Every country has a unique approach to legislation and regulation. From a procedural perspective, legislation is produced by a legislature (e.g. the parliament), while regulation (aka secondary legislation, delegated legislation or subordinate legislation) is issued by the bureaucracy. However, whether a particular cybersecurity direction needs to be issued in the form of legislation or regulation depends upon each country’s political and legal tradition.
Furthermore, countries are not the only source of cybersecurity regulation: it can also come from higher level international bodies. For example, the World Forum for Harmonization of Vehicle Regulations adopted UN Regulations on software cybersecurity in vehicles in 2020. In the African context, the African Union (AU) adopted the Convention on Cyber Security and Personal Data Protection—also known as the Malabo Convention, in 2014. This was followed by the release of the Personal Data Protection Guidelines for Africa, a collaborative measure between the Internet Society and the AU in 2018.
In many cases, national governments are free to choose whether they adopt internationally negotiated regulations into their domestic law and regulations. However, governments may have already agreed to adopt all the regulations issued by a particular international body. There are also strong economic incentives to adopt international industry standards: for example, if a country wants to export cars, its companies must follow international standards for car safety.
One way to simplify the approach to legislation and regulation is to start with the national strategy. The strategy should set the national vision and goals for cybersecurity. When producing the strategy, officials consider what legislation and regulation will be needed to achieve these goals and whether there are any gaps or weaknesses in the legal and regulatory framework that already exists. Where there are large gaps or big changes needed, then the strategy can direct that these be addressed, for example, by tasking a ministry with preparing and presenting to parliament a draft law by a certain date.
The Guide to developing a national cybersecurity strategy describes several elements of the legal and regulatory framework that an NCSS might give direction on:
(Source: Guide to developing a national cybersecurity strategy, p.40,46)