Advisory Note

Federal Regulations on Cybersecurity

Federal regulations on cybersecurity are regularly published at the national level. However, these national regulations also impact federal regulations in other countries. Therefore, looking at other countries' regulations can help you proactively prepare for upcoming regulations in your own. This document compares Executive Order 14028, the Network and Information Security (NIS) Directive, and the IT Security Act (IT-SIG) 2.0 to demonstrate the relationship between these national regulations and future developments in cybersecurity.

Phillip Messerschmidt

1 Introduction / Executive Summary

Due to increasing digitization and the associated rise in the number of cyber-attacks, companies must protect themselves, their customers and their assets at the technical level. Federal regulations help to pass on experience by defining area-wide standards. The minimum required defenses set by the standards provide a basic level of protection for all stakeholders and businesses. Even though cyberattacks occur as global events, most countries prefer to have their own standards.

In the United States, Executive Order 14028 was issued in 2021 to modernize cybersecurity defenses, improve information sharing between the U.S. government and the private sector, and strengthen incident response capabilities. Experts believe this Executive Order will become a new security standard for non-regulated companies as well.

In the European Union, the Network and Information Security (NIS) Directive, published in summer 2016, provides a framework for cybersecurity development at the national level. It supports the Member States by encouraging each of them to adopt a national strategy and by improving EU-wide cooperation as well as national and global reporting. It therefore creates a framework for cooperation while leaving enough room for national specifications.

In Germany, IT-SIG 2.0 was published in May 2021. In addition to translating the framework set by the NIS Directive into a national strategy, it provides detailed operational guidance for cybersecurity measures. Although there is a strong focus on critical infrastructure, most companies accept IT-SIG 2.0 as a minimum security standard and best practice without being bound by any law.

From a global perspective, all these federal regulations provide a good safety standard at the national level, but also additional guidance for other countries. The recently published Executive Order is expected to set a new standard for all national sectors but will also have an impact on other regulations around the world. Therefore, looking at advanced and recently published regulations of other forward-looking countries can help proactively prepare defensive best practices even before they become a national standard in one's own country.
