When you have competing priorities and finite time and budget, people often don't investigate external requirements, assuming that they'll just comply when they no longer have a choice.
That's why the first few audits (SOX, PCI, etc.) for a company new to them are always such a struggle: people start looking at the months of work needed the same week the auditors are planned to come in.
edit/PS: Did you notice how many "We changed our policy" emails you've received in the past 2 weeks, including from very large international companies like Google, Yahoo, etc.? Companies for which not being open for business in Europe would have a financial impact. Probably a good indication that they ended up with a lot more work to comply than they had anticipated, and still made it just in time. Now imagine the same situation in smaller companies running on very thin resources that cannot afford a sudden increase in staff!