Everyone is talking about cybersecurity. Articles appear almost daily regarding significant cybersecurity events. And over the past two years, the drumbeat for action on the issue of cybersecurity and the protection of the nation’s critical infrastructure has grown louder and louder. In the context of the current debate on cybersecurity, virtually everyone agrees that cyber threats are real, as evidenced by highly publicized cyber events, such as the recent denial of service attacks on banks. Virtually everyone also agrees that protecting critical infrastructure is an important goal. Nonetheless, little consensus has been reached, particularly in the U.S. Congress, on the “appropriate” approach to protecting the nation’s critical infrastructure from cyber threats.

The U.S. Executive Branch and the EU Commission, however, have both now weighed in on the issue. President Obama’s long-awaited and highly anticipated cybersecurity Executive Order (“Executive Order”) was released on February 12, 2013, directing the U.S. government to take various steps to protect the nation’s critical infrastructure from cyber threats. Similarly, on February 7, 2013, the European Commission published a proposed Directive on network and information security for “market operators” (the “EU Directive”). The EU Directive, once finalized and transposed into Member State legislation, would apply to all “market operators” providing a service in the EU/EEA, including operators of critical infrastructure in the energy, transport, banking, finance, and health sectors, as well as “information society” service providers, such as e-commerce platforms, payment gateways, social networks, search engines, and cloud providers.