Cybersecurity Regulations & Laws

GDPR, NIS2, DORA and more — each article mapped to the security framework controls that help you satisfy it.

GDPR

Mandatory · European Union

General Data Protection Regulation (EU 2016/679)

Any organization, anywhere in the world, that processes the personal data of individuals in the EU/EEA — whether established in the EU or offering goods and services to, or monitoring the behaviour of, people there.

Any sector · EU / EEA · Processes personal data

6 Articles · EU · 2016

NIS2

Mandatory · European Union

NIS2 Directive (EU 2022/2555)

Medium and large organizations operating in critical sectors across the EU — energy, transport, health, banking, digital infrastructure, public administration, water, waste and more — classified as 'essential' or 'important' entities.

Essential & important entities · EU · Critical sectors

5 Articles · EU · 2022

DORA

Mandatory · European Union

Digital Operational Resilience Act (EU 2022/2554)

Financial entities in the EU — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers and more — and the critical ICT third-party providers that serve them.

Financial entities · EU · ICT third parties

6 Articles · EU · 2022

HIPAA

Mandatory · US HHS

HIPAA Security Rule (45 CFR Part 164, Subpart C)

US healthcare 'covered entities' (health plans, healthcare clearinghouses and most healthcare providers) and their 'business associates' that create, receive, maintain or transmit electronic protected health information (ePHI).

Healthcare · US · Processes PHI

6 Safeguards · US · 2003

CCPA / CPRA

Mandatory · State of California

California Consumer Privacy Act (as amended by CPRA)

For-profit businesses doing business in California that meet a threshold — gross revenue over $25M, handling personal information of 100k+ consumers/households, or earning half their revenue from selling/sharing data — and process California residents' personal information.

For-profit businesses · California / US · Processes personal data

3 Sections · US · 2018

LGPD

Mandatory · ANPD (Brazil)

Lei Geral de Proteção de Dados (Brazil, Lei 13.709/2018)

Any organization that processes the personal data of individuals in Brazil, or processing carried out in Brazil, or aimed at offering goods or services to people in Brazil, regardless of where the organization is based.

Brazil · Processes personal data · Any sector

4 Articles · BR · 2018

GLBA

Mandatory · US FTC

GLBA Safeguards Rule (16 CFR Part 314)

Financial institutions under FTC jurisdiction — including non-bank lenders, mortgage brokers, auto dealers offering financing, tax preparers and fintechs — that handle customers' nonpublic personal information.

US financial institutions · Non-bank financial · Handles customer info

6 Requirements · US · 2003