We know from our daily work that countries are influenced by the legal and policy approaches that are taken by other countries to different issues. For example, governments have considered, or are considering, developments in other jurisdictions in relation to the regulation of artificial intelligence and cryptocurrency. Sometimes, there are international agreements that are implemented into national laws. There are also “soft law” instruments, such as guidelines, recommendations, and standards, which might set out best practices that countries can choose to follow in their own policies, or even reference or implement in their legislation. Approaches can evolve based on a combination of all of these external influences, as well as in response to particular challenges or conditions within a country, historical, cultural, and economic factors, and the structure of governments and legal systems themselves.
For a recent report, we looked at whether and how the laws and policies of selected countries may have been influenced by a particular document – the “Cybersecurity Framework” developed by the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce. This framework is “voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” In particular, we surveyed countries where the language is one of those into which the framework has been translated – Belgium, Brazil, Bulgaria, Chile, Indonesia, Japan, Mexico, Poland, Saudi Arabia, and Ukraine.
In order to see if the NIST framework has had a “direct” impact on regulations in the chosen countries, we first surveyed their cybersecurity laws to find any specific references to the framework. For some countries this involved looking at only a couple pieces of legislation, such as where there is a primary overarching cybersecurity law, while for others the cybersecurity legal framework is made up of multiple laws and regulations, including sector-specific instruments. We did not, however, find direct references to the NIST framework in these laws.
We next looked at government policy documents and other guidance materials produced by government agencies to assist entities to strengthen their cybersecurity arrangements. At this level, we found several references to the NIST framework, including in cross-sectoral and sector-specific guidance documents, policy papers, and technical reports.
Of course, the influence of the NIST framework, or any other cybersecurity standards and best practices, may not only be seen in direct references to it. A more detailed analysis could involve looking at the contents of the laws, regulations, and policies to find similarities in their approach to that in the framework. As always, our report provides references to primary and secondary sources that could be useful to researchers, lawyers, and those operating businesses in the particular countries. (We also offer reference services to all of these groups!) We also link to such sources in our Global Legal Monitor articles, and we have many articles related to cybersecurity and other cyber-related laws.
Subscribe to In Custodia Legis – it’s free! – to receive interesting posts drawn from the Law Library of Congress’s vast collections and our staff’s expertise in U.S., foreign, and international law.