Compliance & Regulations Directory
Your comprehensive reference for global privacy laws, security frameworks, and regulatory standards. Updated for 2026.
Security Frameworks & Standards
NIST Cybersecurity Framework 2.0
Organizations: All sectors, all sizes (global adoption) | Published: February 2024
The first major update since CSF 1.0 (2014), CSF 2.0 introduces a sixth core function, GOVERN, alongside Identify, Protect, Detect, Respond, and Recover. Expanded scope beyond critical infrastructure to all organizations. Covers 22 categories and 106 subcategories with enhanced supply chain risk management and improved alignment with other NIST guidance.
NIST 800-53
Organizations: US Federal Information Systems
A publication that provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It defines over 1,000 controls across 20 control families including access control, audit, incident response, and system integrity.
ISO 27001
Organizations: All sectors, globally
A specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization's information risk management processes. The gold standard for information security certification.
ISO 27002
Organizations: All sectors, globally
Part of the ISO 27000 family of standards, it provides best practice recommendations on information security management. Serves as a detailed implementation guide for the controls referenced in ISO 27001, covering organizational, people, physical, and technological controls.
ISO 27701
Organizations: All sectors handling personal data
A privacy extension to ISO 27001 that provides a framework for creating, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). Bridges the gap between information security and privacy management, helping organizations demonstrate GDPR compliance.
ISO 22301
Organizations: All sectors, globally
A standard for business continuity management that can be used by organizations of any size or type to manage risk, protect against disruptive incidents, reduce their likelihood, and ensure business operations continue during them. Covers business impact analysis, recovery strategies, and exercise programs.
CIS Controls
Organizations: All sectors
A recommended set of actions for cyber defense published by the Center for Internet Security. Provides specific and actionable ways to stop today's most pervasive and dangerous attacks. Organized into 18 control groups with Implementation Groups (IG1-IG3) for prioritization based on organizational maturity.
SOC 2
Organizations: Service providers, SaaS companies
A type of audit report that focuses on a business's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. Type I evaluates design at a point in time; Type II evaluates operational effectiveness over a period (typically 6-12 months).
CMMC 2.0 - Cybersecurity Maturity Model Certification
Organizations: Defense Industrial Base (DIB) | Final rule: November 2025
A critical framework for companies in the Defense Industrial Base aiming to work with the U.S. Department of Defense. CMMC 2.0 streamlines the model into three levels: Level 1 (15 practices, self-assessment), Level 2 (110 practices aligned with NIST SP 800-171, third-party assessment), and Level 3 (NIST SP 800-172, government-led assessment). Phase 1 self-assessments required as contract pre-award conditions since November 2025.
ISA/IEC 62443
Organizations: Industrial & manufacturing
A series of standards on Industrial Automation and Control Systems (IACS) security. Includes various technical reports addressing security for asset owners, system integrators, and component suppliers in operational technology environments including SCADA, DCS, and PLC systems.
HITRUST CSF
Organizations: Healthcare & cross-industry | Current: v11.6.0 (August 2025)
A risk-based, prescriptive security and privacy framework informed by 60+ authoritative sources including NIST, ISO, HIPAA, and PCI DSS. Provides three assessment tiers: e1 (essential), i1 (implemented), and r2 (risk-based). Covers 100% of addressable MITRE ATT&CK techniques and maps to CMMC Level 1, NIST CSF 2.0, and ISO 27001.
MITRE ATT&CK
Organizations: All sectors (global knowledge base) | Current: v18.1 (October 2025)
A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Enterprise matrix covers 14 tactics, 216 techniques, and 475 sub-techniques. Also includes Mobile and ICS (Industrial Control Systems) matrices. Widely used for threat modeling, detection engineering, red teaming, and security gap analysis.
NERC CIP - Critical Infrastructure Protection
Organizations: North American Bulk Electric System operators (mandatory)
Mandatory cybersecurity standards for the North American power grid. Covers asset identification, security management, personnel training, electronic security perimeters, physical security, incident reporting, recovery planning, and supply chain risk management. CIP-015-1 (2025) adds Internal Network Security Monitoring requirements for high-impact systems.
AI Governance & Regulation
As AI systems reshape industries, governments are racing to establish guardrails. These frameworks and laws define how organizations must develop, deploy, and govern artificial intelligence.
EU AI Act
Jurisdiction: European Union & EEA | In force: August 2024 (phased through 2027)
The world's first comprehensive AI law. Classifies AI systems into four risk tiers (unacceptable, which is banned; high; limited; and minimal) with obligations scaled accordingly. Bans social scoring, certain biometric surveillance, and manipulative AI. Requires conformity assessments, transparency, human oversight, and risk management for high-risk systems. GPAI model providers face obligations from August 2025; full high-risk system rules apply August 2026.
NIST AI Risk Management Framework (AI RMF 1.0)
Organizations: All sectors (voluntary, US origin, global adoption) | Published: January 2023
A voluntary framework providing a structured approach to identify, assess, and manage AI risks throughout the system lifecycle. Organized around four core functions: GOVERN, MAP, MEASURE, and MANAGE. Referenced by the Colorado AI Act as a recognized framework for safe-harbor compliance. NIST also published AI 600-1 (July 2024) specifically addressing generative AI risks.
ISO/IEC 42001 - AI Management Systems
Organizations: All sectors deploying AI (certifiable) | Published: December 2023
The world's first certifiable international standard for Artificial Intelligence Management Systems (AIMS). Specifies requirements for establishing, implementing, maintaining, and improving an AI management system throughout the AI lifecycle. Uses the Plan-Do-Check-Act methodology aligned with other ISO management system standards. Certification valid for three years.
Colorado AI Act (SB 24-205)
Jurisdiction: Colorado, USA | Effective: June 30, 2026
The first comprehensive US state law targeting high-risk AI systems. Requires developers and deployers to exercise "reasonable care" to prevent algorithmic discrimination. Developers must publish technical documentation and issue deployer notices. Deployers must adopt risk management policies, perform annual impact assessments, and issue consumer notices for consequential decisions. References NIST AI RMF and ISO 42001 for safe-harbor protections.
Texas Responsible AI Governance Act (TRAIGA)
Jurisdiction: Texas, USA | Effective: January 1, 2026
Establishes consumer protections and enforcement mechanisms for AI systems deployed in Texas. Creates a regulatory sandbox program for testing AI systems with reduced regulatory risk. Establishes a state council to support AI innovation while overseeing compliance and protecting consumer interests.
Illinois AI Employment Law (HB 3773)
Jurisdiction: Illinois, USA | Effective: January 1, 2026
Amends the Illinois Human Rights Act to prohibit employer use of AI systems that result in discrimination against protected classes. Requires employers to notify candidates when AI analyzes video interviews and obtain consent before AI-based evaluation of job applicants. Part of a growing wave of state-level AI employment protections.
EU Cyber Regulations
The European Union has enacted a trio of landmark cybersecurity regulations reshaping digital resilience requirements for organizations operating in or selling into the EU market.
NIS2 Directive
Jurisdiction: European Union | Transposition deadline: October 2024 | Compliance: October 2026
Replaces the original NIS Directive with significantly broader scope. Establishes "essential entities" (energy, healthcare, transport, banking, digital infrastructure) and "important entities" (food, postal, manufacturing, digital services) with mandatory cybersecurity risk management, incident reporting (24-hour early warning, 72-hour full notification), supply chain security, and business continuity requirements. Penalties up to EUR 10 million or 2% of global turnover.
DORA - Digital Operational Resilience Act
Jurisdiction: EU financial sector | Effective: January 17, 2025
EU regulation ensuring digital operational resilience across the financial sector. Covers banks, insurance companies, investment firms, FinTechs, and their ICT third-party service providers. Requires ICT risk management frameworks, incident classification and reporting, digital operational resilience testing (including threat-led penetration testing), ICT third-party risk management, and information-sharing arrangements.
EU Cyber Resilience Act
Jurisdiction: EU (products with digital elements) | In force: December 2024 (phased through 2027)
Establishes mandatory cybersecurity requirements for hardware and software products placed on the EU market. Requires security-by-design, vulnerability handling processes, automatic security updates by default, and incident reporting to ENISA within 24 hours. Vulnerability and incident reporting obligations apply from September 2026; full compliance required by December 2027. Products classified into standard, Class I, and Class II risk tiers.
Global Privacy Laws
GDPR - General Data Protection Regulation
Jurisdiction: European Union & EEA | Effective: May 2018
A regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. Grants individuals rights including access, rectification, erasure, portability, and the right to object. Fines up to 4% of annual global turnover or EUR 20 million.
LGPD - Lei Geral de Proteção de Dados
Jurisdiction: Brazil | Effective: September 2020
Brazil's General Data Protection Law, similar to GDPR in the EU. Applies to any business that processes personal data of individuals located in Brazil, regardless of where the business is based. Enforced by the ANPD (National Data Protection Authority) with penalties up to 2% of revenue.
PDPA - Personal Data Protection Act
Jurisdiction: Singapore | Effective: July 2014
Governs the collection, use, and disclosure of personal data by all private organizations in Singapore. Administered by the Personal Data Protection Commission (PDPC). Penalties up to SGD 1 million or 10% of annual turnover for organizations with turnover exceeding SGD 10 million.
APPI - Act on the Protection of Personal Information
Jurisdiction: Japan | Amended: April 2022
Governs the processing of personal data in Japan. The 2022 amendments strengthened individual rights, tightened cross-border transfer rules, and introduced mandatory breach notifications. Enforced by the Personal Information Protection Commission (PPC).
POPIA - Protection of Personal Information Act
Jurisdiction: South Africa | Effective: July 2021
Promotes the protection of personal information by public and private bodies in South Africa. Establishes minimum requirements for processing personal information, including conditions for lawful processing, data subject rights, and the establishment of the Information Regulator.
PIPEDA - Personal Information Protection and Electronic Documents Act
Jurisdiction: Canada | Effective: April 2000
Federal law governing how private sector organizations collect, use, and disclose personal information in the course of commercial business. Based on 10 fair information principles. Being modernized through Bill C-27 (Digital Charter Implementation Act).
Australian Privacy Principles (APPs)
Jurisdiction: Australia | Effective: March 2014
The 13 Australian Privacy Principles are the cornerstone of the privacy protection framework in the Australian Privacy Act 1988. They apply to Australian Government agencies and private sector organizations with annual turnover exceeding AUD 3 million. Cover collection, use, disclosure, data quality, and cross-border transfers.
DPDPA - Digital Personal Data Protection Act
Jurisdiction: India | Effective: August 2023
India's comprehensive data protection law (replacing the earlier PDPB proposal). Establishes the Data Protection Board of India as the enforcement authority. Covers digital personal data processing, data fiduciary obligations, consent management, and cross-border data transfer provisions. Penalties up to INR 250 crore (~USD 30M).
PIPL - Personal Information Protection Law
Jurisdiction: China | Effective: November 2021
China's comprehensive data privacy law governing the collection, storage, use, processing, transmission, and disclosure of personal information. Requires local data storage with cross-border transfers restricted to government-approved jurisdictions. Compliance audit measures strengthened in May 2025. Penalties up to 50 million yuan or 5% of annual revenue, with potential personal liability for responsible individuals.
Thailand PDPA - Personal Data Protection Act
Jurisdiction: Thailand | Full enforcement: June 2022
One of the most robust data protection frameworks in Southeast Asia. Regulates the collection, use, and disclosure of personal data by data controllers and processors. Establishes data subject rights including access, portability, erasure, and objection. Enforced by the Personal Data Protection Committee with administrative fines up to THB 5 million and criminal penalties including imprisonment.
Saudi PDPL - Personal Data Protection Law
Jurisdiction: Saudi Arabia | Full enforcement: September 2024
Comprehensive data protection law enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA). Requires prior approval for cross-border data transfers and mandates consent for personal data processing. Applies to organizations processing data within Saudi Arabia or of Saudi residents. Fines up to SAR 3 million (~USD 800K) plus potential imprisonment up to two years.
Indonesia PDP Law - Personal Data Protection
Jurisdiction: Indonesia | Full effect: October 2024
Indonesia's first omnibus data protection law (Law No. 27/2022). Applies to all personal data processing activities within Indonesia or targeting Indonesian residents. Covers data subject rights, cross-border transfer requirements, and Data Protection Officer obligations. Implementing regulations are being finalized to define detailed compliance obligations and penalties.
Vietnam PDPL - Personal Data Protection Law
Jurisdiction: Vietnam | Effective: January 2026
Vietnam's first comprehensive data protection law, superseding the earlier Decree 13/2023. Establishes a full regulatory framework for personal data processing with penalties of up to 5% of annual revenue for cross-border data transfer violations. Creates formal data subject rights and processor/controller obligations aligned with international privacy standards.
PIPA - Personal Information Protection Act
Jurisdiction: South Korea | Amended: September 2023
South Korea's primary data protection law, significantly strengthened by the 2023 amendments. Enforced by the Personal Information Protection Commission (PIPC). Requires consent for data collection, purpose limitation, and data minimization. The 2023 amendments introduced cross-border transfer mechanisms, pseudonymization provisions, and enhanced penalties including fines up to 3% of related revenue.
US Federal Privacy & Security Laws
HIPAA - Health Insurance Portability and Accountability Act
Applies to: Healthcare providers, insurers, clearinghouses & business associates
Applies to healthcare providers, insurance companies, and any other organization that handles protected health information (PHI) in the United States. Establishes the Privacy Rule, Security Rule, and Breach Notification Rule. Penalties range from $100 to $50,000 per violation, up to $1.5 million per year per violation category.
HITECH - Health Information Technology for Economic and Clinical Health Act
Applies to: Healthcare organizations & business associates
A U.S. law that encourages the adoption of health information technology, especially electronic health records (EHRs), by providing financial incentives. It also expands upon the privacy and security protections under HIPAA, introducing breach notification requirements and increased enforcement penalties.
SOX - Sarbanes-Oxley Act
Applies to: All US public companies
Mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. Section 302 requires CEO/CFO certification of financial reports; Section 404 requires management assessment of internal controls and independent auditor attestation.
GLBA - Gramm-Leach-Bliley Act
Applies to: Financial institutions in the US
The Financial Services Modernization Act requires financial institutions in the U.S. to explain how they share and protect their customers' private information. Includes the Financial Privacy Rule, Safeguards Rule, and Pretexting Protection provisions. Enforced by the FTC, OCC, and other federal regulators.
FISMA - Federal Information Security Management Act
Applies to: US federal agencies & contractors
U.S. legislation defining a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. Requires agencies to develop, document, and implement information security programs. Updated by FISMA 2014 to emphasize continuous monitoring and real-time risk management.
CFAA - Computer Fraud and Abuse Act
Applies to: All entities (criminal & civil liability)
The federal anti-hacking law in the United States. Criminalizes unauthorized access to computer systems and exceeding authorized access. Brought into the spotlight after the tragic death of programmer and Internet activist Aaron Swartz, leading to ongoing calls for reform to narrow its broad scope.
FERPA - Family Educational Rights and Privacy Act
Applies to: Educational institutions receiving federal funding
Provides parents the right to access their children's education records, seek to have records amended, and exercise control over disclosure of personally identifiable information. Rights transfer to students at age 18 or upon entering postsecondary institutions. Enforced by the Department of Education.
NCUA Cyber Incident Reporting Rule
Applies to: Federally insured credit unions
The National Credit Union Administration's proposed rule amending Part 748 of its regulations requires federally insured credit unions to report substantial cyber incidents to the NCUA within 72 hours. Covers incidents that disrupt vital member services, compromise sensitive data, or impact the credit union's ability to operate.
NYDFS Cybersecurity Regulation (23 NYCRR 500)
Applies to: Financial services companies in New York
The New York Department of Financial Services cybersecurity regulation requires covered entities to maintain a cybersecurity program, designate a CISO, implement written policies, conduct penetration testing, and report incidents within 72 hours. Updated in 2023 with stricter requirements including governance, access controls, and incident response.
SEC Cybersecurity Disclosure Rules
Applies to: US publicly traded companies (SEC registrants) | Effective: December 2023
Requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. Also mandates annual disclosure of cybersecurity risk management, strategy, governance, and board oversight on Form 10-K/20-F. Created significant new obligations for CISOs and compliance officers around incident materiality determination.
CIRCIA - Cyber Incident Reporting for Critical Infrastructure Act
Applies to: US critical infrastructure (16 sectors) | Final rule expected: May 2026
Will require critical infrastructure operators to notify CISA within 72 hours of a covered cyber incident and within 24 hours of making a ransomware payment. Estimated to cover 300,000+ entities across 16 critical infrastructure sectors. Also established the Cybersecurity Incident Reporting Council to harmonize federal incident reporting requirements across agencies.
US State Privacy Laws
As of early 2026, over 20 US states have enacted comprehensive consumer data privacy legislation, with more in the pipeline. Here are all enacted state privacy laws.
| State | Privacy Act | Effective |
|---|---|---|
| California | CCPA / CPRA - California Consumer Privacy Act & California Privacy Rights Act | Jan 2020 / Jan 2023 |
| Colorado | CPA - Colorado Privacy Act | Jul 2023 |
| Connecticut | CTDPA - Connecticut Data Privacy Act | Jul 2023 |
| Virginia | VCDPA - Virginia Consumer Data Protection Act | Jan 2023 |
| Utah | UCPA - Utah Consumer Privacy Act | Dec 2023 |
| Indiana | INCDPA - Indiana Consumer Data Protection Act | Jan 2026 |
| Iowa | ICDPA - Iowa Consumer Data Protection Act | Jan 2025 |
| Montana | MCDPA - Montana Consumer Data Privacy Act | Oct 2024 |
| Tennessee | TIPA - Tennessee Information Protection Act | Jul 2025 |
| Texas | TDPSA - Texas Data Privacy and Security Act | Jul 2024 |
| Oregon | OCPA - Oregon Consumer Privacy Act | Jul 2024 |
| Delaware | DPDPA - Delaware Personal Data Privacy Act | Jan 2025 |
| New Hampshire | NHPA - New Hampshire Privacy Act | Jan 2025 |
| New Jersey | NJDPA - New Jersey Data Privacy Act | Jan 2025 |
| Illinois | PIPA - Personal Information Protection Act | Enacted |
| Nebraska | NDPA - Nebraska Data Privacy Act | Jan 2025 |
| Minnesota | MCDPA - Minnesota Consumer Data Privacy Act | Jul 2025 |
| Maryland | MODPA - Maryland Online Data Privacy Act | Oct 2025 |
| Florida | FDBR - Florida Digital Bill of Rights | Jul 2024 |
| Kentucky | KCDPA - Kentucky Consumer Data Protection Act | Jan 2026 |
| Rhode Island | RIDTPPA - Rhode Island Data Transparency and Privacy Protection Act | Jan 2026 |
CCPA - California Consumer Privacy Act
Jurisdiction: California | Effective: January 2020 (CPRA amendments January 2023)
The California Consumer Privacy Act, enhanced by CPRA, grants California residents the right to know what personal data is collected, to delete it, to opt out of its sale, and to be free from discrimination for exercising those rights. Applies to businesses meeting revenue ($25M+), data volume (100K+ consumers), or revenue-from-data thresholds. Enforced by the California Privacy Protection Agency (CPPA).
TDPSA - Texas Data Privacy and Security Act
Jurisdiction: Texas | Effective: July 2024
Applies to any entity that conducts business in Texas, processes or sells personal data, and is not considered a small business by the US Small Business Administration. Grants consumers rights to access, correct, delete, and port their data. Enforced by the Texas Attorney General with penalties up to $7,500 per violation.
Industry-Specific Compliance
PCI DSS v4.0.1 - Payment Card Industry Data Security Standard
Applies to: Any entity storing, processing, or transmitting cardholder data | Current: v4.0.1
The global standard for payment card data security. PCI DSS v4.0.1 (sole supported version since January 2025) made all 51 future-dated requirements mandatory as of March 2025, including MFA for all cardholder data environment access, automated audit log review, targeted risk analysis replacing fixed periodic checks, and enhanced e-commerce payment page script management protections.
COBIT - Control Objectives for Information and Related Technologies
Applies to: Enterprise IT governance
A framework for the governance and management of enterprise IT published by ISACA. A supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT 2019 provides 40 governance and management objectives across five domains.
ITIL - Information Technology Infrastructure Library
Applies to: IT service management organizations
A set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL 4 (current version) integrates with agile, DevOps, and lean practices. Covers service value system, guiding principles, governance, service value chain, and management practices.
FedRAMP - Federal Risk and Authorization Management Program
Applies to: Cloud service providers serving US government
A U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Defines three impact levels (Low, Moderate, High) based on FIPS 199 categorization. Requires third-party assessment organization (3PAO) validation.
Cloud Security & IT Governance
CSA Framework - Cloud Security Alliance
Applies to: Cloud service providers & consumers
Provides security principles to guide companies providing or using cloud services on assessing a cloud provider's security risk. The Cloud Controls Matrix (CCM) covers 17 domains including application security, audit assurance, business continuity, data security, and identity management.
CSA STAR - Security, Trust & Assurance Registry
Applies to: Cloud computing providers
A publicly accessible registry documenting various cloud computing offerings' security and privacy controls. Emphasizes key principles including transparency, rigorous auditing, and harmonization of standards as outlined in the Cloud Controls Matrix (CCM). Three levels: self-assessment, third-party audit, and continuous monitoring.
Children's Privacy & Online Safety
COPPA - Children's Online Privacy Protection Act
Jurisdiction: United States | Effective: April 2000
A federal law passed in 1998 that imposes specific requirements on operators of websites and online services to protect the privacy of children under 13. Requires verifiable parental consent before collecting personal information, clear privacy policies, and data minimization. Managed by the Federal Trade Commission (FTC) with penalties up to $50,120 per violation.
KOSA - Kids Online Safety Act (S.1409)
Jurisdiction: United States | Status: Passed Senate 2024
A bill aimed at protecting children in the digital age. Its primary objective is to ensure the safety of minors on social media platforms. The bill proposes provisions including a duty of care for platforms, default privacy settings for minors, parental tools, transparency reporting, and mandatory impact assessments for features targeting minors.
Cross-Border Data Transfer Frameworks
EU-US Data Privacy Framework
Jurisdictions: EU ↔ United States | Effective: July 2023
The successor to the EU-US Privacy Shield (invalidated by Schrems II). Provides a framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Requires participating US organizations to self-certify compliance and adhere to DPF Principles.
Swiss-US Data Privacy Framework
Jurisdictions: Switzerland ↔ United States
Similar to the EU-US Data Privacy Framework, this regulates data exchange for commercial purposes between Switzerland and the United States. Organizations must self-certify with the US Department of Commerce and commit to comply with the framework's principles.
ASEAN Model Contractual Clauses (MCCs)
Jurisdictions: ASEAN member states
The Association of Southeast Asian Nations developed Model Contractual Clauses as a tool to facilitate cross-border data transfers within the region. Designed to complement EU Standard Contractual Clauses (SCCs) and provide a harmonized approach to data protection across the 10 ASEAN member states.
EU Standard Contractual Clauses (SCCs)
Jurisdictions: EU ↔ Third countries
Pre-approved contractual terms adopted by the European Commission that provide appropriate safeguards for personal data transferred from the EU to third countries. The 2021 modernized SCCs cover four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.