While the U.S. has seen several recent data protection laws enacted in states like California and New York, those regulations are nothing compared to what’s been enacted across Europe.
Although the U.S. might have a larger total number of cybersecurity laws, European bodies tend to enact stricter regulations than the U.S. does. It seems Europe takes cybersecurity more seriously than the United States, and it’s time for America to catch up.
Europe has a strong level of cybersecurity standards
Perhaps what supports Europe in passing so many strong cybersecurity regulations is the fact that it has several organizations that focus on standardizing the tech industry. For example, the CEN-CLC/JTC 13 Cybersecurity and Data Protection Committee transposes relevant international standards into European standards in the IT field.
Multiple individual cybersecurity standards fall under CEN-CLC/JTC 13, and many of them are exceptionally strict and complex. If you’re not familiar with these regulations, you can download CEN regulations from iTeh.ai.
Europe’s GDPR is still changing the world
In 2016, the European Union passed the most aggressive cybersecurity regulations on the planet: The General Data Protection Regulation (GDPR). Although it was enacted by the European Parliament and Council, the GDPR applies to any individual or business anywhere in the world that handles or stores data belonging to EU citizens.
The GDPR became enforceable beginning May 25, 2018, so people have had some time to adjust. However, a few years later, some people are just starting to realize this regulation applies to their business.
What is required under GDPR?
Generally speaking, GDPR requires that entities make it easy for people to control the use of data in the following ways:
· People can request a copy of their data
· People must give explicit consent before data can be collected
· People can request an entity to update their data
· People can transport their data from one provider to another
· People can request their data be erased
· People are to be informed of how their data is being used
· People can require an entity to stop using their data
GDPR contains a multitude of requirements ranging from simple to complex. For example, entities are required to provide a visible ‘unsubscribe’ link in every marketing email. That’s a simple requirement to meet. However, other provisions are so complex that many business owners are still trying to figure it all out.
One of the most complex requirements is that entities outside of the EU are required to designate a representative located within the EU as their “GDPR Representative.” This applies to every entity that collects even just simple email addresses from website visitors located in the EU. In other words, if you have an email list, you need to pay someone physically located in the EU to be your GDPR representative.
Most U.S. companies are not 100% GDPR-compliant (yet)
When the GDPR was first enacted, the majority of U.S. business owners didn’t think the regulation applied to their business. However, once they realized it did, many business owners became scared because the enforcement provisions called for huge fines.
A few years later, U.S. businesses are still lagging behind on becoming GDPR-compliant. Granted, many businesses have added pop-up cookie policies to their websites to get permission before collecting anonymous data, but that’s not enough. The mandates under GDPR are vast and complex. Even some IT-oriented people struggle to understand the directives.
Does anyone know about the EU Cybersecurity Act of 2019?
Yes, another European cybersecurity act was passed in 2019. It created the EU’s official Cybersecurity Agency and established a standardized certification framework that IT services and products must pass to be considered compliant.
Can cybersecurity compliance really be certified?
There is a heavy focus on certification in the IT industry, including cybersecurity certifications that demonstrate an organization is compliant with certain mandated regulations. These certifications are actually worthwhile. They force a business to undergo an audit, which can be quite revealing when the business isn’t as prepared as it thought. After the audit, the business is advised on what it can change to become compliant.
When businesses get certified in whatever cybersecurity regulation they need to follow for their industry, they end up with a tighter cybersecurity posture. In the end, everyone benefits.
Maybe the U.S. needs more cybersecurity standardization
Standardization is what makes certification possible. While there are many cybersecurity standards in the U.S., there are also many conflicting points between the various regulations that are passed.
Perhaps the U.S. needs one national source of standards that all states are required to refer to when creating their own rules. It may not be possible to impose such a mandate on every state, but it would encourage state lawmakers to think about the importance of standardizing future regulations.