---
id: "question-regulatory-evolution"
type: "open-question"
source_timestamps: ["§ Compliance Isn't Security"]
tags: ["regulation", "policy"]
related: ["contrarian-regulations-lack-value", "claim-regulators-poorly-positioned"]
resolutionPath: "Longitudinal studies comparing the operational security outcomes of organizations under strict new regulatory regimes versus those driven purely by market incentives."
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# Can Cybersecurity Regulations Evolve to Provide Actual Value?

## Open question

Can government frameworks be reformed to genuinely **incentivize resilience** and provide value to mature organizations — rather than acting as a baseline compliance burden?

## Context

The authors heavily criticize current cybersecurity regulations as bureaucratic, ill-timed, and punitive ("shoot the wounded"; see [[quote-shoot-the-wounded]], [[contrarian-regulations-lack-value]], and [[claim-regulators-poorly-positioned]]). Whether regulation *can* be adaptive and value-adding remains unsettled — and the enrichment evidence on principles-based regimes (NIST CSF 2.0, NIS2, DORA) suggests the answer may be evolving toward "yes."

## Suggested resolution path

Longitudinal studies comparing the operational-security outcomes of organizations under strict new regulatory regimes versus those driven purely by market incentives.
