Soft law refers to rules, guidelines, or recommendations that, unlike formal legislation, are not legally binding. In cybersecurity, soft law includes standards, codes of conduct, best practices, and frameworks developed by governments, international organizations, or industry groups. While these measures do not have the force of law, they significantly influence organizational behavior, policy development, and compliance efforts. Adhering to soft law can help organizations demonstrate due diligence, reduce risk, and prepare for future regulatory requirements. Soft law often evolves rapidly to address emerging cybersecurity threats and can serve as a precursor to hard law (binding regulations).