4. Overarching Principles

ISBN (Electronic Publication) 978-92-61-42091-8

This section presents ten cross-cutting principles, which, when taken together, can help in the development of a forward-looking and holistic National Cybersecurity Strategy.

These principles are applicable to all key focus areas identified in this document. They should be considered in all steps of the Strategy development process, from the drafting of the Strategy document to its implementation.

The order of these principles reflects a logical narrative rather than an order of importance.

4.1 Vision

The Strategy should set a clear whole-of-government and whole-of-society vision.

A Strategy is more likely to succeed when it sets a vision that helps all stakeholders understand what is at stake and why the Strategy is needed (context), what is to be accomplished (objectives), and whom it impacts (scope).

The clearer the vision, the easier it will be for leaders and key stakeholders to ensure a comprehensive, consistent, and coherent approach. A clear vision also facilitates coordination, cooperation, assistance, and implementation across relevant stakeholders. It should be formulated at a sufficiently high level and consider the dynamic nature of the digital environment. The objectives and implementation timeline of the Strategy should be aligned with this vision.

4.2 Comprehensive approach and tailored priorities

The Strategy should result from an all-encompassing understanding and analysis of the overall digital environment, yet be tailored to the country’s circumstances and priorities.

Cybersecurity is not only a technical challenge but also a multifaceted issue extending beyond economic and social prosperity into areas such as law enforcement, national and international security, international relations, trade negotiations, and sustainable development.

Priorities should be based on the country’s specific context, aligned with national objectives and the Strategy implementation timeline, and supported with appropriate resources. Some cybersecurity issues may be addressed in separate strategic documents (e.g., digital aspects of national security and defense within a national security or defense strategy).

The Strategy should also be clearly aligned with broader digital governance frameworks, such as those for data governance, AI, and digital trust, to ensure policy coherence and institutional resilience. Such integration reinforces the Strategy’s comprehensive approach and helps embed cybersecurity within the secure and responsible use of data and emerging technologies, fostering a trusted and sustainable digital environment.

4.3 Inclusiveness

The Strategy should be developed with the active participation of all relevant stakeholders and should address their needs and responsibilities throughout the entire process.

The digital environment is critical to governments, organizations, and individuals. These groups face cybersecurity risks and share responsibility for managing them, depending on their role. Governments should establish partnerships and collaboration mechanisms that include all relevant stakeholders in NCS development and implementation.

While difficult, identifying and meaningfully engaging stakeholders is essential to ensure the Strategy reflects diverse needs and expertise and is successfully implemented. To foster inclusiveness and transparency, the Strategy should be a public document.

4.4 Economic and Social Prosperity

The Strategy should foster economic and social prosperity and maximize the contribution of digital technologies to sustainable development and inclusiveness.

Greater connectivity, digitalization, and participation in the digital economy can expedite growth and social progress, advance key societal values, improve public-service delivery and capacity, facilitate international trade, and promote good governance.

The increasing reliance on digital infrastructure for the functioning of societies demands increased attention to cybersecurity. However, cybersecurity is not a goal in itself; the Strategy should be aligned with the country’s broader socio-economic objectives, building trust and confidence so that societies can realize these objectives while protecting themselves from cybersecurity risks.

4.5 Fundamental human rights

The Strategy should respect and be consistent with fundamental human rights.

It should recognize that the rights people have offline must also be protected online. The Strategy should respect universally recognized human rights, including, but not limited to, those enshrined in the United Nations Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, as well as relevant multilateral or regional legal frameworks. Particular attention should be paid to freedom of expression, privacy of communications, and personal data protection. In particular, the Strategy should avoid facilitating arbitrary, unjustified, or otherwise unlawful surveillance, interception of communications, or collection of personal data.

In ensuring that the country is able to take action to meet its legitimate interests while still respecting individuals’ human rights, the Strategy should ensure that, where applicable, surveillance, interception, and collection of data only occur within the context of a specific investigation or legal case, under lawful authority, on the basis of a public, precise, comprehensive, and non-discriminatory legal framework, and with effective oversight, procedural safeguards, and remedies in line with international obligations.

4.6 Risk management and resilience

The Strategy should enable efficient management of cybersecurity risks and strengthen the resilience of economic and social activities.

As with other types of risk, cybersecurity risk cannot be entirely eliminated but can be managed and mitigated. The Strategy should encourage entities to prioritize cybersecurity investments, balance risk against opportunities, adopt continuous risk management, and facilitate a coherent approach across interdependent entities and sectors.

Resilience requires preparation for incidents, crisis management, and recovery. The Strategy should encourage the adoption of business continuity and disaster recovery measures to ensure essential services and functions can withstand and recover from disruptions to digital infrastructure.

4.7 Appropriate set of policy instruments

The Strategy should use the most appropriate policy instruments available to achieve its objectives, considering specific national circumstances.

Governments have different levers and policy instruments at their disposal to achieve their outcomes. These include legislation, regulation, standardization, certifications, incentives, information-sharing mechanisms, education, good practice sharing, norms of behavior, and building communities of trust, among others. Each of these levers has its strengths and weaknesses, comes at a differing cost, and brings different results.

The most effective outcomes are achieved by selecting and balancing these policy instruments and tools according to the intended objective.

4.8 Clear leadership, roles, and resource allocation

The Strategy should be set at the highest level of government, with clear leadership and accountability for its execution. Relevant roles and responsibilities must be assigned, and sufficient human and financial resources allocated.

Cybersecurity should be promoted and sustained at the highest levels of government. Moreover, to ensure accountability and progress, focal points of individual workstreams must be identified, and all parties should have a clear understanding of their respective roles and responsibilities.

The Strategy should also allocate the appropriate human, financial, and material resources necessary for its implementation. This principle needs to guide both the Strategy development process and the elaboration of its Action Plan and related initiatives.

4.9 Trust environment

The Strategy should help build a digital environment that citizens and organizations can trust.

Building trust in the national digital ecosystem, in which users’ rights and interests are protected, and the security of data and information systems is assured, is essential for realizing the full potential of the social, political, and economic opportunities of digital transformation. The Strategy must enable policies, processes, and actions to secure critical services such as e-governance, e-commerce, digital finance, and telemedicine. By protecting rights and assuring system security, the Strategy fosters trust among both the general population and public- and private-sector organizations delivering digital services.

4.10 Technological foresight and adaptability

Cybersecurity priorities, objectives, and actions must adapt to the evolving digital and risk environment.

Emerging and disruptive technologies (e.g., AI, automation, IoT, quantum computing, 5G/6G, distributed-ledger technologies) bring both opportunities and risks that may reshape national strategic thinking.

Governments should institutionalize technological foresight, horizon scanning, and regular reviews to anticipate disruptive trends, assess their impact, and adapt policies accordingly. This requires structured engagement with government, industry, academia, and research to integrate innovation insights and international good practices.

The Strategy must be treated as a living framework, capable of evolving alongside technological change while supporting resilience, security, and digital innovation. Reviews and mid-term updates (see Section 3 – Lifecycle) are critical to ensure adaptability is built into the NCS lifecycle.