
Governance and Regulatory Compliance

Organizations face an ever-increasing list of statutory, regulatory, contractual, and legal compliance obligations.

Learn more about regulatory compliance and which regulations may affect your organization.

Common compliance requirements

In today’s complex regulatory environment, organizations must:

Common regulations

The table below lists the most common regulations that organizations have to comply with, the security areas they cover, and their requirements:

| Regulation | Who Needs to Comply | Security Areas Covered | Requirements |
| --- | --- | --- | --- |
| HIPAA (Health Insurance Portability and Accountability Act) | US healthcare organizations and partners | Creating, storing and transmitting electronic protected health information | All major best-practice security areas |
| SOX (Sarbanes–Oxley Act) and accounting standards, COSO, COBIT®, SAS | US public companies | Defined to secure the public against corporate fraud and misrepresentation | All major best-practice security areas |
| PCI DSS (Payment Card Industry Data Security Standard) | Merchants that take credit cards, and service providers that facilitate card payments | Privacy of customer financial data | Varies by size of merchant; requires best practices plus third-party assessments |
| GLBA – Public Law 106–102, FDIC/FFIEC guidelines, FACT Act, Patriot Act (2001) | US financial institutions | Privacy of personal information, safety of Internet-based products and services, fair and accurate credit transactions, anti-terrorism | Best-practice security, 2FA (two-factor authentication), ensure accuracy and safety, identity verification |
| Breach laws in all US states | Any company storing, accessing, or sharing personal information | Consumer privacy | All major best-practice security areas |
| EU GDPR (General Data Protection Regulation) | Any organization processing personal data of EU residents | Personal data | All major best-practice security areas |
| FISMA (Federal Information Security Management Act) | US federal agencies | Information and IT systems | NIST has developed its six-step RMF (Risk Management Framework) to enable agencies to achieve compliance |
| CCPA (California Consumer Privacy Act) | Organizations processing information on California residents or doing business in California | Personal data | All major best-practice security areas |

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that was enacted in 1996. It aims to make it easier for people to keep their health insurance when they change jobs, to protect the confidentiality and security of health care information, and to help the health care industry control its administrative costs.

Learn more about HIPAA >>

The Sarbanes Oxley Act (SOX)

Since 2002, the Sarbanes-Oxley Act (SOX) has required US organizations to demonstrate corporate governance compliance. SOX requires management to certify the company’s financial reports, and both management and an independent accountant are required to certify the organization’s internal controls. Because financial reporting depends on IT systems, this places substantial demands on the IT infrastructure and the controls around it.

Find out more about the Sarbanes-Oxley Act >>

The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) has been devised to increase security around card transactions. Acknowledged the world over, compliance with the PCI DSS is mandatory for card-accepting organisations. The standard requires merchants to demonstrate a secure IT network that protects cardholder data, maintain a vulnerability management programme, implement access control measures and regularly test their networks.

Find out more information on our bespoke PCI DSS page >>

US breach laws by State

Personal information in the United States is currently protected by a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary. Our Data Breach Notification Laws by State page provides more information on individual state obligations.

Find out more >>

The EU General Data Protection Regulation (GDPR)

The GDPR supersedes existing national data protection laws across the EU, bringing uniformity by introducing just one main data protection law for organizations to comply with. The GDPR applies to any organization processing and storing EU residents’ personal data, irrespective of the organization’s location or where the data is processed.

Find out more about the key elements of the EU GDPR >>

Federal Information Security Management Act of 2002 (FISMA)

The Federal Information Security Management Act (FISMA) is a United States federal law that was enacted as Title III of the E-Government Act of 2002. It requires federal agencies to implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors.

Learn more about FISMA implementation and compliance >>

The California Consumer Privacy Act (CCPA)

The CCPA (California Consumer Privacy Act) is a data privacy law that will come into effect on January 1, 2020 in the State of California.

It applies to businesses that collect California residents’ personal information, and its privacy requirements are similar to those of the EU’s GDPR (General Data Protection Regulation).

Find out more about the CCPA >>
