It is always enlightening to read contradicting viewpoints that are substantiated with good reasoning and ample evidences. Read this article by Prescott Winter and this related article by Alec Muffett. Can we ever have cybersecurity frameworks and/or laws that cut across national boundaries? Or, should we, in the first place?
I am personally more inclined towards Alec’s thoughts. Right from 1969, Internet has been more de facto than de jure. It is good to have standards, policies and processes drive the expectations (say, something like ISO 27001) and various roles in a delivery process adhere to the rights and responsibilities on data handling. That adherence can always be strengthened with liability regulations of the land. That works much better than International cybersecurity laws.