At the same time, with the passage of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), the US Congress has given law enforcement authorities the power to obtain personal data from technology companies even if it is stored in data centers in other countries. Meanwhile, President Donald Trump is expected to announce his national cyber strategy before the end of 2018, an announcement which could set off another wave of changes in the cybersecurity sector.
With this in mind, the AEGIS Project, an EU-US initiative funded by the Horizon 2020 program for Research and Innovation (R&I) that aims to foster dialogue and cooperation on cybersecurity and privacy between the two regions, developed a White Paper on Cybersecurity Policies that attempts to capture the current policy landscape on both sides of the Atlantic.
The White Paper focuses on three policy areas: standards and certification; privacy and data protection; and public-private information sharing. It later analyzes the similarities and differences of these policies. The policies chosen for the analysis are based on the major political actions in cybersecurity and privacy in the EU and the US over the past few years.
A brief summary of the key policy points of the White Paper is provided below. You can read the full version here.
The EU and the US do not have shared or mirror pieces of legislation in the area of standards and certification.
There has been significant activity in the area of standards and certification in both jurisdictions over the past few years. Nonetheless, the two regions have focused on different aspects of this policy area and developed different approaches. In the US, the focal point for cybersecurity standards is the NIST Cybersecurity Framework, a voluntary framework first published in 2014 to improve the security of critical infrastructure. In the EU, the focal point is the NIS Directive, a law that requires every Member State to build national incident-response capabilities and to ensure that operators of essential services and digital service providers take appropriate security measures and report significant incidents. Member States had to transpose the Directive into national law by May 2018.
In terms of future laws, several legislative proposals are actively in the works on the EU side, including liability standards for cybersecurity products and for companies affected by a cyberattack or data breach, and an electronic identification scheme, known officially as the eID Regulation, recognized by all Member States. The US already has liability standards and a standards-setting procedure in place, but the process is multidimensional: legislation can be created at the federal, state or municipal level.
In the area of privacy and data protection, the EU and the US have also adopted different regulation strategies.
A recurring theme of the White Paper is the contrast between two approaches: centralized vs. multi-jurisdictional. In general, the EU has opted for a more centralized approach to the creation, adoption and implementation of cybersecurity policy. By comparison, the US typically follows a multi-jurisdictional approach carried out by various agencies with diverse constituencies.
The different approaches can be seen clearly in the area of privacy and data protection. For instance, the GDPR became applicable across the EU in May 2018. It has been called one of the world's toughest data protection laws, establishing EU-wide rules for how businesses and other entities obtain personal data, how they process it and how they protect it. In parallel, EU officials are working on a new e-Privacy Regulation, which would harmonize the region's privacy rules for electronic communications.
The US, meanwhile, has no comprehensive federal data protection law. Instead, it has opted for a sectoral strategy, creating regulations for specific industries and types of information.
In the area of public-private information sharing, there is consensus on the importance of this practice.
Although the EU and the US have focused on different policy areas and projects, they agree on one thing: the importance of public-private information sharing. Both jurisdictions recognize the role that sharing information can play in preventing and mitigating attacks, especially those that affect Operators of Essential Services (OESs) and Digital Service Providers (DSPs). In addition, mechanisms are in place on both sides of the Atlantic to encourage public-private information sharing.
On the EU side, the GDPR requires data controllers to notify personal data breaches to the data protection authority (and data processors to notify the controller), while the NIS Directive requires OESs and DSPs to report incidents with a significant impact to the national competent authority or CSIRT. The EU is also working on a legislative proposal called e-Evidence, which would create new tools and safeguards for cross-border access to electronic evidence in criminal investigations.
The US has in turn adopted the Cybersecurity Information Sharing Act (CISA) of 2015, which authorizes companies to monitor their systems for cybersecurity threats, operate defensive measures and share threat indicators with other companies and the federal government. In 2018, it also adopted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which requires US-based service providers to produce data in their possession or control in response to lawful US requests even if that data is stored in another country.
In addition to documenting the cybersecurity policy landscape in the US and the EU, the White Paper outlines short- and long-term policy recommendations aimed at strengthening dialogue and improving cooperation between the two regions.
The short-term attainable milestones include:
- Raising awareness among thought leaders, policy makers and elected officials about the myriad advantages of pursuing deeper connections in the cybersecurity sector.
- Increasing synergy and collaboration between the agencies responsible for the NIST Framework and those tasked with the implementation of the NIS Directive and GDPR.
- Adopting a common and harmonized language for stakeholder communication, which will accelerate EU-US collaboration in cybersecurity.
- Strengthening EU-US cybersecurity dialogues.
- Laying the groundwork for a joint roadmap for EU-US collaboration in cybersecurity and privacy R&I.
The long-term benchmarks are the following:
- Establishing a framework for resolving conflicts that arise from inevitable differences in policy and regulation.
- Creating a new mechanism for more effective coordination between cybersecurity agencies and stakeholders on both sides of the Atlantic.
- Promoting the adoption of a unified approach based on international standards to foster collaboration in cybersecurity R&I in the EU and the US.
- Stimulating public-private partnerships (PPPs) by engaging public organizations and private industry to enthusiastically take on the role of champions of transatlantic collaboration in cybersecurity.
The goal of the recommendations is not to eliminate policy differences, but rather to collaboratively develop common ground measures that further the benefits of transatlantic innovation, economic ties and private sector investment.