
Cybersecurity Regulations – A Strategy review between EU and USA


The history of cybersecurity regulation can be traced back to the 1990s, when the E.U. adopted the Data Protection Directive (95/46/EC) in 1995. Shortly after, in 1996, the U.S. established the President's Commission on Critical Infrastructure Protection to identify and protect critical infrastructure, an effort that culminated in the National Strategy to Secure Cyberspace in 2003; from that point on the U.S. set the pace in cybersecurity policy. Ever since, the U.S. Congress and the individual States have passed numerous laws and regulations in the cybersecurity space. The U.S. Department of Homeland Security (D.H.S.) created the U.S. Computer Emergency Readiness Team (US-CERT) in 2003 to facilitate public-private information sharing on cyber threats. U.S. Cyber Command was established in 2009 by the Secretary of Defense to defend U.S. military networks and national security interests in cyberspace.

The European Union's General Data Protection Regulation (GDPR), adopted in 2016, became applicable in 2018 and added another layer of regulation intended to curb the growing number of security incidents and protect personal data. The E.U. has some of the strictest data protection laws in the world, and the GDPR has far-reaching ramifications for businesses worldwide: organisations found in breach face administrative fines of up to 2% or 4% of their total worldwide annual turnover (or EUR 10 million or EUR 20 million, whichever is higher), depending on the provision violated. Since the E.U. Cybersecurity Strategy was adopted in 2013, the E.U. has aggressively passed and enacted cybersecurity laws, particularly on data privacy, that most U.S. businesses have paid little attention to.

Cybersecurity Regulation

Most businesses, especially those in the U.S., are unaware of the E.U.'s cybersecurity regulatory frameworks, in particular the Directive on Security of Network and Information Systems, popularly known as the N.I.S. Directive. The N.I.S. Directive, adopted in 2016 (Directive (EU) 2016/1148), requires E.U. member states to regulate and enforce cybersecurity requirements within their borders; member states had until May 2018 to transpose it into national law. The Commission's Communication to the European Parliament and the Council on the Directive, together with its annex, is meant to help member states implement it consistently. The Directive applies to operators of essential services (O.E.S.), i.e. critical-infrastructure companies in sectors such as energy, transport, banking, health, water and digital infrastructure, and to digital service providers (D.S.P.s) such as online marketplaces, online search engines and cloud computing services.

O.E.S. companies are required by the Directive to:

  • Take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they rely on, and to minimise the impact of incidents on those systems.
  • Notify the competent national authority or the CSIRT, without undue delay, of any incident having a significant impact on the continuity of the essential service they provide.

On the other hand, the Directive imposes several obligations on E.U. member states, including:

  • Adopting a national strategy on the security of network and information systems.
  • Designating a national single point of contact for coordination with other member states.
  • Establishing Computer Security Incident Response Teams (CSIRTs) that monitor incidents at the national level, provide early warnings and alerts, respond to incidents, and share information among stakeholders.
  • Designating competent national authorities to check compliance. These authorities regularly verify that O.E.S. companies are managing the cybersecurity risks to their systems and networks. Member states may set stricter requirements than those established by the Directive.
  • Ensuring that O.E.S. companies minimise the impact of incidents and notify the competent national authority or the CSIRT without undue delay.
  • Ensuring that competent national authorities have the powers and resources to:
      ◦ Assess whether O.E.S. companies are complying with the N.I.S. Directive.
      ◦ Compel O.E.S. companies to provide the information required for the assessment, as well as evidence that security policies have actually been implemented (for example, the results of a security audit).
      ◦ Issue binding instructions to the O.E.S. company to fix the deficiencies identified.

The N.I.S. Directive and U.S. companies

The N.I.S. Directive applies to U.S. companies that operate essential services or digital services in E.U. member states. Such companies must implement the security requirements set out in the national laws transposing the Directive, hand over the information national authorities need to assess compliance (including evidence of implementation), and remediate any deficiencies the authorities identify. Failure to comply attracts fines and penalties set by each member state. Because member states transpose and enforce the Directive with varying levels of rigour, U.S. companies operating in several countries face a patchwork of requirements that makes compliance harder.

On the other side of the Atlantic, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in 2018, which allows U.S. law enforcement to compel U.S.-based service providers to produce data in their possession, custody or control regardless of whether it is stored on servers inside or outside the United States. Providers subject to both regimes should note the tension with GDPR Article 48, under which a third-country order to transfer personal data is recognised only when based on an international agreement such as a mutual legal assistance treaty. Other regulations and laws are in the pipeline, and their enactment may bring another wave of changes for the cybersecurity sector.

Cybersecurity Regulations in E.U. and U.S.A. – By Alessandro Civati

Notable Differences in E.U. and U.S. Cybersecurity Strategies

In brief, the cybersecurity strategies of the E.U. and the U.S. differ in focus, as the following comparison shows.

The E.U. and the U.S. do not share legislation on standards and certification. Each jurisdiction has identified different policy areas and developed approaches that suit its own needs. In the U.S., the focus for cybersecurity standards has been the NIST Cybersecurity Framework, first published in February 2014 under Executive Order 13636 to improve the security of critical infrastructure; it is voluntary for the private sector, although federal agencies were later required to use it. In the E.U., the European Commission has favoured cohesive, binding legislation and therefore developed the N.I.S. Directive, which requires all member states to reach a common minimum level of capability and to be adequately prepared before, during, and after a cybersecurity incident.

Despite the divergent approaches to cybersecurity laws and regulations, one area of consensus has been the importance of public-private information sharing. Both sides recognise its role in preventing and mitigating attacks, especially against digital service providers (D.S.P.s) and operators of essential services (O.E.S.s). In the E.U., the GDPR makes breach notification mandatory for data controllers (to the supervisory authority, where feasible within 72 hours of becoming aware of a personal data breach) and for data processors (to their controller without undue delay), while the N.I.S. Directive requires O.E.S.s and D.S.P.s to notify the competent authority or CSIRT without undue delay of incidents with a significant impact on their services. The two regimes have different recipients and triggers, so a single incident may require both notifications. In the U.S., the Cybersecurity Information Sharing Act of 2015 (CISA) authorises companies to monitor their systems for cybersecurity threats, deploy defensive measures, and share cyber threat indicators with other companies and the federal government, with liability protection for sharing done in accordance with the Act.

In conclusion, policy discussion between the E.U. and the U.S. will set the stage for strong cooperation, especially on emerging cybersecurity trends and on protecting an open and interoperable Internet.
