John McLoughlin | CEO | J2 Software
Regulation is meant to protect customers, curb risk and keep businesses accountable. However, too often, today’s laws do the opposite. They create impossible trade-offs, criminalise good-faith defenders and punish organisations that try to do the right thing.
Instead of enabling resilience, rigid rules and prescriptive mandates can turn compliance into fragility. As a result, both businesses and consumers become more vulnerable than before. This puts cyber resilience at risk.
How lawmakers are undermining cyber resilience
Gartner’s 2025 research confirms a critical shift. Security and risk management leaders are moving beyond a pure prevention mindset. They are embedding resilience and visibility into how organisations operate. This shift has a direct bearing on how lawmaking should evolve. If regulation is to enable good outcomes, it must avoid forcing bad ones.
I see this problem in several concrete ways. Some laws create conflicting obligations. For example, they demand immediate disclosure of an incident while simultaneously restricting the sharing of forensic details. This conflict can turn an attempt to contain harm into an act of legal exposure.
Prescriptive technical or procedural mandates also create problems. They often assume large budgets and specialist teams. Smaller and mid-sized organisations, which must prioritise limited resources, are disadvantaged as a result.
Penalties that ignore intent or mitigation efforts can also do harm. They punish organisations that invested in reasonable defences but were outpaced by an unforeseeable threat.
Moreover, rules written for outdated technologies do not translate cleanly to modern environments. These include cloud computing, artificial intelligence, machine identities and complex third-party dependencies. In such cases, cyber resilience is at risk from regulation that hasn’t kept pace with change.
Hiding problems to avoid punishment
The practical effect of such regulation is troubling. More and more organisations are recognising that prevention alone is not enough. Resilience, the ability to detect, adapt, recover and learn, must be embedded in people, processes and tools.
At the same time, tool sprawl and disconnected controls are making visibility worse. They reduce situational awareness and make a coherent incident response much harder.
When compliance requirements focus on ticking boxes and enforcing prescriptive controls, rather than prioritising visibility and recoverability, the result is brittleness. Businesses become less able to act quickly and transparently when new threats emerge. This dynamic brings real social and business costs.
When regulation creates impossible trade-offs, it introduces moral hazard. Honest organisations may hesitate or hide problems to avoid punishment. Meanwhile, others may gain a legal advantage by doing less.
Fragility increases under these conditions. Firms that cannot respond quickly to incidents suffer higher recovery costs and greater reputational damage. This regulatory approach puts cyber resilience at risk across the ecosystem.
Worse still, regulation can criminalise circumstances rather than conduct. When laws penalise outcomes without considering intent, mitigation, or the pace of technological change, legal risk becomes unavoidable. Innovation also suffers. Organisations may avoid experimentation when regulatory compliance feels too uncertain or too costly.
Good faith provisions are essential
If regulation is to serve its intended purpose, it must enable the right actions. From my perspective, effective legal design should focus on outcomes rather than prescribing specific means.
Laws should set clear goals, such as protecting customer data, enabling timely recovery, and ensuring transparency. However, they should also give organisations the flexibility to choose technical and operational approaches that suit their size and risk profile.
Safe harbour or good faith provisions are essential. Organisations that act transparently and follow recognised best practices should not face punitive consequences for imperfect outcomes.
Regulatory frameworks should also mandate and reward visibility. Requiring inventories of systems, dependencies and third-party risks, along with obligations to monitor and report exposures, makes operational resilience possible. Regulations should allow emergency mitigation measures when justified. Post-incident reporting and accountability can follow. This approach is better than forbidding actions that might prevent greater harm.
Finally, rules must align with technological realities. They should support adaptive governance to ensure relevance as cloud architectures, artificial intelligence, and supply chains evolve.
For executives and boards, this is both a policy and operational agenda. We should advocate for outcome-based regulation. At the same time, we must seek safe harbour provisions for good faith defenders. We should also invest in the visibility tools and practices that make resilience measurable and demonstrable.
Furthermore, we should engage constructively with policymakers. Offering testbeds, sharing data, and proposing practical frameworks can help show how adaptive governance protects customers without placing impractical burdens on business.
In conclusion
If lawmakers insist on rules that make the right action legally or commercially impossible, then we risk a future where regulatory failure, not moral failure, produces criminal outcomes.
My conclusion is straightforward. Regulation must enable resilience, not block it. Enabling visibility, adaptability and reasonable flexibility will protect customers, sustain innovation, and keep honest businesses in business.