The Commission Proposes Cybersecurity and Information Security Regulations (Free Preview)


This is a free preview of yesterday's more detailed edition on the European Commission's draft regulations.


Last week, the European Commission (EC) unveiled two interrelated proposals aimed at shoring up the European Union’s (EU) cybersecurity and information security. However, these are not applicable to all entities in the EU or the European Economic Area (EEA) but rather just to EU government “institutions, agencies and bodies.” Not surprisingly, these measures are being couched in the bloc’s larger digital ambitions, and considering that these entities are not subject to the EU’s standing and proposed regulations on these matters (e.g. NIS 2), the EC sees it as necessary to plug security gaps. The EC explained that the bloc’s government entities “have become highly attractive targets of sophisticated cyberattacks.” Moreover, in order to ensure the harmonious operation and efficiency of the EU, better, uniform standards must be imposed on and met by these agencies.

However, at the same time the EC is seeking to update its governmental cybersecurity and information security, the United States (U.S.) Congress is also looking to do the same with legislation to revamp how the U.S. government and its contractors secure their systems with the “Strengthening American Cybersecurity Act of 2022” (S.3600) and the “Federal Information Security Modernization Act of 2022” (H.R.6497) (see here for more detail and analysis).

Both EC actions occur against a backdrop of high-profile hacks and what may still erupt into a cyberwar in Ukraine that spills over to both the EU and the U.S. The Russian Federation, People’s Republic of China, the Democratic People’s Republic of Korea, Iran, and other nations’ hacking and espionage pose continuing threats to the EU. And, lest we forget, even allies and like-minded nations spy on one another, and so the EU is probably also concerned about U.S. surveillance, which is reputedly without peer. Indeed, the EC claimed “[f]rom 2019 to 2021, the number of significant incidents[1] affecting Union institutions, bodies and agencies, authored by advanced persistent threat (APT) actors, has surged dramatically…[and] [t]he first half of 2021 saw the equivalent in significant incidents as in the whole of 2020.”

[1] ‘Significant incident’ means any incident unless it has limited impact and is likely to be already well understood in terms of method or technology.