OECD warns on cybersecurity regulation fragmentation
The OECD said SMEs may be especially affected by overlapping cybersecurity obligations across jurisdictions and sectors.
The Organisation for Economic Co-operation and Development (OECD) has published a policy paper warning that growing fragmentation in cybersecurity regulation is increasing compliance burdens, weakening international cooperation, and potentially diverting resources away from core security work.
The paper, ‘Towards international coherence of cybersecurity regulations’, examines how diverging rules across jurisdictions and sectors are creating a complex regulatory landscape for governments and businesses. It says fragmentation can stem from differing national security priorities, sector-specific frameworks, legacy rules, protectionist measures, crisis-driven policymaking, overlapping mandates, and the absence of shared definitions.
According to the OECD, the consequences include higher compliance costs, duplicated reporting and documentation, weaker cross-border cooperation, distorted market incentives, and reduced trust in regulatory systems. Small and medium-sized enterprises may be especially affected because they often lack the financial and human resources to manage overlapping obligations.
The paper warns that fragmented rules can divert financial, human, and managerial resources from practical cybersecurity measures towards administrative adaptation and legal alignment. It says the growing complexity of cybersecurity regulation is itself becoming a challenge to stronger cybersecurity.
The OECD also highlights the rapid expansion of cybersecurity-related regulation in Europe. Its annex maps enacted and proposed EU legislation with cybersecurity provisions since 2020, covering areas such as incident reporting, security-by-design, critical infrastructure, data protection, digital services, and operational resilience.
The report maps existing efforts to improve coherence at domestic, regional, bilateral, and multilateral levels. Examples include the US NIST Cybersecurity Framework, EU initiatives linked to NIS2, bilateral cooperation, mutual recognition mechanisms, and international technical standards.
The OECD concludes that regulatory fragmentation is becoming a systemic challenge and says it is well placed to support dialogue, strengthen the evidence base, and help develop practical tools for more coherent cybersecurity regulation across jurisdictions.
Why does it matter?
The paper highlights a central tension in cybersecurity policy: more regulation can improve resilience, but poorly coordinated rules can also create duplication, raise costs, and divert resources away from practical risk reduction. For companies operating across borders, coherent reporting, shared definitions, and better regulatory alignment could become as important as the rules themselves.
