EU, Japan, Australia Move From Voluntary Cyber Guidelines to Binding Law
Australia recorded a cybercrime report every six minutes, up from one every ten minutes two years ago.
Akul Saxena
SAN FRANCISCO, March 26, 2026 — Senior cyber officials from the European Union, Japan and Australia told the RSA Conference Wednesday that binding regulation, mandatory reporting, and coordinated defense structures are replacing a decade of voluntary frameworks that panelists said have run their course.
Japan's three-pillar strategy
Japan concluded a new national cybersecurity strategy late last year anchored in three pillars, said Yoichi Iida, Japan's national cyber director. The first covers deterrence and defense against state-sponsored cyber actors. The second builds societal resilience by requiring small and medium-sized enterprises to implement their own baseline cybersecurity measures.
The third includes new legislation that gives the government authority to monitor internet traffic and requires 300 critical infrastructure operators to report incidents directly to the government. Japan stood up a new National Cybersecurity Office to lead the effort and a public-private partnership council to keep industry in the loop, Iida said.
Europe’s security union
The European Union has pursued three parallel tracks, said Despina Spanou, the bloc's head of cybersecurity policy. The first established common norms across all 27 member states requiring critical infrastructure operators to meet the highest security standards and report incidents to the government under NIS2, the EU's binding network and information security law.
The second extended those protections through the Cyber Resilience Act, which takes force later this year and requires every product sold in the EU market to have security built into the design process, with requirements tiered by risk level. The third addresses undersea cable sabotage, drone disruption of transport networks, and cybersecurity tools to counter both.
To build a deployable workforce, the EU created the Cybersecurity Skills Academy, drawing pledges from major technology companies, to train workers across professions beyond computer science. It also stood up the EU Cyber Reserve, a vetted pool of public and private sector professionals who can deploy to any member state facing a large-scale incident.
All 27 nations conduct joint cyber exercises alongside the North Atlantic Treaty Organization, and collective threat assessment hubs financed by the EU allow member states to pool intelligence before incidents escalate across borders.
Australia's shift to national preparedness
Australia has moved its national posture from awareness to preparedness, said Jessica Hunter, Australia's ambassador for cyber affairs and critical technology. The Australian Signals Directorate, the country's signals intelligence and cybersecurity agency, recorded a 27 percent increase in publicly disclosed vulnerabilities.
Cybercrime reports surged to one every six minutes, up from one every ten minutes two years ago. The economic cost to individual citizens rose 50 percent. Nearly 20 million Australians had personal records exposed through data breaches.
Australia responded by legislating detailed asset-level security standards for critical sectors and introducing internet-of-things labeling schemes so consumers do not have to evaluate device security themselves. The government committed $80 million to help Indo-Pacific neighbors adopt trusted technology and build resilient networks.
When a ransomware attack disabled the Kingdom of Tonga's health system for two full days, Australia deployed industry partners to support recovery. Australia and New Zealand jointly identified the actors responsible for the attack and disclosed their findings publicly.
Workforce and private sector trust
The United States is short roughly 300,000 workers across cybersecurity and IT roles, said moderator Chris Inglis, the former National Security Agency deputy director. Workers across law, health care, and every other sector carry cyber responsibilities they have not been trained to recognize.
"Humans remain at the center of this proposition," Inglis said.
