Regulations vs. Guidelines: A Look at How the EU and the US are Dealing with Standards and Certification in Cybersecurity

Note: This article was produced for the StandICT.eu project, a Horizon 2020 initiative that focuses on ICT standardisation and defines a pragmatic approach to reinforce the EU’s presence in the international development of standards.

In recent years, cybersecurity has become a key transatlantic policy issue. It has particularly resonated in the EU and the US, which together account for more than 50% of unique IP addresses on a global level. Both regions have taken markedly different approaches to cybersecurity in three main areas for R&I international collaboration: standards and certification; privacy and data protection; and public-private information sharing. Standards and certification is arguably one of the areas that has seen the most activity, and although there are many issues that both jurisdictions agree are of critical importance, each has developed regulations along a very specific policy line.

The AEGIS Project has analysed standards and certification measures and policy in both regions as part of its effort to foment greater EU-US cooperation in cybersecurity. The following is a breakdown of the similarities and differences in EU and US policy in cybersecurity standards and certification.

Similarities

Improve cyber preparedness

In terms of cyber preparedness, the EU and the US have developed laws or measures to address concerns. The EU implemented the Directive on Security of Network and Information Systems (NIS Directive) in 2018, a law that aims to increase the overall level of cybersecurity in the bloc. On the other side of the Atlantic, the US created the NIST Framework, released in 2014, a set of voluntary standards and industry best practices that help organizations, identify, prioritize and manage cyber risks.

Use the best cybersecurity measures available

The landmark cybersecurity standards and certification measures in the EU and the US, the NIS Directive and the NIST Framework, call upon government entities and private industry organizations to use the best cybersecurity measures available to increase overall resilience of systems. The NIS Directive refers to these measures as “state of the art” security approaches while the NIST Framework considers them “industry best practices.”

No one-size-fits-all solution

In addition to the above, the NIS Directive and the NIST Framework require their respective jurisdictions to implement cybersecurity measures that make sense. In other words, what is appropriate for one organization may not be the best solution for another.

Dedicated agency for cybersecurity focused on protecting critical infrastructures

Interestingly, both regions have recently established cybersecurity agencies focused on protecting critical infrastructures. The EU took action in 2018 in its Cybersecurity Act, which renewed the mandate of the EU Agency for Network and Information Security (ENISA). Meanwhile, the US acted the same year with the CISA Act of 2018, a law that establishes the Cybersecurity and Infrastructure Agency(CISA).

Differences

Law vs. voluntary standards

While both the EU and the US have acknowledged the importance of implementing minimum cybersecurity standards and certification, they have gone about addressing the issue differently. The EU has passed the NIS Directive, a law that must be adhered to by all EU Member States and Operators of Essential Services, or companies in the private sector, to use the best possible measures to safeguard their systems. The US has created the NIST Framework, which has been hailed as a breakthrough cybersecurity crisis management guide. Nonetheless, the NIST Framework is a voluntary framework that organizations can choose to adopt.

Cybersecurity certification framework

There is another primary difference between the EU and US landscapes on cybersecurity in the case of certification. The EU has made cybersecurity certification a hallmark of its Cybersecurity Act and established centralized voluntary certification schemes for ICT products and services. The US has not acted on certification in the last few years and relies on voluntary industry certification.

Electronic ID certification and trust services

Finally, there are also differences when it comes to electronic ID certification and trust services. The EU is currently working on eIDAS, a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. eIDAS will allow citizens to use their eIDAs to access online services offer by the government in other Member States. The US regulates electronic signatures through its Electronic Signatures in Global and National Commerce Act and Uniform Electronic Transactions Act, but has not taken action on trust services.

Reinforcing EU-US collaboration in cybersecurity standardisation

In conclusion, there is still much work to be done to create harmonized transatlantic cybersecurity standards and certification. This will not only be beneficial to private industry, which can rest assured knowing that there is not much difference in the standards they must comply with, it will also be beneficial to individual residents in both jurisdictions. Residents will have the assurance that their information and the products and services they acquire are secure.

It is clear that both jurisdictions understand the benefits of working together. The EU and the US are engaged in bilateral discussions with regard to standards and certification and have agreed to intensify their cooperation in standards and conformity assessment, including certification approaches, for connected devices.

The EU has confirmed that globally relevant standards, including where applicable standards and technical specifications developed by US-domiciled standards development organisations, may be taken into consideration in the future development of standards and voluntary certification schemes in the EU. Certification schemes under the EU Cybersecurity Regulation to be agreed will not prevent continued participation by EU Member States in existing international conformity assessment approaches.

Furthermore, AEGIS has developed actions and recommendations to improve cybersecurity standards and certification in specific sectors, such as finance and healthcare (2). These recommendations were presented to the European Commission in May 2019 and are used as reference material for EU-US bilateral dialogues on cybersecurity.