Regulations & Compliance
Navigate regulatory requirements for software migration and modernization. Understand compliance obligations for GDPR, HIPAA, PCI DSS, and more.
GDPR
European Union regulation on data protection and privacy for individuals within the EU and EEA
CCPA
California state statute enhancing privacy rights and consumer protection for residents of California
HIPAA
US legislation providing data privacy and security provisions for safeguarding medical information
PCI DSS
Information security standard for organizations that handle branded credit cards
SOX
US federal law mandating certain practices in financial record keeping and reporting for corporations
EU AI Act
European Union regulation on artificial intelligence, establishing rules for AI systems based on risk levels
DORA
EU regulation on digital operational resilience for the financial sector
NIS2
EU directive on cybersecurity measures across the Union
FedRAMP
US government program providing standardized approach to security assessment for cloud products and services
LGPD
Brazil's General Data Protection Law regulating personal data processing
PIPEDA
Canadian federal privacy law for private-sector organizations
GLBA
US law requiring financial institutions to explain their information-sharing practices
UK GDPR
The UK's retained and amended version of the EU GDPR governing the processing of personal data of individuals in the United Kingdom.
CCPA
California's landmark consumer privacy law giving residents rights to know, delete, and opt out of the sale of their personal information.
CPRA
A 2020 ballot measure that expanded the CCPA, adding new consumer rights, sensitive data rules, and a dedicated California privacy regulator.
VCDPA
Virginia's comprehensive consumer privacy law granting residents data rights and imposing controller and processor obligations.
CPA
Colorado's comprehensive consumer privacy law granting data rights and requiring recognition of universal opt-out mechanisms.
CTDPA
Connecticut's comprehensive consumer privacy law granting data rights and requiring opt-out preference signal recognition.
UCPA
Utah's comprehensive consumer privacy law granting limited data rights with a business-friendly, opt-out-based design.
TDPSA
Texas's comprehensive consumer privacy law applying to most businesses regardless of revenue, with broad data rights and opt-out signals.
LGPD
Brazil's general data protection law governing the processing of personal data, modeled closely on the EU GDPR.
PIPEDA
Canada's federal private-sector privacy law governing the collection, use, and disclosure of personal information in commercial activity.
Quebec Law 25
Quebec's privacy reform law (formerly Bill 64) overhauling personal information protection in the public and private sectors.
POPIA
South Africa's data protection law regulating the processing of personal information by public and private bodies.
PDPA
Singapore's data protection law governing the collection, use, and disclosure of personal data by private-sector organizations.
PDPA
Thailand's comprehensive data protection law governing the collection, use, and disclosure of personal data, modeled on the GDPR.
APPI
Japan's national data protection law governing how businesses handle personal information, overseen by the PPC.
PIPL
China's comprehensive personal information protection law governing processing of personal data with strict consent and cross-border rules.
DPDP Act
India's first comprehensive data protection law governing the processing of digital personal data with consent at its core.
Privacy Act
Australia's principal privacy law regulating handling of personal information through the Australian Privacy Principles.
KVKK
Turkey's data protection law regulating the processing of personal data, modeled on the EU Data Protection Directive.
nFADP / nLPD
Switzerland's revised federal data protection law modernizing privacy rules and aligning them more closely with the GDPR.
PDPL
Saudi Arabia's first comprehensive data protection law governing the processing of personal data, supervised by the SDAIA.
UAE PDPL
The United Arab Emirates' first federal data protection law governing the processing of personal data across the country.
NDPA
Nigeria's comprehensive data protection law governing the processing of personal data and establishing a national data protection commission.
Kenya DPA
Kenya's comprehensive data protection law governing the processing of personal data and establishing the Office of the Data Protection Commissioner.
NZ Privacy Act
New Zealand's principal privacy law regulating the handling of personal information through 13 Information Privacy Principles.
ePrivacy Directive
The EU directive governing privacy in electronic communications, including cookies, traffic data, and marketing, often called the cookie law.
CIRCIA
US law requiring critical infrastructure entities to report covered cyber incidents and ransomware payments to CISA within defined deadlines.
FISMA
US law requiring federal agencies and their contractors to secure information systems using risk-based controls and continuous oversight.
CMMC
US Department of Defense program requiring defense contractors to certify cybersecurity maturity to protect controlled unclassified information.
CRA
EU regulation setting mandatory cybersecurity requirements for products with digital elements across their entire lifecycle.
Cyber Essentials
UK government-backed certification scheme defining baseline technical controls to protect organizations against common cyber attacks.
Essential Eight
Australian government baseline of eight prioritized mitigation strategies to protect systems against common cyber threats.
FedRAMP High
The FedRAMP authorization baseline for cloud services handling high-impact US federal data such as law enforcement and health records.
SOX (Sarbanes-Oxley)
US law mandating accurate financial reporting and internal controls for public companies, with implications for IT and data integrity.
PCI DSS 4.0
Global security standard for organizations that store, process, or transmit payment card data, mandated by the major card brands.
PSD2
EU directive regulating electronic payments, opening bank data to licensed third parties and mandating strong customer authentication.
MiFID II
EU framework regulating investment services and trading venues, with extensive transaction reporting, transparency, and record-keeping duties.
Basel III
Global banking standards strengthening capital, leverage, and liquidity requirements to improve the resilience of the banking sector.
Dodd-Frank
US law overhauling financial regulation after the 2008 crisis, covering systemic risk, derivatives, and consumer financial protection.
FINRA
Rules of the US self-regulatory organization governing broker-dealers, covering conduct, supervision, recordkeeping, and communications.
SEC Cyber Disclosure
US SEC rules requiring public companies to disclose material cybersecurity incidents promptly and describe their risk-management governance.
FFIEC
US interagency guidance and examination standards for information security and IT risk management at financial institutions.
EMIR
EU regulation on OTC derivatives, central counterparties, and trade repositories, mandating clearing, reporting, and risk mitigation.
Open Banking UK
UK framework requiring major banks to share account data and enable payments through standardized, secure APIs with customer consent.
HITECH
US law that strengthened HIPAA, promoted electronic health records, and added breach notification and stronger enforcement for health data.
FERPA
US law protecting the privacy of student education records and giving students and parents rights over those records.
COPPA
US law governing the online collection of personal information from children under 13, requiring verifiable parental consent.
21 CFR Part 11
US FDA regulation setting requirements for trustworthy electronic records and electronic signatures in regulated life-sciences systems.
GDPR Transfers / SCCs
GDPR rules restricting transfers of personal data outside the EU/EEA unless an adequate safeguard such as SCCs or adequacy applies.
NYDFS Part 500
New York regulation requiring financial-services companies to maintain a risk-based cybersecurity program with specific safeguards.
TISAX
Automotive-industry information-security assessment and exchange mechanism based on the VDA ISA catalogue, used across the supply chain.
FTC Safeguards Rule
US FTC rule under GLBA requiring non-bank financial institutions to implement a comprehensive information security program for customer data.
US AI Executive Order
US federal executive order directing agencies to set safety, security, and rights standards for AI development and deployment across government and industry.
Colorado AI Act
Colorado state law requiring developers and deployers of high-risk AI systems to prevent algorithmic discrimination in consequential decisions.
AILD
Proposed EU directive easing the burden of proof for victims claiming damage caused by AI systems, complementing the EU AI Act.
China Generative AI Measures
Chinese regulation governing public-facing generative AI services, covering content safety, training data, and security review.
AIDA
Proposed Canadian federal law (part of Bill C-27) regulating high-impact AI systems for safety and non-discrimination.
NYC Local Law 144
NYC law requiring bias audits and candidate notice for automated employment decision tools used in hiring and promotion.
ADA
US civil rights law prohibiting disability discrimination; increasingly applied to website and digital service accessibility.
Section 508
US federal law requiring electronic and information technology procured or used by federal agencies to be accessible to people with disabilities.
EAA
EU directive requiring a wide range of products and digital services to meet common accessibility requirements across member states.
EN 301 549
European harmonized standard specifying accessibility requirements for ICT, used to demonstrate compliance with EU accessibility law.
AODA
Ontario law setting accessibility standards, including web accessibility, for public and private organizations in the province.
UK Equality Act
UK law prohibiting discrimination that requires service providers to make reasonable adjustments, including for accessible digital services.
Data Act
EU regulation governing access to and sharing of data from connected products and related services, including cloud-switching rules.
DGA
EU regulation establishing trusted mechanisms for data sharing, data intermediaries, and data altruism across sectors.
DSA
EU regulation setting content moderation, transparency, and accountability rules for online intermediaries and large platforms.
DMA
EU regulation imposing fairness and contestability obligations on large digital gatekeeper platforms providing core platform services.
eIDAS / eIDAS 2
EU framework for electronic identification, trust services, and the European Digital Identity Wallet.
CLOUD Act
US law clarifying that providers must produce data they control regardless of storage location, and enabling cross-border data agreements.
DPF
Transatlantic mechanism allowing lawful transfer of personal data from the EU to certified US organizations under an adequacy decision.
Schrems II
Landmark CJEU ruling invalidating the EU-US Privacy Shield and tightening conditions for international transfers of personal data.
Delete Act
California law creating a single mechanism for consumers to direct all registered data brokers to delete their personal information.
Right to Repair
EU directive promoting repair of goods, including obligations to provide spare parts, repair information, and software support.
WAD
EU directive requiring public-sector websites and mobile apps to be accessible and to publish accessibility statements.
ISO/IEC 42001
International management-system standard for governing the responsible development and use of artificial intelligence within organizations.
OCPA
Oregon's comprehensive consumer privacy law granting residents rights over their personal data and imposing duties on businesses that process it.
MCDPA
Montana's comprehensive privacy law giving residents data rights and requiring controllers to honor opt-outs and protect sensitive data.
ICDPA
Iowa's consumer privacy law giving residents access, deletion, and opt-out rights with comparatively limited controller obligations.
DPDPA
Delaware's comprehensive privacy law granting residents broad data rights with low applicability thresholds and coverage of many nonprofits.
NJDPA
New Jersey's comprehensive privacy law giving residents data rights and requiring consent for sensitive data and certain processing of minors.
TIPA
Tennessee's comprehensive privacy law granting consumer data rights and offering an affirmative defense for documented privacy programs.
INCDPA
Indiana's comprehensive privacy law granting residents data rights, with one of the latest effective dates among state privacy statutes.
FDBR
Florida's privacy law targeting large technology companies, with rights for consumers and rules on data sales, profiling, and children's data.
NDPA
Nebraska's comprehensive privacy law modeled on Texas, applying to most businesses except small businesses regardless of data volume.
NHPA
New Hampshire's comprehensive privacy law granting residents data rights with low applicability thresholds and rulemaking by the Department of Justice.
KCDPA
Kentucky's comprehensive privacy law modeled on Virginia, granting residents data rights and requiring consent for sensitive data.
MODPA
Maryland's strict privacy law imposing strong data minimization limits and broad protections, especially for sensitive data and minors.
MCDPA-MN
Minnesota's comprehensive privacy law with novel rights including the right to question profiling decisions and to review a data inventory.
RIDTPPA
Rhode Island's comprehensive privacy law granting consumer data rights with distinctive third-party disclosure transparency requirements.
BIPA
Illinois law regulating the collection and handling of biometric identifiers such as fingerprints and facial geometry, with a private right of action.
PIPA
South Korea's comprehensive data protection law, one of the strictest globally, governing the processing of personal information by public and private entities.
PDPA
Argentina's foundational data protection law, recognized as EU-adequate, governing processing of personal data and habeas data rights.
LFPDPPP
Mexico's federal privacy law governing how private-sector entities collect and process personal data, centered on the privacy notice and ARCO rights.
Law 1581
Colombia's general data protection law governing the processing of personal data, requiring database registration and authorization from data subjects.
Law 19.628
Chile's data protection law on the processing of personal data, recently overhauled by Law 21.719 to align with modern GDPR-style standards.
DPA 2012
The Philippines' comprehensive data privacy law protecting personal information in government and private systems, enforced by the National Privacy Commission.
PDP Law
Indonesia's first comprehensive personal data protection law, modeled on the GDPR, governing data controllers and processors across all sectors.
PDPD
Vietnam's foundational personal data protection regulation establishing consent, data subject rights, and cross-border transfer impact assessments.
PDPA
Malaysia's data protection law regulating the processing of personal data in commercial transactions, recently amended to add breach notification and a DPO duty.
PPL
Israel's foundational privacy law governing databases of personal information, recognized as EU-adequate and modernized by Amendment 13.
PDPL
Egypt's first comprehensive data protection law governing electronic personal data, requiring licensing, consent, and a data protection officer.
DPA 2012
Ghana's data protection law regulating the processing of personal data and requiring registration of data controllers with the Data Protection Commission.
NERC CIP
Mandatory cybersecurity standards protecting the North American bulk electric system from physical and cyber threats.
TSA Pipeline
Mandatory U.S. cybersecurity directives requiring critical pipeline owners to protect IT and OT systems against cyber threats.
EU MDR
EU regulation governing the safety, performance, and market access of medical devices, including software as a medical device.
EU IVDR
EU regulation governing in-vitro diagnostic medical devices and related software, raising risk classification and clinical evidence requirements.
FDA 524B Cyber
U.S. FDA requirements obliging makers of connected medical devices to address cybersecurity in premarket submissions, including SBOMs and update plans.
UNECE R155
UN regulation requiring vehicle manufacturers to operate a cybersecurity management system and secure vehicles across their lifecycle for type approval.
UNECE R156
UN regulation requiring vehicle manufacturers to operate a software update management system and safely deliver over-the-air and other vehicle software updates.
ISO/SAE 21434
International standard for automotive cybersecurity engineering, widely used as the technical basis for meeting UNECE R155 type-approval obligations.
UK TSA 2021
UK law imposing strong security duties on public telecoms providers to protect networks and services against cyber and supply chain threats.
EU Cybersecurity Act
EU regulation strengthening ENISA's mandate and creating an EU-wide cybersecurity certification framework for ICT products, services, and processes.
IoT Cybersecurity Act
U.S. law requiring IoT devices bought by the federal government to meet NIST security standards, with vulnerability disclosure guidance.
EU CSRD
EU directive requiring large and listed companies to report standardized, audited sustainability information including environmental, social, and governance data.
SEC Climate Disclosure
U.S. SEC rules requiring public companies to disclose material climate-related risks, governance, and certain emissions in registration statements and reports.
UK OSA
UK law imposing duties of care on online platforms to protect users, especially children, from illegal and harmful content.
EU Cyber Solidarity Act
EU regulation strengthening collective detection, preparedness, and response to large-scale cyber incidents across the Union.
CA AADC
California law requiring online services likely accessed by children to prioritize their privacy and safety by design and default.
UK Children's Code
UK statutory code requiring online services likely accessed by children to follow data protection standards that put children's best interests first.
GLBA Safeguards Rule
U.S. FTC rule requiring financial institutions to implement a documented information security program to protect customer data.
J-SOX
Japanese internal control reporting requirements for listed companies over financial reporting, modeled on the U.S. Sarbanes-Oxley Act.
SOCI Act
Australian law imposing security, risk management, and incident reporting obligations on owners and operators of critical infrastructure assets.
Marco Civil
Brazilian law establishing principles, rights, and duties for internet use, including net neutrality, privacy, and intermediary liability rules.
EU Machinery Regulation
EU regulation setting health, safety, and cybersecurity requirements for machinery and related products, including digital and AI-enabled systems.
HHS 405(d) HICP
U.S. HHS program providing voluntary, consensus-based cybersecurity practices to reduce threats across the healthcare and public health sector.
EU RED Cyber
EU delegated regulation activating cybersecurity requirements for internet-connected radio equipment, protecting networks, privacy, and against fraud.