Cybersecurity policy making requires a delicate balance between economic and social as well as national security, defense, technical and cybercrime law enforcement aspects. While policy makers in these areas may share the same overarching goal, their approaches, ministries, agencies, and cultures are different. To facilitate the adoption of policies that mutually reinforce rather than undermine each other, the OECD Policy Framework on Digital Security helps policy makers understand the economic and social dimension of cybersecurity and how it is different from national security and other aspects. 

More specifically, the Framework equips policymakers to use OECD digital security Recommendations in developing better policies. These Recommendations cover digital security risk management, national strategies, the digital security of critical activities and infrastructure, and of products and services, the treatment of vulnerabilities as well as cryptography and electronic authentication. 

Digital security policy making is a multifaceted area, which requires a strategic approach based on a clear vision to ensure that all stakeholders, from government agencies to public and private sector organisations, and individuals, join forces in a coherent and consistent manner. The OECD Recommendation on National Digital Security Strategies provides high-level guidance to achieve this goal and create a culture of digital security throughout the economy and society.

It includes guidance on how to develop or update the strategy, how to shape the institutional framework for digital security policy making and implementation, and on the nine areas where national strategies should provide clear objectives, ranging from cybersecurity skills, to the protection of critical activities and international co-operation. 

OECD analysis shows that market failure often prevents stakeholders from optimally valuing the digital security of products and services that contain or rely on software code. Market incentives alone are unlikely to rectify gaps in digital security risk management. 

The OECD Recommendation on the Digital Security of Products and Services includes guidance on policies to realign market incentives and empower stakeholders to enhance the digital security of products and services. It outlines areas of action for policy makers, such as measures aiming to ensure that suppliers take responsibility for the digital security of their products and services (“duty of care”), including ensuring security by design and by default, treating vulnerabilities, and adopting responsible end-of-support policies. 

Most cyberattacks exploit vulnerabilities in software or information systems. So-called “white hats” or “ethical hackers” find vulnerabilities and report them to the software developers and system owners who can mitigate them, significantly contributing to risk reduction. However, as shown in OECD analyses, they are often threatened with legal proceedings rather than welcomed and encouraged. This creates a chilling effect, ultimately benefiting criminals and other illegitimate actors rather than helping to reduce risk. 

The OECD recommends that governments encourage security researchers and other stakeholders to co-ordinate the disclosure of vulnerabilities. Governments should adjust legal frameworks to create safe harbours for “ethical hackers” who follow good practice (vulnerability researchers). The OECD report on Good Practice Guidance on the Co-ordination of Digital Security Vulnerabilities provides more details on vulnerability treatment in practice while avoiding technical jargon and detailed considerations. 

The Recommendation on Digital Security Risk Management was adopted by the OECD Council on 26 September 2022 on the proposal of the Committee on Digital Economy Policy (CDEP) and launched at the CDEP Ministerial meeting on 14 December 2022. The Recommendation aims to assist Adherents in devising or updating digital security strategies and policies to strengthen digital security without inhibiting economic and social prosperity.

The Recommendation of the Council on National Digital Security Strategies was adopted by the OECD Council on 26 September 2022 on the proposal of the Committee on Digital Economy Policy (CDEP) and launched at the CDEP Ministerial meeting on 14 December 2022. The Recommendation aims to assist Adherents in devising or updating digital security strategies and policies to strengthen digital security without inhibiting economic and social prosperity.

The Recommendation on the Digital Security of Products and Services was adopted by the OECD Council on 26 September 2022 on the proposal of the Committee on Digital Economy Policy (CDEP) and launched at the CDEP Ministerial meeting on 14 December 2022. The Recommendation aims to assist Adherents in devising or updating digital security strategies and policies to strengthen digital security without inhibiting economic and social prosperity.

The Recommendation on Digital Security of Critical Activities was adopted by the OECD Council on 11 December 2019 on proposal of the Committee on Digital Economy Policy (CDEP). It replaces the 2008 OECD Recommendation on the Protection of Critical Information Infrastructure.

The Recommendation on the Treatment of Digital Security Vulnerabilities was adopted by the OECD Council on 26 September 2022 on the proposal of the Committee on Digital Economy Policy (CDEP) and launched at the CDEP Ministerial meeting on 14 December 2022. The Recommendation aims to assist Adherents in devising or updating digital security strategies and policies to strengthen digital security without inhibiting economic and social prosperity.

The Recommendation on Electronic Authentication was adopted by the OECD Council on 12 June 2007 on the proposal of the Committee for Information, Computer and Communications Policy (later called Committee on Digital Economy Policy). The Recommendation reaffirms the important role of electronic authentication in building trust online, thus helping the continued development of the digital economy. It encourages efforts by Adherents to establish compatible technology-neutral approaches for effective domestic and cross-border electronic authentication of persons and entities.

The Recommendation concerning Guidelines for Cryptography Policy was adopted by the OECD Council on 27 March 1997 on the proposal of the Committee for Information, Computer and Communications Policy (later called Committee on Digital Economy Policy).