KuppingerCole Report
Advisory Note
By Phillip Messerschmidt

Federal Regulations on Cybersecurity

Federal regulations on cybersecurity are regularly published at the national level. However, these national regulations also influence federal regulations in other countries. Therefore, looking at other countries' regulations can help you proactively prepare for upcoming regulations in your own. This document compares Executive Order 14028, the Network and Information Security (NIS) Directive, and the IT Security Act (IT-SIG) 2.0 to demonstrate the relationship between these national regulations and future developments in cybersecurity.
By Phillip Messerschmidt
phm@kuppingercole.com

1 Introduction / Executive Summary

Due to increasing digitization and the associated rise in the number of cyber-attacks, companies must protect themselves, their customers and their assets at the technical level. Federal regulations help to pass on experience by defining area-wide standards. The minimum required defenses set by the standards provide a basic level of protection for all stakeholders and businesses. Even though cyberattacks occur as global events, most countries prefer to have their own standards.

In the United States, Executive Order 14028 was issued in 2021 to modernize cybersecurity defenses, improve information sharing between the U.S. government and the private sector, and strengthen incident response capabilities. Experts believe this Executive Order will become a new security standard for non-regulated companies as well.

In the European Union, the Network and Information Security (NIS) Directive, published in summer 2016, provides a framework for cybersecurity development at the national level. It supports the Member States by encouraging each of them to adopt a national strategy and by improving EU-wide cooperation as well as national and global reporting. It therefore creates a framework for cooperation while leaving enough room for national specifications.

In Germany, IT-SIG 2.0 was published in May 2021. In addition to translating the framework set by the NIS Directive into a national strategy, it provides detailed operational guidance for cybersecurity measures. Although there is a strong focus on critical infrastructure, most companies accept IT-SIG 2.0 as a minimum-security standard and best practice without being bound by any law.

From a global perspective, all these federal regulations provide a good safety standard at the national level, but also additional guidance for other countries. The recently published Executive Order is expected to set a new standard for all national sectors but will also have an impact on other regulations around the world. Therefore, looking at advanced and recently published regulations of other forward-looking countries can help proactively prepare defensive best practices even before they become a national standard in one's own country.

2 Highlights

  • Timeline of meaningful cybersecurity regulations for the U.S., EU, and Germany over the past 10 years.

  • Insights into Executive Order 14028, ...


3 The Need for Federal Regulations


3.1 What are Federal regulations?

In this age of digitalization, increasingly processes are becoming automated and life is becoming cybernated. Due to past incidents and recent cyber-attacks on v ...


3.2 What are the reasons for new federal regulations?

In the recent past, government institutions and large enterprises have been the focus of cyber-attacks. These attacks have varying motivations. Some r ...


3.3 How is the defense strengthened?

In both the U.S. and Europe, there are various government initiatives and guidelines already in place or planned for the future. The President of the ...


3.4 Why is the defense being strengthened right now?

Even though several major cyber-attacks have been reported in the last two years, cybersecurity is not a new issue. Improving cybersecurity is not a r ...


4 US - Executive Order on Improving the Nation's Cybersecurity 14028


4.1 What is an Executive Order?

An executive order (E.O.) is a federal directive in the United States, used by the President to manage operations of the federal government. On May 12 ...


4.2 What are the contents of the Executive Order on Improving the Nation's Cybersecurity?

The official Fact Sheet highlights the main objectives of E.O. 14028 as follows:

  • Remove Barriers to Threat Information Sharing Between Governm ...


4.3 Who is affected by the Executive Order?

The focus of the E.O. is clearly on the Federal Government. After past incidents, the aim is to protect critical infrastructure and federal government ...


4.4 What are the purpose and goal behind the Executive Order?

The E.O. aims to strengthen proactive and reactive measures in the cybersecurity environment:

  • Proactive: The technical measures for defending ag ...


4.5 How will the private sector respond to the Executive Order?

The E.O. puts pressure on the private sector by creating new best practices as well as a security baseline. Even though the measures are non-binding f ...


5 EU - NIS


5.1 What is the NIS Directive?

The NIS Directive (Directive on security of network and information systems) is the first EU-wide piece of legislation on cyber security. Its aim is to a ...


5.2 What are the contents of the NIS Directive?

The published Fact Sheet highlights the main objectives of the NIS Directive as follows:

  • Improved cybersecurity capabilities at national level ...


5.3 Who is affected by the NIS Directive?

For the NIS Directive, there are several groups involved. First of all, each member state of the EU must adopt a national strategy. In addition, there ...


5.4 What are the purpose and goal behind the NIS Directive?

The NIS Directive in particular enforces national responsibility and strategy, cooperation and communication, as well as transparency between the n ...


6 IT-SIG 2.0


6.1 What is the IT-SIG 2.0?

The IT Security Act 2.0 (IT-SIG 2.0), which is the second version of the IT Security Act 1.0, updates existing guidelines and covers new cyber-related ...


6.2 What are the contents of the IT-SIG 2.0?

In its preliminary version in early 2021, the IT-SIG 2.0 states several main objectives as follows:

  • Improving the protection of the federal ad ...


6.3 Who is affected by the IT-SIG 2.0?

The IT-SIG 2.0 affects many companies across multiple sectors but is primarily focused on critical infrastructure. Thus, all the KRITIS-relevant secto ...


6.4 What are the purpose and goal behind the IT-SIG 2.0?

As a national law, the IT-SIG 2.0 implements missing requirements of the NIS Directive. In addition, it specifies cybersecurity requirements not previ ...


7 Mutual relationship and comparison of the three initiatives


7.1 NIS Directive and Executive Order

At first glance, both the NIS Directive and the Executive Order look very similar. Both are broad in scope and cover defensive cybersecurity measures. ...


7.2 NIS Directive and IT-SIG 2.0

The NIS Directive and the IT-SIG 2.0 are closely linked. While the NIS Directive places responsibility under national control, the IT-SIG 2.0 takes th ...


7.3 Executive Order and IT-SIG 2.0

The Executive Order and IT-SIG 2.0 are both national laws on improving national cyber security. Both come with many specific measures for certain comp ...


8 Recommendations

All three regulations provide guidance in their own way, although each is different. Nevertheless, the NIS Directive focuses on its member states and ...


Copyright

©2021 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.
