We can’t answer that question yet, and now is the time to figure out how we will measure their effectiveness.
The EU and its member states are working furiously to figure out how to regulate, implement, and audit the Cyber Resilience Act (CRA) and Network and Information Security Directive 2 (NIS 2). You likely have seen numerous articles, presentations, and podcasts on CRA and NIS 2 on LinkedIn and elsewhere.
I don’t claim to be, or plan to be, an expert on these European requirements, so be careful and closely evaluate who you listen to on this. Like NERC CIP, it’s not something that you can casually add to your circle of competence beyond being buzzword capable. You want to work with people who focus at least 50% of their time on this, and you may even want to work with people, especially for NIS 2, with that level of dedication in the country you are in.
The EU approach is very different from the US approach. Which approach is more effective at reducing the consequence of cyber incidents? Consequence is more important than frequency, although the methodology should prevent a single incident from skewing the rest of the data.
Perhaps an approach like the SEC’s “material” criteria would work if it is defined by sector. For example, the threshold could be some number of household outage days of power or water caused by a cyber incident. How many cyber-incident-caused outages above that threshold happened? To compare the US and EU, the data would need to be normalized, probably by population.
I realize this article has more questions and possibilities than answers. Now is the time to dig in and get those answers, or at least first pass answers, so we are ready when the data comes in.
Is the cost to asset owner / operators to meet the regulations a good investment? Does it reduce the consequence of cyber incidents in critical sectors as compared to, at this time, much less regulated comparable US sectors?
EU As A Living Laboratory
I chased and found a presentation on the different approaches by member states to meet NIS 2. Prof. Dr. Dennis-Kenji Kipker showed how the early efforts are quite different. Hungary has very detailed and prescriptive required controls based on risk levels. The Netherlands is creating a general legal decree with some power given to applicable authorities. Italy added a cultural sector and a large food retailer sector. Belgium is focusing on risk management requirements and less on specifying controls. And it is still very early.
Similar to comparing the US and EU, we should prepare to gather metrics on the 27 EU member states. What approach is best? Can the approaches be grouped? Is there some multi-dimensional analysis possible with country characteristics, approach, and effectiveness?