EU Compliance Looms for Stateside IT
The EU is turning into a compliance minefield
September 26, 2006
Storage managers in the U.S. may have finally come to grips with Sarbanes Oxley, but if their firms want to do business in Europe they should brace themselves for even more compliance headaches over the next few years. (See AMR Sees $6B in SOX Spending and IDC: 'Users, Do Your Homework'.)
Like the U.S., countries within the European Union have been hard at work tightening their own financial and homeland security regulations, bringing yet more complexity to the lives of already pressured IT pros.
"If U.S. companies aren't paying attention to this, then they need to, if they want to operate within the E.U.," says Dave Shearer of the U.K.-based Sun User Group. "It's a legal minefield."
In the financial services sector, for example, U.S. firms will come up against the Markets In Financial Instruments Directive (MiFID), a new set of regulations for reporting financial transactions. The E.U.-wide directive will come into force early next year, and is expected to prompt some major changes in users' storage systems.
A report released last year by Bob Fuller, director of IT at Dresdner Kleinwort Benson, and co-chair of the MiFID Working Group, warned that even in Europe, most financial firms are not ready for the Directive. With the typical firm using as many as 10 separate storage systems, users will need to either deploy middleware or consolidate their storage if they are to share all this transaction data, he explained. Then, of course, there is the fact that storage managers have yet another regulatory body breathing down their necks, not to mention a slew of new data to store.
Even niche markets within the European financial sector are feeling the pressure. In the insurance market, for example, firms are already preparing for the new Solvency II regulations, which aim to tighten risk management controls and are expected to be introduced sometime around 2010. Tellingly, HP has already jumped onto the Solvency II bandwagon, in an attempt to boost sales of its document management and storage products.
"The amount of legislation in Europe will increase," warns Sue Clarke, senior research analyst at U.K.-based firm Butler Group. "As the world becomes more and more global, U.S. firms will have to comply with the legislation that comes along."
The financial services and insurance sectors will not be the only ones to experience new compliance pressures. Last week, for example, Steve Duplessie, president of analyst firm Enterprise Strategy Group, urged U.S. storage managers to keep their eye on European homeland security efforts during his keynote at the StorageWorld Conference. (See ITIL Irritates IT Managers.)
After the bomb attacks on Madrid and London, E.U. legislators pushed through legislation aiming to boost security across member states. The result is a new data retention directive designed to help law enforcement agencies tackle terrorist threats, which looks set to cost telecom operators and ISPs a collective fortune. (See EU Debates Data Retention.)
The Directive, 2006/24/EC, will be implemented in each of the E.U.'s 25 member states by September 15, 2007, and is already causing concern amongst users. (See Euro Telcos Face Storage Avalanche.) Service providers, by law, will need to retain and store call data records, voicemails, and text and multimedia messages placed on their networks. Those records must include the telephone numbers, identities, and addresses of the calling and called parties, the time and duration of the call, and the type of service used.
For Internet services the requirements are largely the same -- IP addresses, names and physical addresses, as well as email and VOIP service-usage records. Under the terms of the directive, data must be saved for a period from six months to two years.
U.S. telecom providers and ISPs looking to boost their European presence should pay close attention to the Directive, according to Clarke. "It could be a big deal for U.S. firms," she warns, adding that quickly retrieving all this data will be critical. "It could affect whether their data is kept on storage servers in the U.S. or in Europe."
But it is not just telecom firms and ISPs that will feel the weight of Europe's homeland security efforts. The E.U.'s Council of Ministers is also pressing ahead with a new law to prevent money laundering as part of its anti-terrorism push, which will affect how certain data is handled and stored. The Directive, 2005/60/EC, covers cash payments of $19,000 and over and requires financial firms to record and report any suspicious activity. E.U. member states have until 15th December to comply with the regulation.
Over at Butler Group, Clarke warns that U.S. firms with European operations will have to think seriously about how they share data about these cash payments. The challenge, she explains, is that a typical financial firm will need to draw this information from a number of locations around the world.
James Rogers, Senior Editor, Byte and Switch