Cyber Security and Data Privacy Regulatory Compliance
20 November 2025
UK
UK GDPR
The UK GDPR (General Data Protection Regulation) provides the baseline for how organisations must process personal data and protect individuals’ rights, sitting alongside other laws to form the UK’s data protection framework.
Who needs to comply?
The UK GDPR applies to organisations that process personal data in the UK, as well as those based outside the UK if they offer goods or services to, or monitor the behaviour of, individuals in the UK.
What are its core requirements?
The requirements of the UK GDPR mirror those of the EU GDPR. Organisations must follow the same data processing principles, be accountable for their processing, and give individuals rights regarding the use of their data.
DPA 2018
The Data Protection Act 2018 sets out how personal data must be collected, handled and stored.
Who needs to comply?
Organisations that are subject to the UK GDPR.
What are its core requirements?
It sets UK-specific standards in areas such as the digital age of consent and sensitive data processing, and sets data processing requirements for law enforcement agencies and intelligence sectors.
PECR
The PECR (Privacy and Electronic Communications Regulations) specify how organisations can lawfully communicate with people and gather their information.
Who needs to comply?
Organisations in the UK that contact people for marketing purposes by phone, email, text or fax, gather website cookies or compile public directories.
What are its core requirements?
It restricts marketing activities and certain types of data processing, requires organisations to secure their electronic communications network and services, and gives individuals rights regarding the way their data is processed.
DUAA
The Data (Use and Access) Act amends data protection requirements in the UK, primarily supplementing the GDPR, DPA 2018 and PECR.
Who needs to comply?
UK-based organisations and public bodies that collect, use or share personal data, and overseas organisations that offer goods or services into the UK.
What are its core requirements?
It sets new requirements for responding to DSARs (data subject access requests) and personal data complaints, establishes additional requirements for protecting children’s data and establishes new lawful ways to use people’s data.
NIS Regulations
The NIS Regulations (Security of Network & Information Systems Regulations) set out security requirements in the UK’s essential services and digital services sectors.
Who needs to comply?
Operators of essential services (such as energy and transportation) and digital service providers in the UK.
What are its core requirements?
Organisations must implement technical and organisational measures to manage risks, assets and their supply chain.
EU
EU GDPR
The EU GDPR (General Data Protection Regulation) protects individuals’ personal data and regulates how organisations collect and use it.
Who needs to comply?
The EU GDPR applies to organisations in the EU that process personal data, and to organisations based outside the EU that offer goods or services to, or monitor the behaviour of, EU residents.
What are its core requirements?
Personal data must be processed securely, transparently and only where there is a lawful basis for doing so. Organisations must remain accountable for their processing activities and preserve data subjects’ rights when processing their data.
NIS2
The NIS2 Directive establishes a framework to protect critical sectors across the EU from cyber security risks.
Who needs to comply?
Public and private sector organisations that provide critical infrastructure and essential services in the EU.
What are its core requirements?
Organisations must adopt measures to manage the risk of security breaches and operational disruptions.
AI Act
The EU AI Act ensures that artificial intelligence systems are designed and used in a responsible manner.
Who needs to comply?
Organisations that provide, deploy, import or distribute AI systems that are used in the EU.
What are its core requirements?
AI systems must be designed, documented and monitored in ways that manage and reduce risks, including through transparency, human oversight and safety controls.
DORA
DORA (Digital Operational Resilience Act) protects the financial sector against ICT threats and disruptions.
Who needs to comply?
Financial entities operating within the EU and their service providers.
What are its core requirements?
Organisations must manage ICT risks, regularly test their systems and manage third-party risks.
US
HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is a law that protects the confidentiality, integrity and availability of electronic protected health information (ePHI).
Who needs to comply?
Organisations in the US that process ePHI, which can include health care providers, health plans and some suppliers.
What are its core requirements?
Health information must be subject to physical and technical safeguards. There are also requirements regarding when information can be legally disclosed and how to respond in the event of unauthorised disclosures.
Sarbanes–Oxley
The Sarbanes–Oxley Act, often referred to simply as ‘SOX’, ensures that organisations produce accurate financial statements.
Who needs to comply?
Public companies that do business in the US.
What are its core requirements?
Financial data must be protected from tampering, while organisations must file regular reports confirming that these controls are effective and that financial disclosures are accurate.
CCPA
The CCPA (California Consumer Privacy Act) gives consumers more control over the personal information that organisations process about them.
Who needs to comply?
Organisations that process the personal information of California residents and either generate $25 million annually in revenue, derive 50% of revenue from selling/sharing personal data, or process the personal information of 100,000 California residents or California-based households/devices.
What are its core requirements?
Individuals must be given greater transparency regarding the use of their personal data, together with access to it and control over how it is used. Organisations must implement measures to reduce the risks associated with their data processing.
GLBA
The Gramm–Leach–Bliley Act requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data.
Who needs to comply?
Organisations that offer financial products and services to US consumers.
What are its core requirements?
Sensitive data must be subject to appropriate safeguards and individuals must be notified about how their data is used and their rights to opt out of certain processing activities.
DFARS
The DFARS (Defense Federal Acquisition Regulation Supplement) is a set of regulations that ensure that the US DoD (Department of Defense) receives quality goods and services at fair and reasonable prices.
Who needs to comply?
Any organisation in the DoD’s supply chain.
What are its core requirements?
Valuable data and systems must be protected against unauthorised access, misuse, disruption or destruction. Organisations must also implement measures to identify, monitor, prevent and respond to risks.
Global
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is designed to protect cardholder data.
Who needs to comply?
All merchants and service providers that process, transmit or store cardholder data.
What are its core requirements?
Organisations must implement security measures to protect their network and systems and regularly test their networks to identify vulnerabilities.
SWIFT CSP
The SWIFT CSP (Customer Security Programme) helps financial organisations ensure their cyber security defences are adequate and up to date.
Who needs to comply?
Organisations that use the SWIFT network.
What are its core requirements?
Critical systems must be protected against IT-based and physical threats, access to valuable data must be secured and measures must be put in place to detect and respond to suspicious activity.