States of Security

A new report from the U.S. Chamber of Commerce details the divisions and alignments between American and European Union approaches to cybersecurity, describing the legal and policy measures to address these risks as "an area of convergence between the EU and the United States."

Because of the shared "cybersecurity commons" as well as ties in the economic and security fields, the report recommends a common approach to addressing cybersecurity. The report covers the EU's relevant legislation - the Network and Information Security Directive (NIS Directive) and the General Data Protection Regulation (GDPR) - both taking effect in 2018. The United States' centrepiece is the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework), issued in 2014 and now undergoing revision, supplemented by "state data breach notification laws and regulation of data security practices by various federal and state laws and agencies."

According to the report, the efforts of both the U.S. and EU "converge around voluntary risk-based standards that can be enhanced constantly to reflect metastasizing cyber threats", which supports the notion of intergovernmental and interorganizational information sharing.

The report also recommends that both the EU and U.S. enhance their approaches to cybersecurity by adapting the NIST Framework into European cybersecurity frameworks. "In particular, EU governmental authorities can incorporate the framework into implementation of the NIS Directive and the GDPR," says the report. "In addition, EU stakeholders can help refine the forthcoming version of the NIST Framework so as to facilitate its use within the EU. This will, in turn, allow for broader and deeper EU and United States collaboration on cybersecurity both at the governmental level and within the private sector."