October 13, 2025

When cyber laws backfire: The rules making us less safe

Cybersecurity expert and J2 Software CEO John Mc Loughlin

Regulation was designed to protect customers, curb risk, and hold businesses accountable. But today it is often doing the opposite: creating impossible trade-offs, punishing transparency, and turning defenders into accidental offenders. Instead of building resilience, rigid laws are breeding fragility, making organisations and consumers more vulnerable than ever.

Gartner’s 2025 research confirms that Security and Risk Management leaders are moving beyond a pure prevention mindset to embed resilience and visibility into how organisations operate. That shift has a direct bearing on how lawmaking should be shaped if regulation is to enable good outcomes rather than force bad ones.

I see this problem in several concrete ways. Laws that create conflicting obligations, for example demanding immediate disclosure of an incident while at the same time restricting the sharing of forensic detail, can turn the act of containing harm into an act of legal exposure.

Prescriptive technical or procedural mandates that assume large budgets and deep specialist teams disadvantage smaller and mid-sized organisations that must prioritise limited resources.

Penalties that ignore intent or mitigation efforts can punish organisations that invested in reasonable defences but were outpaced by an unforeseeable threat. Rules written around yesterday’s technologies do not map cleanly to cloud, artificial intelligence, machine identities, and complex third-party dependencies.

The practical effect is troubling. Organisations are increasingly recognising that prevention alone is insufficient. Resilience, the ability to detect, adapt, recover and learn, must be embedded in people, processes and tooling. At the same time, tool sprawl and disconnected controls reduce visibility and make coherent incident response harder.

When compliance requirements emphasise ticking boxes and prescriptive controls over visibility and recoverability, businesses can become brittle. They are less able to act quickly and transparently in the face of emerging threats.

There are real social and business costs to this dynamic. When regulation creates impossible trade-offs, it produces moral hazard. Honest organisations may hesitate or hide problems to avoid punitive outcomes, while others may be legally advantaged for doing less. Fragility increases because firms that cannot respond rapidly to incidents suffer larger recovery costs and reputational damage.

Worse, criminalisation by circumstance becomes a real risk when the law penalises outcomes without accounting for intent, mitigation, or the realities of rapidly evolving technology. Innovation likewise suffers because firms avoid experimentation when regulatory compliance is too uncertain or costly.

If regulation is to serve its purpose, it must enable the right action. From my perspective, effective legal design should prioritise outcomes rather than prescribe means. Laws should set clear goals such as protecting customer data, enabling timely recovery, and ensuring transparency, while leaving flexibility for organisations to choose technical and operational approaches that fit their size and risk profile.

Safe harbour or good faith provisions are essential. Organisations acting transparently and according to recognised best practices should not face punitive exposure for every imperfect outcome.

Regulatory frameworks should also require and reward visibility. Mandated inventory of systems, dependencies and third-party risk, along with obligations to monitor and report exposures, make resilience operationally possible.

Regulations should permit justified emergency mitigation measures with post-incident reporting and accountability, rather than forbidding actions that could prevent larger harm.

Finally, rules must align with technological realities and allow for adaptive governance so that frameworks remain relevant as cloud architectures, artificial intelligence systems and supply chains evolve.

For executives and boards, this is a policy as well as an operational agenda. We should advocate for outcome-based regulation, seek safe harbour provisions for good faith defenders, and invest in the visibility tools and practices that make resilience demonstrable.

We should engage constructively with policymakers, offering testbeds, data and practical frameworks that show how adaptive governance can protect customers without imposing impractical burdens on businesses. If lawmakers insist on rules that make the right thing legally or commercially impossible, we risk a future where regulatory failure, not moral failure, produces criminal outcomes.

My conclusion is straightforward. Regulation must enable resilience, not block it. Enabling visibility, adaptability and reasonable flexibility will protect customers, sustain innovation, and keep honest businesses in business.