The introduction of the forthcoming EU compliance directive, ‘EuroSOX’, could be chaotic, the Information Security Forum (ISF) has warned.
The EU’s landmark directives on corporate governance are due to start being passed into law by member states this summer, but already the ISF has spotted trouble ahead. The first problem is that each state will have to interpret and translate the collection of directives that make up EuroSOX, leading to subtle divergences of law between different states.
“EuroSOX is intended to harmonise existing laws, but a lack of clarity compounded by 25 translated versions and different interpretations of auditing rules could confuse the true meaning of the legislation and jeopardise its positive effect on internal risks and controls,” said Andy Jones of the ISF.
This will give large enterprises a major compliance headache, potentially leaving them with a different regime in every state in which they do business. The ISF also points out that EuroSOX is a much less ambitious measure than its US equivalent, Sarbanes-Oxley, which could lead companies to treat it lightly, if not ignore it altogether.
“While on the surface there are similarities, there are also significant differences. For example, Sarbanes-Oxley imposes greater corporate governance responsibilities, creates whistle-blowing processes, addresses identity fraud and sets high penalties for breaches. Most of these are absent from EuroSOX, which is intended more as a way to monitor corporate governance, rather than to establish it,” said Jones.
In the UK, the directive will enter law as an amendment to the Companies Act, rather than as brand new legislation, the ISF noted.
“The degree to which these laws will be enforced by EU Member states for the deadline this summer is currently unclear, but an aggressive approach to auditing and compliance could put a lot of pressure on information security departments and budgets.”
If past experience of EU IT-oriented directives is anything to go by, the timescale for rolling out laws across the 25 countries will be as slow as it needs to be. The much-heralded Waste Electrical and Electronic Equipment (WEEE) directive on recycling went years over its original schedule in countries such as the UK.
The ISF’s views should be of interest to the UK Government’s faceless legislators (the Forum’s membership includes 300 large companies from around the continent), but they are unlikely to be heard. As with many such directives, companies are left to iron out the inconsistencies for themselves.
The ISF's 'Standard of Good Practice for Information Security' can be downloaded from the organisation’s website.