The regulatory nature of the Order was made evident in Sec. 10.b’s discussion of agencies proposing “prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866…” and in the Section’s frank discussion of “cybersecurity requirements.”
The Order’s strong emphasis on use of private sector standards is very significant along as is the Order’s instance on cost-effectiveness. What remains to be seen is the extent to which industry compliance with the Order provides companies with safety from regulatory and legal liabilities.
Whether the Order succeeds in providing much needed improvement in critical infrastructure protections will depend on how closely all of its provisions are adhered to and enforced.