Efforts to address fragmentation in cybersecurity regulations are developing, with several initiatives emerging at national and regional levels. These initiatives reflect a growing recognition among policymakers, regulators and industry stakeholders of the need for greater coherence in the overall cybersecurity regulation landscape to reduce unnecessary compliance costs, facilitate cross-border operation and enhance cyber resilience.
Towards international coherence of cybersecurity regulations
4. Existing efforts to foster cybersecurity regulatory coherence
4.1. Domestic initiatives have emerged to enhance coherence
Some efforts to enhance the coherence of cybersecurity regulation are taking place at the domestic level. In the United States, the NIST Cybersecurity Framework, initially developed in 2014, was explicitly designed as a common voluntary framework to harmonise cybersecurity risk management practices across sectors and levels of government (NIST, 2024[34]). At the strategic level, the 2023 National Cybersecurity Strategy pointed out the need for regulators to work together to minimise harms resulting from conflicting, duplicative, or overly burdensome federal regulations, and to harmonise assessments and audits of regulated entities (US White House, 2023[35]). More recently, the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) established a single federal cyber incident reporting regime for critical infrastructure entities, administered by the Cybersecurity and Infrastructure Security Agency (CISA). It creates a centralised reporting mechanism with information sharing across agencies, reducing duplicative reporting burdens. The law was justified in part by overlapping obligations across sectoral regulators, inconsistent timelines and definitions, and duplication of submissions to multiple federal agencies. CISA is directed to issue implementing regulations specifying what must be reported, reporting mechanisms, timelines, and thresholds for reportable incidents. As of February 2026, CISA was carrying out public engagement to draft these rules (US Federal Register, 2026[36]).
A standalone agency may also streamline its own regulatory requirements to enhance coherence. For example, the US Securities and Exchange Commission (SEC) has strengthened requirements for cybersecurity disclosure by publicly traded companies. Early guidance allowed voluntary reporting of cyber risks and incidents, leading to wide variation across firms. In 2023, the SEC adopted a formal rule standardising timelines, content, and board oversight reporting. This ensures comparability, reduces ambiguity, and enhances transparency and accountability in corporate cybersecurity risk management (Securities and Exchange Commission, 2023[37]).
Other efforts have aimed to enhance coherence across cybersecurity requirements affecting federal agencies. The 2022 Federal Information Security Management Act (FISMA) modernisation clarified federal roles, centralised oversight and reporting, and standardised technical baselines (US CISA, n.d.[38]). Complementing this, the Federal Risk and Authorization Management Program (FedRAMP) provides a common framework for authorising cloud services across federal agencies, avoiding duplicative agency-specific assessments. The ongoing FedRAMP 20x initiative further enhances coherence by streamlining authorisations, introducing reciprocity across agencies, and reducing administrative burden, ensuring that agencies can leverage approved cloud services without repeated evaluations (FedRamp, 2026[39]).
4.2. Regional coherence initiatives are developing
The EU provides an example of regional efforts to strengthen cybersecurity in a co-ordinated or harmonised way across its Members. The 2016 NIS Directive and its 2022 successor NIS2 have built a common baseline of cybersecurity requirements, particularly on risk management measures and incident reporting.1 These directives can be understood as instruments that simultaneously enhance coherence and preserve a degree of fragmentation within the EU. Relative to the pre-NIS landscape, characterised by largely unco-ordinated and sometimes absent national cybersecurity regimes, these directives significantly increased coherence by establishing common sectoral scope, baseline risk-management requirements, and incident reporting obligations. NIS2 further deepened this coherence by expanding coverage and clarifying supervisory and enforcement mechanisms. However, because both instruments are directives rather than directly applicable regulations, they require national transposition, allowing for variation in several areas. As a result, while the NIS regime reduces fragmentation compared to the pre-existing baseline, it does not eliminate it entirely: coherence has increased, but residual divergence persists due to the legal nature of the instrument.
In 2024, the Council of the European Union called on the Commission to prepare a mapping of relevant reporting obligations across EU cyber and digital legislation to identify opportunities to reduce administrative burden, and encouraged harmonisation and the use of common standards to support implementation of EU cybersecurity legislation, including NIS2 and the Cyber Resilience Act. It also strongly cautioned against fragmentation, duplication, or overlap across sectoral or special‑purpose initiatives (Council of the European Union, 2024[19]). In the following year, the European Commission signalled a shift from adding relatively siloed regulation to making the existing stack function better as a whole.
The Commission’s Digital Omnibus approach seeks to simplify, modernise and harmonise overlapping EU digital rules across multiple regulatory domains, including cybersecurity, data protection, digital services, and digital risk management, to reduce fragmentation, lower compliance burdens, and strengthen coherence. The Digital Omnibus is expected to make a targeted set of technical amendments across existing instruments to “bring immediate relief” in compliance costs and to “stimulate [the region’s] competitiveness” (European Commission, 2025[40]). In practical terms, for instance, the Commission proposes the creation of a single entry point for reporting cybersecurity incidents and data breaches, and working towards common reporting templates for data breach notifications. It also proposes aligning certification requirements under existing and new digital legislation, such as NIS2, the Cybersecurity Act, and DORA, to ensure that a certification granted in one Member is mutually recognised across the EU, reducing duplication of testing and audit processes. At the time of writing (Q1 2026), the Digital Omnibus legislative package is in progress.
Other regional efforts towards enhancing coherence take place at a higher level and focus on co-ordinating policy approaches rather than regulation. They include the Asia-Pacific Economic Cooperation’s (APEC) Framework for Securing the Digital Economy, which aims to support interoperability and trust among its 21 member economies (APEC, 2019[41]). Similarly, the African Union’s Convention on cybersecurity supports the development of national cybersecurity strategies and legislation, helping to reduce regulatory gaps between the 55 member countries (African Union, 2014[42]).
4.3. Existing bilateral and multilateral co-operation can support regulatory coherence
A direct example of a bilateral effort at improving coherence is the US-EU initiative announced in 2024 by the European Commission’s DG CONNECT and the US Department of Homeland Security (DHS) to compare cyber reporting elements with a view to better aligning their approaches (European Commission, 2024[43]). As a first step, a joint comparative assessment was developed by ENISA and CISA. The report maps similarities and divergences between DHS recommendations on harmonising federal incident reporting and the EU’s incident reporting framework under NIS2 across six areas: definitions and thresholds, timelines and triggers, report contents, reporting mechanisms, aggregation, and public disclosure (European Commission, 2024[44]).
Other bilateral initiatives have tended to incorporate elements of regulatory coherence within a broader agenda of international co-operation on cybersecurity. Related work appears to continue through regular dialogues and exchanges on regulatory developments, partnerships between national cybersecurity agencies, and arrangements such as information-sharing platforms and joint exercises. One example is the US-EU Trade and Technology Council (TTC), which established a dedicated working group on ICT security and competitiveness with the aim of identifying areas for regulatory co-operation (European Commission, 2024[45]).
Another example is the UK-Japan Strategic Cyber Partnership, which refers to promoting “regulatory and standards alignment” as part of efforts to strengthen cyber resilience (GOV.UK, 2026[46]). The Japan-EU Cyber Dialogue has similarly included on its agenda updates and exchanges on recent cybersecurity policy and regulatory developments, including on issues such as critical infrastructure and incident reporting (Ministry of Foreign Affairs of Japan, 2026[47]; European Union, 2026[48]). Similarly, countries such as Australia, Canada, Japan, Korea and the United States, as well as the European Union, have engaged in digital partnerships or dialogues that include cybersecurity, and specifically discussions on aligning cybersecurity requirements, as central agenda items (European Commission, 2025[49]). These platforms allow for the exchange of best practices and may serve as incubators for more structured alignment over time.
Mutual recognition mechanisms, reciprocity agreements, and trade agreements can also be used as vehicles for enhanced coherence. For example, the Joint Statement on the US-EU Framework on an Agreement on Reciprocal, Fair, and Balanced Trade noted that the United States and the European Union will commit to negotiate a mutual recognition agreement on cybersecurity (European Commission, 2025[50]).
At the multilateral level, regulatory coherence has often been advanced through broader consensus-building processes. Co-operation has focused on developing shared policy principles and agreeing on common language and approaches that can indirectly support greater interoperability. Among others, the OECD has adopted several Council Recommendations on digital security, including on cybersecurity risk management, the cybersecurity of products and services, and the cybersecurity of critical infrastructures (OECD, 2022[1]).
Another multilateral initiative is the United Nations Open-Ended Working Group (OEWG) and its predecessor, the Group of Governmental Experts (GGE), which have reached consensus on voluntary norms of responsible state behaviour in cyberspace, including the importance of co-operation and information sharing (United Nations, 2021[51]). Although non-binding, such initiatives can serve as shared reference points that can inform domestic regulatory design and support international coherence over time. However, their high-level policy content may be less useful for specifically aligning detailed regulatory requirements affecting businesses.
4.4. Technical standards and certification are useful tools for fostering regulatory alignment
International standards can play a crucial role in supporting coherence by providing a common language and framework for cybersecurity risk management. Examples of globally referenced technical standards include the 27000 series on information security of the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) (ISO/IEC, 2022[52]) and recommendations from the International Telecommunication Union (ITU) (ITU, 2025[53]). Other examples of widely recognised standards include the NIST Cybersecurity Framework (NIST, 2024[34]) and ETSI standards.
In parallel, there are growing efforts to co-ordinate conformity assessment and certification schemes. The EU Cybersecurity Certification Framework under the Cybersecurity Act is designed to foster trust and mutual recognition within the EU (European Commission, 2025[54]), and the Common Criteria Recognition Arrangement aims to enable cross-border recognition of certified ICT products (Common Criteria, 2014[55]). Moreover, industry-driven consortia such as the Charter of Trust emphasise the importance of “developing a consistent and harmonized policy framework” in the EU region to ensure the resilience of supply chains and critical infrastructure (Charter of Trust, 2024[56]).
Despite this growing number of initiatives on international coherence in cybersecurity regulations, there remains considerable room for development. Given the non-binding nature of existing standards, they may be interpreted differently across jurisdictions. In addition, some initiatives are explicitly regional in scope, which can limit their applicability at the global level.
Note
1. The initial NIS Directive has been further complemented by other instruments, including the EU Cybersecurity Act with respect to certification, DORA on operational rules in the financial sector, the CRA on digital products, and the AI Act on AI systems and models across the EU (European Union, 2022[58]; European Union, 2019[61]; European Union, 2024[60]; European Union, 2024[59]).