List of Figures
- Figure 1 Timeline of Major Federal Regulations in Europe, Germany, and the United States
- Figure 2 Factsheet: Executive Order 14028 (U.S.)
- Figure 3 Factsheet: NIS Directive 1.0 (Europe)
- Figure 4 Factsheet: IT-SIG 2.0 (Germany)
- Figure 5 Mutual relationship and comparison of the NIS Directive and the Executive Order 14028
- Figure 6 Mutual relationship and comparison of the NIS Directive and the IT Security Act 2.0
- Figure 7 Mutual relationship and comparison of the Executive Order 14028 and the IT Security Act 2.0
- Figure 8 Key Recommendations
1 Introduction / Executive Summary
Due to increasing digitization and the associated rise in the number of cyber-attacks, companies must protect themselves, their customers and their assets at the technical level. Federal regulations help to pass on experience by defining area-wide standards. The minimum required defenses set by these standards provide a basic level of protection for all stakeholders and businesses. Even though cyber-attacks occur as global events, most countries prefer to have their own standards.
In the United States, Executive Order 14028 was issued in 2021 to modernize cybersecurity defenses, improve information sharing between the U.S. government and the private sector, and strengthen incident response capabilities. Experts believe this Executive Order will become a new security standard for non-regulated companies as well.
In the European Union, the Network and Information Security (NIS) Directive, published in summer 2016, provides a framework for cybersecurity development at the national level. It supports the Member States by encouraging each of them to adopt a national strategy and by improving EU-wide cooperation as well as national and global reporting. It therefore creates a framework for cooperation while leaving enough room for national specifications.
In Germany, IT-SIG 2.0 was published in May 2021. In addition to translating the framework set by the NIS Directive into a national strategy, it provides detailed operational guidance for cybersecurity measures. Although there is a strong focus on critical infrastructure, most companies accept IT-SIG 2.0 as a minimum security standard and best practice without being bound by any law.
From a global perspective, all these federal regulations provide a good safety standard at the national level, but also additional guidance for other countries. The recently published Executive Order is expected to set a new standard for all national sectors, but it will also have an impact on other regulations around the world. Therefore, looking at advanced and recently published regulations of other forward-looking countries can help proactively prepare defensive best practices even before they become a national standard in one's own country.
Timeline of meaningful cybersecurity regulations for the U.S., EU, and Germany over the past 10 years.
Insights into Executive Order 14028, ...
3.1 What are Federal regulations?
In this age of digitalization, increasingly processes are becoming automated, and life cybernated. Due to past incidents and recent cyber-attacks on v ...
3.2 What are the reasons for new federal regulations?
In the recent past, government institutions and large enterprises have been the focus of cyber-attacks. These attacks have varying motivations. Some r ...
3.3 How is the defense strengthened?
In both the U.S. and Europe, there are various government initiatives and guidelines already in place or planned for the future. The President of the ...
3.4 Why is the defense being strengthened right now?
Even though several major cyber-attacks have been reported in the last two years, cybersecurity is not a new issue. Improving cybersecurity is not a r ...
4.1 What is an Executive Order?
An executive order (E.O.) is a federal directive in the United States, used by the President to manage operations of the federal government. On May 12 ...
4.2 What are the contents of the Executive Order on Improving the Nation's Cybersecurity?
The official Fact Sheet highlights the main objectives of E.O. 14028 as follows:
Remove Barriers to Threat Information Sharing Between Governm ...
4.3 Who is affected by the Executive Order?
The focus of the E.O. is clearly on the Federal Government. After past incidents, the aim is to protect critical infrastructure and federal government ...
4.4 What are the purpose and goal behind the Executive Order?
The E.O. aims to strengthen proactive and reactive measures in the cybersecurity environment:
Proactive: The technical measures for defending ag ...
4.5 How will the private sector respond to the Executive Order?
The E.O. puts pressure on the private sector by creating new best practices as well as a security baseline. Even though the measures are non-binding f ...
5.1 What is the NIS Directive?
The NIS Directive (Directive on security of network and information systems) is the first EU-wide piece of legislation on cybersecurity. Its aim is to a ...
5.2 What are the contents of the NIS Directive?
The published Fact Sheet highlights the main objectives of the NIS Directive as follows:
Improved cybersecurity capabilities at national level ...
5.3 Who is affected by the NIS Directive?
For the NIS Directive, there are several groups involved. First of all, each member state of the EU must adopt a national strategy. In addition, there ...
5.4 What are the purpose and goal behind the NIS Directive?
In particular, the NIS Directive enforces national responsibility and strategy, cooperation and communication, as well as transparency between the n ...
6.1 What is the IT-SIG 2.0?
The IT Security Act 2.0 (IT-SIG 2.0), which is the second version of the IT Security Act 1.0, updates existing guidelines and covers new cyber-related ...
6.2 What are the contents of the IT-SIG 2.0?
In its preliminary version in early 2021, the IT-SIG 2.0 states several main objectives as follows:
Improving the protection of the federal ad ...
6.3 Who is affected by the IT-SIG 2.0?
The IT-SIG 2.0 affects many companies across multiple sectors but is primarily focused on critical infrastructure. Thus, all the KRITIS-relevant secto ...
6.4 What are the purpose and goal behind the IT-SIG 2.0?
As a national law, the IT-SIG 2.0 implements missing requirements of the NIS Directive. In addition, it specifies cybersecurity requirements not previ ...
7.1 NIS Directive and Executive Order
At first glance, both the NIS Directive and the Executive Order look very similar. Both are broad in scope and cover defensive cybersecurity measures. ...
7.2 NIS Directive and IT-SIG 2.0
The NIS Directive and the IT-SIG 2.0 are closely linked. While the NIS Directive places responsibility under national control, the IT-SIG 2.0 takes th ...
7.3 Executive Order and IT-SIG 2.0
The Executive Order and IT-SIG 2.0 are both national laws on improving national cybersecurity. Both come with many specific measures for certain comp ...
All three regulations provide guidance in their own way, although each is different. Nevertheless, the NIS Directive focuses on its member states and ...