Reverse Engineering Regulations

Due to my academic interests and my profession, I often read policy papers, regulations, strategies, and many other documents with fancy names that revolve around cyber politics.

When I try to explain what I actually study for my PhD, people often do not understand the difference between regulations and policies, or they simply disagree with me and tell me that I am wrong.

These reactions are interesting to me because cyber politics is not the only field in which governments or international organizations create both regulations and policies.

We have maritime, trade, energy, and so on.

Since my field is cyber politics, I wanted to write something about this, with the intention of sending the article to anyone who asks me about the difference again.

According to Merriam-Webster:

Regulation:
1. The act of regulating.
2. The state of being regulated.

Policy:
1. Prudence or wisdom in the management of affairs.
2. Management or procedure based primarily on material interest.

But what do they mean in my field?

Cyber Policy

High-level direction & strategy

Set by: Governments, organizations, institutions
Nature: Broad, guiding, often flexible
Purpose: Defines goals, priorities & principles
Examples
  • A national cybersecurity strategy
  • Company policy prioritising zero trust architecture
  • A state’s stance on responding to cyber attacks internationally

Cyber Regulations

Specific, enforceable rules

Set by: Legal authorities, regulators, lawmakers
Nature: Detailed, mandatory, enforceable
Purpose: Defines what must be done and how
Examples
  • GDPR requiring companies to protect personal data
  • NIS Directive for critical infrastructure security
  • Breach notification laws (report within X hours)

Cyber policy sits at the strategic level. It shows how a government or organization thinks about cybersecurity, what it prioritizes, and how it plans to act.

At its core, policy answers broad questions like “What are we trying to protect?” and “How do we respond to cyber threats?” or “What role should we play in the global cyber environment?”

For example, a national cybersecurity strategy might emphasize resilience, deterrence, or international cooperation. Similarly, a company might adopt a policy centered on data privacy or zero trust architecture. These are not detailed instructions but guiding frameworks that shape decision making.

Because of that nature (not being detailed), cyber policy is less about enforcement and more about direction.

On the other hand, cyber regulations operate at a much more concrete level. They translate those broad policy goals into specific, enforceable requirements.

Instead of asking what should be done, regulations define what must be done.

Legal frameworks such as GDPR or the NIS Directive impose clear obligations on organizations, such as requirements to protect personal data, implement security controls, or report breaches within a fixed timeframe.

From strategy to regulation

  1. Government / Institution: identifies risks & priorities
  2. Cyber Policy: strategic goals & principles defined
  3. Cyber Regulations: concrete, binding rules enforced
  4. Desired Outcome: improved security posture

Just by looking at these basic definitions, we can easily state that many national strategies published by countries all around the globe on cybersecurity are not actually strategies. They are just regulations, written in a vague language. But that’s not our topic here.

One approach I see quite often, and to be honest this is a path I took as well, is mistaking regulations for strategic views or policy views of the authorities.

In this path, people say “Well, we can look at a regulation and say how a government or organization thinks about cybersecurity, what it prioritizes, and how it plans to act.”

It looks logical and smart at first. Probably some big names talked about the strategy behind closed doors, then regulations started to pop up, and if we don’t have access to any official policy document, then why don’t we reverse engineer the whole process?

Unfortunately, this is wrong, for several reasons. The first is that regulations are not always enforced properly.

  1. A government may impose strict requirements for incident reporting, data protection, or infrastructure security, yet lack the institutional capacity, political will, or technical capability to enforce them consistently.
  2. The second issue is signaling. Regulations are sometimes designed to send messages rather than to be fully implemented. They can signal alignment with international norms, reassure domestic audiences, or attract investment by projecting an image of maturity and control. A country might adopt frameworks that resemble those of the EU or other advanced regulatory environments, not because it intends to enforce them properly, but because doing so carries reputational benefits. Reading these texts as direct evidence of strategic intent can be misleading.
  3. Third, regulations are shaped by negotiations. What ends up in the final text is rarely a clean expression of a single, coherent strategy. The clearest reflection of this in real-life examples is the distribution of responsibilities among different agencies with conflicting or overlapping priorities.
  4. Most importantly, behavior matters more than text. If a government claims to prioritize critical infrastructure protection but repeatedly tolerates weak security practices, or if the penalties are too weak to matter, its true priorities are revealed through inaction. Or if it enforces data protection aggressively in some areas but ignores others, that selectivity also tells a story.

This does not mean regulations are useless as analytical material. They are valuable, but they must be treated carefully. Rather than reading them as direct expressions of strategy, it is more accurate to see them as one signal among many.

To understand how an authority actually thinks and acts in cyberspace, regulations need to be read alongside enforcement, institutional capacity, budget, and public statements. If possible, observing behavior is one of the best ways to understand the mindset of an authority (though it often comes too late).