Cybersecurity Regulation for Critical Infrastructure: A comparative analysis of European and US regulatory approaches

Investigator: Verena Jackson

Abstract:
Cyber threats, including cybercrime and state-sponsored cyberattacks, pose significant risks to society, with critical infrastructure sectors being prime targets. Malicious cyberattacks on critical infrastructure cost companies millions and can have disastrous effects for citizens and governments, comparable to conventional armed attacks. This research project acknowledges the escalating significance of cybersecurity in critical infrastructure (e.g., energy sector, transportation systems, water systems, communication networks, healthcare facilities, financial institutions, government services) in light of recent geopolitical events, such as the Russian-Ukrainian war, which has led to a notable increase in cyberattacks since 2022. The project, “Cybersecurity Regulation for Critical Infrastructure: A comparative analysis of European and US regulatory approaches,” aims to investigate and compare the regulatory frameworks governing cybersecurity in critical infrastructure sectors in the United States (U.S.) and the European Union (EU). It seeks to contribute insights into the different regulatory approaches, identifying regulatory gaps, strengths, and weaknesses in the U.S. and European approaches.
While the EU has adopted various directives and regulations to bolster cybersecurity in critical infrastructure, such as the NIS-2 Directive, the U.S. lacks a unified regulatory framework, relying primarily on sectoral regulations that vary from state to state. Using Germany as an example of EU law implementation, particularly regarding the NIS-2 Directive, the study explores potential implications for transatlantic cooperation and endeavors to provide practical policy recommendations.