Select regional store:

What is regulatory compliance and why is it important?

Regulatory compliance definition

Regulatory compliance is the process of adhering to laws, regulations, guidelines, and specifications relevant to a business’ operations.

It involves making sure a business is operating within the bounds of the law and taking steps to ensure that the business is meeting all relevant regulatory requirements.

Compliance is necessary for businesses to maintain their licenses and remain in good standing with regulators.

Why is regulatory compliance important?

Regulatory compliance is essential for protecting customers, employees, and assets by ensuring adherence to applicable laws, regulations, and industry standards.

It also helps organizations avoid the costly penalties, fines and reputational damage that occur when an organization fails to comply with the law.

Regulatory compliance boosts customer and investor confidence by ensuring organizations operate safely and responsibly.

Common compliance requirements

In today’s complex regulatory environment, regulatory compliance requires that organizations:

Common regulations

The table below lists the most common regulations that organizations have to comply with, the security areas they cover, and their requirements:


Who needs to comply

Security areas covered


US healthcare organizations and partners

Creating, storing and transmitting electronic protected health information

All major best-practice areas

SOX (Sarbanes–Oxley Act) and accounting standards, COSO, COBIT®, SAS

US public companies

Defined to secure the public against corporate fraud and misrepresentation

All major best-practice security areas

PCI DSS (Payment Card Industry Data Security Standard)

Merchants that take credit cards, and service providers that facilitate card payments

Privacy of customer financial data

Varies by size of merchant, requires best practices plus third-party assessments

GLBA – Public Law 106–102, FDIC/FFIEC guidelines, FACT Act, Patriot Act (2001)


US financial institutions

Privacy of personal information, safety of Internet-based products and services, fair and accurate credit transactions, anti-terrorism

Best-practice security, 2FA (two-factor authentication), ensure accuracy and safety, identity verification

Breach laws in all US states

Any company storing, accessing, or sharing personal information

Consumer privacy

All major "Best Practices Security" areas

EU GDPR (General Data Protection Regulation)

Any organization processing personal data of EU residents

Personal data

All major best-practice security areas

FISMA (Federal Information Security Management Act)

US federal agencies

Information and IT systems

NIST has developed its six-step RMF (Risk Management Framework) to enable agencies to achieve compliance

CCPA (California Consumer Privacy Act)

Organizations processing information on California residents or doing business in California

Personal data

All major best-practice areas

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that was enacted in 1996. It aims to make it easier for people to keep their health insurance when they change jobs, to protect the confidentiality and security of health care information, and to help the health care industry control its administrative costs.

Learn more about HIPAA >>

The Sarbanes Oxley Act (SOX)

From 2002, the SOX (Sarbanes-Oxley Act) enforces US organizations to demonstrate corporate governance compliance. SOX requires management to certify the company’s financial reports, and both management and an independent accountant are required to certify the organization’s internal controls. This has a huge dependency on the IT infrastructure and IT systems.

Find out more about the Sarbanes-Oxley Act >>

The Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS (Payment Card Industry Data Security Standard) has been devised to increase security around card transactions. The Standard is acknowledged the world over, and compliance is mandatory for card-accepting organizations. It requires merchants to demonstrate a secure IT network that protects cardholder data, maintain a vulnerability management program, implement access control measures, and regularly test their networks.

Find out more about our PCI DSS solutions and services >>

US breach laws by State

Personal information in the US is protected by federal and state laws with varying rules and authority. Our Data Breach Notification Laws by State page provides more information on individual state obligations.

Find out more >>

The EU General Data Protection Regulation (GDPR)

The GDPR replaces existing national data protection laws in the EU, creating one unified law for organizations to follow. The GDPR is applicable to any organization, regardless of location, that processes and stores personal data of EU residents.

Find out more about the key elements of the EU GDPR >>

Federal Information Security Management Act of 2002 (FISMA)

FISMA is a federal law established in 2002 as part of the E-Government Act of 2002. It requires federal agencies to implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors.

Learn more about FISMA implementation and compliance >>

The California Consumer Privacy Act (CCPA)

The CCPA is a data privacy law that took effect in California on January 1, 2020. It applies to businesses that collect California residents’ personal information, and its privacy requirements are similar to those of the EU’s GDPR.

It applies to businesses that collect California residents’ personal information, and its privacy requirements are similar to those of the EU’s GDPR.

Find out more about the CCPA >>

This website uses cookies. View our cookie policy