Cyber Security Basics 📂 Foundation · 10 of 15 36 min read

What is Governance? Governing the Internet

A practical guide to internet governance for security professionals, covering what governance actually is, the multistakeholder vs multilateral debate, the key bodies (ICANN, IETF, W3C, ITU, IGF, RIRs), the layered governance model, and four landmark 2025–2026 cases — the €120M EU fine on X, the US Sixth Circuit net neutrality strike-down, the Supreme Court's TikTok ruling, and India's 3-hour content takedown amendment.

Section 01

The Story That Explains Governance

Who Decides How a Road Works?
Imagine a busy road running through three towns. Who decides which side of the road you drive on? Who paints the lines? Who sets the speed limit? Who pays the police to enforce it? Who builds the next bridge? Who arbitrates when two trucks collide and each blames the other?

No single person decides all of these. The national government writes traffic laws. Local councils repair potholes. Engineers set technical standards for road signs. Insurance companies price risk. Citizens vote and complain. Courts settle disputes. The road works because all of these actors, with different powers and motives, coordinate around a shared resource. That coordination — written down or unwritten — is governance.

Now scale that road up to a network of 5.5 billion users, 200+ countries, and millions of interconnected networks. That's the Internet, and the same question applies: who decides how it works? Welcome to one of the most important and least understood topics in cybersecurity.

As a cybersecurity professional, you cannot understand attacks, defenses, or compliance without understanding governance. Every standard you implement, every regulation you obey, every court ruling that constrains your operations traces back to a governance decision made somewhere by someone. This tutorial walks through what governance means, how the Internet is actually governed, the bodies that shape it, and the real-world cases — from EU fines on X to the US TikTok ban — that show governance in action right now.

💡
The Core Insight

Governance is not the same as government. Government is one institution that uses law and force. Governance is the whole system of rules, norms, processes, and actors — public and private, formal and informal — that together shape how a shared resource is used. The Internet has no single government, but it has enormous amounts of governance.


Section 02

What is Governance? A Working Definition

Governance is the set of structures, processes, rules, and decisions through which a community manages its collective affairs. It answers four basic questions:

WHO
Decides?
Which actors — states, companies, technical bodies, users — have the authority to set rules and resolve disputes?
WHAT
Is Decided?
What domains of behaviour are governed — speech, security, identity, money, data — and what is left unregulated?
HOW
Are Decisions Made?
Through law, contracts, technical standards, codes of conduct, market pressure, or rough consensus?
WHY
Should Anyone Obey?
What makes the decisions legitimate — democratic mandate, expertise, voluntary participation, raw enforcement?

Governance Has Three Distinct Tools

⚖️
Hard Law
Statutes & Regulations
Binding legal rules enforced by states with penalties — GDPR, the EU Digital Services Act, India's IT Act. Breaking these draws fines, criminal charges, or shutdowns.
🤝
Soft Law & Norms
Voluntary Frameworks
Non-binding agreements, codes of conduct, multistakeholder declarations. The OECD AI Principles, the Paris Call for Cyberspace, the UN Tunis Agenda.
🔧
Technical Standards
Code Is Law
Protocols and reference implementations that simply work — TCP/IP, DNS, TLS, HTTP. Lawrence Lessig's famous "Code is Law" argument: technical design constrains behaviour as powerfully as any statute.

Section 03

What is Internet Governance?

The most widely cited definition comes from the UN Working Group on Internet Governance (2005): Internet governance is "the development and application by governments, the private sector, and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet."

Notice three things. First, it is explicitly multi-actor — not just states. Second, it covers both evolution (the technical future) and use (everyday behaviour). Third, it includes principles, norms, rules — three different forms of authority, not just law.

🛡️
Why It Matters for Cybersecurity

Every important cybersecurity question — Should encryption be backdoored? Who owns user data? Can a government order an ISP to block a website? Should an AI deepfake be labelled? — is at heart a governance question. The answer depends on who has authority to decide, what process they use, and what consequences follow for non-compliance.

Animated Diagram — The Internet Governance Ecosystem

🌐 Live Animation — Five Stakeholder Groups, One Internet
THE INTERNET GOVTSlaw & treaties PRIVATEplatforms & ISPs TECHIETF / W3C / ICANN CIVILNGOs & academia USERSindividuals
Each stakeholder group takes its turn shaping the same shared resource — no single one is sovereign over the Internet.

Section 04

The Two Competing Models

The history of Internet governance has been a long fight between two visions of who should be in charge — and that fight is more intense today than ever.

🌐 MULTILATERAL MODEL
Who decidesGovernments only, through treaties at bodies like the UN and ITU
AuthorityState sovereignty — each country has one vote
Backed byRussia, China, Iran, Saudi Arabia, many G77 states
StrengthDemocratic legitimacy of states; clear accountability
WeaknessSlow, politicised, can entrench censorship and fragmentation
🤝 MULTISTAKEHOLDER MODEL
Who decidesGovernments + private sector + technical community + civil society + academia, all together
AuthorityRough consensus + running code (the IETF motto)
Backed byUS, EU, Japan, India, most Western democracies, the technical community
StrengthIncludes technical expertise and user voice; agile
WeaknessPower asymmetries — big firms and rich states dominate
📚
Recent Milestone — IGF Made Permanent

In December 2025, the UN General Assembly's WSIS+20 Review made the Internet Governance Forum (IGF) a permanent UN body — a major victory for the multistakeholder camp. The technical community, including the Internet Corporation for Assigned Names and Numbers (ICANN), welcomed this achievement as recognition of the IGF's enduring value. ICANN announced a one-time $1 million contribution to support the IGF's long-term sustainability, signalling that even private bodies are stepping in to keep the open model alive.


Section 05

The Key Internet Governance Bodies

Internet governance is done by an alphabet soup of organisations, each with a specific remit. Here are the ones every cybersecurity professional must recognise on sight:

🌐
ICANN
Names & Numbers
Coordinates the global Domain Name System and IP address allocation. As the trusted steward of the Internet's unique identifier systems, ICANN is dedicated to strengthening the single, globally interoperable Internet for all. Headquartered in Los Angeles, governed by a multistakeholder board.
🔧
IETF
Protocols & Standards
The Internet Engineering Task Force writes the RFCs that define TCP, IP, HTTP, TLS, QUIC, DNS, BGP — virtually every protocol you use. Operates by "rough consensus and running code." No formal membership; anyone can participate.
🌍
W3C
Web Standards
The World Wide Web Consortium standardises HTML, CSS, the Web platform APIs, and accessibility. Led for decades by Tim Berners-Lee. Sets the rules that every browser obeys.
🏠
ITU
Treaty-Based Telecoms
The UN's telecommunications agency, founded 1865. Allocates radio spectrum, satellite orbital slots, and global phone codes. The International Telecommunication Union (ITU) Plenipotentiary (PP) Conference is the ITU's main decision-making body and is held every four years. A favoured platform for the multilateral camp.
💬
IGF
Permanent UN Forum
The Internet Governance Forum is the UN's annual multistakeholder dialogue space. Made permanent by the WSIS+20 review in 2025. No binding decisions — but where every other actor talks to every other actor on equal footing.
📍
RIRs
Regional IP Registries
Five Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AfriNIC) allocate IP address blocks and AS numbers in their regions. They are who an ISP buys IPv4 and IPv6 space from.

Quick Comparison — Who Has Which Power?

BodyFoundedDecision ModelWhat They Actually ControlIf You Ignore Them
ICANN1998MultistakeholderRoot DNS, gTLDs, IANA functionsYou cannot get a domain
IETF1986Rough consensusInternet protocols (RFCs)You build something nobody can interoperate with
W3C1994Consensus + member votesWeb standards (HTML/CSS)Your site breaks in real browsers
ITU1865One-state-one-vote treatySpectrum, satellite, phone codesYour spectrum use is illegal
IGF2006Multistakeholder dialogueNothing binding — agenda-setting onlyNo legal effect
National regulatorsvariesStatuteLocal enforcement, fines, blocksMassive fines, criminal liability

Section 06

The Layered Model of Internet Governance

A useful way to think about it: just like the network stack has layers, governance has layers too. Each layer has its own actors, rules, and enforcement.

🏙️ Animated Diagram — Four Layers of Governance
CONTENT & APPLICATIONS DSA, GDPR, IT Rules, copyright, child safety, content moderation PLATFORMS & SERVICES Antitrust, app stores, cloud rules, intermediary liability LOGICAL & PROTOCOL LAYER DNS, IP allocation, BGP, TLS — ICANN, IETF, RIRs PHYSICAL INFRASTRUCTURE Cables, spectrum, data centres — ITU, national telecom regulators
Different actors dominate at different layers. A national parliament owns L1 spectrum rules; the IETF owns L3/L4 protocols; platforms write their own L7 community standards — until governments override them.

Section 07

Case Study — The EU Digital Services Act and the X Fine

€120 Million Fine: The DSA Enters the Enforcement Phase
On 5 December 2025, the European Commission imposed a €120 million fine on X (formerly Twitter). In a landmark step for digital regulation, the European Commission has issued its first major enforcement decision under the Digital Services Act (DSA), imposing a €120 million fine on social media platform X, formerly Twitter. The case is the textbook example of modern internet governance in action — and worth dissecting line by line.

The Three Violations

⚖️ What the European Commission Found
1
Deceptive blue checkmark. On X, anyone can pay to obtain the 'verified' status without the company meaningfully verifying who is behind the account, making it difficult for users to judge the authenticity of accounts and content they engage with.
2
Opaque ad repository. The DSA requires Very Large Online Platforms to maintain a usable, searchable database of every ad served, including who paid for it. X's repository missed key fields — blocking journalists and researchers from spotting malvertising and disinformation campaigns.
3
Blocking researcher access. Under Article 40(12) of the DSA, VLOPs must allow eligible researchers access to public data to study systemic risks. However, the Commission says X actively restricted such access by banning independent scraping in its terms of service.

Why This Matters for Governance

⚠️
Geopolitics Came to the Surface Immediately

The fine triggered exactly the political reaction that internet-governance scholars have predicted for years. Elon Musk, the owner of X, responded with sweeping denunciations, calling for the dissolution of the European Union and portraying the decision as censorship dressed in regulatory garb. US political figures soon joined the chorus, framing the case as an assault on US technology giants. The Commission's response was equally telling — restrained and legalistic, framing the case as consumer protection, not censorship.

💡
The Brussels Effect in Action

The DSA applies to any platform serving EU users, regardless of where it is headquartered. Under DSA enforcement rules, companies can be fined up to 6% of global annual turnover. This is the "Brussels effect" — Europe sets a rule, and global platforms either segment their products or apply the rule everywhere. Privacy professionals saw it with GDPR; we are now seeing it with content moderation.


Section 08

Case Study — The US Net Neutrality Decision

Sixth Circuit Strikes Down the FCC's Open Internet Order
On 2 January 2025, in Ohio Telecom Association v. FCC, the US Court of Appeals for the Sixth Circuit struck down the FCC's net neutrality rules. A federal appeals court struck down the Federal Communications Commission's net neutrality rules, ending a 20-year push to regulate internet service providers like a public utility. This single ruling reshaped American internet governance overnight.

The Twenty-Year Pendulum

2015
Obama FCC introduces net neutrality
Broadband reclassified as a Title II "telecommunications service," subjecting ISPs to common-carrier rules — no blocking, throttling, or paid prioritization.
2017
First Trump FCC repeals the rules
Then-chairman Ajit Pai reclassifies broadband back to a Title I "information service" — light-touch regulation returns.
2024
Biden FCC reinstates net neutrality
May 2024 vote restores Title II classification. USTelecom, representing AT&T and Verizon, immediately sues.
2025
Sixth Circuit kills it for good (probably)
In one of the first appellate decisions since the Supreme Court of the United States overturned Chevron deference in Loper Bright Enterprises v. Raimondo (2024), the U.S. Court of Appeals for the Sixth Circuit's decision in Ohio Telecom Association v. FCC (2025) held that the Federal Communications Commission (FCC) lacks authority to reinstate its 2015 net neutrality rules.

The Governance Lesson — Three Branches, Three Rules

⚖️
When Courts Reshape Internet Governance

This case isn't really about net neutrality — it's about who gets to make internet rules when Congress hasn't spoken clearly. After the Supreme Court's 2024 Loper Bright decision ended Chevron deference, federal agencies like the FCC can no longer fill statutory gaps with their own interpretations. The court emphasized that any future FCC effort to reinstate net neutrality "would require clear congressional authorization." A single Supreme Court ruling on administrative law completely reshaped what the FCC can do about ISPs.

📍
Federalism Creates a Patchwork

Federal net neutrality is gone — but state laws like those in California and Washington still apply and influence nationwide provider practices. The result is the classic governance dilemma: a national network with fifty different rulebooks, and ISPs in practice applying the strictest one (usually California's) everywhere because building per-state systems is too expensive. Sub-national governance can end up overriding federal inaction.


Section 09

Case Study — The TikTok Ban and National Security Governance

TikTok Inc. v. Garland — The Supreme Court Allows the Ban
On 17 January 2025, the US Supreme Court unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA). "There is no doubt that, for more than 170 million Americans, TikTok offers a distinctive and expansive outlet for expression, means of engagement, and source of community. But Congress has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok's data collection practices and relationship with a foreign adversary," the court wrote in an unsigned opinion.

What Actually Happened

DateEvent
April 2024Congress passes PAFACA — ByteDance must divest TikTok within 270 days or face a US ban
Dec 2024DC Circuit upholds the law against TikTok's First Amendment challenge
Jan 10, 2025Supreme Court hears oral arguments on an emergency timeline
Jan 17, 2025The Supreme Court on Wednesday unanimously upheld a federal law that will require TikTok to shut down in the United States unless its Chinese parent company can sell off the U.S. company by Jan. 19.
Jan 18, 2025TikTok briefly goes dark in the US
Jan 19–20, 2025Service restored after Trump signals he will not enforce the ban immediately

The Governance Tensions on Display

🇺🇸
Free Speech vs National Security
The Court applied intermediate (not strict) scrutiny, accepting Congress's national security justification. A foreign-owned platform serving 170 million Americans was treated as a national security asset, not a pure speech forum.
🇨🇳
Data Sovereignty
The core fear: under China's National Intelligence Law, ByteDance could be compelled to hand over US user data. The ruling effectively says: the nationality of the platform's parent matters, even online.
🤟
The Splinternet Becomes Real
India banned TikTok in 2020. The US joined in 2025. The EU is investigating. A platform with one billion users may end up serving fundamentally different versions in different blocs — the "splinternet" thesis made concrete.
💡
A Narrow Ruling — On Purpose

"That caution is heightened in these cases, given the expedited time allowed for our consideration. Our analysis must be understood to be narrowly focused in light of these circumstances," the justices wrote. The Court itself signalled that PAFACA-style bans should not be applied promiscuously to every foreign-owned app. The governance precedent is real but bounded.


Section 10

Case Study — India's IT Rules and the Speed of Takedowns

The Three-Hour Takedown Rule
India's Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were one of the most consequential pieces of internet governance in the Global South. They were amended again in 2026 to address the rise of generative AI — and the trend is unmistakable: shorter timelines, more obligations, and personal liability for platform officers.

What the Rules Require

🇮🇳 Significant Social Media Intermediary (SSMI) Obligations
Personnel
Must appoint a Chief Compliance Officer, a 24×7 nodal contact for law enforcement, and a Resident Grievance Officer — all resident in India and personally liable
Takedowns
Original 2021 rules: 36 hours. The timeframe for removing content after receiving a government order under Rule 3(1)(d) has been reduced from 36 hours to just 3 hours, while the deadline for taking down non-consensual intimate images or deepfake pornography under Rule 3(2)(b) has been cut from 24 hours to 2 hours.
Traceability
Messaging SSMIs (WhatsApp, Signal) must enable identification of the "first originator" of a message — a direct challenge to end-to-end encryption
AI Labelling
All AI-generated content must now be prominently labelled so that users can immediately recognize it as synthetic. Permanent metadata or unique digital identifiers must be embedded

The Governance Significance

🔒
Traceability vs End-to-End Encryption

The traceability requirement is one of the most-watched governance fights globally. End-to-end encrypted messaging services do not have the capability to read messages shared on their platform or identify the first originator of messages. Complying with the rule effectively requires weakening encryption — a textbook case of governance demands clashing with a fundamental security architecture. WhatsApp has challenged the rule in court, arguing it would force the platform to break the security promise made to billions of users worldwide.

📰
When Old Rules Hit New Technology

The 2026 amendments were a direct response to viral deepfakes — including the widely reported fake video of actress Rashmika Mandanna being "arrested." Governance is almost always reactive: rules tighten after a harmful event makes headlines, not before. Cybersecurity professionals should expect this pattern with every major incident — and build compliance programs that can absorb sudden timeline changes.


Section 11

The "Splinternet" Problem — Internet Fragmentation

Add up these cases — DSA in Europe, PAFACA in the US, IT Rules in India, the Great Firewall in China, the RuNet in Russia — and a worrying picture emerges. The Internet's founding promise was one global, interoperable network. Internet governance today is increasingly about preserving (or breaking) that promise.

🇺🇸
US Approach
Light federal regulation, strong First Amendment protection for platforms, national security carve-outs (PAFACA), state-level patchwork on privacy and net neutrality.
market-led, judicial check
🇪🇺
EU Approach
Comprehensive regulation by statute — GDPR, DSA, DMA, AI Act. Heavy fines, designated VLOPs, extraterritorial reach through the "Brussels effect."
rights-based, regulator-led
🇨🇳
China Approach
Cyber-sovereignty: the Great Firewall, foreign platform bans, mandatory data localisation, real-name registration, content control by the Cyberspace Administration of China.
state-led, closed
🇷🇺
Russia Approach
RuNet — a "sovereign internet" law allowing physical and logical isolation from the global Internet, with Roskomnadzor as the central regulator and many foreign platforms blocked.
state-led, isolatable
🇮🇳
India Approach
Multistakeholder rhetoric, but increasingly direct executive control via the IT Rules: short takedowns, personal liability for officers, traceability mandates, AI content labelling.
hybrid, executive-led
🌍
The Global South
Many states want a stronger UN-led model (ITU, IGF) to reduce US-led dominance. Concerned about data colonialism and dependence on Northern platforms.
treaty-based, multilateral

Section 12

Governance Meets Cybersecurity — Frameworks Every Professional Should Know

Internet governance isn't only an abstract international debate — it cashes out as the compliance frameworks that shape every cybersecurity program on Earth. These are the documents your CISO actually has to satisfy.

FrameworkBodyWhat It GovernsWho Must Comply
GDPREUPersonal data processingAnyone with EU users
DSA / DMAEUOnline platforms & gatekeepersVLOPs serving EU users
NIS2 DirectiveEUCritical infrastructure cybersecurityEssential & important entities in EU
HIPAAUS (HHS)Health data privacy & securityUS healthcare providers, insurers
CCPA / CPRACaliforniaConsumer data rightsBusinesses processing CA resident data
DPDP ActIndiaPersonal data protectionAnyone processing data in India
PIPLChinaPersonal data + cross-border transferAnyone processing PRC resident data
NIST CSF 2.0US (NIST)Voluntary cybersecurity frameworkIndustry best practice baseline
ISO/IEC 27001ISOInformation security managementVoluntary certification, contractually mandated by many enterprises
PCI DSS 4.0PCI SSCPayment card data securityAnyone storing/processing card data
🎯
Compliance Is Downstream of Governance

Every one of these frameworks exists because of a governance decision somewhere — a treaty, an act of parliament, a regulator's notification, a multistakeholder consensus. When you implement encryption-at-rest because PCI DSS demands it, or appoint a DPO because GDPR demands it, you are operationally translating governance into engineering. Knowing which governance body produced which requirement helps you anticipate what's coming next.


Section 13

Animated Diagram — A Governance Decision in Motion

⚡ Live Animation — How a Rule Becomes Reality
CRISISincident or scandal DEBATEstakeholders push STATUTElaw passed RULESregulator drafts ENFORCEfines & orders COURTSjudicial review
The yellow packet is one governance idea — say, "AI deepfakes must be labelled" — moving from a viral incident through to court tests. Every real case in this tutorial followed this same path.

Section 14

Golden Rules — Internet Governance for the Security Professional

🎯 Non-Negotiable Takeaways
1
Governance is broader than government. States, companies, technical bodies, and civil society all shape the Internet. A CISO who only watches government regulators misses half the rules they need to follow.
2
The multistakeholder model is contested, not settled. The IGF was just made permanent (2025) — but the ITU's 2026 Plenipotentiary will be a major test of whether states reassert control over technical governance.
3
Know the bodies. ICANN runs DNS. IETF writes protocols. W3C writes web standards. ITU runs spectrum. IGF talks. Your national regulator enforces. Putting every rule in the right box is half the battle.
4
The Brussels effect is real. EU rules (GDPR, DSA, DMA, AI Act) bind global platforms. If you operate anywhere with an Internet connection, you very likely have to comply with European law.
5
National security trumps free speech in the courts — narrowly. The TikTok ruling is real precedent for forced divestiture, but the Supreme Court itself called it narrow. Don't read it as a blanket rule.
6
Takedown timelines are shrinking. India just moved from 36 hours to 3 hours for government orders. The EU's DSA expects near-real-time response on illegal content. Build compliance for the future timeline, not yesterday's.
7
Encryption is a governance flashpoint. India's traceability rule, UK Online Safety Act provisions, EU CSAM proposals, US EARN IT Act drafts — multiple jurisdictions are pressing on end-to-end encryption. Treat your crypto stack as a regulatory risk, not just a technical control.
8
Fragmentation is the threat to watch. The single, globally interoperable Internet that we inherited was a historical accident. Keeping it whole — or splintering it into US, EU, Chinese, and Russian blocs — is the central governance fight of the next decade.