Global Cyber Resilience Regulations
Cyber resilience is no longer defined by a single standard or geography. It is shaped by a growing ecosystem of regulations, supervisory expectations, and industry frameworks that converge on a shared objective: to ensure organizations can anticipate, withstand, respond to, and recover from cyber disruption while protecting critical services, the economy, and society.
This page curates the most influential cyber resilience instruments worldwide. The list is not exhaustive; it reflects regulations and frameworks that have materially shaped modern thinking on operational and cyber resilience and that inform the Cyber Resilience Manifesto and CR-CMM.
European Union – Core Regulations
Digital Operational Resilience Act (DORA)
- Sector-specific regulation for financial services establishing requirements for ICT risk management, incident reporting, digital operational resilience testing, and oversight of ICT third-party providers.
- 🔗 https://www.digital-operational-resilience-act.com/DORA_Articles.html
- 🔗 https://www.esma.europa.eu/sites/default/files/library/esma50-165-2155_-_trv_-_operational_resilience_for_financial_institutions.pdf
EU Cyber Resilience Act (CRA)
- Lifecycle cybersecurity requirements for products with digital elements, embedding security and vulnerability management by design.
- 🔗 https://www.european-cyber-resilience-act.com/
NIS2 Directive
- Strengthened obligations for essential and important entities across sectors, focusing on governance, risk management, and incident reporting.
- 🔗 https://www.nis-2-directive.com/
- 🔗 https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance
EU Critical Entities Resilience (CER) Directive
- Protection and continuity requirements for critical infrastructure beyond cyber alone, aligning physical and digital resilience.
- 🔗 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2557
UK & Ireland
Prudential Regulation Authority (PRA) – Operational Resilience Policy
- Requirements for financial institutions to identify important business services, set impact tolerances, and prove they can remain within them during severe but plausible disruptions.
- 🔗 https://www.bankofengland.co.uk/prudential-regulation/prudential-and-resolution-policy-index/banking/operational-resilience
Financial Conduct Authority (FCA) – Operational Resilience
- Obligations to map dependencies, perform scenario testing, and ensure consumer harm is minimized during technology and cyber incidents.
- 🔗 https://www.fca.org.uk/firms/operational-resilience
Bank of England – Cyber Resilience Questionnaire
- Supervisory assessment of resilience capabilities in the financial sector
- 🔗 https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cyber-resilience-questionnaire.xlsx
Scottish Government – Cyber Resilience Framework
- National model for organizational preparedness and maturity
- 🔗 https://www.gov.scot/publications/cyber-resilience-framework/
Ministry of Defence – Cyber Resilience Strategy for Defence
- Whole-of-defence approach to sustaining operations under cyber attack.
- 🔗 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1073315/20220425-Cyber_Resilience_Strategy_for_Defence.pdf
UK Government – Proposal for Legislation to Improve the UK's Cyber Resilience
- Consultation on a forward-looking legal framework to strengthen national resilience, including updates to the UK NIS Regulations.
- 🔗 https://www.gov.uk/government/consultations/proposal-for-legislation-to-improve-the-uks-cyber-resilience/proposal-for-legislation-to-improve-the-uks-cyber-resilience
United States
The U.S. approach to cyber resilience is generally less prescriptive and less centralized than the EU and UK models. Obligations are largely driven by market transparency, sector regulation, and critical infrastructure reporting rather than a single horizontal resilience law.
SEC Cybersecurity Disclosure Rules
- Public companies must disclose material cyber incidents (on Form 8-K, within four business days of determining materiality) and describe their cyber governance and risk management practices in annual reports, reinforcing board accountability.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
- Mandatory reporting of substantial cyber incidents and ransomware payments to CISA by owners and operators of critical infrastructure, aimed at national situational awareness; the reporting obligations apply once CISA's implementing rule is in force.
Sector-Specific Resilience Requirements
- Long-standing regimes such as HIPAA (healthcare) and GLBA (financial services) embed continuity, safeguards, and incident response expectations within their industries.
Global & Multilateral Perspectives
CPMI-IOSCO – Guidance on Cyber Resilience for Financial Market Infrastructures
- International baseline for systemic cyber resilience, published by the BIS Committee on Payments and Market Infrastructures with IOSCO.
- 🔗 https://www.bis.org/cpmi/publ/d146.pdf
World Bank – Operational Cyber Resilience
- Framework supporting emerging markets and financial ecosystems
- 🔗 https://thedocs.worldbank.org/en/doc/189821576699037673-0130022019/original/FIGIECBOperationalCyberFinalWeb1213.pdf
Hong Kong Monetary Authority (HKMA) – Cybersecurity Fortification Initiative
- Sector-wide preparedness and incident response programs.
- 🔗 https://www.hkma.gov.hk/eng/news-and-media/press-releases/2020/11/20201103-4/
Monetary Authority of Singapore (MAS) – Technology Risk Management Guidelines
- Emphasis on cyber exercises and operational readiness.
- 🔗 https://www.cm-alliance.com/cybersecurity-blog/singapores-monetary-authority-mas-advises-cyber-exercises-in-its-revised-trm-guidelines
Securities and Exchange Board of India (SEBI) – Cyber Security and Cyber Resilience Framework
- Requirements for portfolio managers and market participants.
- 🔗 https://www.sebi.gov.in/legal/circulars/mar-2023/cyber-security-and-cyber-resilience-framework-for-portfolio-managers_69521.html
Office of the Superintendent of Financial Institutions (OSFI) – Intelligence-led Cyber Resilience Testing (I-CRT)
- Expectations for federally regulated financial institutions.
- 🔗 https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/adv-prv/Pages/icrt-tcfr.aspx
Australia
ACSC Critical Infrastructure Resilience Guidance
- Operational benchmark for preparedness, scenario exercises, and service restoration during and after cyber attack.
- 🔗 https://www.cyber.gov.au/business-government/critical-infrastructure
Security of Critical Infrastructure Act (SOCI) – Positive Security Obligations
- National framework requiring critical infrastructure operators to manage systemic risk, map dependencies, and maintain the ability to withstand and recover from severe cyber disruption.
- 🔗 https://www.legislation.gov.au/Series/C2018A00029
Cyber Incident Review Board – Cyber Security Act
- Post-incident mechanism focused on root cause, recovery effectiveness, and cross-sector learning to strengthen national resilience.
- 🔗 https://www.homeaffairs.gov.au/cyber-security-subsite/Pages/cyber-security-act.aspx
Comparative Analysis
A useful high-level comparison of UK, EU, and US approaches is available here:
🔗 https://www.whitecase.com/insight-our-thinking/financial-regulatory-observer-2022-operational-resilience-uk-eu-and-us
Note: The Cyber Resilience Manifesto does not promote any specific firm or commercial analysis. We welcome additional analyst perspectives and independent research to enrich this knowledge base.

