United States

Comparing U.S. and European views on innovation, security and privacy


In today’s global economy, organizations face several common challenges to productivity and sustainability. Some of these concerns—data security, privacy and digital transformation—often converge, and are readily apparent within nearly every company worldwide, regardless of size or industry. Three recent surveys shed some light on the state of security, privacy and digital transformation approaches and attitudes among European and United States middle market companies.

RSM’s Catch 22: Digital Transformation and its Impact on Cybersecurity report analyzes how EU companies are leveraging innovation and its perceived effect on data security. In addition, the RSM US 2020 Middle Market Business Index Cybersecurity Special Report provides insight into the challenges that U.S. companies face in addressing persistent and emerging cybersecurity threats. Finally, the RSM US Digital Transformation Survey examines how executives are leveraging innovation to stay competitive.  

The results of these surveys uncovered four key themes that demonstrate some of the differences in how European and U.S. companies view and manage security, privacy and digital transformation.

Security versus privacy

The RSM surveys clearly illustrate the differences in the United States’ data security foundation and the European focus on data privacy.

At the time of the RSM Catch 22 report, the EU’s General Data Protection Regulation was viewed as the champion of security, with 68% percent stating it as a key reason for investing in security. Not surprisingly, 62% believe GDPR compliance has resulted in more investment in security. However, respondents were nearly evenly split on whether those investments have made them safer—51% agree and 49% disagree.

On the surface, it might seem odd that a regulation that is viewed as the primary driver for security isn’t viewed as being overly effective at actually improving security. The issue is syntax. The GDPR is more concerned with the processes meant to gather and track customer consent to use data, and then maintaining processes and technologies that let organizations use customer data in accordance with that consent. The actual functional tasks of securing the data is secondary to the processes of managing the data.

In the 2020 RSM US Cybersecurity Special Report, only 39% of executives are familiar with the requirements of the GDPR. Although, 83% believe they will need to comply with a privacy regulation in the next two years, which seems to be a safe bet based on the number of states that have openly articulated plans to have privacy laws enacted within the next two years.  

While the difference in these data sets may seem surprising at first, they are consistent with the data protection fundamentals in both the United States and Europe. From the start, U.S. data guidelines have been focused on security, with privacy second. Until recently, the EU didn’t have standards that governed either. But when it began to move into data protection, privacy was top of mind, with security taking a secondary role.

“In the United States, for the longest time, you showed that you kept your data private by keeping it secure,” said RSM principal Daimon Geopfert. “A giant repository of customer data would be considered private because it’s locked down and properly patched. However, the privacy-first concept in Europe says, ‘I don’t care if you have secured the data; why do you have it in the first place?’ The GDPR is focused on how did you get consent, and how did you maintain it.”

Interestingly, the GDPR can be seen as having an inherent element of security, as the likelihood of large data breach events is reduced as companies possess less consumer data. On the other hand, some U.S. companies have experienced massive data breaches because of a more relaxed approach to data privacy. For now.   

Over time, U.S and European data protection measures will likely grow to be more similar. Privacy laws are becoming much more prominent in the United States, with multiple laws currently being reviewed and reconciled in the House and Senate. In addition, the EU is expected to take a stronger stance on security measures, with security guidance recently released by multiple European regulatory bodies.      

Perception of technology and risk: Cause and effect

Many of the same underlying foundational security approaches across borders also seem to affect the perceived benefits or hazards of technology investments.

For example, the Catch 22 survey revealed a correlation between investment in new technologies and increased perception of risk. Exactly half of businesses agreed that the more technology you implement, the more at risk you are. In addition, less than half (48%) of organizations believe that their security strategy will protect them.

On the other hand, the RSM US Cybersecurity Special report found that 95% of middle market executives are confident in their organization’s measures to safeguard sensitive data. In fact, the level of confidence has grown despite a steady increase in breaches reported in the survey. Furthermore, 90% of executives believe data residing in the cloud is more secure. Ultimately, U.S. executives believe that an increased spend on new technology decreases risk.

These positive feelings from U.S. executives are likely due to the aforementioned security-first approach of American businesses. Many new cloud-based technologies allow organizations to more easily centralize and enforce processes and data usage which tends to make compliance with privacy laws, which are very process-oriented, easier. This might lead EU-based organizations to view these platforms as safer because they help address their most prevalent regulatory risks.

However, U.S. regulations tend to be more focused on the underlying hardening of a platform, such as configurations, patching and other low-level technical settings. Cloud solutions that work well to show compliance with privacy requirements often make it difficult to demonstrate security compliance because much of the technical detail is masked and out of an organization’s control.

“We end up with two different business communities with two different sets of requirements that they are trying to meet,” said Geopfert. “Moving to new technologies is easier for European businesses because almost all of the new technology is built to manage privacy, but not necessarily security. The U.S. has been regulatory heavy for so much longer than the EU, and all of that is much more about technical security. Moving to new technology is harder because of the moving pieces involved and questions from regulators about underlying settings and architecture. The two sets of requirements will most likely drift closer over time, but the current reality is that the security concerns of the two populations are not apples to apples.”  

State of digital transformation

In the European and U.S. surveys, the results demonstrated the importance of digital transformation initiatives, although focus areas differ slightly between European and U.S. respondents.

Among European businesses in the Catch 22 survey, 80% say that digital transformation is a current strategic priority for their business. In addition, digital transformation is happening across multiple areas of the business, not just operations and customer service. Other priority areas include:

  • Sales and business development
  • Logistics
  • Marketing and human resources

In the RSM US Digital Transformation Survey, 94% of respondents reported that they have a digital road map, but only 48% say they have a fully developed digital strategy. Executives in the survey reported a focus on operational efficiency and employee matters and talent experience, with risk management and the customer experience following closely behind.

The European and U.S. business landscapes are likely leading to some of the variances in opinion and focuses for digital initiatives.

“There is a completely different mix in the major industry types and sizes in the EU versus the U.S., and I think that drives a lot of the digital thoughts,” said Geopfert. “For example, the United States has some legacy heavy manufacturing companies and similar industries that you wouldn’t have in the EU. These different business drivers create different answers.”

Furthermore, the regulatory differences between the U.S. and Europe certainly influence attitudes toward digital transformation. Federal and state regulations in the United States are more straightforward and coordinated, but how guidelines are enforced in the EU—and who enforces them—can vary significantly from country to country. Therefore, European companies may look at digital transformation initiatives to catch up, or solve problems meeting requirements.   

“A U.S. company can get away with systems that are out of date, by buying an upgrade, patching or maintaining it to remain regulatory compliant,” commented Geopfert. “On the other hand, an EU company, with almost no regulations in the past now has the difficulty of meeting a mismatch of new regulations that are more complex. Some companies are looking much more heavily at digital transformation because it’s the only way they are going to survive and catch-up to the new demands. They have to make that jump.”   

Technology investment and priority

U.S. and European survey respondents show some distinct differences in how technology investments are made, highlighting some potential opportunities for advancement.

The Catch 22 survey highlighted the main technologies European companies are currently investing in. Those include the cloud (73%), automation (58%), the internet of things (32%), artificial intelligence (22%) and machine learning (20%).

In the survey, respondents listed the main purposes of the technologies invested in as:

  • To integrate, activate and utilize data across functions to enhance business performance
  • To update obsolete systems
  • To reinvent and evolve business processes
  • To secure sensitive data at risk of a breach

RSM US’s Digital Transformation Survey showed that several innovations are being embraced and emphasized by almost all respondents. When asked what technologies have the most importance to their digital strategy, executives overwhelmingly cited cloud computing (96%), content management (96%), marketing automation (95%), customer relationship management (95%), enterprise resource planning (94%) and analytics (93%).

The variances are likely once again at least partially attributable to regulatory challenges, according to RSM US principal Bill Kracunas.

“Comparing the results—there appears to be some hesitation around the cloud in Europe,” said Kracunas. “I think the federal security standards in the United States provide a common infrastructure to work from. It gives U.S. companies more confidence in the cloud as a utility and how it operates.”

These differences between the survey results illustrate two very different approaches to technology investments, but also point to some potential opportunities for European-based organizations.  


Much can be learned from the security, privacy and digital transformation approaches of European and American businesses outlined within the survey data. So many of the differences are due to the data security foundation of the United States contrasted with the privacy focus of the EU. However, it is only a matter of time before these two strategies begin to converge even further, and American companies can take cues from their European counterparts about integrating a privacy focus into technology systems built on security, and getting ahead of potential new legislation.