This report illustrates that regulatory fragmentation in cybersecurity is a systemic problem, driven by multiple, overlapping factors and with tangible consequences for organisations. The drivers often reflect legitimate domestic priorities and include asynchronous policy development, sector-specific approaches, and national sovereignty. Their cumulative effect produces a regulatory landscape whose very complexity is itself becoming a challenge to enhanced cybersecurity. While the more immediate and direct effects include increased compliance costs and the diversion of human and financial resources away from effective risk reduction, in the longer term fragmentation risks undermining the positive effects of cybersecurity regulation, fuelling downward regulatory arbitrage, slowing down efforts to reduce cybersecurity risk, discouraging innovation, and eroding trust in digital systems and institutions.
The current moment represents an inflection point. The pressure to address cybersecurity risks is unlikely to abate. Emerging risks, rapid technological change and deepening digital dependencies continue to expand the policy agenda and increase expectations for regulatory action. In this context, the OECD is well placed to serve as a neutral forum to convene stakeholders, consolidate evidence on impacts and costs, and support the development of practical tools to foster greater coherence across jurisdictions. In the absence of timely and deliberate action to manage both current and emerging fragmentation, counterproductive effects are likely to compound over time, reinforcing, and in some cases worsening, existing challenges. As domestic and regional initiatives gain momentum, early co-ordination supported by the OECD can help steer new measures towards greater coherence.