Experts said one of the most frequent problems with cybersecurity policy is coming up with universal definitions for what constitutes cyber threats.

“I’m not convinced that every country has really considered for themselves what they consider an attack to be,” said Jessica Ruzic, a cybersecurity fellow at New America, a Washington, D.C.-based think tank.

Ruzic said cooperation between the public and private sectors is vital for developing an effective cybersecurity strategy. The Estonian Cyber Defence League, for example, is a voluntary organization made up of IT experts and young people prepared to mobilize during a national cyberattack.

Recent EU-wide regulation has also upped the penalties against companies that fail to protect online data. The General Data Protection Regulation, or GDPR, that went into effect in May gives regulators the power to fine companies that don’t comply with security measures.

Unlike in the past, the fines can be massive: up to 4 percent of global annual turnover or 20 million euros ($23 million), whichever is higher.