Defragmenting international cybersecurity regulations: a joint LSE - Tech Hub paper

Accelerated by AI technologies and renewed geopolitical conflicts, cybersecurity threats grow in scale and sophistication. The rules adopted by States and regional organizations to counter them now make a complex patchwork of overlapping, sometimes inconsistent norms, to a point where this fragmentation paradoxically risk becoming a problem of its own. The latest publication of the PSIA Tech & Global Affairs Innovation Hub, "Defragmenting International Cybersecurity Regulations," co-authored by Alexander Evans, Professor in Practice and Associate Dean at the London School of Economics School of Public Policy, and Pierre Noro, Adjunct Faculty at Sciences Po Paris and Advisor to the Hub, addresses this issue.

In this brief, that draws on a joint workshop co-organized by the Hub, LSE and Business at OECD in Paris in November 2025, bringing together cybersecurity regulators, industry leaders, and academic experts, the co-authors document how the rapid proliferation of national and regional cybersecurity frameworks—however well-intentioned—has generated a fragmented and increasingly burdensome regulatory landscape. A single cyberattack on a cross-border organization can now trigger overlapping, inconsistent, and sometimes conflicting reporting obligations towards different authorities. The cost of navigating this complexity is steep and growing, especially for businesses operating internationally. 

The harmonization of legal frameworks is also crucial to reinforce cybersecurity as a common good by enabling faster, more synchronized responses to emerging cyber threats: from AI-enabled attacks autonomously scanning and exploiting vulnerabilities or rewriting themselves, to new botnets underlying DDoS campaigns of unprecedented scale. Defragmentation is thus both a financial (some experts project cybercrime costs to reach $10.5 trillion in 2025 alone) and global security matter.

Rather than proposing sweeping overhauls, the authors identify practical, proven pathways for greater international coordination:

• Streamline and align incident reporting, reducing duplication and error while improving the speed and quality of information shared across authorities
• Pursue mutual recognition agreements between national regulatory frameworks, following the model of the landmark 2025 Singapore–South Korea arrangement on cybersecurity labelling for consumer smart products, and harnessing broader multilateral momentum, including within the African Union (Malabo Convention), ASEAN, and the emerging EU–US trade framework
• Empower the OECD, especially its Digital Security Working Party, to serve as a convening hub for regulatory dialogue, standard-setting, and the design of blueprint mutual recognition agreements, building on its existing work on digital security risk management
• Launch an international regulatory sandbox to test new standards through simulated or real incident reporting
• Establish an annual conference on cyber regulation convergence open to all countries, particularly those driving regional frameworks

At a time when multilateral institutions face shrinking resources and political headwinds, this brief makes the case that meaningful regulatory coordination is both achievable and urgent. Universities and neutral convening spaces—like the LSE–Sciences Po partnership that produced this work—have a significant role to play in hosting these conversations.

Learn more by reading the full policy brief: Defragmenting international cybersecurity regulations (PDF, 890Ko)