The cover page of a 2023 Law Library of Congress report titled Impact of Translations of the NIST Cybersecurity Framework

New Law Library Report Examines Cybersecurity Laws of Several Countries

We know from our daily work that countries are influenced by the legal and policy approaches that are taken by other countries to different issues. For example, governments have considered, or are considering, developments in other jurisdictions in relation to the regulation of artificial intelligence and cryptocurrency. Sometimes, there are international agreements that are implemented into national laws. There are also “soft law” instruments, such as guidelines, recommendations, and standards, which might set out best practices that countries can choose to follow in their own policies, or even reference or implement in their legislation. Approaches can evolve based on a combination of all of these external influences, as well as in response to particular challenges or conditions within a country, historical, cultural, and economic factors, and the structure of governments and legal systems themselves.

For a recent report, we looked at whether and how the laws and policies of selected countries may have been influenced by a particular document – the “Cybersecurity Framework” developed by the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce. This framework is “voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” In particular, we surveyed countries where the language is one of those into which the framework has been translated: Belgium, Brazil, Bulgaria, Chile, Indonesia, Japan, Mexico, Poland, Saudi Arabia, and Ukraine.

In order to see if the NIST framework has had a “direct” impact on regulations in the chosen countries, we first surveyed their cybersecurity laws to find any specific references to the framework. For some countries this involved looking at only a couple of pieces of legislation, such as where there is a primary overarching cybersecurity law, while for others the cybersecurity legal framework is made up of multiple laws and regulations, including sector-specific instruments. We did not, however, find direct references to the NIST framework in these laws.

We next looked at government policy documents and other guidance materials produced by government agencies to assist entities to strengthen their cybersecurity arrangements. At this level, we found several references to the NIST framework, including in cross-sectoral and sector-specific guidance documents, policy papers, and technical reports.

Of course, the influence of the NIST framework, or any other cybersecurity standards and best practices, may not only be seen in direct references to it. A more detailed analysis could involve looking at the contents of the laws, regulations, and policies to find similarities in their approach to that in the framework. As always, our report provides references to primary and secondary sources that could be useful to researchers, lawyers, and those operating businesses in the particular countries. (We also offer reference services to all of these groups!) We also link to such sources in our Global Legal Monitor articles, and we have many articles related to cybersecurity and other cyber-related laws.

Subscribe to In Custodia Legis – it’s free! – to receive interesting posts drawn from the Law Library of Congress’s vast collections and our staff’s expertise in U.S., foreign, and international law.

Comments

  1. Excellent and very insightful article, indeed.
