The Quiet Revolution: How Soft Law and Standards Are Redefining Global Tech Security

The New Rulemakers: When Standards Outpace Laws

In the rapidly evolving landscape of global technology security, a quiet but powerful revolution is taking place. The rulebook is being rewritten not solely by parliaments and congresses, but by standards bodies, corporate boardrooms, and non-binding agreements. This shift towards 'soft power' governance—where influence is exerted through certification, market pressure, and voluntary frameworks—is fundamentally altering how cybersecurity and AI ethics are implemented worldwide. The recent milestone achieved by Financial Software and Systems (FSS), becoming the first payments company across a vast swath of the globe to achieve ISO/IEC 42001 certification for AI management, is a potent symbol of this trend. It demonstrates how technical standards are becoming de facto passports for market access and trust, especially in regions where formal AI regulation is still nascent.

ISO/IEC 42001: The Silent Arbiter of AI Governance

The ISO/IEC 42001 standard represents a critical piece of this soft law puzzle. As a framework for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS), it provides organizations with a structured approach to managing AI risks and opportunities. For a payments processor like FSS, operating in sensitive financial sectors across India, the Middle East, Asia-Pacific, and South America, this certification is not merely a badge. It is a strategic asset. It signals to partners, regulators, and customers that the company has systematic controls for AI lifecycle management—from development and data sourcing to deployment and monitoring. In the absence of harmonized global AI law, such certifications fill the void, creating a common language of compliance and risk management that transcends borders.

The Governance Exemption Paradox

Parallel to the rise of voluntary standards is a more opaque trend: the strategic use of corporate governance exemptions. As illustrated by the case of Nidhi Granites Limited, which was exempted from certain corporate governance provisions, regulatory flexibility can create a two-tiered system. While such exemptions are often granted to smaller or specific categories of companies to reduce administrative burden, they introduce significant asymmetries in oversight. From a cybersecurity perspective, robust corporate governance is intrinsically linked to security accountability. Governance frameworks typically mandate risk management committees, internal audit functions, and disclosure requirements—all crucial for identifying and mitigating cyber risks. When companies are exempt, the formal mechanisms for ensuring security oversight at the board level can be weakened, potentially creating blind spots that attackers could exploit. This creates a paradox where soft law pushes for higher standards in some areas, while hard law exemptions may lower the bar in others.

The 'Underestimated Power' of Soft Law: Lessons from the EU

The dynamics observed in the tech sector are not isolated. Academics and policymakers in the European Union have begun speaking of the 'underestimated power' of soft law in shaping policy outcomes. In areas from health to environment, non-binding recommendations, guidelines, and standards often achieve rapid adoption and practical implementation where traditional directives face political gridlock or lengthy legislative processes. This phenomenon is now clearly visible in digital policy. EU soft law instruments, such as the Ethics Guidelines for Trustworthy AI (which preceded the AI Act) or various cybersecurity certification schemes under the Cybersecurity Act, have already set expectations and changed corporate behavior ahead of binding legislation. They create market norms, shape procurement requirements, and influence international standards bodies, effectively setting the global agenda.

Implications for the Cybersecurity Profession

For cybersecurity leaders and practitioners, this evolving landscape presents both challenges and opportunities. The professional mandate is expanding beyond technical controls and regulatory compliance (like GDPR or NIS2). It now requires fluency in a new lexicon of voluntary frameworks and an understanding of how soft power mechanisms influence organizational risk posture.

  1. Certification as a Competitive Moat: Standards like ISO/IEC 27001 (information security) and now ISO/IEC 42001 are transitioning from 'nice-to-have' to critical business enablers. They are becoming prerequisites for entering supply chains, winning contracts, and securing insurance. Cybersecurity teams must therefore be integral to certification journeys, ensuring that documented processes align with actual technical and operational realities.
  2. Navigating the Governance Gap: Professionals must advocate for strong security governance regardless of regulatory exemptions. This involves educating boards and executives that cybersecurity oversight is a fundamental component of corporate stewardship, not just a compliance checkbox. Building a culture of security that goes beyond minimum legal requirements is essential.
  3. Strategic Influence: The rise of soft law means that participation in standards development organizations (SDOs) and industry consortia is more important than ever. Influencing these frameworks at their inception allows organizations to shape future requirements in alignment with their capabilities and the broader public interest.
  4. Convergence and Complexity: The future lies in integrated management systems that combine information security (ISO 27001), AI management (ISO 42001), privacy (ISO 27701), and business continuity. Cybersecurity professionals will be at the heart of designing and operating these converged systems, which requires a holistic view of organizational risk.

The Road Ahead: A Layered World Order

The global tech security environment is becoming a layered construct. At the top sits traditional 'hard law'—slow-moving but legally enforceable. Beneath it, a dynamic layer of 'soft law'—standards, certifications, and guidelines—moves quickly to address emerging threats and technologies. At the foundation are corporate governance structures that can either reinforce or undermine both layers. The interplay between these forces will define the next decade of cybersecurity.

Organizations that proactively embrace this complexity, viewing standards not as a cost but as a strategic framework for resilience, will gain a significant advantage. They will be seen as trustworthy partners in an interconnected digital economy. Conversely, those that rely solely on minimum legal compliance or seek shelter in governance exemptions may find themselves exposed to evolving threats and locked out of key markets. In the age of soft power, security is increasingly demonstrated not just by what the law requires, but by the standards an organization chooses to uphold.

NewsSearcher AI-powered news aggregation