EU Cybersecurity Requirements Likely to Surprise U.S. Businesses
By Jody R. Westby, Global Cyber Risk
Over the past two decades, the U.S. has generally led the world on the issue of cybersecurity, and the European Union (EU) has led on privacy. That may be about to change, and U.S. companies could be surprised. Although American businesses scrambled to comply with the EU’s Global Data Protection Regulation (GDPR) and took its stiff penalties seriously, the EU’s cybersecurity actions have barely been reported on and most companies are unaware of them.
Since 2013, the EU has made cybersecurity a high priority and has taken a number of actions that directly impact U.S. companies. For example, it has:
Adopted the EU Cybersecurity Act, which became effective June 27, 2019, with some provisions effective June 28, 2021.
These two pieces of legislation will significantly impact a large number of U.S. companies by imposing cybersecurity requirements, requiring government compliance audits, mandating remediation measures, and imposing certification schemes for IT products, services, and processes.
The NIS Directive
The NIS Directive establishes cybersecurity requirements for critical infrastructure companies, called “operators of essential services” (OES), and digital service providers (DSP), which include search engines, cloud computing services, and e-commerce sites. The directive empowers the 28 EU member states to regulate and enforce the requirements.
Under the directive, OES companies are identified by each member state and have to implement required security measures and notify national authorities of serious incidents. Member states may set more stringent cybersecurity measures. Member states must assign one or more national competent authorities to enforce the directive. These authorities are empowered to conduct assessments of OES companies to determine whether they are complying with the directive and can compel companies to provide any necessary information. The national authorities can also issue binding instructions to the OES to remedy any deficiencies noted in the assessment.
While DSPs are not formally identified, they must comply with security and notification requirements. A European Commission Implementing Regulation sets forth rules for DSP risk management and for determining when a cyber incident has a substantial impact. Mandatory DSP security requirements include security measures pertaining to incident response, business continuity, monitoring, auditing and testing, and compliance with international standards. A DSP must register with the national authority of its main location in the EU or, if the company offers services in the EU but does not have a presence there, it has to designate an EU representative.
Member states set their own fines and penalties for non-compliance with the NIS Directive. There is a lot of variance among member states in these fines and penalties. Some countries, such as the U.K. and Germany, consider whether a cyber incident involves a GDPR violation, in which case, the fines could run in parallel to those imposed under the GDPR. Some member states, such as Belgium, have established criminal penalties in addition to administrative fines.
EU Cybersecurity Act
The EU Cybersecurity Act made the European Network and Information Security Agency (ENISA) a permanent government agency and significantly expanded the organization’s role and responsibilities with respect to cybersecurity. The act also established an EU cybersecurity certification framework for information and communication technology (ICT) products, services, and processes, which are broadly defined. It established assessment bodies to determine compliance with the act. Each member state must designate one or more national certification authorities and determine penalties for certification violations.
An EU cybersecurity certification scheme “means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes.” EU-wide certification schemes will be drafted by ENISA and adopted by the European Commission.
The EU Cybersecurity Act specifies 22 required elements for certification schemes, including the types of products, services, or processes covered; applicable standards; evaluation criteria; required information; rules for monitoring compliance; and format and procedures to be followed by the manufacturer. The Commission will establish a rolling work program for certification schemes that identifies strategic priorities for the certification of products, services, and processes. The first rolling work program must be published by June 28, 2020.
At this point, compliance with cybersecurity certification schemes is voluntary – unless otherwise specified by EU or member-state law. Article 56 of the act provides, however, that the European Commission shall regularly assess cybersecurity certification schemes to determine whether they should be made mandatory. The first assessment is due by December 31, 2023.
What Should U.S. Companies Do?
Overall, U.S. companies need to start paying attention to what the EU is doing in the area of cybersecurity. The NIS Directive impacts a number of U.S. companies doing business in Europe, and the certification schemes may do the same. U.S. companies doing business in the EU need to get up to speed and prepared by:
Determining whether the company is an OES or DSP within the NIS Directive.
Identifying member states where the company or its subsidiaries are doing business.
Identifying national authorities and national computer security incident response teams (CSIRTs) in each country where the company is doing business.
Preparing for compliance with the cybersecurity requirements by conducting a comprehensive cybersecurity risk assessment and closing gaps and deficiencies.
U.S. companies offering an ICT product, service, or process within the EU should:
Begin monitoring ENISA and EU websites for updates on certification schemes.
Apply for membership in the Stakeholder Cybersecurity Certification Group (SCCG), which advises the European Commission on certification, standardization, and rolling work programs. The Commission has issued a call for applications to the SCCG.
Monitor EU and international standardization, keeping an eye on those that may be favored by ENISA and run counter to U.S. standards.
Determine whether the company wants to seek certification so they can compete evenly in the EU markets.
Obtain expert advice on EU certification schemes and the Act, paying particularly close attention to actions that may indicate the schemes will be made mandatory.
The EU Wants ICT Sector to be a Competitive, Economic Driver
When the EU decides to pursue a topic, it allocates money to match its intentions. The EU Cybersecurity Act has an entire chapter devoted to ENISA’s budget. ENISA will receive funds from the general EU budget, and it may also receive funds from other sources, such as member states, EU delegation agreements, and ad hoc grants. ENISA currently has a budget of €17 million, but its budget for 2020 is projected to be €21.8 million. This is just a drop in the bucket compared to the EU’s overall plans for cybersecurity.
The European Commission proposed that the cybersecurity budget for 2021-27 include €2 billion to fund “safeguarding the EU's digital economy, society and democracies through pooling expertise, boosting EU's cybersecurity industry, financing state-of-the-art cybersecurity equipment and infrastructure.” Additional funding will come from Horizon Europe, a €100 billion research and innovation program.
The EU has seen how America’s IT sector has driven the U.S. economy, and it wants part of the action. This desire is clearly at play throughout the EU Cybersecurity Act. The first sentence of the Act states, “Network and information systems and electronic communications networks and services play a vital role in society and have become the backbone of economic growth.” The EU is committed to becoming “a leader in the next-generation cybersecurity and digital technologies.”
The EU Leadership on Cybersecurity
The NIS Directive and EU Cybersecurity Act establish important requirements for cybersecurity and compliance structures. ENISA has already issued 366 documents on cybersecurity, including technical guidelines, good practices, and assessment guidance. These documents – as well as those produced by the NIS Cooperation Group established by the Directive – are likely to be reviewed and leveraged by other countries who are trying to advance cybersecurity requirements within their own borders.
In this way, the EU could immediately begin influencing cybersecurity globally, and it could seize global leadership of cybersecurity away from the U.S. Just consider how the EU has influenced data protection laws around the world. When countries ponder privacy (a U.S. term) or data protection (a broader, European term), they tend to look at what legal frameworks they can emulate in establishing laws and regulations. Quite simply, if countries align their laws with those of the EU, they are simultaneously in sync with 28 countries (31 if one considers the European Economic Area). This can be quite advantageous to their companies and global trading partners.
The EU’s push toward cybersecurity regulation over the past six years is impressive, and U.S. companies may be in for a jolt. The U.S.’s voluntary approach to cybersecurity will be met head-on with the EU’s regulatory approach, impacting business operations and raising compliance costs. U.S. tech companies may also find their products, services, and processes are less favored than those meeting EU certification requirements.
About the author: Jody Westby is CEO of Global Cyber Risk LLC and adjunct professor at Georgia Institute of Technology, School of Computer Science. Jody was lead author on Carnegie Mellon’s Governing for Enterprise Security Implementation Guide, which was developed for boards and senior management. She is author of the 2008, 2010, 2012, and 2015 Governance of Cybersecurity survey reports.