1 Introduction

Today, the term “cybersecurity” often evokes images of malicious hackers, intricate malware, and sophisticated cyberattacks. These threats, while significant and on the rise [120], are just one aspect of broader challenges in cybersecurity. Beneath the surface lies a complex and, at times, overlooked challenge: the evolving landscape of cybersecurity regulations. As governments and businesses strive to secure cyber-physical assets, they are concurrently tasked with navigating a complex web of rules, guidelines, and standards designed to support this very purpose.

While these regulations play a crucial role in creating a secure digital environment, they can also have unintended consequences [30] and introduce complexities that hinder innovation, place burdens on businesses, and even potentially create new vulnerabilities [51]. This intricate balance between their intended protective role and the potential challenges they introduce highlights the need for an in-depth understanding of how changes in cybersecurity regulations and uncertainty about the future regulatory environment can impact business performance and investment in cybersecurity measures.

The discourse on cybersecurity investment has become critically important, heightened by rapid technological advancements and an evolving regulatory environment [43, 69, 99]. Investments in cybersecurity are essential not only for the protection of data and infrastructure but also for the compliance with stringent data protection laws. Noncompliance risks severe penalties, financial liabilities, and loss of customer trust. Regulators face the challenge of incentivizing necessary cybersecurity investments [55, 116]. Translating these regulations into clear investment directives is complex, especially as regulatory landscapes shift to address emerging threats and vulnerabilities [65]. Such changes, while enhancing security, introduce uncertainty about their future stability, posing regulatory risks for organizations.

Regulatory risks reflect the uncertainty behind new or changing regulations over time [128]. The uncertain, and sometimes ambiguous and unpredictable nature of regulatory schemes about cybersecurity introduces a high level of risks, regarding the economic performance of businesses when evaluating the return on their cybersecurity investments. They must consider the costs of implementing regulatory requirements and the risks of noncompliance. Consequently, decision-makers facing a high level of uncertainty may alter their strategies, leading to lower or delayed investments and lost opportunities [65, 138] and potentially rendering those policies less effective [42]. For instance, IBM reported that 56% of CEOs are currently delaying at least one major investment due to a lack of consistent regulations and standards in emerging areas such as data and privacy.Footnote 1

Building on this foundation and recognizing the importance of this category of risks, this paper poses two research questions. First, what are the key determinants and implications of regulatory risks associated with cybersecurity, and what controls can be employed to effectively navigate and mitigate these risks? Second, how does uncertainty about the future cybersecurity regulatory environment influence cybersecurity investment decisions in organizations? To address these questions, our research employs a mixed-methods approach. It begins with a review of academic literature and practitioner-oriented reports, supplemented by case study analysis to understand the drivers and repercussions of regulatory risks associated with cybersecurity. This qualitative analysis is further enriched by a quantitative investigation using a stochastic econometric model, designed to quantify the effects of regulatory uncertainties on cybersecurity investment behaviors. The contributions of this study are twofold:

  • Through a detailed examination of the determinants and implications of regulatory risks in cybersecurity, the study broadens both an academic and a practical understanding of this risk type. The responses to the first research question lay the groundwork for the development of an effective risk management framework to integrate the interplay between regulatory and cybersecurity risks, thereby fortifying organizational cybersecurity postures. Additionally, the study proposes a comprehensive list of preventive and mitigative measures. While this list may not be exhaustive, it offers invaluable insights for formulating robust risk management strategies tailored to the cybersecurity context.

  • The development of the econometric model offers a tool for quantitatively assessing the impact of regulatory changes on investment strategies. This research contributes to the theoretical understanding of cybersecurity investment under regulatory risks and provides insights for organizations, regulators, and researchers.

The paper is organized as follows: Section 2 provides a foundational understanding of the subject by defining and discussing the importance of regulatory risks in cybersecurity. Section 3 employs the bowtie method to systematically explore the determinants and implications of regulatory risks, as well as outline various preventive and mitigative controls. The development and findings of the econometric model are detailed in Section 4. Section 5 synthesizes the key insights of the paper and provides a conclusion. Finally, Section 6 recognizes the study’s limitations and proposes directions for future research.

2 Definition and significance of regulatory risks associated with cybersecurity

This section presents the definition and significance of cybersecurity-related regulatory risks. In general, regulatory risks refer to potential consequences that businesses may encounter due to changes in laws or regulationsFootnote 2 enacted by various governmental entities at the international, national, or local levels, as well as by industry regulators and international organizations [16, 128]. These risks are inherently connected to the application and enforcement of diverse regulations governing business activities, encompassing areas such as environmental protection, labor standards, data privacy, and financial reporting, operating both at the broader economic level and within specific industries or projects [123].

In the context of cybersecurity, regulatory risks stand distinct from other risk categories frequently discussed in the literature, such as cybersecurity risks and compliance risks. While each type of risk originates from unique sources, they can intersect in their impact on organizations. Regulatory risks stem from potential or actual changes in legal frameworks and regulations that might affect business operations or strategies. On the other hand, cybersecurity risks are centered on the threats and vulnerabilities linked to digital infrastructure, networks, and dataFootnote 3 [103]. Compliance risks involve potential legal penalties for failing to adhere to laws or regulations, whereas governance risks arise from inadequate or ineffective leadership structures and decision-making processes [83]. It is crucial to understand and differentiate between these risks, as each demands specific mitigation strategies and management approaches.

The regulatory requirements that businesses must comply with can be complex and continuously evolving, making it challenging for them to keep up with changing regulations. According to Gartner’s survey on enterprise risk perception, regulatory risks rank as the highest source of concern, slightly edging out cybersecurity risks [45]. Supporting this finding, previous surveys conducted by the Economist Intelligence Unit [38] and Ernst & Young [41] have consistently highlighted that firms consider regulatory risks as one of the most critical types of business risks.

In light of the increasing importance of regulatory risks, local and international businesses are paying more attention to changes in cybersecurity regulations in various countries or regions that can significantly impact their operations, data protection measures, and overall risk management strategies. To highlight this, we analyzed the Google search trends for the keywords “NIS Directive” and “NIS 2 Directive” 6 months before and after their respective implementations in August 2016 and January 2023. Figure 1 demonstrates the level of interest and engagement surrounding these two regulatory frameworks. As it reveals, the interest in NIS 2 Directive (EU) 2022/2555 is more substantial compared to NIS Directive (EU) 2016/1148 during the observed period surrounding the introduction of these regulations. Several factors may contribute to this disparity in search interest.

Fig. 1
figure 1

The comparative Google search trends for the keywords “NIS Directive” and “NIS 2 Directive” over 6 months before and after their implementations. The horizontal axis is centered at 0, representing the implementation months of August 2016 for NIS Directive and January 2023 for NIS 2 Directive, with the months leading up to and following these dates plotted along the axis. The vertical axis quantifies the search interest

Full size image

First, the passage of time between the implementation of the initial NIS Directive and the subsequent NIS 2 Directive may have contributed to increased recognition of regulatory risks and the need for more proactive understanding and adapting to regulatory changes that can affect business operations. Consequently, businesses are actively seeking to understand and adhere to the stipulations of the updated NIS 2 Directive to ensure that their operations remain uninterrupted, safeguard their reputation, and avoid stringent penalties. This has generated more interest in understanding the details of this directive.

Second, the global business landscape has evolved with companies now having more cross-border operations than ever before. Therefore, international regulations like the NIS 2 Directive hold significant relevance for a larger pool of businesses, leading to a broader interest in its stipulations. Third, lessons learned from the initial implementation of the NIS Directive might have stimulated businesses to seek more information and be better prepared for the NIS 2 Directive. They may have experienced challenges or setbacks due to a lack of understanding or compliance with the initial directive and were keen to avoid similar pitfalls with the subsequent one.

Overall, the surge in Google search trends for the “NIS 2 Directive” compared to the “NIS Directive” provides a clear indication of the growing emphasis businesses are placing on cybersecurity regulations. It underscores the growing awareness among businesses and governments of the crucial role that cybersecurity regulations play in safeguarding their operations, data, and reputation. However, businesses are subject to varying degrees of regulatory risk exposure, which is influenced by factors such as the industry in which they operate, the geographical locations of their operations, the nature of their products or services, their compliance with applicable regulations, and the stringency of cybersecurity regulations enforced by regulators overseeing their operations.

To highlight this variation, Fig. 2 visually depicts the search trends associated with “GDPR”, “NIS Directive”, and “NIS 2 Directive” from 2016 onward. The illustration shows a marked contrast in the search popularity of these three regulations. Notably, while GDPR (Fig. 2a) has drawn significant attention not only from EU member states but also from non-EU countries, the search interest for the NIS Directives remains relatively localized. The widespread interest in GDPR underscores its global resonance, extraterritoriality, and far-reaching implications. The Cisco 2019 Data Privacy Benchmark StudyFootnote 4 reports that organizations worldwide have sought clarity on GDPR to ensure compliance, recognizing its potential impact even outside the EU’s jurisdiction. Another reason for this universal attention is that the GDPR has served as a regulatory blueprint for several countries, including Brazil [57]. Furthermore, economic powers like China and the US, given their extensive trade and business dealings with the EU, have shown substantial interest in understanding and adhering to GDPR.

Fig. 2
figure 2

Geographical distribution of Google search trends from 2016 onward for a “GDPR”, b “NIS Directive”, and c “NIS 2 Directive”. The maps illustrate the global prominence of GDPR compared to the more localized interest in the NIS Directives. The intensity of the color indicates the level of interest, with stronger colors representing higher interest. Regions with interest levels below 20 are not considered

Full size image

In contrast, the NIS Directive and NIS 2 Directive, due to their specific focus on European networks and information systems, have attracted interest predominantly from countries within the European domain. However, as the figure indicates, there has been an increase in the number of countries showing interest in the NIS 2 Directive compared to the NIS Directive. This increase in attention can potentially be attributed to the same factors that we outlined earlier.

This analysis highlights a rising focus on shifts in cybersecurity regulations over time. Such growing attention underscores the evolving landscape of cybersecurity and its associated implications. While the significance of cybersecurity regulations is well acknowledged in the existing literature [55, 77, 95], the consequences of their alterations, coupled with the risks stemming from change and uncertainty, remain relatively unexplored. Specifically, the influence of these regulatory risks on aspects like cybersecurity investments and related domains warrants further examination. In this study, we address this gap by first identifying the drivers and implications of these changes in a broader context. Subsequently, we investigate how the perception of such risks influences investment behavior within the context of cybersecurity.

3 Determinants and implications of regulatory risks

In this section, we explore the determinants and implications of regulatory risks associated with cybersecurity.Footnote 5 To visualize the causal relationships between the determinants and implications and structure of our discussion, we utilize the bowtie diagram. This tool effectively showcases determinants on the one side and consequences on the other, with preventive controls that can change the likelihood of the event, and mitigative controls reducing the impact should an event occur. Bowtie analysis is a common approach to map the risks associated with undesired events [11]. In our context, the undesired event that we focus on is termed the “top event”, which represents the disruption of established cybersecurity practices due to regulatory changes. Figure 3 provides a comprehensive view of this bowtie diagram. In the following sections, we discuss each element in more detail.

Fig. 3
figure 3

The bowtie diagram of the determinants and implications of regulatory risks associated with cybersecurity. The suggested preventive (P) and mitigative (M) controls are explained in Sect. 3.3

Full size image

3.1 Determinants

The left-hand side of a bowtie diagram represents the causes or determinants leading up to the top event. These can include various factors, triggers, or conditions that, if left uncontrolled, might increase the likelihood of the top event happening. In this section, we identify the determinants of changes in cybersecurity regulations. By highlighting the interplay and interconnectedness of these determinants, we underscore the potential synergies among them and demonstrate how they can intensify the risk of disruption of established cybersecurity practices due to regulatory changes.

3.1.1 Evolving cybersecurity regulatory landscape

As governments, international bodies, and regulatory agencies respond to the dynamic challenges of the digital age, cybersecurity regulations are continually evolving, primarily due to factors such as emerging threats [17], technological advancements [131], increasing reliance on digital systems in various industries [85], and growing awareness of privacy concerns [15]. While this evolution is necessary to ensure robust protection mechanisms, uphold data integrity, and instill public trust in digital platforms, it also introduces challenges such as uncertainty and complexity in compliance for businesses [86].

The uncertainty becomes particularly evident as new regulations are introduced in different regions and sectors. In the United States, for instance, the pace and number of cybersecurity legislative efforts vary widely among states. As our data in Table 1 presents, over 2019–2022, the number of cybersecurity legislation (whether enacted, failed, vetoed, or pending) has been substantial. New York spearheads the movement with an impressive 116 legislative attempts in the last 4 years, while New Jersey and Maryland are not far behind with 107 and 87 efforts, respectively. On the opposite end of the spectrum, Wyoming and South Dakota have shown minimal activity, with, respectively, only one and two legislative efforts over the same period. Furthermore, states such as Texas and Vermont have exhibited significant year-to-year variations, suggesting that external factors or shifts in regional priorities may influence legislative outputs. The reasons behind these fluctuations might be influenced by incidents, shifts in state leadership priorities, or reactions to national trends. Regardless, such variances in regional cybersecurity efforts highlight the challenge businesses face in predicting the future state of the regulatory environment.

Table 1 Number of new legislations in US states from 2019–2022. Data extracted from National Conference of State Legislatures (NCSL)
Full size table

Hoffmann et al. [65] characterize this situation as regulatory uncertainty. This uncertainty is not solely derived from the fluctuating count or status of regulations – ranging from those that are enacted to those still pending or those that have failed. Another significant source of uncertainty stems from the constantly changing group of stakeholders engaged in regulatory regimes [72, 80]. The way in which these actors perceive, interpret, and define issues such as privacy and security can introduce additional layers of unpredictability to the regulatory landscape. For instance, within the EU, there are 22 interconnected actors responsible for delivering 18 distinct cybersecurity functions, as delineated in an institutional map by the European Union Agency for Network and Information Security (ENISA)Footnote 6. While not all of these actors play a direct role in regulatory settings and enactment, the institutional path-dependencies and fragmentation of authority resulting from the diversity and heterogeneity of these actors contribute significantly to regulatory uncertainty [37]. Moreover, the varying degrees of influence and jurisdiction each actor holds lead to overlapping responsibilities and potential conflicts in enforcement [105].Footnote 7

To complement the qualitative insights provided by the literature regarding the conceptual understanding of regulatory uncertainty, we empirically measured the fluctuations in regulatory sentiment and uncertainty in cybersecurity. Figure 4 illustrates the fluctuations in the daily index of regulatory sentiment and uncertainty surrounding cybersecurity from October 25, 2012, to October 17, 2023. To quantify this index, we employed the text-based measurement methodology suggested by [122]Footnote 8. Our analysis encompasses 3930 articles sourced from Infosecurity Magazine. The magazine’s acclaimed editorial content offers in-depth features that delve into the strategy, insights, and technological facets of cybersecurity. We specifically focused on articles under the “Compliance” category, given their direct relevance to regulations. As depicted in the figure, there is a noticeable sense of uncertainty concerning cybersecurity regulations. Notably, on November 25, 2016, the uncertainty index peaked at 1. Below, we have highlighted a segment from an article published on that very day, which encapsulates the prevailing uncertainty of the time.

The EC and the European Union (EU) are dealing with a number of cyber-related issues at the moment. Top of the agenda is the potential impact of Brexit on cybersecurity across the region, as well as incoming data protection laws. The European General Data Protection Regulation (GDPR) comes into force in May 2018, but there is plenty of work ahead for businesses and governments before that deadline.Footnote 9

Fig. 4
figure 4

Measuring regulatory uncertainty through news analysis from Infosecurity Magazine (from October 25, 2012, to October 17, 2023)

Full size image

This integration of empirical data with theoretical insights allows for a deeper understanding of the complexities involved in navigating decision-making processes in the face of evolving regulatory environments. The existing body of literature on decision-making under regulatory uncertainty presents dichotomous outcomes. On one hand, evidence suggests that when decision-makers are confronted with a high level of uncertainty, they tend to adopt a wait-and-see approach, holding off on investments until a clearer, more reliable forecast emerges [14, 138]. Conversely, other studies indicate that this high uncertainty does not invariably lead to delayed decisions or investments. Instead, some decision-makers might proceed with investments and even benefit from investments if they gain a first-mover advantage [6].

In addition to regulatory uncertainty, another challenge that is posed by the evolving regulatory landscape is the increasing complexity. Such complexity can arise from the proliferation of regulations, their interconnectedness, or even the shifting nuances within them. An illustration of increasing complexity can be observed in the transition from the NIS Directive to the NIS 2 Directive. Table 2 displays the directives and regulations cited within both Directive 2016/1148 (NIS) and Directive 2022/2555 (NIS 2), along with their respective frequencies. In the NIS Directive, references to other directives and regulations were limited, but in NIS 2 Directive, the references had expanded considerably. This demonstrates that the updated directive is situated within a more intricate web of legislation and highlights the expanding interconnectivity and scope of cybersecurity considerations across various areas of regulation and incorporating more facets of societal, technological, and economic activities. It is also worth noting that Regulation (EU) 2016/679, known as GDPR, is referenced 17 times in the NIS 2 Directive. The GDPR is a cornerstone regulation that focuses on personal data protection. Its frequent mention underlines the confluence of cybersecurity and data protection regulations and stresses the imperative of aligning cyber practices with privacy obligations.

Table 2 The references cited in NIS Directive and NIS 2 Directive. The list excludes the directives and regulations that have been repealed or amended.
Full size table

3.1.2 Inadequate or outdated cybersecurity regulations

As a natural response to the constantly evolving cyber threat landscape and rapid technological advancements, regulations that are seen as inadequate or outdated inevitably become primary candidates for, sometimes abrupt, updates or revisions [86, 98]. The uncertainty introduced by such swift regulatory changes can disrupt long-term planning, strain resources, and potentially place businesses at a competitive disadvantage, especially if they are unprepared.

Many pre-existing regulations may not be tailored sufficiently to counter the increasing sophistication of attack vectors and the evolving cyber threat landscape [34]. Take supply chain attacks, for instance. ENISA, in its 2018 assessment, identified supply chain attacks as a significant threat. This view was further cemented in their 2021 report, where such attacks were highlighted as a prime threat. While the NIS directive of 2016 and preceding regulations and directives overlooked this essential aspect, the NIS2 directive took a more proactive stance. Article 21(2) of NIS2 designates supply chain cybersecurity as an integral part of cybersecurity risk management.

Parallelly, as our societies are undergoing rapid digital transformations, regulators have been pivoting to ensure their regulatory responses remain contemporary and agile. This adaptability is especially vital when facing security challenges posed by emergent technologies, which are often unanticipated by regulations before the widespread adoption of these technologies.Footnote 10 For example, the use of generative AI across businesses will be affected by AI regulations, particularly concerning bias, discrimination, misinformation, and unethical uses. Recent directives including the Blueprint for AI Bill of RightsFootnote 11 from the White House, China’s proposed measures for the management of GenAI servicedFootnote 12, and the draft European Union AI ActFootnote 13 emphasize ethical and secure AI services. Reflecting these concerns, the results of a survey by PwCFootnote 14 shows that 95% of the respondents expect that the costs of compliance will be moderate to significant. Furthermore, 39% of them responded that they will need to make major changes in their business to comply with regulatory changes within the context of AI.

Finally, deficient frameworks and approaches for crafting regulations can act as a determinant for regulatory risks. Although all the states in the US have legislated cybersecurity, Kuhn [75] and Hyla [67] argue that the piecemeal approach adopted by the states is inadequate and can lead to a patchwork of regulations that is challenging for businesses operating across multiple states. This approach not only complicates compliance but also elevates the risks associated with potential noncompliance penalties. Several scholars have called for an integrated, harmonized approach, endorsed at a federal level, to mitigate such risks and provide a stable and transparent regulatory environment for businesses [21, 80, 129]. Should such a shift in strategy be realized, businesses would confront a new set of regulatory challenges and risks.

3.1.3 Fragmented cybersecurity regulatory landscape

Foundational cultural and regional differences, varying levels of cybersecurity capabilities and preparedness, diverse economic and political incentives, and discrepancies in the methods used to devise and enforce regulations give rise to a fragmented cybersecurity-related regulatory environment [87, 24, 84, 87]. Consequently, businesses find themselves navigating a myriad of regulations across different jurisdictions. Such scenarios lead to compliance efforts that might not necessarily translate into enhanced security. This not only burdens businesses with inefficient compliance tasks but also poses challenges in ensuring sustainable cybersecurity measures across the ecosystem.

In the European Union, the introduction of the General Data Protection Regulation (GDPR) was a significant step towards achieving harmonization of data protection laws[119]. Nevertheless, this attempt at unification has introduced its own set of regulatory risks stemming from ambiguities in implementation [108, 136], operational overheads (i.e., the need for businesses to hire Data Protection Officers, conduct regular impact assessments, and ensure constant compliance)[134], interplay with other regulations [3], data transfer challenges [88], and unanticipated business model impacts [81]. An example of the latter is the GDPR’s stringent consent requirements, which affected sectors like online marketing, where the traditional models of targeted advertising are now under scrutiny [118].

Building upon this harmonizing strategy, the EU introduced the Cybersecurity Act, aiming to avoid the fragmentation of the internal market concerning cybersecurity certification schemes, and the Joint Cyber Unit, to strengthen cooperation among EU institutions, agencies, bodies, and the authorities in the Member States. Moreover, different public–private or sector-specific partnerships have been established to harmonize the regulations across certain domains. For example, in the ICT sector, G5 collaborative regulationFootnote 15 is a human-centered regulatory framework that is based on significant cooperation of regulators and numerous stakeholders in developing harmonized regulations across sectors that rely on ICT [59]. While a comparative study of many partnerships in the area of cybersecurity by [20] shows that these forms of cooperation often remain at the rhetorical level because they have little to offer to the private side, observing the potential advantages of such harmonizations, other regions are similarly advancing towards unification through different partnerships [19, 112, 117]. Although this process is beneficial, it inadvertently introduces its own set of regulatory risks and uncertainties.

3.1.4 Industry-specific cybersecurity regulations

Certain sectors, including healthcare, finance, telecommunications, and aviation, are subject to specialized cybersecurity regulations. These industry-specific requirements can be more stringent and complex, reflecting the unique vulnerabilities and critical nature of services in these domains. For instance, in the healthcare sector, the availability of medical services and protection of patient data is paramount; in aviation, ensuring the security of navigation and communication systems is vital.Footnote 16 Consequently, these regulations are tailored to address the distinct challenges posed by each sector.

Furthermore, the imposition of cybersecurity regulations can lead to a profound transformation within industries. As discussed by [93], such regulations have the potential to reconfigure the governance structure of certain sectors, like the water industry. By introducing new regulatory requirements, traditional industry priorities can be realigned, prompting a shift in strategic focuses. This can result in industries emphasizing cybersecurity concerns even over their conventional operational challenges. In the long run, while such a shift enhances the security posture of an industry, it also necessitates continuous adaptation against an evolving regulatory landscape.

3.1.5 Public awareness and demand for cybersecurity

The implications of cyberattacks extend beyond the immediate boundaries of businesses and permeate into the broader society. These incidents can lead to detrimental consequences such as the compromise of sensitive personal information, resulting in potential identity theft, financial losses, and a breach of privacy. Such breaches can inflict emotional distress on individuals, manifesting as embarrassment, anxiety, or a reduced trust in digital systems [2, 28, 125]. Consequently, cybersecurity is not just about protecting business interests or infrastructure; it is about safeguarding human rights and personal and societal well-being.

Although there are rights-based dilemmas concerning the extent of government interference in civic life, the results of a survey by CiscoFootnote 17 reveals that consumers value government’s role in regulating the use of data, and they view the EU’s GDPR very favorably. Moreover, the findings of an experiment by [124] suggest that exposure to different types of cyberattacks heightens cyber threat perceptions and shifts towards favoring stricter regulations. Therefore, increasing sensitivity to the importance of privacy and security, and public demand for government intervention in cybersecurity has led to a more proactive regulatory environment. The pace at which these regulatory changes are implemented to respond to this demand and their scope and level of granularity can significantly challenge businesses and heighten regulatory risks.

3.1.6 Increasing security breaches and high-profile cyberattacks

Target Data Breach in 2013, Sony Pictures hack in 2014, Equifax data breach and WannaCry ransomware attack in 2017, Cambridge Analytica Scandal in 2018, SolarWinds hack in 2019, among numerous other significant cyberattacks, not to mention the multitude of smaller, daily cyber incidents, have stimulated regulators worldwide into action, working to draft and implement resilient cybersecurity regulations, strengthen their breach notification laws, and mandating stringent compliance requirements for businesses [64, 73, 115, 121, 124, 139]. Furthermore, according to a report by ENISA, the ChoicePoint case in 2005 and some other high-profile security breaches led to the California Consumer Privacy Act (CCPA) being followed by further laws in at least 34 other states [5]. These regulatory shifts underscore the critical role that past cyber incidents play in shaping the future landscape of cybersecurity regulations [51].

Within the European context, a review of the EU Cybersecurity Strategy and regulations such as the NIS and NIS 2 Directives, Cybersecurity Act, and Cyber Resilience Act reveals a consistent theme of concern regarding the increasing number, magnitude, sophistication, frequency, and repercussions of cyber incidents. The preamble of these documents underscores the view that such threats pose significant risks to the smooth functioning of networks and information systems. By explicitly highlighting these challenges, regulators demonstrate their awareness and recognition of the rapidly transforming cyber threat environment. The emergence of these regulations reflects a proactive attempt by regulators to anticipate and counteract these threats, ensuring the safety, security, and reliability of digital infrastructures across sectors and geographies. However, the agility of cyber threats, which often advance faster than current regulatory measures, means that this proactive stance amplifies regulatory risks emerging from the potential for overregulation, the complexities of harmonizing across jurisdictions, and the inadvertent stifling of innovation due to stringent compliance requirements. Consequently, businesses face the challenge of adapting to these regulations, often at significant costs, both in terms of financial investment and operational adjustments.

3.1.7 Rapid technological advancement and innovation

The technological landscape has experienced unprecedented growth and change in recent decades. Among different types of risk (e.g., market risk, technological, organizational, financial, and societal) that are present in the adoption of innovative technologies, an important question arises: How will regulators respond to the latest technologies? As per data from the ITU DataHub, the percentage of countries with established cybersecurity legislation/regulation surged from 24.1% in 2009 to 57.1% in 2021.Footnote 18 Delving deeper into the datasets provided by this organizationFootnote 19, we observed a marked uptick in the number of countries formulating strategies, policies, or initiatives centered on emerging technologies.

As illustrated in Fig. 5, in 2022 compared to 2019, there was a marked rise in policies focusing on AI, IoT, Blockchain, and 5G/6G. This proliferation in policy formulation is indicative of global recognition of the implications and potential risks of these technologies. However, the challenge lies in the evolving nature of the regulatory landscape. The anticipation, volatility, and unpredictability of how regulators will engage, be it the introduction of new regulations, amendments to existing ones, or repealing outdated ones, can significantly affect the operational dynamics for businesses and the experiences of their clients.

Fig. 5
figure 5

The growth in focus on emerging technologies such as AI, IoT, Blockchain, and 5G/6G

Full size image

Regulatory change and technological dynamics are intertwined, with regulations influencing technological directions and technological innovations necessitating regulatory adaptations [9, 12, 46, 114]. Advances in artificial intelligence, IoT, and big data analytics, for instance, have intensified the debate on how to ensure proper balance in regulatory frameworks [58]. Concurrently, as technology and novel business models evolve, they tend to outpace regulation controls [32]. To maintain relevance in this changing landscape, regulators are shifting towards more flexible approaches like regulatory sandboxes, outcome-based regulation, risk-weighted regulation, and adaptive regulation [91]. While this evolving regulatory paradigm offers organizations the opportunity to influence regulations and align their compliance mechanisms, it also introduces multifaceted regulatory risks that can jeopardize their operational stability, strategic objectives, and economic growth.

3.1.8 Global regulatory trends and policy shifts

In the 1990s and early 2000s, the EU adopted a more reserved approach towards cybersecurity regulation. Rather than leveraging robust regulatory instruments or placing emphasis on centralized, union-driven governance, the strategy centered on non-legally binding instruments at the national level [63]. The primary aim was to instill a sense of cybersecurity autonomy and responsibility within Member States. However, as the digital era progressed, coupled with an increase in high-profile cyberattacks and the evolving nature of threatsFootnote 20, the EU began to recognize the need for a more assertive and unified stance. This shift in the EU’s policy not only led to the introduction of more stringent regulations and proactive measures to strengthen its cybersecurity posture but also signaled a broader global trend, emphasizing the importance of holistic and cooperative cybersecurity strategies across regions [20, 26].

Additionally, macroeconomic factors have emerged as significant influencers in shaping these regulatory paths. For instance, global economic downturns can make nations more protective and cautious, leading to tightened regulations to guard domestic businessesFootnote 21. Conversely, periods of economic growth and globalization might promote more open policies, but with an emphasis on standardized cybersecurity practices to facilitate cross-border digital trade [1, 113]. Geopolitical tensions, such as those arising from international cyber-espionage or state-backed cyberattacks, further underscore the need for robust, agile, and responsive regulatory frameworks [61]. Given the interplay and complexity of these factors, it becomes paramount for regulations to remain dynamic, adapting to the multifaceted challenges and opportunities that lie ahead. However, such adaptability can introduce regulatory risks such as misalignment with global standards, barriers to emerging industries like fintech [79] or biotech [94] due to overcaution, or even the unintended consequence of creating regulatory loopholes that can be exploited [25]. It is equally possible that rapid policy shifts could lead to confusion, with businesses struggling to stay compliant, thereby affecting their competitive landscape.

3.1.9 Cross-border data flows

Over the past few years, data has become the most valuable asset for businessesFootnote 22. To maintain a competitive edge, businesses have delved deep into data collection, storage, analysis, utilization, monetization, and sharing. While these practices facilitate the creation of personalized products and services, more efficient business processes, and new revenue streams, they also raise concerns surrounding data usage, transparency, control, accuracy, ethics, security, reliability, and privacy. This point of view resonates with national and global regulators, reaching the institution of data protection regulations in over 160 countries, along with regional frameworks like the EU’s GDPR and collaborative initiatives such as the APEC CBPR SystemFootnote 23.

Figure 6 provides a comprehensive overview of how countries have adjusted their data transfer regulations from 2014 to 2022. The information presented is extracted from the OECD Regulatory DatabaseFootnote 24, which covers the Digital Services Trade Restrictiveness Index of 85 countries. At a glance, the most dominant policy adopted by countries pertains to permitting cross-border transfers of personal data when certain private sector safeguards are in place, with an upward trend observed over the years. In contrast, there is a declining trend for countries allowing free cross-border transfers based on the accountability principle. Furthermore, a growing number of countries are mandating that certain data be stored locally, and a few have adopted policies where data transfers are subject to approval on a case-by-case basis. However, the number of countries like Eswatini and Saudi Arabia where data transfer is completely prohibited, though small, has shown a slight increase in recent years. The chart indicates the evolving nature of data privacy and protection norms globally, reflecting the complexities businesses face in an ever-changing digital world.

Fig. 6
figure 6

A comparative analysis of regulatory stances of cross-border data transfer, emphasizing private safeguards, accountability principles, and stricter controls across 85 countries (2014–2022). Data extracted from OECD Regulatory Database

Full size image

To gain the trust of consumers, regulators are revisiting their conventional strategies to effectively address emerging data risks. However, to support innovation, regulators must seek the right balance between free-market development and regulation. [10] characterize the cross-border data flow regulations by the inconsistency of laws among countries, different levels of social responsibility, and business competition. Such characterization introduces several challenges including increased regulatory scrutiny over data handling practices, challenging strategic choices like potentially backing away from data monetization opportunities to maintain stakeholder trust, and obligatory requirements driven by regulations to build a risk-aware organizational culture to respect the privacy of customers [101].

3.1.10 Market incentives

Businesses may prioritize time-to-market and cost-effectiveness over implementing robust security measures, which necessitates increased regulatory oversight. This profit-driven focus risks bypassing the “security by design” principle, potentially leaving vulnerabilities unaddressed. This issue is explicitly highlighted in the US National Cybersecurity Strategy 2023:

Markets impose inadequate costs on–and often reward–those entities that introduce vulnerable products or services into our digital ecosystem. Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance. Software makers can leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.

Additionally, the role of market incentives has been investigated in real-world cyber incidents. According to [111], it was short-term profit motives and cost-cutting measures that contributed to the vulnerabilities leading up to the SolarWinds cyberattack in 2020. In the aftermath of this breach, the Biden administration issued two executive orders aimed at improving cybersecurity practices across industriesFootnote 25. Furthermore, other global regulatory bodies initiated reviews and proposed tighter regulations to ensure that companies prioritize security at every stage of product and software development [100]. The highlighted case emphasizes that neglecting cybersecurity, often due to market-driven motivations, exposes businesses not only to cyber threats but also to unexpected and possibly severe regulatory risks.

3.2 Implications

This section delineates the implications of regulatory risks associated with cybersecurity once the determinants surpass the preventive and mitigative barriers, as depicted in Fig. 3. It is essential to note that the implications associated with regulatory risks in cybersecurity are not unique. They often overlap with issues stemming from other risk categories, such as cyber risks and compliance risks. This interconnectedness not only underscores the complexity of navigating the regulatory and cybersecurity landscape but also emphasizes the need for a holistic approach to assessing and managing these risks and formulating cybersecurity policies and strategies. Businesses and regulators alike must recognize these overlapping domains and collaboratively develop frameworks that address multifaceted challenges [68].

3.2.1 Noncompliance penalties

Within the context of regulatory risks associated with cybersecurity, noncompliance penalties stand as one of the most immediate and tangible repercussions faced by businesses. These penalties, caused by not adhering to changing cybersecurity regulations, encompass both financial and legal implications. Financially, companies can incur substantial fines. For instance, immediately after GDPR came into effect on May 25, 2018, the Austrian organization “None Of Your Business” and the French NGO “La Quadrature du Net” filed complaints against Google. These complaints cited various GDPR violations, including lack of transparency (Article 5), insufficient information (Articles 13/14), lack of legal basis (Article 6), and obtaining “unambiguous” rather than “specific” consents (Article 4, number 11). In 2019, France’s data protection authority, CNIL, imposed a 50 million euro fine on Google as a result of these complaints.

On the legal front, organizations might find themselves entangled in prolonged lawsuits, further escalating their costs. These lawsuits can lead to operational consequences, such as service restrictions, business suspensions, or even the revocation of operational licenses. For instance, Zoom faced legal action for allegedly collecting data when users installed or launched the application, then purportedly sharing this data without adequate disclosure with third parties, including Facebook Inc. This practice was challenged as a violation of the California Consumer Privacy Act (CCPA), a few weeks after it took effect on January 1, 2020.

3.2.2 Operational disruptions/increased operation cost

Adapting to new or evolving regulations often necessitates considerable changes in systems, leading to both disruptions and increased expenses. For instance, the advent of GDPR demanded businesses across various sectors to rethink their data storage and processing paradigms. Such a shift was substantial, with compliance costs for Fortune 500 companies approximated at around $7.8 billionFootnote 26. Moreover, the financial and operational impact of GDPR forced some businesses to either modify or entirely discontinue specific services. A notable example includes Uber Entertainment, an online gaming company, choosing to shut down a multiplayer video game to bypass GDPR compliance costsFootnote 27. On a broader scale, industry giants like Facebook have been struggling with regulators regarding their facial recognition features in the EU for more than 6 yearsFootnote 28, while Google prompted Google Analytics users to amend their data retention configurations.

The evolving regulatory environment not only amplifies operational costs but also reshapes market dynamics. Regulatory demands can inadvertently set high barriers to entry[50], which is particularly challenging for startups and smaller entities lacking ample resources for compliance. This could lead to reduced market competition, favoring larger or more financially equipped organizations. For instance, the fallout of GDPR echoed in the Merge and Acquisition (M&A) space, with a Euromoney survey revealing that 55% of over 500 M&A practitioners across Europe, the Middle East and Africa (EMEA) aborted transactions due to concerns regarding data protection and GDPR compliance.Footnote 29 This apprehension was even more pronounced in regions like Germany, the Nordics, and the UK.

In the broader picture, the continuous need to adapt to regulations can impede companies from fully utilizing data, potentially limiting technology adoption, stifling productivity growth, and placing businesses at a competitive disadvantage. The synthesis of these challenges underscores the delicate balance businesses must maintain between compliance and competitiveness in a dynamic regulatory landscape.

3.2.3 Uncertainty in investment decisions

In the cybersecurity context, at its core, each firm aims to minimize the risk associated with cyberattacks. Regulations can be an effective instrument to achieve this goal by incentivizing businesses to invest in cybersecurity [49, 95, 96]. [55] developed an economic-based analytical framework for assessing the impact of regulations designed to offset the tendency to underinvest in cybersecurity by the private sector. They found that success depends on the firms’ (i) ability to determine the optimal mix of inputs to cybersecurity and (ii) ability and willingness to increase their cybersecurity investments.

However, [78] points out that rapidly evolving cybersecurity regulations complicate cybersecurity management and significantly increase cybersecurity investment costs. This situation directly impacts businesses’ ability to determine the optimal levels of cybersecurity investment and, in some cases, affects their ability and willingness to increase their cybersecurity investments. According to the Cisco 2023 Data Privacy Benchmark Study, investment in privacy at larger organizations remained relatively unchanged after steep increases from 2019 to 2020. While the reasons are not clear in this study, it may suggest a plateau in investment growth due to regulatory uncertainties. After substantial investments to comply with GDPR and in response to the expanding cybersecurity legislation in the US since 2019 (see Table 1), many organizations are now grappling with the complexities and uncertainties brought about by the rapidly evolving regulatory landscape. This constant state of flux in regulations presents significant challenges for businesses in predicting future requirements and effectively measuring the returns on their current and future cybersecurity investments.

In such an uncertain environment, a wait-and-see approach often becomes an attractive option for businesses [13, 27, 56]. Hesitant to commit to substantial, irreversible investments that might soon become obsolete or misaligned with new regulations and convert into sunk costs, firms may opt to temporarily hold off on significant cybersecurity spending. This cautious stance allows them to more accurately gauge the direction of regulatory changes and adapt their cybersecurity strategies in a more informed manner. However, this approach is not without its risks, notably the potential vulnerability of their systems to emerging cyber threats during this period of observation and delayed action. Consequently, achieving a balance between the need for immediate, robust cybersecurity measures and the strategic foresight to adapt to future regulatory changes is a critical element of effective cybersecurity planning. Section 4 presents our model designed to delve into the interplay between regulatory risks and cybersecurity risks and investigate how various regulatory environments influence cybersecurity investment behavior.

3.2.4 Increased future regulatory scrutiny

Businesses that suffer data breaches are often subjected to heightened regulatory scrutiny in the aftermath. While this scrutiny is closely related, it should not be confused with routine compliance checks. The latter, typically carried out by regulatory enforcement agencies such as the Federal Trade Commission (FTC) or National Data Protection Authorities, focuses on ensuring that businesses adhere to set standards or regulations at a given point in time. On the other hand, regulatory scrutiny refers to the focused evaluation by regulators on the cybersecurity practices, standards, and behaviors, and assessing their impact on businesses and consumersFootnote 30. It is worth noting that this intensified scrutiny is not just a repercussion of data breaches or using new technologies, but can also emerge as a direct consequence of shifts and evolutions in cybersecurity regulations.

When new cybersecurity regulations are introduced or when existing ones undergo significant changes, regulatory bodies might proactively scrutinize organizations to ensure their understanding and compliance with the new standards. Throughout this process, regulators are actively seeking information to understand and set parameters around the expanding number of ways that businesses can collect and use consumer data. Their focus also extends to confirming the robustness of safeguards designed to maintain data privacy and security. As highlighted by a KPMG studyFootnote 31, primary domains of regulatory scrutiny encompass data privacy and security, data collection and usage, transparency and consumer rights, and tackling model and algorithmic bias.

On October 16, 2023, the Division of Examinations (EXAMS) under the Securities and Exchange Commission (SEC) issued its 2024 Examination PrioritiesFootnote 32. The 2024 Priorities reflect the Commission’s continued scrutiny of information security and operational resiliency at registrants and the risks posed by third-party service providers, as well as new attention to emerging financial technology. In this issue, it is mentioned that:

The Division will focus on registrants’ policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks. Part of this review will consider whether registrants adequately train staff regarding their identity theft prevention program and their policies and procedures designed to protect customer records and information.

This signifies heightened regulatory scrutiny, emphasizing the importance of both proactive measures and responsive actions within the context of cybersecurity and data protection. Nevertheless, this uptick in oversight can also come with its own set of challenges and potential drawbacks for businesses. Such challenges may include increased operational costs, business delays, disproportionate resource allocations, and discouraging businesses from adopting novel technologies or business models for fear of potential noncompliance or regulatory backlash.

3.2.5 Reputational damage and loss of customer trust

Beyond the immediate legal and financial penalties, businesses face the profound risk of damaging their reputation and losing customer trust, especially when they fail to adapt to new regulations. This can lead to a serious long-term impact, with consumers likely to switch to competitors they perceive as more trustworthy in handling their data. The Forbes and PwC survey reveals this reality, showing that only 25% of consumers believe companies handle their personal information responsibly, leading 87% to consider moving to a competitor if they lose trust in a company’s data handling abilities.Footnote 33

Compounding this issue, the Cisco 2023 report emphasizes that since 2019, loyalty and trust have been at the forefront of consumer expectations from privacy investments. The fact that 92% of consumers expect companies to proactively protect data, according to the Forbes and PwC surveyFootnote 34, instead of just reacting to government regulations, sets a high bar. Today, consumers are increasingly aware of privacy issues and expect stringent cybersecurity practices. Failure to adapt to new regulations can lead to public perception of negligence or disregard for customer data security. Regulatory risks further compound these challenges, making businesses more vulnerable to reputational harm and erosion of trust if they fail to navigate and adhere to the evolving cybersecurity regulations.

3.3 Preventive and mitigative controls

The third essential component of the bowtie methodology is the identification of barriers. As illustrated in Fig. 3, barriers are positioned on both sides of the top event, serving distinct yet complementary roles. On the left-hand side, the barriers are designed to either eliminate potential threats or prevent the escalation of such threats leading to the top event. These are proactive measures aimed at decreasing the likelihood of the occurrence of the top event in the first place. On the right-hand side of the top event, the barriers focus on recovery and mitigation. In case the top event does occur, these barriers are instrumental in lessening the severity of the consequences and aiding in the swift recovery from the incident. Sections 3.3.1 and 3.3.2 provide an exploration of the preventive and mitigative controls depicted in Fig. 3, respectively.

3.3.1 Preventive controls

Preventive controls are proactive measures aimed at preempting and mitigating potential regulatory risks before they arise. These controls are crucial for businesses striving to remain proactive, enabling them to adapt to changes in the regulatory landscape with informed foresight. Our study proposes seven such preventive controls, each designed to reduce the probability of the top event’s occurrence. It is important to note that this list is not exhaustive, and the efficacy of each control may be subject to future debate. Moreover, while we have aligned each preventive control with one or more specific determinants as illustrated in Fig. 3, this alignment does not preclude their applicability to other determinants.

P1: Regulatory horizon scanning is a strategic process where businesses continuously monitor and analyze the current and upcoming regulatory landscape to identify potential changes that could impact their operations [110]. By doing so, organizations can adapt to regulatory changes proactively rather than reactively, which can serve as a preventive barrier against potential disruptions. Horizon scanning not only enhances time-to-compliance, facilitates the avoidance of penalties, and contributes to the reduction in compliance costs, but it also offers a strategic market advantage. Firms that are agile in adapting to new regulations can leverage this responsiveness as a competitive edge [132]. For example, companies that were early adopters of GDPR compliance were able to market their services in the EU more effectively [48, 82].

P2: Feedback loops with regulators and collaborative policy development are essential mechanisms for businesses to not only understand and adapt to regulatory changes but also to influence the creation and modification of regulations. By actively engaging with regulators and industry groups across multiple jurisdictions, businesses can advocate for the harmonization and modernization of regulations. Such engagement can lead to a reduction in the complexity of compliance and enable a more dynamic and cooperative approach to cybersecurity regulation. This is supported by literature such as [74] and [135], which highlight the benefits of collaborative regulatory development. Furthermore, [30] emphasizes the need for regulations that are adaptable and responsive to the fast-evolving nature of cyber threats and technologies. Engagement in policy development not only helps businesses stay ahead of regulatory changes but also allows them to contribute their expertise and practical insights, leading to more effective and implementable regulations. This collaborative approach can result in regulations that balance the need for security with the realities of business operations and technological innovation. Consequently, such a proactive stance can help mitigate the regulatory risks that businesses face and enhance their ability to respond effectively to the evolving cybersecurity landscape.

However, as noted by [4], regulatory actions are often subject to a myriad of political and lobbying influences, pulling in different directions. To counteract potential biases and ensure transparency, procedural instruments can be implemented to restrict attempts to influence decision-making through back-door lobbying. In the United States, for example, transparency is enforced by requiring that all communications between third parties and regulators concerning proposals are placed on official record [106]. Similarly, in the European Union, Article 11 of the Treaty on European Union provides a legal framework for interest representation, and there are stringent guidelines and mechanisms to ensure that the regulatory process is transparent and inclusive of various stakeholders’ viewpoints [40].

P3: Public relations and communication strategies that anticipate and address public concerns about cybersecurity can preempt threats to business disruption by maintaining an informed and trusting customer base, positioning the company as a reliable entity amidst regulatory changes, and ensuring that the public demand for security is met with adequate and well-communicated measures. Well-designed public relations and communication strategies not only address the consequences of cybersecurity incidents [71] but also establish proactive preventive barriers against the adverse effects of regulatory uncertainties by fostering stakeholder trust, positively influencing market perception, enhancing customer retention, and minimizing the risk of noncompliance penalties.

P4: Adaptive governance and dynamic investment strategies enable businesses to proactively address the uncertainty of regulations that arise from the rapid pace of technological evolution, escalating cyber threats, and shifts in policy and global trends [7, 17]. This preventive control fosters an environment of resilience and agility, allowing businesses to stay ahead of regulatory changes that are often influenced by socio-technical factors [30]. Adaptive governance provides a framework for continuous policy review and adjustment, ensuring compliance with current and anticipated regulatory requirements. Meanwhile, dynamic investment strategies allocate resources effectively to areas most impacted by these changes, such as cybersecurity enhancements, technology updates, and compliance training programs. This comprehensive approach not only mitigates the risks associated with regulatory uncertainties but also positions organizations to capitalize on new opportunities and navigate the complexities of a rapidly changing global landscape.

In addition to dynamic investment strategies, diversifying investments can be particularly effective as a preventive control. Regulatory risks belong to the category of unsystematic risks, meaning that these are specific risks unique to a sector, region, or firm [22]. By diversifying cybersecurity investments, businesses can spread their risk exposure across different areas that may be impacted differently by regulatory changes. This approach reduces the potential negative impact of regulatory changes on any single aspect of businesses’ cybersecurity strategy. It allows for more flexible adaptation to regulatory environments that are often variable and unpredictable, enhancing the overall resilience of their cybersecurity infrastructure.

Utilizing an optimal mix of inputs to cybersecurity in the analytical framework developed by [55] suggests that a diversified approach to cybersecurity investments can be beneficial in adapting to various regulatory scenarios. This diversification can be implemented at different levels within an organization’s cybersecurity strategy: (1) technological solutions, investing in a range of cybersecurity technologies, such as firewalls, intrusion detection systems, and encryption tools, ensures comprehensive protection against various types of cyber threats, (2) geographical considerations, diversifying cybersecurity practices to comply with regional regulatory frameworks can mitigate the risk of noncompliance in different jurisdictions, and (3) operational areas, diversification across different operational areas, including network security, data management, and staff training, ensures a holistic defense mechanism against cyber threats and regulatory changes. Diversification allows businesses to create and sustain value, not just protect it, helping them to adapt to evolving threats while enhancing cost management and revenue growth [104].

P5: Scenario planning involves envisioning various future regulatory landscapes and anticipating potential changes and their impacts on cybersecurity practices. This systematic approach requires businesses to construct detailed scenarios based on plausible regulatory changes, including stricter data protection laws, shifts in policies and trends, and compliance requirements for new technologies and innovations [8]. Through this method, businesses can evaluate their risk exposure levels under diverse regulatory scenarios, identifying potential weaknesses and areas for improvement in their cybersecurity frameworks [109].

Moreover, scenario planning facilitates the development of contingency plans, equipping businesses to respond effectively to regulatory changes [107]. It also encourages cross-functional collaboration, integrating insights from legal, IT, compliance, and risk management teams to ensure a holistic view of potential regulatory impacts. Consequently, businesses can strengthen their defenses against cybersecurity threats in alignment with changing regulations and gain strategic insights that drive informed decision-making and long-term resilience in a dynamic regulatory environment.

P6: Cross-jurisdictional regulatory mapping and engagement with local regulatory bodies function as preventive barriers, particularly in contexts where businesses operate across multiple regions or countries. In these scenarios, organizations must comply with a diverse range of legal and regulatory frameworks and manage the complexities that arise from being influenced by varying global and regional trends, cultural norms, and enforcement practices [36]. This comprehensive mapping enables businesses to identify and understand each jurisdiction’s regulatory environment. Hence, they can develop tailored strategies to ensure compliance in every region they operate. This approach is particularly effective in preempting legal issues and avoiding the penalties associated with noncompliance [44].

Additionally, cross-jurisdictional regulatory mapping is instrumental in strategic planning and decision-making [89]. It allows businesses to assess the regulatory implications of entering new markets, launching new products, or altering their operations. This level of insight is invaluable for mitigating risks and capitalizing on opportunities in a globally interconnected business landscape. Furthermore, this mapping aids in harmonizing organizational policies and practices across different jurisdictions. By identifying commonalities and differences in regulatory requirements, businesses can create streamlined, yet adaptable compliance frameworks. This not only optimizes resources but also ensures a consistent and coherent approach to compliance and corporate governance.

P7: Market incentive realignment refers to the strategic adjustment of market incentives to mitigate the regulatory uncertainties that can disrupt business operations and established cybersecurity practices. As we discussed before, market incentives might initially drive businesses towards cost cutting or rapid innovation, potentially at the expense of compliance or security. This can lead to vulnerabilities and misalignments with evolving regulatory standards, thereby motivating regulators to introduce new regulations or modify existing ones. To address this, market incentive realignment involves reshaping these incentives to prioritize regulatory compliance and robust cybersecurity practices. This realignment process aims to recalibrate these incentives, aligning them with long-term regulatory compliance and robust cybersecurity measures. It involves encouraging businesses to adopt a forward-thinking approach, where compliance and security are integral to their operational strategy, rather than seen as hindrances to innovation or cost efficiency.

3.3.2 Mitigative control

The second category of controls, on the right-hand side of Fig. 3, includes six mitigative controls that act as reactive mechanisms to counteract and manage the ramifications of sudden regulatory changes or oversights. They serve as contingency plans to address and rectify issues arising from sudden regulatory changes or compliance oversights. Together, these barriers form a comprehensive shield, fortifying businesses against the uncertainties and challenges of the ever-evolving cybersecurity regulatory domain.

M1: Accountability structures refer to the frameworks and systems put in place within an organization to ensure that the appropriate teams and individuals are empowered, responsible, and trained for mapping, measuring, and managing risks [102]. Accountability structures establish a framework within which businesses can rapidly and effectively adapt to regulatory changes, minimizing disruptions and maintaining robust cybersecurity practices [47]. Well-implemented accountability structures can significantly reduce the risks and costs associated with noncompliance and operational disruptions in the face of regulatory changes. It can also create incentives for businesses to adhere to existing regulations. For example, when data quality standards are not met, action needs to be taken to ensure that the root cause for the data quality issues is remediated and that sustainable data stewardship programs are in place at the data owner level. This can be accomplished by utilizing effective accountability policies [33].

M2: Legal expertise and counsel in the context of regulatory risks is essential, particularly when considering the potential for regulatory chill. This term refers to the apprehension and restraint experienced by businesses due to the uncertainty or ambiguity of regulatory expectations and enforcement [133]. Governments and regions like the EU wield substantial power to implement various measures aimed at protecting their digital sovereignty and the rights of their citizens within their territorial boundaries. In such a dynamic and often intricate legal landscape, effective legal advice is indispensable for businesses [29]. It aids them in navigating these multifaceted regulatory environments, ensuring adherence to laws and regulations while minimizing the risk of unintentionally provoking regulatory actions. This kind of expertise is vital to maintain operational integrity and promote a forward-looking stance in anticipation of, and adaptation to, evolving regulatory demands and shifts. This proactive approach is not only about compliance but also involves understanding the broader implications of regulations on business strategy and long-term planning.

M3: Contingency funding and planning are critical strategies to ensure business continuity and minimize disruptions to established cybersecurity practices due to regulatory changes. Just as cybersecurity risks necessitate these measures, the same applies to the context of regulatory risks in cybersecurity [130]. Contingency funding ensures that an organization has allocated resources to address unexpected regulatory changes. For example, implementing GDPR was a significant undertaking for organizations, with the implementation time and costs being considerable. According to McKinseyFootnote 35, the cost could exceed €10 million depending on the company’s starting position, and 45% of major European companies would need to make substantial investments in basic tools to comply with GDPR requirements. Strategically established contingency funds and plans act as critical financial and operational safety nets, safeguarding business continuity and resilience against rapid adaptation and unexpected costs, particularly those that are difficult to anticipate.

M4: Financial strategy adaptation enables businesses to respond to the dynamic regulatory environment, ensuring that their investment strategies remain robust and aligned with both current and future compliance requirements. Such adaptation can include various approaches such as portfolio rebalancing, strategic divestment, and resource reallocation. Portfolio rebalancing stands as a cornerstone of this approach. It involves careful analysis and adjustment of investment portfolios to mitigate risks and capitalize on opportunities arising from new regulations. This process is critical for maintaining an optimal balance between risk and return in the face of regulatory shifts. By regularly reviewing and adjusting their asset allocation, organizations can reduce exposure to areas negatively impacted by regulatory changes while increasing investments in more favorable or compliant areas.

Strategic divestment complements rebalancing by enabling organizations to exit investments that become untenable or less profitable due to regulatory shifts. This proactive step involves identifying and selling off assets or business segments that are likely to underperform or pose compliance risks under the new regulatory framework. For example, an organization chooses to divest from third-party vendors or partners that fail to comply with new privacy regulations like GDPR or CCPA. This measure not only minimizes the risk of noncompliance but also redirects capital towards partnerships with entities that demonstrate robust compliance and data security practices, thereby strengthening the organization’s overall cybersecurity posture.

Finally, resource reallocation is about strategically directing investments toward emerging areas of growth that align with the new regulatory landscape. This can involve investing in new technologies, markets, or sectors that are expected to benefit from the regulatory changes. This could also extend to reallocating human resources, like hiring more cybersecurity professionals specialized in regulatory compliance or investing in employee training programs focused on understanding and implementing new cybersecurity regulations.

M5: Regulatory gap analysis equips businesses with the tools to pinpoint discrepancies between their current operational practices and the established or expected regulatory frameworks [31]. This proactive approach not only facilitates timely compliance adjustments but also circumvents potential pitfalls associated with regulatory noncompliance. By consistently conducting regulatory gap analysis, businesses can stay ahead of evolving regulations, effectively mitigating the risk of unforeseen regulatory challenges and the consequent negative repercussions such as heightened scrutiny, legal sanctions, or financial penalties.

Furthermore, regular implementation of regulatory gap analysis positions a business as a compliance-forward entity, enhancing its reputation among stakeholders, customers, and regulatory bodies. It also fosters a culture of continuous improvement and readiness within the organization [60], ensuring that regulatory compliance is not just a one-time endeavor but an ongoing commitment. This ongoing process aids in strategically aligning business operations with regulatory expectations, thereby reducing the likelihood of operational disruptions and fostering a stable, predictable environment for business growth and innovation.

M6: Transparency and disclosure protocols serve not only to comply with regulatory requirements but also to enhance investor confidence, guide corporate governance, and address reputational risks. Drawing from the economics perspective outlined by [95], transparency and disclosure play crucial roles in mitigating information asymmetry and adjusting misaligned incentives between businesses and their stakeholders, including investors, customers, and regulatory bodies. [95] argues that transparency gives credibility to the claim that improving cybersecurity is taken seriously at the entity (e.g., government) level.

Moreover, these protocols enable businesses to preemptively address potential regulatory changes by anticipating regulatory trends, building a compliance-ready culture, engaging proactively with regulators and stakeholders, facilitating thorough risk assessment and management, and ensuring detailed documentation and evidence of compliance [77, 90]. By maintaining openness in their cybersecurity practices, businesses can adapt more swiftly and effectively to new regulations, thereby reducing the risk of penalties and maintaining stakeholder trust. As such protocols align with existing regulations like GDPR and SEC Rules and Disclosure RequirementsFootnote 36, this strategic approach to transparency and disclosure is not merely a compliance measure but a critical element in managing cybersecurity risks and ensuring business resilience in a dynamic regulatory environment.

4 Cybersecurity investment under regulatory risks

Addressing our first research question, we identified the determinants and implications of regulatory risks in cybersecurity. Now, turning to our second question, we focus on how these risks influence cybersecurity investment behavior. This section presents a dynamic model that analyzes a firm’s investment strategies, encompassing both regulatory and cybersecurity risks. While existing cybersecurity investment models primarily assess the likelihood of a breach and its related cybersecurity risks [43, 52], our study offers a new perspective by incorporating regulatory risks into these decisions. Studies like [55] and [54] have explored the impact of government regulations and incentives on cybersecurity investment, particularly addressing externalities and underinvestment. However, these studies primarily focus on the economic externalities of cybersecurity breaches, not directly on the regulatory landscape. Our model represents an advancement in directly integrating regulatory risks into the decision-making process for cybersecurity investments, addressing a critical gap in current research.

This model integrates stochastic processes to simulate regulatory changes and assesses the impact of these changes on the firm’s perceived uncertainty. This perception is critical, as it directly impacts strategic decision-making related to investments [35, 65]. We consider both the likelihood of data breaches occurring and the severity of penalties associated with noncompliance, integrating these factors into the following multi-objective maximization problem:

$$\max_{{I_{t}}}\mathbb{E}\left[\int_{0}^{T}e^{-\delta t}\pi(I_{t},R_{t})dt\right],$$
(1)

where \(t\in[0,T]\) represents the time horizon. Furthermore, we introduce \(\delta\) as the discount factor, which plays a pivotal role in our analysis. The discount factor \(\delta\) is used to translate future costs and benefits into present value terms, reflecting the time value of money and the preference for immediate benefits over future ones. In the context of cybersecurity investment, this means that costs and benefits occurring at a future time \(t\) are “discounted” back to the present value. Typically, \(\delta\) is a value between 0 and 1, where a lower \(\delta\) indicates a higher present value placed on future costs and benefits.

The maximization problem in Eq. (1) seeks to balance several competing priorities: minimizing the risk of data breaches, optimizing compliance with dynamic regulations, and ensuring cost-effective allocation of resources towards cybersecurity measures. To achieve this, the model quantifies the trade-offs between increased investment in cybersecurity and the corresponding reduction in both regulatory risks and the potential damage from data breaches. To address this, we have formulated the payoff function of the problem as follows:

$$\pi(I_{t},R_{t})=S(I_{t})-C(I_{t},R_{t})-\theta_{t}\eta-(P_{b}(t)\times L).$$
(2)

In this function:

  • \(I_{t}\) denotes the level of investment in cybersecurity at time \(t\).

  • \(R_{t}\) is the level of regulatory requirements at time \(t\).

  • \(P_{b}(t)\) denotes the firm’s cybersecurity breach function at time \(t\).

  • \(\theta_{t}\) represents the firm’s perception of regulatory uncertainty at time \(t\).

  • \(\eta\) characterizes the penalties for misalignment between the firm’s cybersecurity investment and the regulatory requirements.

  • \(L\) represents the loss from a cybersecurity breach.

We incorporated \(S(I_{t})\) and \(C(I_{t},R_{t})\) to capture the complex dynamics and trade-offs in cybersecurity investment decisions. \(S(I_{t})\) represents the positive outcomes of investment, both in terms of risk reduction and business benefits, while \(C(I_{t},R_{t})\) represents the cost implications, taking into account both the investment and compliance aspects. \(S(I_{t})\) increases with \(I_{t}\) but at a decreasing rate, reflecting diminishing returns on investment (\(S^{\prime}> 0\) and \(S^{\prime\prime}<0\)) [55]. A common form for this function is logarithmic [62]. For simplification, we implemented this function as \(S(I_{t})=\lambda.log(1+I_{t})\), where \(\lambda\) is a parameter that adjusts the scale of returns.

\(C(I_{t},R_{t})\) encompasses all the direct expenditures associated with implementing and maintaining cybersecurity measures. This component also reflects costs related to compliance with cybersecurity regulations, such as costs incurred to align systems and processes with regulatory requirements. Given its dual focus, \(C(I_{t},R_{t})\) is a function of both the level of investment in cybersecurity \(I_{t}\) and the prevailing regulatory requirements \(R_{t}\). The interdependencies and externalities inherent in cybersecurity investments significantly influence this function [43, 52]. Moreover, the relationship between investment and costs is not always linear. Increased investment in cybersecurity can lead to economies of scale, where the cost per unit of security decreases as the scale of investment grows.

On the other hand, overly stringent regulatory requirements might lead to diminishing returns, where each additional unit of investment results in a disproportionately small reduction in compliance costs. However, in our implementation of the model, we have simplified the function \(C(I_{t},R_{t})\) and chose to exclude interdependencies and non-linearity for ease of computation and to focus on the primary dynamics of cybersecurity investment and regulatory compliance. Therefore, we implemented this function as \(C(I_{t},R_{t})=I_{t}+|R_{t}-I_{t}|\).

To accurately represent the dynamic nature of regulatory changes in the cybersecurity domain, our model incorporates the term

$$dR_{t}=\alpha(R^{*}-R_{t})dt+\sigma dW_{t},$$
(3)

where \(R^{*}\) represents the target level of regulations, which might be influenced by determinants identified in Sect. 3.1, the coefficient \(\alpha\) represents the rate at which actual regulatory requirements adjust towards the target level \(R^{*}\)Footnote 37, the parameter \(\sigma\) captures the volatility or uncertainty in the regulatory changes, and \(dW_{t}\) is a Wiener processFootnote 38.

A higher value of \(\alpha\) indicates a faster adaptation of regulatory standards, reflecting a more responsive or agile regulatory environment. This could be indicative of sectors where rapid changes in technology or threat landscapes necessitate quicker regulatory responses. \(\sigma\), however, represents the extent to which regulatory changes can deviate unexpectedly from the anticipated path due to unforeseen events, such as sudden technological breakthroughs, political shifts, or high-impact cyber incidents.

As regulations evolve, the firm updates its perception of regulatory risk \(\theta_{t}=f(\Delta R,\sigma,|R_{t}-I_{t}|)\) where \(f\) is a function influenced by the rate and unpredictability of regulatory changes as well as the firm’s alignment with these regulations. \(\Delta R\) represents the average rate at which regulatory requirements are changing. A higher \(\Delta R\) indicates a more rapidly evolving regulatory landscape, which could increase uncertainty. Another component of this function is the gap in current investment and regulatory requirements \(|R_{t}-I_{t}|\). If a firm’s investment closely aligns with the current regulatory requirements (\(I_{t}\) is close to \(R_{t}\)), this could reduce uncertainty from a compliance perspective [97, 128]. The firm is confident that it meets the regulatory standards, reducing the risk of noncompliance and any associated penalties or reputational damage. Conversely, a larger gap (\(|R_{t}-I_{t}|\) is significant) could indicate that the firm is either underinvesting or overinvesting relative to regulatory standards [27]. While underinvesting increases the risk of noncompliance, overinvesting might lead to unnecessary expenditure and inefficiency. In both cases, the firm faces uncertainty, either about potential regulatory actions or about the cost-effectiveness of its investments.

The probability of breach \(P_{b}(t)\) in Eq. (2) is influenced by the firm’s investment in cybersecurity and the regulatory environment. \(P_{b}(t)=g(I_{t},R_{t})\) decreases with higher investment in cybersecurity and increases with a larger gap between regulatory requirements and actual investment [55, 56]. Hence, \(g\) is a function that:

  • \(\frac{\partial g}{\partial I_{t}}<0\): higher investment in cybersecurity reduces the probability of a breach.

  • \(\frac{\partial g}{\partial|R_{t}-I_{t}|}> 0\): a larger gap between regulatory requirements and actual investment increases the probability of a breach.

After a detailed explanation of the model, Fig. 7 illustrates the outcomes of implementing this model, particularly highlighting the effects of the rate of regulatory adaptation (Fig. 7a–c) and uncertainty in the regulatory changes (Fig. 7d–f) on cybersecurity investment level. The figure demonstrates the dynamic interplay between regulatory requirements and investment decisions over time. Initially, the firm’s investment closely aligns with the regulatory requirements, indicating compliance and risk minimization efforts. However, as time progresses, there is a noticeable shift in behavior, with the gap between the investment level and regulatory requirements widening, and a subsequent decrease in the investment level.

Fig. 7
figure 7

Impact of regulatory adaptation rate (\(\alpha\)), uncertainty (\(\sigma\)), and misalignment penalties (\(\eta\)) on cybersecurity investment. a–c focus on how varying adaptation rates influence investment alignment with regulatory requirements. d–f depict the firm’s investment behavior under increasing levels of regulatory uncertainty, highlighting the transition from compliance-oriented to caution-dominated investment strategies. g–i demonstrate how changes in the magnitude of misaligned penalties (\(\eta\)) influence the firm’s cybersecurity investment decisions. The value of \(\alpha\) in these runs is \(0.15\)

Full size image

Furthermore, as volatility or uncertainty in the regulatory increases (Fig. 7d–f), the firm exhibits volatile investment patterns more quickly compared to scenarios where the rate is lower (Fig. 7a–c). This trend indicates a direct impact of regulatory risks on investment behavior, potentially leading to underinvestment. This divergence from regulatory alignment can be attributed to a “wait-and-see” approach adopted by the firm. Firms may adopt a strategic delay in investment under high uncertainty [23, 53, 92]. Hence, as the regulatory environment becomes more dynamic and potentially unpredictable, firms adopt a more cautious investment stance. This is especially plausible if the firm anticipates future regulatory changes that could render current investments less relevant or even obsolete and thus influence its uncertainty perception.

We extended our analysis by modifying the variable \(\eta\), indicative of misaligned penalties. Figure 7g–i reveals a trend: as the value of \(\eta\) increases, the firm tends to align its investment level more closely with regulatory requirements. This indicates a direct relationship between penalties and investment behavior. This pattern corroborates with studies like those by [34] and [70], which affirm the effectiveness of penalties as a deterrent. However, juxtaposing this trend with Fig. 7b reinforces both theoretical and empirical evidence [18, 76] suggesting that firms often exhibit a reactive approach in cybersecurity investment. This approach often results in investments aimed at meeting minimum required standards, rather than striving for the implementation of optimal, comprehensive security practices.

Finally, to delve deeper into the effects of perceived regulatory uncertainty, Fig. 8 provides a visual representation of the changes in the firm’s perception of regulatory uncertainty over time. The peaks in the graph indicate moments of heightened uncertainty. As observed, these correspond to times when there are significant changes in regulatory requirements, increased volatility in the regulatory environment, or when the firm’s investment substantially deviates from the regulatory requirements. The lower levels of uncertainty occur during periods when the firm aligns its investment with the regulatory requirements or when the regulatory environment is relatively stable. These periods signify successful adaptation and effective compliance efforts by the firm. The figure additionally shows that despite increases in regulatory requirements, the investment level remains relatively constant (after \(t> 400\)). This observation aligns with our discussions in Sect. 3.2.3, where we explored the impact of regulatory uncertainty on investment behaviors.

Fig. 8
figure 8

The changes in the firm’s perception of regulatory uncertainty over time. Peaks in the graph correspond to heightened uncertainty, often coinciding with significant regulatory shifts or deviations from regulatory compliance in investment. Troughs indicate periods of lower uncertainty, typically associated with stable regulatory environments or periods of high compliance. This figure aids in understanding the correlation between regulatory changes and the firm’s adaptive investment strategies in the cybersecurity domain

Full size image

5 Discussion and conclusion

This paper aimed to deepen our understanding of the regulatory risks associated with cybersecurity and to examine how perceived regulatory uncertainty and the risk of future regulatory changes affect the cybersecurity investment behavior of organizations. To this end, we identified a range of determinants and implications associated with cybersecurity-related regulatory risks. While acknowledging that these sets are not exhaustive, they highlight the diverse factors that contribute to the regulatory risks faced by organizations and the potential consequences that could disrupt their business operations and established cybersecurity practices.

In exploring the determinants of regulatory risks, our research employed sentiment analysis to measure the levels of regulatory uncertainty in the cybersecurity domain. This analysis is important in quantifying the general sentiment and uncertainty surrounding current and potential future regulations. The findings from this analysis revealed a significant degree of uncertainty towards cybersecurity regulations. This uncertainty can be attributed to several factors, including the rapid pace of technological change, the emergence of new cybersecurity threats, and the evolving nature of global data protection and privacy laws. As a result, organizations often find themselves in a challenging position, trying to anticipate and prepare for potential regulatory shifts while maintaining compliance with current standards.

We expanded our study by identifying additional determinants that contribute to the complexity of regulatory risks in cybersecurity. Collectively, these determinants create a continuously evolving regulatory risk landscape in cybersecurity. Understanding and managing these risks necessitates not only a reactive compliance approach but also a proactive strategy that anticipates future changes and adapts accordingly. Organizations that fail to adequately address and adapt to these regulatory risks in cybersecurity are at a heightened risk of facing not only legal and financial repercussions but also significant damage to their reputation and operational integrity. In an environment where cybersecurity threats are continuously evolving, and regulatory landscapes are in flux, a passive or noncompliant stance can lead to severe vulnerabilities. These vulnerabilities can manifest in various forms, from data breaches and loss of customer trust to disruptions in business operations and costly penalties for noncompliance. Moreover, organizations that lag in adapting to new regulations may find themselves struggling to catch up with industry standards, thereby losing competitive advantage and market trust.

Regulatory risks, as we have found, can be mitigated but not eliminated. Mitigation does not come from eliminating or weakening regulations. Rather, it requires a collaborative effort from both regulators and organizations. In line with the suggested preventive and mitigative controls in this paper, it should not be seen as paradoxical that regulation itself can be a remedy to regulatory risk. A well-crafted and competent regulatory framework provides stability and certainty, offering mechanisms that not only minimize this risk but also preserve vital functions while remaining adaptable to evolving conditions.

These mechanisms can range from clear guidelines and transparent compliance requirements to robust monitoring and enforcement protocols. They may also include flexible provisions to accommodate technological advancements and changing cybersecurity threats. Furthermore, these frameworks can implement feedback loops, where businesses can contribute their insights and experiences, thereby ensuring that regulations remain relevant and effective. On the procedural front, these frameworks should incorporate stringent measures to prevent undue influence on decision-making processes, such as back-door lobbying regulations and strict conflict-of-interest policies. This is vital to maintain the integrity of the regulatory process and ensure that decisions are made in the best interest of public safety and cybersecurity, rather than being swayed by private interests.

In parallel, businesses are tasked with developing adaptive strategies and establishing robust compliance systems. These systems must be agile enough to respond effectively to regulatory changes, ensuring compliance without stifling innovation or operational efficiency. This dual approach–where regulators provide clear, stable, and adaptable frameworks, and businesses respond with agile and comprehensive compliance strategies–creates a dynamic yet secure environment. This environment is conducive to managing and mitigating regulatory risks effectively, ensuring that cybersecurity practices remain robust and responsive in a constantly evolving digital landscape.

After identifying the determinants and implications of regulatory risks associated with cybersecurity, our study progressed to examine how uncertainty about future cybersecurity regulatory environments influences investment decisions in organizations. To address this, we developed a quantitative model that analyzes investment patterns in relation to regulatory risks. The results from our model indicated that regulatory uncertainty has a direct and significant impact on cybersecurity investment behavior. Specifically, the model revealed a trend where organizations tend to reduce or defer their investments in cybersecurity infrastructure when faced with regulatory uncertainty. This cautious approach, often characterized as a “wait-and-see” strategy, is typically adopted due to concerns that future regulatory changes might render current investments obsolete or noncompliant.

However, while this approach is understandable from a risk management perspective, it carries its own set of risks. Primarily, it can leave organizations more exposed to emerging cybersecurity threats. In an environment where cyber threats are evolving rapidly, delaying critical cybersecurity investments or underinvestment can result in vulnerabilities that might be exploited by cybercriminals. This trade-off highlights the complex decision-making landscape that organizations must navigate when balancing the need to stay agile and compliant with the imperative to protect against cybersecurity threats.

In summary, our research underscores three critical needs:

  • For organizations: to develop adaptable and forward-thinking cybersecurity investment strategies. This entails a balanced approach where investments are not just prudent, but also flexible enough to adapt to regulatory changes. Investments in scalable, modular cybersecurity solutions and strategies like divestment and diversification are essential to meet future regulatory and cyber threat challenges.

  • For regulators: to understand the broader impact of the regulatory environment, beyond just the regulations themselves, on organizational cybersecurity investment. Our research highlights the need for creating regulatory frameworks that balance predictability with adaptability, ensuring they keep pace with evolving technological and societal changes.

  • For researchers: to prioritize and rigorously integrate regulatory risks into cybersecurity investment models. Recognizing the profound impact of regulatory changes and uncertainties on investment strategies, this approach will enable researchers to offer more comprehensive and realistic guidance for organizations navigating the complex cybersecurity landscape

6 Limitations and future work

Our study acknowledges certain limitations, primarily stemming from its reliance on existing literature, which may not entirely reflect the rapidly changing landscape of cybersecurity threats and regulatory shifts. Furthermore, the stochastic econometric model employed, while providing valuable insights, is based on certain interpretations and assumptions that may not fully encompass the complexity and diversity of regulatory trends, especially across various industries and regions. Future research could enrich this field by incorporating empirical studies that integrate expert opinions and direct business engagements. This approach would broaden the scope of determinants and implications examined, enable a more quantitative assessment of their impacts on regulatory risks, and explore additional preventive and control measures.

Longitudinal studies would enhance our understanding by allowing the tracking and analysis of the evolution of regulatory changes and cybersecurity investments over time. These studies would offer a dynamic, temporal view of the interplay between these factors, uncovering trends not visible in cross-sectional analyses. Future research also presents an opportunity to develop more sophisticated models that more accurately reflect the complex interplay of regulatory and cybersecurity risks, incorporating a wider array of technological, organizational, and socio-economic factors. Such comprehensive and empirically grounded research will be key to deepening our understanding and effectively managing the intricate relationship between regulation, cybersecurity risks, and investment strategies.