MANDATORY REGULATIONS FOR CYBER SECURITY: DO THEY WORK?

In February 2013, the EU Commission and the US government both issued proposals for the future management of cyber threats.

These two sets of proposals represent quite different approaches to the development of standards and regulations for cyber security.

In the US, the government used a non-regulatory body in the Commerce Department – the National Institute of Standards and Technology (NIST) – to produce a Framework for Improving Critical Infrastructure Cybersecurity. The framework encourages organisations, regardless of their size, exposure to cyber risk or sophistication in cyber security, to apply the principles and best practices of risk management to improve the security and resilience of the national critical infrastructure. NIST developed this framework through an intensive consultation process, using facilities on university campuses across the country to get the private and public sectors together to discuss their proposals.

In the EU, the European Commission (EC) published a draft Network Information Security (NIS) Directive, which will shortly pass into law.

The NIS Directive mandates minimum cyber security standards for organisations that operate critical infrastructure. Outside EU official circles, there was little preliminary discussion of the terms of the NIS Directive. Since its publication, there has been an irregular series of meetings in Brussels in a so-called ‘Platform Process’, involving representatives of “market operators and public administrations” in Europe.

Very few major European multinationals have taken part in the platform discussions, preferring to work either through sectoral NGOs or through their national governments.

Jan-Mar 2016 Issue

Internet Security Alliance for Europe (ISAFE)