Welcome to the cybersecurity compliance maze, where one wrong click can cost you your job, your savings, or even that embarrassing collection of cat memes you've worked so hard to amass. It's a labyrinth in which each region, sector, and industry throws in its own set of unique challenges, because why would they make it easy, right?
But don’t panic, just comply!
We've put together this grand tour of cybersecurity standards, regulations, and voluntary frameworks, conveniently divided and served with descriptions, regional quirks, key rules, and links to source texts. Think of it as a travel guide for staying out of regulatory jail.
Enjoy if you can!
1. General Data Protection and Security
Gramm-Leach-Bliley Act (GLBA) [USA] The GLBA, enacted in 1999, requires financial institutions such as banks, credit unions, and securities firms to tell customers how their information is shared (the Privacy Rule) and to maintain a written program protecting nonpublic personal information (the Safeguards Rule).
Payment Card Industry Data Security Standard (PCI DSS) [Global: USA, EMEA, APAC, LATAM] PCI DSS is a contractual standard maintained by the PCI Security Standards Council rather than a law. It applies worldwide to any organization that stores, processes, or transmits payment card data, including retailers, financial institutions, payment processors, and e-commerce businesses.
Sarbanes-Oxley Act (SOX) [USA, Global for US-listed companies] SOX applies to companies listed on US exchanges wherever they are headquartered and focuses on the accuracy and reliability of financial reporting. Section 404 requires management to assess internal controls over financial reporting, which in practice pulls access control, change management, and logging for financial systems into audit scope.
SEC Regulation S-P [USA, Global for SEC-registered entities] Regulation S-P governs the privacy and safeguarding of customer financial information. It applies to broker-dealers, investment companies, and investment advisers registered with the SEC, including foreign entities that serve US clients.
Commodity Futures Trading Commission (CFTC) System Safeguards [USA, Global for CFTC-registered entities] The CFTC's system safeguards rules apply to CFTC-registered entities wherever they are located, including derivatives clearing organizations, designated contract markets, swap execution facilities, and swap data repositories. They set requirements for a risk-based cybersecurity program, periodic testing (including penetration testing and vulnerability testing), and business continuity and disaster recovery.
MiFID II (Markets in Financial Instruments Directive) [EMEA, Global for financial institutions dealing with EU] MiFID II aims to increase transparency in the financial markets. It applies to investment firms in EU member states and to foreign entities providing investment services in the EU.
Payment Services Directive 2 (PSD2) [EMEA, Global for organizations providing financial services in the EU] PSD2 strengthens consumer rights and the security of electronic payments, notably through strong customer authentication (SCA) and regulated API access for third-party payment providers. It applies to payment service providers in the EU and to foreign companies providing payment services there.
Health Insurance Portability and Accountability Act (HIPAA) [USA, Global for entities handling US patient data] HIPAA applies to covered entities (healthcare providers, health plans, and clearinghouses) and to their business associates, wherever they operate, that handle protected health information (PHI) of US patients.
Health Information Technology for Economic and Clinical Health Act (HITECH) [USA, Global for US-related operations] Enacted in 2009, HITECH extends HIPAA and emphasizes the secure use of electronic health records (EHRs).
EHR Meaningful Use: Promotes secure use and adoption of EHRs.
Breach Notification: Requires notifying affected individuals and HHS (and, for large breaches, the media) after a breach of unsecured PHI.
Enhanced Penalties: Higher penalties for data breaches and violations, and direct liability for business associates.
FDA Electronic Records and Electronic Signatures (21 CFR Part 11) [USA, Global for US-sponsored trials] Part 11 sets the FDA's criteria for accepting electronic records and electronic signatures as equivalent to paper records and handwritten signatures. It applies to organizations involved in FDA-regulated activities, including international research organizations running US-sponsored clinical investigations, and expects controls such as system validation, audit trails, and access controls on the systems that hold those records.
Federal Information Security Management Act (FISMA) [USA, Global for US contractors] FISMA (2002, updated by the Federal Information Security Modernization Act of 2014) applies to US federal agencies and to contractors operating systems on their behalf. It requires agency-wide security programs built on NIST standards such as FIPS 199, FIPS 200, and SP 800-53.
Homeland Security Act [USA, Applicable for foreign entities dealing with US critical infrastructure] The Homeland Security Act of 2002 created the Department of Homeland Security and frames US critical infrastructure protection. It is relevant to public and private entities, including foreign ones, that own or operate US critical infrastructure.
California Consumer Privacy Act (CCPA) [USA, Global for businesses handling California resident data] The CCPA, as amended by the California Privacy Rights Act (CPRA), applies to businesses anywhere in the world that do business in California, process the personal data of California residents, and meet the statutory thresholds (such as annual revenue or the volume of personal data processed).
Children's Online Privacy Protection Act (COPPA) [USA, Global for websites targeting US children] COPPA protects children under 13 by regulating the online collection of their personal data. It applies to websites and online services directed at US children, or with actual knowledge that they collect data from children, wherever the operator is located.
Fair and Accurate Credit Transactions Act (FACTA) [USA, Global for organizations handling US consumer credit data] FACTA (2003) amends the Fair Credit Reporting Act and applies to companies handling US consumer credit data, primarily to prevent identity theft. Its security-relevant provisions include the Red Flags Rule (identity theft prevention programs), the Disposal Rule (secure disposal of consumer report information), and truncation of card numbers on receipts.
General Data Protection Regulation (GDPR) [EMEA, Global for organizations handling EU resident data] GDPR applies to organizations established in the EU and to organizations anywhere that offer goods or services to, or monitor the behaviour of, individuals in the EU, which makes it the reference point for most data protection programs.
ISO/IEC 27001 [Global: USA, EMEA, APAC, LATAM] An internationally recognized, certifiable standard that specifies the requirements for an information security management system (ISMS), applicable to organizations of any size worldwide.
NIST Cybersecurity Framework (CSF) [USA, Global for organizations adopting NIST standards] A voluntary framework for managing cybersecurity risk, organized around core functions (Govern, Identify, Protect, Detect, Respond, and Recover in version 2.0), used by public and private sector entities globally.
Electronic Communications Privacy Act (ECPA) [USA, Global for US-related communication services] Regulates the privacy of electronic communications both in transit and in storage (the Wiretap Act, the Stored Communications Act, and the pen register provisions), with applicability to companies providing communication services such as email in the US.
Computer Fraud and Abuse Act (CFAA) [USA, Global applicability for offenses involving US systems] Criminalizes accessing a "protected computer" without authorization or in excess of authorization, which in practice covers almost any Internet-connected system. It reaches anyone, inside or outside the US, who accesses US systems unlawfully, and it is the statute that makes written authorization and scope essential for penetration testing against US targets.
Telecommunications Act of 1996 [USA, Global for entities operating within the US telecommunications market] The Telecommunications Act of 1996 is a landmark piece of legislation that governs the telecommunications industry in the USA. It promotes competition and, through Section 222, obliges carriers to protect customer proprietary network information (CPNI), which is the basis for FCC privacy and data security rules for telecommunications networks.
Defense Federal Acquisition Regulation Supplement (DFARS) [USA, Global for contractors working with the DoD] DFARS applies to all contractors and subcontractors working with the U.S. Department of Defense (DoD). Clause 252.204-7012 requires implementing NIST SP 800-171 to protect Controlled Unclassified Information (CUI) and reporting cyber incidents to DoD within 72 hours of discovery.
Penalties for Non-Compliance: Failure to comply can lead to contract termination or debarment.
Cybersecurity Maturity Model Certification (CMMC) [USA, Global for organizations involved with DoD] CMMC is a unified standard for implementing cybersecurity across the defense industrial base. It requires contractors handling federal contract information or CUI to be assessed against one of three levels (Level 2 corresponds to NIST SP 800-171) so that the DoD can verify adequate cybersecurity practices are in place before award.
ISO/IEC 27002 [Global: USA, EMEA, APAC, LATAM] ISO/IEC 27002 is part of the ISO/IEC 27000 family and provides implementation guidance for the security controls listed in ISO/IEC 27001 Annex A, which organizations select based on their risk assessments.
Center for Internet Security (CIS) Controls [Global: USA, EMEA, APAC, LATAM] The CIS Controls are a globally recognized, prioritized set of cybersecurity safeguards developed by a community of experts and updated regularly as threats evolve. They are grouped into Implementation Groups (IG1 to IG3) so that organizations can start with essential cyber hygiene and scale up.
COBIT (Control Objectives for Information and Related Technologies) [Global: USA, EMEA, APAC, LATAM] Developed by ISACA, COBIT is a framework for the governance and management of enterprise IT, helping businesses align IT controls and processes with business objectives.
SOC 2 (System and Organization Controls 2) [Global: USA, EMEA, APAC, LATAM] SOC 2 is an AICPA attestation framework under which an independent auditor reports on a service organization's controls against the Trust Services Criteria: security (always in scope), availability, processing integrity, confidentiality, and privacy. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a period.
Cyber Resilience Act (CRA) [EMEA, Global for entities placing products on the EU market] The Cyber Resilience Act (Regulation (EU) 2024/2847) sets cybersecurity requirements for hardware and software "products with digital elements" sold in the EU, including secure-by-default design, vulnerability handling throughout the support period, and reporting of actively exploited vulnerabilities, with most obligations applying from late 2027.
Digital Operational Resilience Act (DORA) [EMEA, Global for financial institutions in the EU] DORA (Regulation (EU) 2022/2554, applicable from 17 January 2025) aims to strengthen the digital operational resilience of the financial sector by ensuring that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It also brings critical ICT third-party providers under direct oversight.
ePrivacy Directive (EU Directive 2002/58/EC) [EMEA, Global for entities handling EU resident data] The ePrivacy Directive covers privacy in electronic communications, including the confidentiality of communications and the "cookie rule" (Article 5(3)), which requires consent before storing or reading information on a user's device. As a directive it is transposed into each member state's law, and it reaches any entity, wherever located, whose services place cookies or similar identifiers on the devices of users in the EU.
FFIEC IT Examination Handbook [USA, Applicable globally for financial services involving US institutions] This handbook guides examiners in evaluating financial institutions' IT systems, with booklets covering information security, business continuity, outsourcing, and related risk management; institutions use the same booklets to prepare for examinations.
2. LATAM-Specific Standards
General Data Protection Law (LGPD) [Brazil] The LGPD (Law 13.709/2018), in force since 2020, applies to any organization processing the personal data of individuals in Brazil, with a structure similar to the GDPR.
National Cybersecurity Strategy (E-Ciber) [Brazil] E-Ciber (Decree 10.222/2020) is Brazil's national cybersecurity strategy, aiming to mitigate cyberattacks and build cybersecurity resilience across industries.
Cybersecurity and Critical Information Infrastructure Framework Law [Chile] Enacted in 2024 (Law 21.663, the Ley Marco de Ciberseguridad), this law applies to operators of vital importance and critical infrastructure in Chile and created the National Cybersecurity Agency (ANCI).
Colombian National Digital Security Policy (CONPES 3854) [Colombia] Adopted in 2016, CONPES 3854 establishes digital security and risk management measures for both public and private entities in Colombia.
National Cybersecurity Policy 2023-2028 [Chile] This policy aims to enhance cybersecurity across all sectors, from government to private businesses.
3. APAC-Specific Standards
Essential Eight [Australia] The Essential Eight, published by the Australian Cyber Security Centre (ACSC), is a set of eight prioritized mitigation strategies (including application control, patching, multi-factor authentication, and regular backups) with defined maturity levels, designed to protect Australian organizations from cyber threats.
Singapore Cybersecurity Act [Singapore, APAC] In force since 2018 and amended in 2024, this act regulates owners of critical information infrastructure (CII) and, since the amendment, extends to additional entities in the digital economy.
Personal Data Protection Act (PDPA) [Singapore, APAC] The PDPA governs the collection, use, and disclosure of personal data by organizations in Singapore, and since 2021 includes mandatory data breach notification.
Digital Personal Data Protection Act (DPDP Act) [India, APAC] Enacted in 2023, this law regulates the processing of digital personal data across India, with obligations for data fiduciaries broadly similar to those under GDPR.
Cyber Security Management Act [Taiwan] Recently amended, this act applies to government agencies and critical infrastructure providers in Taiwan.
Presidential Regulation Number 47 of 2023 on Cyber Crisis Management and National Cybersecurity Strategy [Indonesia] This regulation establishes a national approach to cybersecurity incident response.
4. Regional Standards for EMEA, LATAM, and APAC
Network and Information Security (NIS) Directive/NIS2 [EMEA, Global for businesses serving the EU market] NIS2 (Directive (EU) 2022/2555, replacing the original NIS Directive, with a transposition deadline of October 2024) establishes security and incident-reporting obligations for "essential" and "important" entities in sectors such as energy, transport, health, and digital infrastructure across the EU, including non-EU providers offering those services in the EU.
African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) [Africa, EMEA] Adopted in 2014, the Malabo Convention establishes a framework for cybersecurity, cybercrime, and personal data protection across African Union member states.
Asia-Pacific Economic Cooperation (APEC) Privacy Framework [APAC, Global for cross-border data transfers] The APEC Privacy Framework focuses on protecting personal data while enabling cross-border data flows within APAC; the Cross-Border Privacy Rules (CBPR) system operationalizes it for certified organizations.
ASEAN Cybersecurity Cooperation Strategy [APAC] Encourages alignment of ASEAN member states' cybersecurity policies and capabilities with international norms and standards.
5. General Data Protection and Security (Continued)
ISO/IEC 27032 [Global: USA, EMEA, APAC, LATAM] Provides guidance on Internet security and on how cybersecurity relates to other security domains (information, network, and application security), for organizations globally.
Cybersecurity Information Sharing Act of 2015 (CISA) [USA, Global for entities sharing threat information with US authorities] Not to be confused with the agency of the same acronym, the Act promotes the sharing of cyber threat indicators and defensive measures between the private sector and the US government, with liability protection for sharing done in accordance with its provisions.
Privacy Protections: Requires removing personal information not directly related to a cybersecurity threat before sharing.
Congratulations! You made it through this regulatory jungle without throwing your laptop out the window. Now, if you’ve truly absorbed all these cybersecurity standards, you may have developed a few new superpowers—decoding legalese or spotting compliance gaps from a mile away, translating regulatory jargon into human language, converting vague compliance guidelines into precise checklists, and then some.
You’re now a Master of Intergalactic Compliance.