EU Compliance Laws in line for Problems

By Dave Nixon

February 14, 2008

The introduction of the impending EU compliance directive, ‘EuroSOX’, could be messy, the Information Security Forum (ISF) has warned.

The EU’s milestone directives on corporate governance are due to start being passed into law by member states this summer, but already the ISF has spotted problems ahead. The first problem is that each state will have to interpret and translate the assortment of directives that comprise EuroSOX, resulting in slight deviations of law between different states.

Andy Jones of the ISF stated, “EuroSox is intended to harmonise existing laws but a lack of clarity compounded by 25 translated versions and different interpretations of auditing rules could confuse the true meaning of the legislation and jeopardise its positive effect on internal risks and controls.”

This will give large enterprises significant compliance pain, potentially resulting in a different regime for every state in which they do business. Indeed, according to the ISF, EuroSOX is also a great deal less ambitious a directive than its US equivalents, which may see it ignored and then disregarded.

Jones stated, “While on the surface there are similarities, there are also significant differences. For example, Sarbanes-Oxley imposes greater corporate governance responsibilities, creates whistle-blowing processes, addresses identity fraud and sets high penalties for breaches. Most of these are absent from EuroSox, which is intended more as a way to monitor corporate governance, rather than to establish it.”

In the UK, the directive will enter law as a modification to the Companies Act, as opposed to new legislation, the ISF noted.

“The degree to which these laws will be enforced by EU Member states for the deadline this summer is currently unclear, but an aggressive approach to auditing and compliance could put a lot of pressure on information security departments and budgets.”

If past experience of EU IT-oriented directives is anything to go by, the timescale for rolling out laws across the 25 countries will be as slow as is required. The much-heralded Waste Electrical and Electronic Equipment (WEEE) directive on recycling slipped years behind its original timetable in countries such as the UK.

The ISF’s observations should be of interest to the UK Government’s faceless legislators. The Forum’s membership includes 300 large companies from around the continent, but they are unlikely to be heard. As with many such directives, companies are left to iron out the discrepancies for themselves.
