Regulation that matters - the EU - What is the difference between a regulation and a directive?

Previously we have pointed out regulatory issues that should be kept in mind when doing IT security audits and risk assessments, such as:

- What do government mandated regulatory compliance laws mean to an IT pro?

- How do ISO 17799 and Cobit complement each other?

- Regulation that matters: What is the difference between a standard, a policy and also a guideline?

The European Union has tried to bring enterprises and citizens a more unified framework of regulation and legislation. Nonetheless, legal compliance across Member States can mean many different things. In part this is due to the fact that the EU may bring in legislation by using a directive:

- What does a directive mean in the EC context?

A directive, as the above linked glossary entry from CyTRAP Labs shows, leaves Member States the opportunity to adjust the legal text to national peculiarities or simply to make sure that it fits the national legislation. This is sometimes necessary because while one Member State may have liability as part of its common law, others may not. Hence, a directive may still cause a single market concern due to the different national legislation that may be enacted based on it.

To limit the divergence of the enacted legislation that follows a directive such as the EU Privacy Directive, the European Commission may choose to get a regulation approved by Member States. A regulation usually comes in the form of legally binding legislation.

- What does a regulation mean in the EC context?

As the above linked document explains, with a regulation every country has to accept the same definition (e.g., what is an asset). Hence, in contrast to a directive, a regulation does not allow Member States the freedom to interpret the ruling in different ways.

WHAT IT MEANS FOR IT PROS

For an IT pro it is preferable to have regulation enacted by the European Union, thereby simplifying matters concerning such things as privacy or data protection across Member States. Unfortunately, this is often not the case and, instead, various national differences must be adhered to when doing business in Europe.

Doing business in various EU Member States still requires that procedures and so on are adjusted to the national legislation (e.g., privacy). Another approach would be to identify the most stringent legislation and see how that country’s regulator pursues violations or non-compliance.

Other material that might also be of interest:

- Key Performance Indicators (KPIs)


2 Responses to “Regulation that matters - the EU - What is the difference between a regulation and a directive?”

  1. David Towers Says:

    Thank you, I found this article both useful and informative. :-)

  2. CyTRAP Labs - EU-IST - we help protect since 2000 » Blog Archive » Regulation that matters - waste electrical and electronic equipment (WEEE) - a greener approach Says:

    […] But as we all know there are differences between policy and standards. In fact, for the EU, a regulation is sometimes better than a directive, because it leaves Member States less room for bending the rules. The list below shows that the implementation of the WEEE and RoHS Directives differ across EU Member States, which is not necessarily great for the environment: […]
