Cybersecurity Obligations for Critical Infrastructure: Emerging Legal Norms, Enforcement Gaps, and Governance Challenges

Authors

    Devika Sharma Department of Law, University of Delhi, Delhi, India
    Sandeep Reddy * Department of Private Law, NALSAR University of Law, Hyderabad, India sandeep.reddy@nalsar.ac.in
    Hamza Shahid Department of Law, University of the Punjab, Lahore, Pakistan

Keywords:

Critical infrastructure, cybersecurity law, enforcement gaps, regulatory governance, supply chain security, national security, cyber resilience, international norms

Abstract

Critical infrastructure has become a focal point of global cybersecurity governance as escalating cyber threats increasingly target essential services such as energy, water, transportation, healthcare, and financial systems. This article examines the evolving legal landscape that governs cybersecurity obligations for critical infrastructure, tracing the transition from voluntary, principles-based frameworks toward binding statutory requirements that impose enforceable duties on operators. Through a narrative review and descriptive analysis of national regulations, international norms, sector-specific obligations, and emerging technological considerations, the study maps the diverse instruments shaping current governance models. The analysis highlights significant advancements, including strengthened incident reporting mandates, growing supply chain accountability, and the incorporation of cybersecurity into broader national security strategies. At the same time, the article identifies persistent enforcement gaps and structural weaknesses that undermine regulatory effectiveness. These challenges include fragmented legal approaches, capacity limitations within industry, jurisdictional conflicts in cross-border cyber operations, difficulties in attributing attacks, ambiguous public-private role divisions, insufficient supply chain oversight, and the paradoxical effects of national security secrecy on transparency and accountability. The article argues that while emerging legal norms represent substantial progress, they remain insufficient without coherent enforcement mechanisms, institutional coordination, and supportive operational capacities. Strengthening critical infrastructure cybersecurity will require integrated regulatory architectures, harmonized international cooperation, enhanced public-private collaboration, and adaptive governance capable of responding to rapidly evolving technologies and threat dynamics. The findings offer a foundational understanding of the current state of legal obligations and illuminate the systemic issues that must be addressed to ensure resilient and effective protection of critical infrastructure worldwide.

References

Adegbite, A. O., Akinwolemiwa, D. I., Uwaoma, P. U., Kaggwa, S., Akindote, O. J., & Dawodu, S. O. (2023). Review of Cybersecurity Strategies in Protecting National Infrastructure: Perspectives From the Usa. Computer Science & It Research Journal, 4(3), 200-219. https://doi.org/10.51594/csitrj.v4i3.658

Bakhtiyar, A. C., Rosadi, S. D., & Handayani, T. (2023). Juridical Studies of the Legal Status of Digital Rupiah in the Context of Modernizing Financial Market Infrastructure. Jurnal Poros Hukum Padjadjaran, 5(1), 53-70. https://doi.org/10.23920/jphp.v5i1.1423

Hochstetter, J., Diéguez, M., Fenner, J. L., & Cachero, C. (2023). AIM Triad: A Prioritization Strategy for Public Institutions to Improve Information Security Maturity. Applied Sciences, 13(14), 8339. https://doi.org/10.3390/app13148339

Irawati, J. (2023). Judicial Review of Hospitals' Legal Responsibility of Patients' Rights After the Covid-19 Pandemic. Law Review, 23(1), 16. https://doi.org/10.19166/lr.v23i1.6892

Kashyap, A. K., & Chaudhary, M. P. (2023). Cyber Security Laws and Safety in E-Commerce in India. Law and Safety, 89(2), 207-216. https://doi.org/10.32631/pb.2023.2.19

Malone, M., & Walton, R. (2023). Comparing Canada’s Proposed Critical Cyber Systems Protection Act With Cybersecurity Legal Requirements in the EU. International Cybersecurity Law Review, 4(2), 165-196. https://doi.org/10.1365/s43439-023-00082-1

Nathaniel, A. W. J., Dewi, Y. K., & Sani, S. D. (2022). Third-Party Risk in the Availability Payment: The Palapa Ring Western Package. Journal of Indonesian Legal Studies, 7(1), 339-390. https://doi.org/10.15294/jils.v7i1.55184

Ndubuisi, A. F. (2023). Strengthening National Cybersecurity Policies Through Coordinated Threat Intelligence Sharing and Real-Time Public-Private Collaboration Frameworks. International Journal of Science and Research Archive, 8(2), 812-831. https://doi.org/10.30574/ijsra.2023.8.2.0299

Oluoha, O. M., Odeshina, A., Reis, O., Okpeke, F., Attipoe, V., & Orieno, O. H. (2022). Artificial Intelligence Integration in Regulatory Compliance: A Strategic Model for Cybersecurity Enhancement. Ijfmr, 3(1), 35-46. https://doi.org/10.54660/.ijfmr.2022.3.1.35-46

Orji, U. J. (2022). Interrogating African Positions on State Sponsored Cyber Operations: A Review of Regional and National Policies and Legal Responses. Baltic Yearbook of International Law Online, 20(1), 236-267. https://doi.org/10.1163/22115897_02001_012

S., S. (2023). Assessing the Impact of Environmental Policy, 2006: A Critical Examination. International Journal for Multidisciplinary Research, 5(5). https://doi.org/10.36948/ijfmr.2023.v05i05.6179

Savchuk, S. B. (2023). Institutional and Legal Model for the Formation and Implementation of the State Policy of Combating Cybercrime. Public Policy and Accounting(2(8)), 56-60. https://doi.org/10.26642/ppa-2023-2(8)-56-60

Takuro, K. O. (2023). Exploring Cybersecurity Law Evolution in Safeguarding Critical Infrastructure Against Ransomware, State-Sponsored Attacks, and Emerging Quantum Threats. International Journal of Science and Research Archive, 10(2), 1518-1535. https://doi.org/10.30574/ijsra.2023.10.2.1019

Thumfart, J. (2022). The (Il)legitimacy Of Cybersecurity. An Application Of Just Securitization Theory To Cybersecurity Based On The Principle of Subsidiarity. Applied Cybersecurity & Internet Governance, 1(1), 1-24. https://doi.org/10.5604/01.3001.0016.1093

Tiwari, S. (2022). Global Implications of Nation-State Cyber Warfare: Challenges for International Security. Ijrmeet, 10(3), 42-61. https://doi.org/10.63345/ijrmeet.org.v10.i3.6

Zatonatskiy, D., & Lavrentiev, M. (2023). Institutional Support for Investing in Critical Infrastructure Objects in Ukraine. 1, 149-163. https://doi.org/10.61432/cpne0101149z

Zhyvylo, E. O., & Shevchenko, D. (2022). Risk Assessment of Cyber Security and Control of Privacy in Public Administration Information Systems. Collection of Scientific Works of the Military Institute of Kyiv National Taras Shevchenko University(75), 66-77. https://doi.org/10.17721/2519-481x/2022/75-07

Макарчук, В. В. (2021). Administrative and Legal Status of Law Enforcement Bodies as Subjects of Formation and Implementation of State Policy in the Field of National Security and Defense. Law Journal of Donbass, 75(2), 35-44. https://doi.org/10.32366/2523-4269-2021-75-2-35-44

Downloads

Published

2023-07-01

Submitted

2025-07-12

Revised

2025-12-01

Accepted

2025-12-07

Issue

Vol. 2 No. 3 (2023): Serial Number 4

Section

Articles

License

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

How to Cite

Sharma, D., Reddy, S., & Shahid, H. (2023). Cybersecurity Obligations for Critical Infrastructure: Emerging Legal Norms, Enforcement Gaps, and Governance Challenges. Legal Studies in Digital Age, 2(3), 49-63. https://jlsda.com/index.php/lsda/article/view/322

Similar Articles

1-10 of 227

You may also start an advanced similarity search for this article.