The European Union (EU) and the United States are the leading hubs of global information and communications networks that strengthen the deep economic, political, and social ties between them and link each of them with the rest of the world. These networks face cyber threats that are global in origin, indifferent to national borders, and common to both sides of the Atlantic.
Leaders in the EU and United States have recognised that the interconnectedness of information and communications systems and the global nature of the threats demand international cooperation and convergence to tackle cybersecurity risks. In fact, legal and policy measures adopted to address these risks are an area of convergence between the EU and the United States. This report explores this convergence and identifies opportunities to build on it in order to strengthen transatlantic cybersecurity.
The report begins by describing the transatlantic “cybersecurity commons” and the strong economic and security ties that dictate a shared approach to cybersecurity. It then reviews the relevant legal and public policy landscape in the EU and the United States. At the EU level, this consists primarily of legislation that takes effect in 2018: the Network Information Security Directive (NIS Directive) and the General Data Protection Regulation (GDPR). In the United States, the centrepiece is the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) issued in 2014 and now undergoing revision, coupled with state data breach notification laws and regulation of data security practices by various federal and state laws and agencies.
The report focuses on key points in common among these laws and policies. While there are certain differences between the EU and U.S. legal processes, their approaches to cybersecurity are aligned in essential ways. These converge around voluntary risk-based standards that can be enhanced constantly to reflect metastasizing cyber threats. Both the United States and the EU recognise and wish to encourage robust information sharing among organisations and with governments.
This report recommends ways that the EU and U.S. approaches to cybersecurity can be enhanced by adapting the NIST Framework into European cybersecurity frameworks. In particular, EU governmental authorities can incorporate the framework into implementation of the NIS Directive and the GDPR. In addition, EU stakeholders can help refine the forthcoming version of the NIST Framework so as to facilitate its use within the EU. This will, in turn, allow for broader and deeper EU and United States collaboration on cybersecurity both at the governmental level and within the private sector.
Sidley Austin LLP provides a broad range of legal services to meet the needs of a diverse client base. The strategic establishment of their offices in the key corporate and financial centers of the world has enabled them to represent a broad range of clients that includes multinational and domestic corporations, banks, funds and financial institutions.
This report has been prepared on behalf for informational purposes only and does not constitute legal advice. This information is not intended to create, and the receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. The content therein does not reflect an opinion of the firm. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.