Platform governance under NIS2 and the Cyber Resilience Act: cybersecurity by design as social practice

Teichmann, F. (2026). Platform governance under NIS2 and the Cyber Resilience Act: cybersecurity by design as social practice. Information, Communication and Society, https://doi.org/10.1080/1369118X.2025.2609780

Platform governance is increasingly shaped by regulatory mandates that embed cybersecurity principles into the design and operation of digital services. This study examines how the European Union’s NIS2 Directive and proposed Cyber Resilience Act (CRA) institutionalize ‘cybersecurity-by-design’ within platform ecosystems, and how this shift is understood as a social practice. It outlines the key requirements these frameworks impose on online platforms, from risk management processes and secure development obligations to lifecycle vulnerability handling, and compares them with international approaches such as the US Executive Order 14028 and ISO 27001 standards. Drawing on sociological perspectives, including actor-network theory, Bourdieu’s theory of practice, and Science and Technology Studies, the study argues that cybersecurity-by-design constitutes not merely a technical mandate but a practice shaped by organizational cultures, power relations, and the circulation of knowledge among stakeholders. This argument is illustrated through case studies of the security challenges and compliance strategies of major platforms, emphasizing how law, technology, and social dynamics intersect. The discussion explores the opportunities and tensions involved in regulating platform security by design, including balancing control and trust, considering global governance implications, and addressing the influence of commercial incentives as described by surveillance capitalism. The study indicates that effective cybersecurity-by-design requires not only legal enforcement but also the active engagement of practitioner communities and users, making it a sociotechnical project embedded in a broader societal context.

Published Version
Creative Commons: Attribution 4.0
