Cybersecurity regulation is fragmenting the global economy — LSE and Sciences Po call for urgent reform
New joint policy paper sets out practical steps to reduce regulatory duplication, cut compliance costs, and strengthen cyber defences across borders.
London / Paris, April 2026. The London School of Economics and Sciences Po Paris today published a joint policy paper arguing that fragmented cybersecurity regulation is suppressing economic growth and undermining national security — and that practical, achievable reforms can change this.
The paper, authored by Alexander Evans (Professor in Practice, LSE School of Public Policy) and Pierre Noro (Adjunct Faculty, Sciences Po Paris), draws on a landmark workshop held in Paris in November 2025 that brought together cybersecurity regulators from OECD member countries, industry leaders, and academic experts. It argues that cyber threats do not respect sectoral or national boundaries but regulations increasingly do.
Medium and large companies now face a complex, overlapping web of incident reporting obligations. A single ransomware attack on a US hospital, for example, can trigger five separate reporting requirements under different federal and state regimes, with deadlines ranging from one hour to 90 days. Companies operating across EU member states may face up to 27 distinct compliance frameworks under NIS2 alone, despite the directive's harmonising intent.
The paper identifies three practical levers for reform: simplifying and aligning incident reporting requirements; pursuing bilateral and multilateral mutual recognition agreements — citing the successful Singapore–South Korea cybersecurity labelling arrangement launched in January 2025 as a model and establishing a dedicated international regulatory forum, with the OECD well placed to lead it.
"The cost of regulatory fragmentation is not abstract," said Professor Evans. "It diverts cybersecurity talent to compliance paperwork, degrades the quality of incident data, and slows coordinated responses to emerging threats at precisely the moment when AI is accelerating the scale and speed of attacks."
The paper calls on governments, regulators, and the OECD to treat regulatory defragmentation as a growth and security priority in 2026.
About the authors: Alexander Evans is Professor in Practice and Associate Dean at LSE School of Public Policy, and a former senior UK diplomat. Pierre Noro is Adjunct Faculty at Sciences Po Paris and Université Paris-Cité, and an adviser to the Sciences Po Tech & Global Affairs Hub. The paper was supported by Microsoft.