Building boundaries in borderless world. Adapting the international regulations to local laws.

In cybersecurity, if you look for a benchmark, you look either at a local or international regulation (in that order) or at a framework. Both consist of practices that will help you achieve resilience. In a previous article, I discussed regulations as guardians of trust. To summarize: major foreign players will be more interested in investing in a country whose entities obey laws and regulations. So... if international rules and regulations are widely considered the good standard... why translate them into local ones?

For example, in Poland the governing data protection law is the GDPR, but there is also a local one: the Act of May 10, 2018, on the Protection of Personal Data.

I find five reasons for this "local alignment" of international security standards in IT:

  1. Each country has its own legal system and regulatory framework. Local versions of international regulations ensure that the principles and requirements of the international standard fit within the existing national legal context.
  2. Different countries have varying cultural norms and societal values that can impact the implementation and interpretation of regulations. Reflecting local norms brings greater acceptance and compliance.
  3. Local versions can take differences in economic conditions and the structure of industries into account, providing guidelines that are practical and feasible for local businesses and organizations.
  4. Countries need regulations that are enforceable within their own legal systems and by their own regulatory bodies. The truth is that the administrative capacities and operational practices of regulatory bodies differ across countries.
  5. Countries may have specific national interests or security concerns that necessitate deviations or additional provisions compared to the international regulation.

Knowing the above, national governments introduce a layer of regulation adjusted to local law, to assure that while international standards are complied with, no local requirement is left out or tampered with in the wrong way.

Examples:

  • ISO/IEC 27001 being adopted in the US as ANSI/ASIS/ISO/IEC 27001-2013
  • The NIST SP 800 framework being adapted in Australia as the Australian Government Information Security Manual (ISM)

The differences usually cover the entities you need to report incidents to, the scope and form of what you need to report, or the consequences of harmful actions. Every country, even in the Schengen zone, cares about its borders.

And it is the local regulation, based off the international one, where you should start building your cybersecurity from.

In the borderless world of digital, governments draw the lines with a thicker pen.
