The EU's General Data Protection regulation (GDPR) has been hailed by privacy advocates, but there remains concern among cybersecurity experts that the regulation doesn't go far enough in securing data.

According to a survey by software company Avecto, 47 percent of international cybersecurity professionals believe the regulation's cybersecurity mandates were not strong enough to ensure adequate security. The survey took responses from 500 IT and cybersecurity professionals across the U.S., Germany and the U.K.

While the GDPR goes into much detail around how EU citizens' data should be stored and managed, it is far less specific around what exactly companies should do to protect this data. This vague language, said Simon Langton, vice president of professional services at Avecto, is likely a big factor in many cybersecurity professionals believing the regulation does not go far enough.

“In their attempt to try to make it broad, [regulators] didn't care about any specific technical controls and put the burden back on organizations to work out what they need to do in terms of cybersecurity controls,” Langton said.

Under the Article 32 of the GDPR, companies are required to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” While the regulation does point to specific controls for protecting personal data, such as encryption, system testing and backup capabilities, it notes such controls only need to be implemented as appropriate.

“It means it's not boiling the ocean, but of course it's not the other way either,” said Maarten Stassen, senior counsel in Crowell & Moring's Brussels office. However, he noted that some companies are struggling with the open-ended requirements.

“It's quite challenging, and unfortunately only when something goes wrong in many cases will you know that the [cybersecurity] measure were not sufficient,” Stassen added.

Such malleable requirements may make it hard for regulators to enforce compliance with the GDPR's cybersecurity mandates and for covered entities to know if they are meeting them. But Langton said that, because the GDPR standards reference best practices and security standards like the ISO-2700 series, enterprises may have some guidance as to what specific controls they need.

David Vance Lucas, partner at Bradley Arant Boult Cummings, also noted that many are “still waiting for guidance” from EU regulators on how to apply the cybersecurity requirements. He said there will likely be more specifics coming out of each member state, since the “GDPR provides minimum or base level standards” for security that each EU nation will likely build upon.

Lucas added that guidance is needed, given the uncertainty around how some requirements will apply. As an example, he cited the 72-hour breach notification requirement, noting that it is triggered only for a breach of personal data that could cause harm to the rights of EU citizens. “So the question is, what is the subjective determination of harm?”

The GDPR's lack of specific cybersecurity requirements could be because the regulation focuses far more on data privacy and how to handle and manage data in a privacy-conscious way, which in itself may be the best cybersecurity defense a company has.

“The privacy aspect of it is much more important, because that's where you need the mindset changes in companies,” Stassen said. He added that, while complying with the GDPR's cybersecurity requirements does require a lot of investment, “it's not investment from a monetary point of view or a technology point of view, but certainly in the mindset of changing the training and awareness of companies.”