co-ordination mechanisms can result in fragmented or inconsistent rules, particularly when different agencies pursue overlapping objectives (e.g. national security, consumer protection, data privacy, or competition policy). This intra-governmental fragmentation may be exacerbated in decentralised settings, with subnational authorities adopting their own requirements independently of national frameworks.
Recognising and understanding these drivers of cybersecurity regulatory fragmentation is a critical first step towards identifying opportunities for greater alignment and co-ordination. The drivers are often rooted in other important policy aims and institutional realities, creating a complex landscape with concrete and potentially far-reaching consequences for organisations, markets, and international co-operation. These consequences include undermining the effectiveness of cybersecurity efforts and placing unnecessary burdens on organisations; they are explored in the next section.