Data Security and Privacy Regulations
Organizations of every size face cyber threats that can expose sensitive data and cause significant harm. In response, governments and industry bodies worldwide have introduced regulations and standards to protect data, reduce risk, and ensure compliance across sectors.
CIPA
The Children’s Internet Protection Act (CIPA) is a United States law that conditions E-Rate funding for schools and libraries on the adoption of an internet safety policy, including technology that blocks or filters content that is obscene, child pornography, or harmful to minors, and monitoring of minors’ online activity.
GDPR
The General Data Protection Regulation (GDPR) is a European Union regulation that sets the requirements for processing personal data and applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is established.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a United States health data protection law whose Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards for protected health information (PHI). The technical safeguards cover access control, audit controls, integrity, person or entity authentication, and transmission security; encryption is an addressable specification, so an entity that does not implement it must document why and what it does instead.
KCSiE
Keeping Children Safe in Education (KCSiE) is statutory guidance from the Department for Education that schools and colleges in England must follow to safeguard children under 18, including requirements for safeguarding policy, staff training, and appropriate filtering and monitoring of internet access.
NIS 2
The Network and Information Security Directive 2 (NIS 2) is a European Union directive that strengthens cybersecurity and resilience requirements for essential and important entities, expanding the sectors in scope, placing accountability for risk management on management bodies, and tightening incident reporting timelines. As a directive, it takes effect through each member state’s transposing law.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard, maintained by the PCI Security Standards Council and enforced contractually through the card brands and acquirers, for organizations that store, process, or transmit cardholder data. It requires defined policies, logging and auditing, and strong network and access controls around the cardholder data environment.
Overview of Cybersecurity Regulations and Compliance Preparation
Key International Standards/Frameworks
Non-Jurisdictional but Widely Referenced
These are not laws per se, but are often referenced by regulators as evidence of “reasonable security practices.”
| Standard / Framework | Region | Overview |
|---|---|---|
| CIS Critical Security Controls v8 | Global | A prioritized, standards‑agnostic set of cybersecurity best practices designed to help organizations defend against common cyber threats. |
| Essential Eight | Australia | Australia’s core cybersecurity baseline framework developed by the Australian Cyber Security Centre (ACSC). |
| ISO/IEC 27001 | Global | International information security management standard defining requirements for an Information Security Management System (ISMS). |
| NIST Cybersecurity Framework (CSF) | Global | Risk management framework organized around six functions in CSF 2.0 (released February 2024): Govern, Identify, Protect, Detect, Respond, and Recover. |
| Payment Card Industry Data Security Standard (PCI DSS) | Global | Contractually mandated security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council. |
Major Cybersecurity and Data Protection Regulations
Below are some of the most widely referenced cybersecurity and data protection regulations and standards from around the world:
| Regulation | Region | Overview |
|---|---|---|
| California Consumer Privacy Act & California Privacy Rights Act (CCPA / CPRA) | United States | California privacy laws granting consumer data rights and imposing business data protection obligations. |
| Children’s Internet Protection Act (CIPA) | United States | Requires schools and libraries that receive E-Rate funding to adopt internet safety policies, including content filtering, as a condition of that funding. |
| Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) | United States | Requires covered critical infrastructure entities to report substantial cyber incidents and ransom payments to CISA under its implementing regulations. |
| Cyber Resilience Act (CRA) | European Union | Security requirements for products with digital elements across their lifecycle. |
| Cyber Solidarity Act | European Union | EU-wide cyber incident preparedness and coordinated response mechanisms. |
| Cybersecurity Information Sharing Act (CISA) | United States | 2015 law encouraging voluntary sharing of cyber threat indicators between private organizations and government, with liability protections for sharing; distinct from the Cybersecurity and Infrastructure Security Agency, which shares the acronym. |
| Cybersecurity Maturity Model Certification (CMMC) | United States | Department of Defense program requiring security maturity levels for defense contractors. |
| Digital Operational Resilience Act (DORA) | European Union | Digital resilience requirements for financial entities and their critical ICT third-party providers, covering ICT risk management, incident reporting, resilience testing, and third-party risk. |
| Federal Information Security Modernization Act (FISMA) | United States | Establishes information security requirements for U.S. federal systems and contractors. |
| General Data Protection Regulation (GDPR) | European Union | Comprehensive personal data protection and privacy regulation with extraterritorial scope; personal data breaches must be notified to the supervisory authority within 72 hours where feasible. |
| Gramm-Leach-Bliley Act (GLBA) | United States | Requires financial institutions to protect customers’ non‑public personal information. |
| Health Insurance Portability and Accountability Act (HIPAA) | United States | Health data protection law requiring administrative, physical, and technical security safeguards. |
| Intelligence-led Cyber Resilience Testing (OSFI I-CRT) | Canada | OSFI framework for threat-intelligence-led red team testing of the cyber resilience of federally regulated financial institutions. |
| Keeping Children Safe in Education (KCSiE) | England | Statutory safeguarding guidance for schools and colleges covering children under 18, including requirements for policy, staff training, and filtering and monitoring of internet access. |
| Network and Information Security Directive 2 (NIS 2) | European Union | Cybersecurity risk management, management accountability, and incident reporting requirements for essential and important entities, transposed into member state law. |
| Online Safety Act 2023 | United Kingdom | Places duties on user-to-user and search services, enforced by Ofcom, to protect users and especially children from illegal and harmful content. |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada | Personal data protection law including mandatory breach notifications. |
| UK General Data Protection Regulation & Data Protection Act 2018 (UK GDPR) | United Kingdom | UK data protection regime aligned with EU GDPR principles. |
| UK Network and Information Systems Regulations 2018 (UK NIS) | United Kingdom | Cybersecurity and incident reporting requirements for operators of essential services and relevant digital service providers. |
Why Cybersecurity Regulations Matter
Cybersecurity regulations set a baseline of controls and reporting duties that protect personal, financial, and critical data from unauthorized access, misuse, and breaches, reducing the potential impact on individuals, organizations, and essential services. For practitioners, they also define what must be demonstrable: which data is in scope, which safeguards must exist, and how quickly an incident must be reported.
Ready for a Compliance Consult?
Connect with our experts on your specific regulatory needs and how WatchGuard closes gaps, reduces risk and improves resiliency.