This report documents the width and depth of fragmentation of cybersecurity regulation in the Indo-Pacific – focusing on Australia, Japan, South Korea and Indonesia. It investigates whether the divergent regulatory burdens placed on the private sector is creating a systemic vulnerability and therefore deserves a strategic policy response. The shared principles among the four Indo-Pacific nations offer a sound base to pursue a targeted harmonisation agenda. 

Cyberspace and technology are borderless but their infrastructure and operations are bound by national laws shaped by differing threat perceptions and governance models. That has created a mishmash of regulatory obligations, particularly in regions lacking a common market such as the Indo-Pacific.

The paper concludes that there is a strong degree of coherence in the principles and overall approaches to cybersecurity governance, but fragmentation arises primarily at the level of implementation. This is creating negative effects on corporate cybersecurity culture, operational efficacy and responsiveness. It also creates barriers to innovation and international cooperation. Taken together, the paper concludes the issue deserves a strategic policy response by Indo-Pacific policymakers.