Cybersecurity compliance is a complex ecosystem of domestic and international laws, regulations and frameworks where compulsory rules work alongside voluntary certifications. In the US, for example, federal and state legislation both apply – a situation that contrasts with the EU, where laws can apply equally across all 27 member states.
In addition, not all relevant rules and regulations focus solely on cybersecurity, and there is considerable crossover between cybersecurity and data protection. For example, major US laws such as HIPAA include important cybersecurity provisions that require organizations to maintain administrative, technical and physical security safeguards for protecting data.
There is also a wide range of voluntary standards, frameworks and certifications designed to deliver cybersecurity best practices across various industries and technology use cases. While non-compliance with these doesn’t typically carry the kind of financial sanctions found in government-backed laws, it can still result in significant penalties, while loss of certification can have other serious business consequences.
As a result, organizations have an obligation to understand each set of relevant regulations and ensure their technologies and processes remain in compliance. Today, there is a very wide range of laws and regulations in place, but some of the key examples include:

National Security Agency's (NSA) National Cross Domain Strategy & Management Office (NCDSMO) Raise the Bar
What is it?
Introduced in 2018, NSA Raise the Bar (RTB) is an important set of standards designed to improve the cybersecurity of all cross-domain solutions. It sets out a number of stringent controls that vendors must adhere to when shipping software into government networks.
Who does it apply to?
RTB applies to U.S. federal agencies, contractors and organizations involved in handling classified or sensitive government information and systems.
Key compliance requirements:
Key compliance requirements for RTB include implementing advanced cybersecurity measures such as multifactor authentication, stronger encryption, privileged access restrictions, and continuous monitoring of classified and sensitive systems. Organizations are also expected to secure their supply chains and establish robust incident response capabilities to mitigate risks from cyber threats.
Breach reporting requirements:
Organizations must adhere to federal incident reporting timelines and protocols, notifying relevant authorities promptly in case of breaches or cybersecurity incidents affecting classified or sensitive systems.
Non-compliance penalties:
As a voluntary framework, RTB does not include non-compliance penalties, but security breaches or failure to comply may result in loss of contracts, reduced funding or increased scrutiny from federal oversight bodies.
Official site/further reading: https://www.nsa.gov/Cybersecurity/Partnership/National-Cross-Domain-Strategy-Management-Office/

NIST Cybersecurity Framework
What is it?
The NIST Cybersecurity Framework (CSF) provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize, and communicate its cybersecurity efforts.
Who does it apply to?
The framework applies to any organization, regardless of size, sector, or maturity level (including industry, government agencies, academia, and nonprofit organizations) to help manage cybersecurity risks.
Key compliance requirements:
The NIST CSF focuses on governance and risk management strategies, implementing safeguards for asset protection, continuously monitoring for threats, responding to incidents, and ensuring recovery processes – all while aligning with legal, regulatory, and contractual cybersecurity obligations.
Breach reporting requirements:
NIST CSF does not mandate specific breach reporting timelines or authorities, but organizations using it should comply with external legal, regulatory, or contractual obligations that dictate when and how breaches must be reported.
Non-compliance penalties:
As a voluntary framework, NIST does not include provisions for non-compliance penalties. However, organizations that fail to align with the CSF may face indirect consequences depending on legal, regulatory, or contractual requirements that incorporate NIST standards.
Official site/further reading: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

CISA Zero Trust Maturity Model (ZTMM)
What is it?
The Zero Trust Maturity Model (ZTMM) is a voluntary framework developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to help organizations adopt zero trust principles.
Who does it apply to?
ZTMM is primarily targeted at U.S. federal agencies, as mandated by Executive Order 14028 on Improving the Nation's Cybersecurity. However, it has also been widely referenced by private organizations and state/local governments looking to adopt zero trust principles.
Key compliance requirements:
ZTMM provides a roadmap for implementing zero trust architecture (ZTA) across five pillars: Identity, Device, Network/Environment, Application/Workload, and Data. This includes enforcing multifactor authentication and role-based access controls for identity management, ensuring device health monitoring and endpoint protection, segmenting networks and encrypting data in transit, securing application access and workload integrity, and implementing least-privilege access with robust encryption for sensitive data. Continuous monitoring and verification are essential at every stage to align with zero trust principles.
Breach reporting requirements:
Breach reporting requirements related to the ZTMM are not directly specified in the model itself. However, organizations adopting zero trust principles are expected to integrate breach reporting processes into their security and governance strategies.
Non-compliance penalties:
As seen across other voluntary cybersecurity frameworks, the ZTMM does not include non-compliance penalties, but security breaches or failure to comply may result in loss of contracts, reduced funding or increased scrutiny from federal oversight bodies.
Official site/further reading: https://www.cisa.gov/zero-trust-maturity-model
Health Insurance Portability and Accountability Act (HIPAA)
What is it?
Signed into federal law in 1996, HIPAA protects sensitive protected health information (PHI) from being disclosed without the patient's consent or knowledge. It establishes standards for the security and privacy of health data.
Who does it apply to?
HIPAA applies to organizations known as ‘covered entities’. This includes healthcare providers, health plans, healthcare clearinghouses and business associates, as well as third-party organizations that handle PHI on their behalf.
Key compliance requirements:
HIPAA compliance depends on adhering to a range of rules around privacy, security, breach notification, enforcement and transaction standards.
Breach reporting requirements:
Covered entities and business associates must notify affected individuals, the HHS and the media within 60 days of discovering a PHI breach. Breaches affecting fewer than 500 individuals may be reported annually.
Non-compliance penalties:
Penalties vary depending on the severity of the breach, ranging from $141 to $2,134,831 per violation.
Official site/further reading: https://www.hhs.gov/hipaa/index.html
NIS2 Directive
What is it?
The NIS2 Directive is an updated version of the original Network and Information Systems (NIS) Directive, adopted by the European Union in 2022 to strengthen cybersecurity resilience and incident response capabilities across the EU.
Who does it apply to?
NIS2 applies to essential and important entities in critical sectors, such as energy, healthcare, transport, financial services and digital infrastructure, among others, within the EU.
Key compliance requirements:
Compliance requirements include implementing risk management measures, enhancing incident detection and reporting capabilities, and designating clear cybersecurity governance roles. Entities must also conduct regular audits, manage supply chain risks and report significant cybersecurity incidents to authorities within strict timelines.
Breach reporting requirements:
Organizations must report significant cybersecurity incidents to their national authorities within 24 hours of detection, followed by an initial assessment report within 72 hours.
Non-compliance penalties:
Non-compliance penalties include fines of up to €10 million or 2% of global annual turnover, whichever is higher.
Official site/further reading: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
International Traffic in Arms Regulations (ITAR)
What is it?
ITAR is a set of U.S. government regulations that control the export and import of defense-related articles, services and technical data under the Arms Export Control Act (AECA). It ensures that military technologies do not fall into the wrong hands.
Who does it apply to?
ITAR applies to U.S. manufacturers, exporters, and brokers of defense articles and services, as well as foreign entities handling ITAR-controlled items.
Key compliance requirements:
Organizations must register with the Directorate of Defense Trade Controls (DDTC), obtain export licenses for controlled items, restrict access to technical data and maintain compliance records for at least five years.
Breach reporting requirements:
Companies must report ITAR violations to the DDTC, with voluntary self-disclosures potentially reducing penalties.
Non-compliance penalties:
Violations can result in civil fines up to $1.2 million per infraction, criminal fines up to $1 million, and imprisonment. Non-compliance may also lead to debarment from exporting defense-related items.
Official site/further reading: https://www.pmddtc.state.gov/ddtc_public/ddtc_public?id=ddtc_kb_article_page&sys_id=24d528fddbfc930044f9ff621f961987
Export Administration Regulations (EAR)
What is it?
EAR is a set of U.S. regulations administered by the Bureau of Industry and Security (BIS) that control the export, reexport, and transfer of dual-use items (commercial products with potential military applications).
Who does it apply to?
EAR applies to U.S. exporters, reexporters, and foreign entities handling controlled items, including software and technology, especially those incorporating U.S.-origin components.
Key compliance requirements:
Companies must classify items under the Export Control Classification Number (ECCN), secure the necessary export licenses, screen end-users for restricted activities, and maintain export records for at least five years.
Breach reporting requirements:
Voluntary self-disclosure of violations to BIS is encouraged and may reduce penalties.
Non-compliance penalties:
Criminal penalties can include fines of up to $1 million per violation and imprisonment for up to 20 years. Administrative penalties can reach $300,000 per violation or twice the transaction value.
Official site/further reading: https://www.bis.gov/regulations

General Data Protection Regulation (GDPR)
What is it?
In effect from 2018, GDPR is the EU’s data privacy and security law, described on its official site as the “toughest privacy and security law in the world”.
Who does it apply to?
GDPR applies to organizations that process personal data or offer goods or services to EU citizens or residents, including those not based in the region.
Key compliance requirements:
Compliance is based on a number of data protection and accountability principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
Breach reporting requirements:
Organizations must report personal data breaches to their relevant supervisory authority within 72 hours of becoming aware.
Non-compliance penalties:
A maximum of €20 million or 4% of global revenue (whichever is higher).
Official site/further reading: https://gdpr.eu/what-is-gdpr/

Payment Card Industry Data Security Standard (PCI DSS)
What is it?
First available in 2004, the PCI Security Standards are developed and maintained by the PCI Security Standards Council to protect payment data throughout the payment lifecycle.
Who does it apply to?
PCI DSS is a mandatory global standard that applies to all entities that store, process or transmit cardholder data.
Key compliance requirements:
Compliance is based on 12 requirements, which include securing networks with firewalls, encrypting payment data, and protecting stored cardholder data through robust access controls and authentication mechanisms. Organizations must also regularly monitor and test networks, address vulnerabilities and maintain a comprehensive security policy for all personnel.
Breach reporting requirements:
PCI DSS breach reporting requires immediate notification of relevant parties, engagement of an independent PCI Forensic Investigator (PFI) for forensic investigation, adherence to evidence preservation protocols and submission of mandatory reports to payment brands and acquirers.
Non-compliance penalties:
Penalties vary and may include fines of $5,000 to $100,000 per month for non-compliance, potential loss of merchant privileges, and liability for breach-related damages.
Official site/further reading: https://www.pcisecuritystandards.org/
Getting compliant
Cybersecurity compliance is a highly complex and nuanced subject and will only become more challenging as new rules and regulations are brought into force. To source proper advice, organizations should consult relevant authorities for official guidelines and can also engage legal and cybersecurity consultants for more focused advice. Other options include using compliance tools from trusted vendors and adopting industry standards and certifications to ensure they comply with each relevant cybersecurity and data protection law.
