Indo-Pacific needs alignment, not uniformity, to remove cyber red tape
28 Aug 2025

Cyber threats are outpacing our ability to govern them. Malicious actors, whether state or non-state, exploit regulatory seams across borders, targeting critical infrastructure, supply chains and sensitive data. National laws and standards alone—no matter how well designed and well intentioned—cannot stem attacks that move across jurisdictions. Such fragmentation ultimately leaves us insecure by weakening collective resilience, slowing coordinated responses to cross-border incidents and raising costs for firms navigating multiple compliance regimes.

A new ASPI report, Curbing the Cost of Cybersecurity Fragmentation: An Agenda for Harmonisation across the Indo-Pacific, argues that the strategic imperative is clear: given the challenges of a fragmented regulatory landscape, Indo-Pacific states need to work towards greater harmonisation on cybersecurity regulation. Done right, this would deliver security and economic dividends.

The Indo-Pacific is home to some of the world’s fastest-growing digital economies, but its patchwork of cyber rules reflects diverse national interests, market sizes, institutional capacities and geopolitical alignments. Divergence is forcing industry—big and small alike—into a trade-off: comply with local rules or focus on real-time security needs. Too often, compliance wins, diverting resources away from genuine resilience. The region doesn’t need uniformity; it needs interoperability—frameworks that respect digital sovereignty while enabling secure and trusted data flows.

The good news is that a model already exists. Instead of relying on a single platform, the Indo-Pacific would benefit from building a lattice of mechanisms. Such a strategy allows different forums to contribute distinct pieces of the puzzle, insulating progress from political deadlock in any one body. It also reflects political reality: no single institution in the region can deliver harmonisation on its own.

The Association of Southeast Asian Nations is the most obvious starting point. Its convening power and legitimacy have already anchored cybersecurity cooperation among member-states, and through the broader ASEAN Regional Forum. But ASEAN’s consensus model and varied capacity levels mean progress will be uneven. Frontrunners such as Singapore will remain essential in pushing initiatives forward.

The Asia-Pacific Economic Cooperation (APEC) forum, by contrast, excels at embedding voluntary standards and facilitating interoperability. Its Cross-Border Privacy Rules system and telecommunications equipment recognition arrangements demonstrate how soft law can reduce friction in digital trade. While APEC cannot enforce harmonisation, its role in developing non-binding norms, guidelines and standards is indispensable in a region concerned about sovereignty and with limited trust in binding commitments.

The Quad dialogue between Australia, India, Japan and the United States offers another piece of the lattice. Through its Senior Cyber Group, it has promoted joint principles on software security, critical infrastructure protection and incident response. But India’s distinct regulatory approach has impeded consensus. The Quad’s greatest value may lie in shaping aspirational benchmarks that can later be piloted with ASEAN or APEC partners, seeding wider regional uptake.

High-trust groupings such as AUKUS and the G7 bring significant technical capacity. AUKUS has already moved to streamline technology-sharing rules and set standards in emerging domains such as AI and quantum. The G7 has coordinated financial-sector cybersecurity measures and ransomware resilience through its Cyber Expert Group. Both, however, face challenges in securing broader Indo-Pacific buy-in, as many countries remain wary of geostrategic blocs. Their contributions will be most useful as technical blueprints and demonstrations of what deeper harmonisation can look like among trusted partners.

Beyond these established forums, the Organisation of Economic Cooperation and Development (OECD) provides valuable policy guidance. Its best-practice principles on international regulatory cooperation and digital security benchmarks can act as baselines for Indo-Pacific states seeking alignment without sacrificing sovereignty.

Issue-specific minilaterals such as the Counter Ransomware Initiative or the Global Marine Transportation System Cybersecurity Forum also show how smaller groups can move quickly on urgent operational issues, offering models for flexible, task-specific cooperation.

Harmonisation is about alignment, not uniformity. It means interoperability, mutual recognition and shared standards where they matter most—enabling collective resilience. Trust-based frameworks can provide templates for differentiating between personal, commercial and national security data. Such a tiered approach respects sovereignty while reducing compliance costs and enabling trusted data flows.

Crucially, harmonisation needs to be reframed as an expression of responsible sovereignty, not an external imposition. Every government has a legitimate right to govern its own digital domain. But sovereignty also carries responsibilities—to reduce vulnerabilities that, left unchecked, can cascade across borders and undermine regional prosperity.

Australia is well placed to lead this agenda. It has credibility in ASEAN, deep partnerships through AUKUS and the Quad, and longstanding involvement in APEC and OECD processes. By pushing for pragmatic, interoperable frameworks, Australia can position itself as a bridge between forums. That means advocating for mutually recognised certifications, piloting projects in critical sectors, and ensuring multistakeholder participation so that industry and civil society can shape workable and trusted rules.

Cybersecurity threats will only grow more complex as technologies such as AI, quantum and the Internet of Things rapidly evolve and become more embedded in critical systems. This means the region cannot afford to let fragmentation persist. A lattice of interoperable frameworks—anchored by ASEAN, supported by APEC and the Quad, benchmarked by the OECD, and reinforced by AUKUS and the G7—offers the best path forward. Australia has an opportunity to lead, strengthening its own resilience while advancing collective security and prosperity by shaping a more secure, connected digital future for the Indo-Pacific.

 

This article is delivered as part of ASPI’s partnership with Microsoft investigating the nature and consequences of regulatory fragmentation with respect to cyber resilience in the Indo-Pacific.