Towards international coherence of cybersecurity regulations
3. Consequences of fragmentation of cybersecurity regulations
The fragmentation of cybersecurity regulation has significant implications for public and private stakeholders. In today’s heavily interconnected environment, where infrastructure, services, and threats span borders and sectors, inconsistent or overlapping cybersecurity rules can undermine the effectiveness, efficiency, and coherence of cybersecurity efforts. Beyond technical and legal complexity, fragmentation can impose substantial operational, economic, and strategic burdens on organisations. This section outlines the key consequences of regulatory fragmentation across several dimensions.
3.1. The compliance burden increases
Organisations frequently report that one of the most immediate and tangible consequences of fragmentation in cybersecurity regulation is the growing compliance burden they face (CSO, 2025[2]; GSMA, 2025[13]). Businesses operating across multiple jurisdictions must navigate a patchwork of legal and regulatory requirements, each with distinct definitions, reporting obligations and enforcement mechanisms. In the absence of mutual recognition agreements or coherent frameworks, such firms are often required to navigate a multitude of processes, controls and documentation, resulting in significant operational complexity and administrative overhead. This fragmentation not only strains financial and human resources but diverts attention and capacity from innovation and core business activities, particularly for SMEs.
The implementation of the revised EU Directive on the Security of Network and Information Systems (NIS2) illustrates the scale of this burden (European Union, 2022[14]). NIS2 is expected to impact over 160 000 businesses in Europe and potentially more than one million globally due to its extraterritorial reach through interconnected supply chains (Laxmikant, 2024[15]). The average cost of achieving full compliance for a medium-sized enterprise is estimated to be between EUR 200 000 and 500 000 (Laxmikant, 2024[15]), with the total compliance costs across the European Union projected at EUR 31.2 billion annually (Frontier Economics, 2023[16]). Within three to four years of NIS2’s implementation, ICT security spending is anticipated to increase by 12% in sectors previously covered by NIS and by up to 22% in sectors newly brought into scope under NIS2 (European Commission, 2020[17]). Moreover, according to an EU survey collecting data from 1350 organisations from all 27 EU Member States, 89% of organisations report needing to hire additional cybersecurity staff to meet NIS2’s regulatory obligations (ENISA, 2024[18]). However, 34% of SMEs indicate that they will not have the additional resources required to comply with NIS2. Similar resource pressures are expected for compliance with other EU legislation, such as the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the EU Artificial Intelligence Act.
European institutions have begun to recognise challenges related to the multiplication of cybersecurity regulations, both between EU-level and Member-State-level regulations, and across EU regulations. In its 2024 Conclusions on the future of EU cybersecurity policy, the Council of the European Union cautioned against fragmentation, duplication, and overlap of EU cybersecurity rules, urging the European Commission to ensure coherence and map the interplay of horizontal and sectoral frameworks. The Council also recognised implementation challenges across Member States, particularly for incident reporting, and called on ENISA, the EU Cybersecurity Agency, and relevant networks to support consistent application (Council of the European Union, 2024[19]). Areas identified as requiring further coherence include cybersecurity certification, incident reporting and security-by-design requirements (ENISA, 2024[20]).
In Japan, the Cyber Response Capability Strengthening Act, enacted in May 2025, introduced mandatory cyber incident reporting obligations for critical infrastructure operators and other designated entities. Businesses subject to the law must notify government authorities promptly when significant cybersecurity incidents occur, enabling co-ordinated national response. The Act also established new requirements for operational co-ordination and information sharing between private entities and public agencies to improve situational awareness and resilience. Overall, these measures target businesses whose systems are critical to national security and economic stability, concentrating obligations on the operations whose compromise would have the most severe consequences (Dobell and O’Neill, 2025[21]; Digital Policy Alert, 2025[22]).
In the United States, the Government Accountability Office (GAO), the National Security Telecommunications Advisory Committee (NSTAC) and the Office of the National Cyber Director (ONCD), as well as hearings held by the US House Committee on Oversight and Accountability’s Subcommittee on Cybersecurity, Information Technology, and Government Innovation (Committee on Oversight and Government Reform, 2024[23]), have documented a similar proliferation of regulatory requirements and its possible negative effects. Drawing on stakeholder input, they recognised the overall positive impact of cybersecurity regulations on risk reduction but highlighted that the unco-ordinated and inconsistent multiplication of requirements across federal and state levels can impose significant administrative burdens and divert resources from core cybersecurity activities. They noted, for example, that multiple regulators overseeing similar requirements may create overlapping and duplicative demands, introduce vague or conflicting definitions, and require repeated assessments requesting substantially the same information, thereby increasing compliance costs without commensurate gains in security outcomes (US GAO, 2025[24]). They further highlighted that unprioritised regulatory requirements at the domestic, sectoral and international levels strain organisational cybersecurity budgets, resources and priorities, burden stakeholders and produce suboptimal outcomes (US NSTAC, 2024[25]). These bodies, however, focused primarily on domestic rather than international fragmentation of cybersecurity regulations, although cross-border aspects were also mentioned.
3.2. Resources may be diverted from cybersecurity to compliance
Firms have limited resources for cybersecurity. Every expense, each unit of staff time or expertise devoted to cybersecurity without reducing cybersecurity risk through concrete technical, operational, or organisational measures represents a potential opportunity cost. A recent industry survey covering 500 large enterprises in the United States and the United Kingdom found that 92% of respondents increased their cybersecurity budgets, with over one-third reporting budget increases of 20-49% and nearly one-quarter seeing increases above 50%. Yet only 40% believed they had made investments sufficient to comply with relevant regulations, while 19% admitted to having made minimal progress (Swimlane, 2024[26]). These figures suggest a mismatch between regulatory expectations and organisational capacity, underscoring the potential value of more coherent and interoperable policy approaches that would reduce compliance costs and improve security outcomes.
These challenges are not limited to the private sector. Public authorities also face increasing implementation demands, including the recruitment of specialised IT personnel to administer and monitor bespoke regulatory compliance. This poses a significant cost and capacity challenge, particularly as governments compete with the private sector for scarce cybersecurity expertise (Frontier Economics, 2023[16]).
National cybersecurity regulations are designed to strengthen firms’ security posture, for example by imposing minimum requirements and incentivising better risk management. In principle, the associated compliance costs constitute a contribution to cybersecurity risk reduction, as they reflect investments that support more robust security practices. However, when these regulations are fragmented across jurisdictions, they generate additional compliance costs. These costs absorb financial, human, and managerial resources that might otherwise be invested in the effective implementation of the obligations themselves or in concrete cybersecurity measures. In economic terms, regulatory fragmentation can therefore create allocative inefficiencies: instead of enhancing security outcomes, it may redirect resources towards administrative adaptation and legal alignment. This raises a critical policy question as to whether, and to what extent, international fragmentation of cybersecurity regulations becomes counterproductive, potentially weakening the very cybersecurity efforts that such regulations are intended to support.
In the summary of its 2023 Request for Information on cybersecurity regulatory harmonisation1, the US ONCD reflected respondents’ views that the lack of harmonisation among federal, state, and, in some cases, international regulations harms cybersecurity outcomes while increasing compliance costs. Many stakeholders stressed that resources devoted to compliance were consequently diverted from core cybersecurity programmes, with some CISOs reporting that 30% to 50% of their time is spent on regulatory compliance. Respondents also indicated that investments in compliance across multiple regulatory regimes intended to control the same risk often resulted in a net reduction in programmatic cybersecurity spending (US Office of the National Cyber Director, 2024[27]).
Similarly, according to the NSTAC, duplication of and conflicts between regulated cybersecurity-related requirements cause significant confusion and strain on organisational cybersecurity budgets, resources, and priorities. In practice, many regulated and industry standards require organisations to implement and operate the same or similar cybersecurity controls. Individual organisations’ security and compliance teams are frequently left to decide which controls to implement based on which offer the least negative regulatory consequences, rather than on how controls appropriately mitigate cybersecurity risks (US NSTAC, 2024[25]).
Furthermore, during US House congressional hearings, witnesses and members similarly emphasised that duplicative and inconsistent regulations force firms to divert manpower and resources to compliance at the expense of cybersecurity capability enhancements (Committee on Oversight and Government Reform, 2024[23]). Consistently, GAO acknowledged that handling overlapping, duplicative, or conflicting federal cybersecurity regulations can divert resources from securing systems. In addition to financial costs, these regulations affect staff time, for example, identifying duplicative rules, confirming definitions, filling out multiple reporting requirements, and meeting differing deadlines, forcing senior leadership and key personnel to split their attention between incident response and compliance tasks. Staff expertise is also affected, as internal personnel hired for cybersecurity skills may be reassigned to complete compliance obligations (US GAO, 2025[24]).
While cybersecurity regulatory fragmentation affects businesses of all sectors and sizes (US NSTAC, 2024[25]), its impact varies with organisation size. Small organisations often face the same regulatory obligations as larger entities but may lack dedicated compliance staff and may not even be fully aware of the cybersecurity regulations they are subject to. For them, compliance costs can quickly deplete limited resources and affect core business capacity. Large organisations typically have more resources for compliance, but their costs can still rise considerably as they become subject to additional regulatory requirements, depending on their sector and whether they operate internationally (US GAO, 2025[24]).
While these challenges primarily relate to domestic fragmentation, their impact is not contained within national borders. Firms subject to several domestic regulatory frameworks must simultaneously reconcile overlapping jurisdictions, substantive divergences and procedural misalignments. This transforms compliance from a technical standardisation problem into a multi-layered legal, operational and strategic governance challenge, further amplified by differences in language and in legal and regulatory cultures. Furthermore, regulation alone is insufficient: effective cybersecurity policy also requires regularly assessing sectoral maturity levels and providing guidance so that regulatory requirements reflect organisations’ varying levels of preparedness.
These findings also point to a potential risk for innovation and competitiveness. Although there are no studies directly quantifying the impact of cybersecurity regulatory fragmentation on firms’ innovation, broader economic research indicates that complex regulatory environments can constrain innovation and reduce efficiency. The OECD has noted that overly complicated rules and high compliance costs can undermine efficiency, innovation, and growth, creating competitive disadvantages for firms relative to simpler and better-designed regulatory frameworks (OECD, 2025[28]). When firms must allocate scarce resources to satisfy overlapping or divergent regulatory requirements, they may divert attention and investment away from developing new products, improving technologies, or enhancing operational capabilities. This suggests that regulatory fragmentation in cybersecurity, through duplication, inconsistency, or conflicting obligations, could similarly reduce organisations’ capacity to innovate and compete effectively, even if the precise impact in the cybersecurity domain remains to be empirically measured.
3.3. International co-operation and resilience are weakened
Cybersecurity threats frequently transcend national and sectoral boundaries, yet fragmented regulatory environments can hinder timely co-operation and collective responses. Differences in information sharing rules, incident classification or enforcement practices can obstruct joint investigations, threat intelligence exchanges and co-ordinated crisis management across borders (Sedenberg and Dempsey, 2018[29]).
Without interoperable frameworks or shared standards, trust between stakeholders may erode. For example, a company certified under one national regime may not be recognised under another, requiring redundant certification efforts and limiting cross-border service provision. This also reduces the efficiency of collective security efforts and complicates public-private co-operation in responding to large-scale incidents.
Fragmentation can also create blind spots where incidents falling outside the scope of one jurisdiction’s rules are not reported or addressed, weakening situational awareness at the global level. For instance, research on cybersecurity in connected vehicles shows that while many international standards and regulations exist, they diverge in scope, technical specificity, and treatment of risks such as security-by-design or personal data protection. This uneven coverage leaves certain vulnerabilities unaddressed in some jurisdictions, illustrating how fragmented rules can undermine global awareness and hamper the collective management of emerging cross-border threats (Hegyi and Erdődi, 2025[30]).
3.4. Market incentives may be distorted
Fragmentation in cybersecurity regulation can incentivise regulatory arbitrage, where companies strategically locate their digital operations, such as data hosting, product development or service delivery, in jurisdictions with the least stringent rules in order to minimise compliance burdens and costs. For example, variations in how countries implement or apply EU rules such as the NIS2 Directive or the GDPR can drive firms to shift infrastructure and services to more permissive jurisdictions to avoid duplication and uncertainty (Walden and Michels, 2022[31]).
In parallel, some companies can go further by limiting their market presence or withdrawing entirely from regions where regulations are perceived as excessively burdensome (Wright, 2025[32]). Markets with comparatively high compliance costs, disproportionate documentation or staffing requirements and fragmented enforcement structures are less attractive, especially to smaller or resource-constrained firms. When firms deliberately reduce their participation in relatively heavily regulated markets, it may not only harm competition there but may also slow technological diffusion and the development of cybersecurity capacity, potentially leaving such markets more vulnerable in the long term.
Eventually, regulatory arbitrage could lead to a “race to the bottom”, in which jurisdictions compete to attract business by lowering cybersecurity standards. This would undermine efforts to raise global baseline protections and put companies that invest in robust security practices at a competitive disadvantage, although there would be a countervailing possibility that having better security practices would put them at a competitive advantage. In any event, without international co-ordination and mutual recognition mechanisms, the fragmentation of regulatory environments may incentivise the avoidance, not the adoption, of high standards, weakening collective cyber resilience.
3.5. Trust and policy coherence are eroded
Finally, regulatory fragmentation can weaken trust in public institutions and in the digital economy more broadly (OECD, 2025[28]). When stakeholders are confronted with inconsistent rules or unco-ordinated responses to incidents, confidence in the predictability and fairness of regulatory systems may decline. It can discourage engagement with authorities and reduce the transparency of risk management practices, and lead businesses and consumers to question whether regulations are applied equitably. Over time, such uncertainty may also undermine public confidence in digital services and the broader digital ecosystem, particularly when similar incidents are treated differently across jurisdictions, giving the impression of uneven protection standards. Fragmented approaches may also erode trust between governments, slowing the development of co-ordinated strategies for addressing global cyber threats.
For governments, fragmentation undermines the ability to assess policy effectiveness, identify systemic risks and benchmark progress. Divergent regulatory frameworks increase the risk of duplication, overlapping mandates, and inconsistent enforcement, which can complicate policy evaluation and decision-making. This can also complicate international dialogue and make the pursuit of global or regional agreements more difficult (CEPR, 2022[33]). Divergent rules and inconsistent enforcement across jurisdictions require negotiators to reconcile multiple, sometimes conflicting, regulatory approaches before reaching consensus. This slows the development of coherent frameworks, reduces the likelihood of mutually recognised standards and may result in compromises that weaken the overall effectiveness of agreements. In turn, governments may struggle to co-ordinate cross-border responses to emerging cyber threats, share threat intelligence efficiently or implement joint resilience measures, ultimately limiting the collective ability to strengthen cybersecurity at a regional or global level.
Note
1. In this document, the term “harmonisation” is used only when referring to specific domestic or regional initiatives that seek to align rules within an internal framework (e.g. domestic efforts within the US or regional initiatives within the EU). In all other contexts, the document uses “coherence” to describe enhanced consistency and interoperability across jurisdictions in a less prescriptive manner, recognising differences in legal systems, institutional arrangements, and regulatory mandates.