Cyber security regulation in Europe: recent developments

Authors: Julia Utzerath and Dana Post

Both the EU and the German government have been working for over a year on legislation aimed at enhancing cyber security. Both initiatives – the EU Cyber Security Directive and the German IT Security Law – would as drafted provide for mandatory minimum IT security requirements and an obligation to notify in the event of any IT security incident involving critical infrastructure. Both legislative processes, however, have been subject to ongoing delays, despite consensus in both politics and business that a coordinated effort at all levels is absolutely necessary in view of the increasing threat of cyber attacks. It is now expected that the German IT Security Law will be passed before the start of the summer holidays. The Brussels Cyber Security Directive is not expected prior to 2015.

What is causing the delay?

The current discussions are focused on the question of how concrete the technical requirements should be. Regulation in a highly technical arena such as IT security is difficult per se. On the one hand, technical requirements need to be as concrete as possible in order to achieve a high and transparent security standard. At the same time, regulation can never adapt as quickly as technology develops. Ultimately, there will be little alternative to the establishment of minimum standards and a general definition of security incidents that trigger the obligation to notify. These rules will then have to be fleshed out by the responsible bodies within individual industries.

At the EU level, an additional battle is being fought with regard to the scope of the regulation. Originally, not only the operators of critical infrastructure in the energy, financial services, health care and transport industries were to be subject to the regulation, but also government agencies, internet companies and cloud providers. These last three groups have been removed from the scope of the legislation in the current draft.

The situation in the US

On 12 February 2013, President Barack Obama announced during his annual State of the Union address an executive order to strengthen cyber security. The US Executive Order on cyber security sets out to promote more cooperation and information sharing between the government and the private sector, and to develop voluntary standards for companies that run ‘critical infrastructure’. The executive order is intended to encourage businesses to adopt these cyber security standards.

In February 2014, the Obama Administration announced the launch of the Cyber Security Framework. The Framework is a key deliverable from Obama's Executive Order and is the result of a year-long private-sector led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cyber security.

In terms of a Cyber Bill, the Republican-controlled House of Representatives made two attempts last year (2013) to pass legislation addressing cyber information-sharing, which ultimately failed in the Senate, where many Democrats had sought a broader bill. In April 2014, Senate Intelligence Committee Chairman Dianne Feinstein (Democrat) and Vice Chairman Saxby Chambliss (Republican) circulated to key stakeholders a draft bill that would encourage the sharing of cyber security information between the government and companies, while seeking to avoid the disagreements on questions of liability and privacy that have thwarted acceptance of such legislation in the past. This new bill by Feinstein and Chambliss would offer liability protections to companies and considers the possibility of sharing data with military, as well as civilian, government agencies. (Source: