The Tenth Amendment to the US Constitution states:
The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
The states are often referred to as “laboratories of democracy”. Elected representatives at the state level can take very different approaches to issues and responsibilities, and the results can be viewed by all.
Hopefully the successes in one state’s approach can be adopted by other states (and the failures abandoned). Over the last decade we are slowly seeing this in primary and secondary education.
Will we see something like this with the EU NIS2 Directive? And would different approaches to NIS2 in EU countries a positive or negative? It’s a question. I don’t claim to have great experience or insight to what is happening in Europe.
A major criticism of NIS1, and a reason for NIS2, was the different interpretations and implementations of NIS1. This “lack of harmonization” is viewed as a flaw. It could:
- make it difficult for companies working cross-border
- put a larger regulatory burden on companies in one country as compared to other countries
- lead to countries having varying levels of cybersecurity
The first two bullets are hard to argue with.
Why then am I hoping for a lack of harmonization in implementation and audit of NIS2?
Because I’ve yet to see an effective OT cybersecurity regulatory regime, let alone a OT cyber risk management regulatory regime. The more approaches tried, the more likely we are to find elements that work and don’t work. NIS2 may be the best OT cybersecurity regulatory laboratory we will ever see.
It does come back to metrics. How do we know which regulatory regime is most effective? I’d hate to see it be the regime that proved they could force implementation of the largest set of cybersecurity controls. The highest level of cyber hygiene.
It would be better to measure the impact of cyber incidents by country. Fortunately NIS2 does require incident reporting and information sharing.
Speaking of metrics, the International Counter Ransomware Initiative is meeting this week in the US. The data … Ransomware Attacks In The US:
2022: 2,593
2023: 4,506
2024: 4,642 (pro-rated from 6-month data)
Two thoughts on this. One, we should be measuring impact of ransomware, preferably by sector. This is more important than the number of incidents. While I’d prefer not to have a ransomware incident, if it’s a minor inconvenience and a simple fix the number of incidents is small.
And two, we should see very different initiatives proposed this week. What is being done isn’t working based on the Initiative’s metrics. Doubling down and trying harder isn’t the right approach.