Compliance Frameworks
Browse 718 compliance frameworks across jurisdictions
Showing 718 of 718 frameworks
Title 21 Code of Federal Regulations Part 211 establishes the minimum current good manufacturing practice (cGMP) requirements for the preparation of drug products (finished pharmaceuticals) for administration to humans or animals. Covers all aspects of pharmaceutical manufacturing from personnel and facilities to production controls and record keeping. Enforced by the FDA.
Title 21 Code of Federal Regulations Part 58 establishes Good Laboratory Practice (GLP) regulations for nonclinical laboratory studies supporting applications for research or marketing permits for FDA-regulated products. Covers organization, facilities, equipment, testing operations, records, and reporting requirements to ensure the quality and integrity of safety data.
3GPP Technical Specification 33.501 defines the security architecture and procedures for 5G systems, including authentication (5G-AKA and EAP-AKA'), key management, security between network functions, user plane integrity protection, and subscriber privacy through SUPI/SUCI encryption to prevent tracking and IMSI catching.
The 6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673) strengthens the EU's criminal law framework for combating money laundering. It harmonises the definition of money-laundering offences, extends criminal liability to legal persons, introduces minimum sanctions, expands the scope of predicate offences, and requires member states to criminalise aiding, abetting, inciting and attempting money laundering. Directive 2018/1673 remains in force. The 2024 EU AML package (Regulation (EU) 2024/1624 and Directive (EU) 2024/1640, the latter itself often called the 'sixth AML Directive', which causes confusion) replaces the preventive regime of Directive (EU) 2015/849, not this criminal-law directive.
Australian Accounting Standards Board Standard S2 requires entities to disclose climate-related risks and opportunities. Based on IFRS S2 issued by the ISSB. Structured around four pillars: Governance, Strategy, Risk Management, and Metrics and Targets. Commenced as a legislative instrument on 31 December 2024.
Australian Cyber Security Centre Essential Eight Maturity Model: eight prioritised mitigation strategies with three maturity levels.
The AICPA Privacy Management Framework (PMF) provides a comprehensive framework for CPA practitioners and organisations to manage and report on privacy risk. It builds on the Generally Accepted Privacy Principles (GAPP) and SOC 2 Trust Services Criteria for Privacy. The PMF includes nine privacy components: management, agreement/notice/communication, collection, use/retention/disposal, access, disclosure to third parties, security, quality, and monitoring/enforcement. Used in SOC 2 privacy engagements and privacy programme assessments.
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) establishes a regulatory framework requiring Australian businesses providing designated services to identify, mitigate and manage money laundering and terrorism financing risks. Administered by AUSTRAC.
French National Cybersecurity Agency framework
The APEC Cross-Border Privacy Rules (CBPR) System is a voluntary accountability-based framework for facilitating cross-border data flows among APEC economies while protecting personal information. Participating companies self-certify compliance with programme requirements, verified by APEC-recognised accountability agents. Based on the APEC Privacy Framework. Participating economies include US, Japan, Canada, South Korea, Australia, Singapore, and others. Being transitioned to the Global CBPR Forum.
Pipeline SCADA Security for petroleum and natural gas
Australian Prudential Regulation Authority Prudential Standard CPS 220 sets out requirements for APRA-regulated entities to have an effective risk management framework, including the Board's responsibility for risk oversight, a Chief Risk Officer, and the 'three lines of defence' model. Applies to ADIs, insurers, and RSE licensees.
Australian Prudential Regulation Authority Prudential Standard CPS 230 sets out requirements for APRA-regulated entities to effectively manage operational risks, maintain business continuity, and manage risks from service provider arrangements. Effective 1 July 2025.
Australian Prudential Regulation Authority Information Security Standard
Australian Prudential Regulation Authority Prudential Standard SPS 220 sets out risk management requirements specifically for RSE licensees (superannuation trustees). It requires RSE licensees to maintain a Board-approved risk management framework covering material risks to the business operations and to the interests of beneficiaries.
AS9100D (SAE International) is the aerospace quality management system standard based on ISO 9001:2015 with additional aerospace-specific requirements. It addresses the unique quality, safety, and reliability requirements of the aviation, space, and defense industries. Required for certification of aerospace manufacturers and suppliers. Recognized by major aerospace OEMs (Boeing, Airbus, Lockheed Martin, etc.) as a prerequisite for supplier qualification.
AS9100D:2016 (equivalent to EN 9100:2018 in Europe) is the quality management system standard for the aviation, space, and defence (AS&D) industry. Based on ISO 9001:2015 with additional AS&D-specific requirements. Published by SAE International (IAQG - International Aerospace Quality Group). Covers product safety, counterfeit parts prevention, risk management, configuration management, and special processes. Required by major aerospace primes (Boeing, Airbus, Lockheed Martin, Rolls-Royce) for their supply chain. Over 20,000 certified organisations worldwide.
A prioritised list of 37 mitigation strategies published by the Australian Signals Directorate to help organisations protect themselves against cyber threats. The Essential Eight is a subset of these strategies.
The ASEAN Data Management Framework provides a common framework for ASEAN member states to harmonize data governance across the region. It covers data lifecycle management, cross-border data flows, data protection measures, and organizational accountability. Designed to facilitate trusted data flows within ASEAN while maintaining appropriate safeguards.
The ASEAN Guide on AI Governance and Ethics provides a practical framework for ASEAN member states and organizations to deploy AI responsibly. Based on principles of transparency, fairness, security, accountability, and human-centricity, it provides guidance for both AI developers and deployers. Complements existing national AI strategies across ASEAN member states.
The Australian Securities and Investments Commission sets expectations for cyber resilience of regulated entities in the financial services sector. Based on ASIC Report 429 (2015) and Report 716 (2022), it outlines good practices for boards and management in managing cyber security risks. Applies to Australian financial services licensees, credit licensees, and market operators.
ASIS SPC.1-2009 (Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use) is an American National Standard that establishes requirements for a management system to enhance organizational resilience. Published by ASIS International, it integrates security management, emergency management, and business continuity into a unified resilience management system. Certifiable standard used primarily in North America.
Amazon Web Services security best practices framework
The American Water Works Association (AWWA) provides comprehensive cybersecurity guidance for water and wastewater utilities. Key publications include: AWWA Cybersecurity Risk & Responsibility in the Water Sector (2019), Process Control System Security Guidance for the Water Sector, and collaboration with WaterISAC. AWWA serves 50,000+ members representing water utilities, treatment plants, and suppliers. The guidance addresses unique challenges of water sector OT systems including SCADA, PLCs, and chemical dosing systems. Aligned with NIST Cybersecurity Framework, EPA requirements, and America's Water Infrastructure Act (AWIA) Section 2013.
The Act on the Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka, OG 42/2018) provides national provisions supplementing the EU GDPR in Croatia. It defines specific conditions for lawful processing, the rights of data subjects, and the powers of the Croatian Personal Data Protection Agency (AZOP). The act has been amended by OG 71/2020 and OG 115/2022 to align with subsequent EU legislative updates.
Regulations governing algorithmic recommendation services (2022) and security assessment of generative AI services (2023), with amendments introduced in 2024 expanding oversight of AI‑generated content and recommendation algorithms.
The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014) is the first continental framework addressing cybersecurity and data protection in Africa. It establishes obligations for AU member states in electronic commerce, personal data protection, cybersecurity, and cybercrime. Entered into force June 2023 after achieving 15 ratifications.
The Aged Care Quality Standards set out the level of care and services expected of aged care providers in Australia. Enforced by the Aged Care Quality and Safety Commission. All Commonwealth-funded aged care providers must comply with these 8 standards. Set out in Schedule 2 of the Quality of Care Principles 2014.
Albania's Law on Protection of Personal Data (Law No. 9887/2008, amended by Law No. 48/2014) establishes the data protection framework. The Information and Data Protection Commissioner oversees enforcement. The law was initially based on the EU Data Protection Directive and has been progressively updated toward GDPR alignment as part of Albania's EU accession process. Covers processing principles, consent, data subject rights, cross-border transfers, and DPO requirements. A new GDPR-aligned law has been under development.
Angola's Law No. 22/11 on the Protection of Personal Data (2011) establishes the country's data protection framework. The Agência de Protecção de Dados (APD) serves as the supervisory authority. The law establishes data processing principles, individual rights, controller obligations, and provisions for cross-border transfers. Applies to processing of personal data by controllers established in Angola.
Annex 11 of EudraLex Volume 4 (the EU GMP guide), published by the European Commission and in force since 2011, provides guidance on the application of Good Manufacturing Practice (GMP) to computerised systems used throughout the pharmaceutical lifecycle, including manufacturing, quality control, laboratory testing, and distribution. It addresses system validation, data integrity, security (access control, audit trails), change control, backup and recovery, and the overall lifecycle management of computerised systems. A revision is under way (a concept paper was published in 2022), but the 2011 text remains the version in force.
Argentina's Personal Data Protection Law (Law 25.326, 2000) together with its implementing regulation Decree 1558/2001 and the oversight powers of the Agencia de Acceso a la Información Pública (AAIP) as enforcement authority. The statute itself contains no data breach notification duty; notification is addressed only through AAIP guidance (Resolution 47/2018 on recommended security measures).
Chris Argyris's theory of organizational learning distinguishing between single-loop learning (correcting errors within existing frameworks) and double-loop learning (questioning and modifying underlying assumptions, values, and policies). Published in 'Organizational Learning' (1978, with Donald Schon) and 'On Organizational Learning' (1999).
Armenia's Law on Protection of Personal Data (2015) establishes the data protection framework. The Agency for Protection of Personal Data (subsequently integrated into the Human Rights Defender's Office) oversees compliance. The law establishes processing principles, consent requirements, data subject rights, and cross-border transfer provisions. Armenia has been working to strengthen alignment with European standards through Council of Europe Convention 108+ ratification.
The Australian Consumer Data Right (CDR) for banking, mandated under the Competition and Consumer Act 2010 (as amended by the Treasury Laws Amendment (Consumer Data Right) Act 2019), gives consumers the right to share their banking data with accredited third parties. Administered by the ACCC (accreditation), OAIC (privacy), and Data Standards Body (technical standards). Effective July 2020, covering transaction accounts, credit cards, and lending products. Expanding to energy and telecommunications sectors.
The Information Security Registered Assessors Program (IRAP) is an Australian Government initiative administered by the Australian Signals Directorate (ASD). IRAP provides a framework for assessing the implementation and effectiveness of security controls against the Australian Government Information Security Manual (ISM). IRAP assessors are endorsed by ASD to conduct security assessments for Australian Government agencies and cloud service providers seeking to host government data. Assessment against ISM controls at OFFICIAL, PROTECTED, and SECRET levels.
The My Health Records Act 2012 establishes the legal framework for Australia's national digital health record system (My Health Record). Managed by the Australian Digital Health Agency, it enables individuals and healthcare providers to access a summary of health information online. The system operates on an opt-out basis (since 2018). The Act establishes strict access controls, penalties for misuse, and governance by the System Operator.
The Australian National Health and Medical Research Council (NHMRC) National Statement on Ethical Conduct in Human Research (2007, updated 2018) sets out the ethical framework for research involving humans. It covers consent, privacy, data management, governance, and the role of Human Research Ethics Committees (HRECs). Compliance is mandatory for NHMRC-funded research and widely adopted across Australian research institutions. Key principles: research merit, justice, beneficence, and respect for persons. Specifically addresses data governance, biobanks, genetic research, and Aboriginal and Torres Strait Islander research.
The Australian Online Safety Act 2021 establishes the eSafety Commissioner as the independent regulator for online safety. The Act creates a complaints-based system for removing harmful online content, with powers to issue removal notices to platforms, hosting services, and internet service providers. Key provisions include the Online Content Scheme (replacing the Broadcasting Services Act schedules), cyber-bullying scheme for children, image-based abuse scheme, and Basic Online Safety Expectations. Applies to online services with an Australian link.
The Australian eSafety Commissioner, established under the Online Safety Act 2021, has regulatory powers to protect Australians from online harms. Key instruments include: Basic Online Safety Expectations (BOSE) for online services, mandatory industry codes and standards, cyberbullying schemes, image-based abuse schemes, and online content schemes. The eSafety Commissioner can issue removal notices for seriously harmful content, conduct investigations, and impose penalties. BOSE requires services to take reasonable steps to ensure safety, implement reporting mechanisms, and provide transparency about safety measures. Specific focus on child safety online.
The Australian Energy Sector Cyber Security Framework is developed by the Australian Energy Market Operator (AEMO) in collaboration with the Australian Cyber Security Centre. It provides a maturity model approach to cyber security for Australia's energy sector, incorporating elements from NIST CSF, C2M2, and the ASD Essential Eight. Applies to electricity and gas market participants.
ACSC Information Security Manual. Australian Government cybersecurity controls baseline.
The 13 Australian Privacy Principles form the cornerstone of the privacy protection framework in the Privacy Act 1988, regulating how organisations and agencies handle personal information.
Austria's Data Protection Act (Datenschutzgesetz, DSG) as amended in 2018 supplements the EU GDPR with national provisions. The Datenschutzbehörde (DSB, the Austrian Data Protection Authority) oversees enforcement. The DSG retains a constitutional right to data protection: Section 1 DSG has constitutional rank, a feature Austrian data protection law has carried since its first DSG. Notable provisions include the age of digital consent (14 years), broad research derogations, specific rules for image processing (Bildaufnahme), and administrative and criminal penalties.
Authorised Economic Operator (AEO) programmes are globally implemented supply chain security and trade facilitation initiatives based on the WCO SAFE Framework. Over 97 countries operate AEO programmes. AEO status is granted to economic operators (importers, exporters, customs brokers, carriers, warehouse operators) that demonstrate compliance with customs requirements, financial solvency, and supply chain security standards. Mutual recognition arrangements (MRAs) between countries provide reciprocal AEO benefits. Key programmes include EU AEO, US C-TPAT, Japan AEO, China AEO, and Australia Trusted Trader.
Automotive SPICE (ASPICE) v4.0 (2023) is a process assessment model for software development in the automotive industry. Based on ISO/IEC 33020 process measurement framework. ASPICE defines process reference models and process assessment indicators for system engineering, software engineering, hardware engineering, and machine learning engineering. Used by OEMs to assess supplier development process capability. Capability levels 0-5. ASPICE assessments are a de facto requirement for automotive Tier 1/2 suppliers.
Azerbaijan's Law on Personal Data (2010) establishes the personal data protection framework. The State Service for Special Communication and Information Security oversees implementation. The law establishes processing principles, consent requirements, data subject rights, data security obligations, and cross-border transfer provisions. Azerbaijan ratified Council of Europe Convention 108 in 2010. The law applies to processing of personal data by state bodies and private entities in Azerbaijan.
Microsoft Azure cloud security best practices and controls
Basel Committee Principles for Effective Risk Data Aggregation
BIMCO Guidelines on Cyber Security Onboard Ships
The BRCGS (Brand Reputation Compliance Global Standards) Global Standard for Food Safety Issue 9 (2022) is a GFSI-benchmarked food safety certification standard for food manufacturers. Originally developed by the British Retail Consortium. Over 30,000 certified sites in 130+ countries. Covers senior management commitment, HACCP, food safety and quality management systems, site standards, product control, process control, and personnel. Grades: AA, A, B, C, D (unannounced option gives higher grade). Published and managed by BRCGS (LGC ASSURE).
BREEAM (Building Research Establishment Environmental Assessment Method) is the world's oldest green building certification scheme, established in 1990 by BRE Global. It assesses and certifies the sustainability performance of buildings across their lifecycle. Categories include management, health and wellbeing, energy, transport, water, materials, waste, land use and ecology, and pollution. Rating levels: Pass, Good, Very Good, Excellent, and Outstanding. Over 590,000 buildings certified in 90+ countries.
BS 65000:2014, published by BSI (British Standards Institution), provides guidance on organizational resilience encompassing an organisation's ability to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper. It provides a holistic approach integrating business continuity, risk management, crisis management, and security management. Describes the resilience journey from awareness through to adaptive resilience. Predecessor to ISO 22316.
German Federal Office for Information Security baseline protection
The Bank Secrecy Act (31 U.S.C. 5311-5332) and implementing regulations (31 CFR Chapter X) establish requirements for financial institutions to detect and prevent money laundering, terrorist financing, and other financial crimes. Key components include AML compliance programs, customer identification/due diligence, suspicious activity reporting, currency transaction reporting, and recordkeeping. Amended by USA PATRIOT Act (2001), CDD Rule (2016), and AML Act (2020).
The Barbados Data Protection Act 2019 (Cap. 380A) establishes a data protection framework for Barbados. The Data Protection Commissioner oversees compliance. The Act establishes processing principles, individual rights, and provisions for cross-border transfers. Modelled on Caribbean Community (CARICOM) model data protection legislation. Applies to the processing of personal data by controllers in Barbados.
Basel III: International regulatory framework for banks, developed by the Basel Committee on Banking Supervision (BCBS). Strengthens bank capital requirements, introduces new requirements on bank liquidity and leverage, and enhances risk management. Published 2010-2017, with final reforms (sometimes called Basel IV) finalized in December 2017. Implementation ongoing through 2028.
Belgian Centre for Cybersecurity CyberFundamentals Framework
Belgium's Data Protection Act of 30 July 2018 supplements the EU GDPR with national provisions. The Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données, GBA/APD) oversees enforcement. The Act includes provisions for the age of digital consent (13 years), processing of national identification numbers (Rijksregisternummer/Numéro de registre national), journalistic exemptions, employment data, and administrative penalties. Belgium's DPA is notable for its Litigation Chamber and significant fine decisions.
The Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct (2020) establishes cybersecurity expectations for BMA-regulated entities including insurers, reinsurers, banks, and trust companies. Bermuda is a major international insurance and reinsurance hub. The Code covers cyber risk governance, risk management, incident response, third-party management, and reporting. Proportionate approach based on entity size, complexity, and cyber risk profile. Compliance monitored through BMA supervisory reviews and examinations.
Bermuda's Personal Information Protection Act 2016 (PIPA, substantially in force January 1, 2025) establishes a comprehensive privacy framework. The Privacy Commissioner for Bermuda oversees compliance. PIPA establishes processing principles, individual rights, mandatory breach notification, and provisions for cross-border transfers. Designed to support Bermuda's EU adequacy application for the insurance/reinsurance sector.
Bosnia and Herzegovina's Law on Protection of Personal Data (Official Gazette BiH No. 49/06, 76/11) establishes the data protection framework. The Personal Data Protection Agency of Bosnia and Herzegovina (AZLP) oversees enforcement. The law was modelled on the EU Data Protection Directive (95/46/EC). It covers processing principles, consent, data subject rights, cross-border transfers, and registration obligations. Amendments and alignment with GDPR have been under discussion as part of EU accession negotiations.
The Botswana Data Protection Act provides a comprehensive framework for the protection of personal data in Botswana. It establishes data protection principles, individual rights, obligations for data controllers and processors, and provisions for cross-border data transfers. Creates the Data Protection Commissioner to oversee implementation and enforcement.
Brazil's Open Finance framework, established by the Central Bank of Brazil (BCB) through Resolução Conjunta No. 1/2020 and subsequent regulations, creates one of the world's most comprehensive open financial data ecosystems. Mandatory for regulated financial institutions, it covers banking, insurance, investments, pensions, and foreign exchange data sharing. Phases implemented from 2021-2023. Uses standardised APIs managed by the Open Finance Brasil governance structure.
The Personal Data Protection Order (PDPO) 2022, issued under the Emergency (Prohibition of Certain Acts) Order, establishes a comprehensive data protection framework for Brunei Darussalam. The Authority for Info-communications Technology Industry (AITI) is designated as the data protection authority responsible for enforcement and compliance. The PDPO aligns with the APEC Privacy Framework, setting out obligations for data controllers, rights for data subjects, and enforcement mechanisms.
The program’s security criteria were last updated in 2023, adding new supply‑chain security requirements and enhanced validation processes.
Cloud Computing Compliance Criteria Catalogue by BSI Germany
California Consumer Privacy Act / California Privacy Rights Act
The Consultative Committee for Space Data Systems (CCSDS) 350.0-G-3 (The Application of Security to CCSDS Protocols) provides security guidance for space mission communications. CCSDS is the international standardisation body for space data systems with all major space agencies as members (NASA, ESA, JAXA, ROSCOSMOS, etc.). The security framework covers authentication, encryption, and access control for space-ground communications, telemetry, telecommand, and space data links. Key standards include CCSDS 352.0-B (Space Data Link Security Protocol) and CCSDS 355.0-B (Space Missions Key Management). Applicable to all civilian and scientific space missions.
CDP runs the global disclosure system for environmental impact. Through its annual questionnaires, CDP collects data from companies, cities, states, and regions on climate change, water security, and forests/deforestation. Approximately 9,000-10,000 companies disclose through CDP each year, and responses are scored on a scale from A (leadership) through B (management) and C (awareness) to D (disclosure), with minus grades at each level.
The Commodity Futures Trading Commission (CFTC) System Safeguards rules (17 CFR Parts 37, 38, 39, and 49) establish comprehensive cybersecurity, business continuity, incident reporting, system integrity, and risk management requirements for designated contract markets (DCMs), swap execution facilities (SEFs), derivatives clearing organizations (DCOs), and swap data repositories (SDRs).
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Pub.L. 117-103, Division Y) requires covered critical infrastructure entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing one has occurred, and to report ransom payments within 24 hours. The act directs CISA to define covered entities, covered incidents and report contents through rulemaking; the reporting obligations apply only once that final rule is in effect. Submitted reports are exempt from FOIA and may not be used in regulatory enforcement against the reporting entity, and CISA shares anonymised analysis with federal partners and Congress rather than publishing the reports.
Center for Internet Security Critical Security Controls - prioritized set of actions to protect organizations and data from known cyber attack vectors
CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risk to critical infrastructure operations. Aligned with the NIST Cybersecurity Framework, CPGs provide a common set of protections that all critical infrastructure owners and operators can implement.
CISA (through what was formerly the standalone Industrial Control Systems Cyber Emergency Response Team, ICS-CERT) publishes a continuous stream of security resources for operational technology. This includes ICS Advisories (vendor-coordinated vulnerability disclosures), ICS Alerts, Recommended Practices, and technical guidance documents, all aimed at improving the security of industrial control and SCADA systems.
CISA Zero Trust Maturity Model for federal agencies
Cybersecurity Maturity Model Certification for defense industrial base
Cybersecurity Maturity Model Certification version 2.0 Level 1 (Foundational). 17 practices mapped to FAR 52.204-21.
The CNCF Security Technical Advisory Group (TAG) publishes security guidance for cloud‑native ecosystems, including the CNCF Cloud Native Security Whitepaper (v2, 2022), the Software Supply Chain Best Practices guide, and the CNCF Security Assessment process. These resources are best‑practice documents rather than a formal framework with defined domains or controls.
Control Objectives for Information and Related Technologies - governance framework for enterprise IT management
US federal law protecting the online privacy of children under 13, implemented by the FTC COPPA Rule (16 CFR Part 312, amended April 2025): notice, verifiable parental consent, parental review and deletion rights, data minimisation, security, retention limits, safe harbor, and FTC and state-AG enforcement.
COSO Enterprise Risk Management framework (2017 edition, Integrating with Strategy and Performance), structured as five interrelated components (Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; Information, Communication, and Reporting) and 20 principles. Copyrighted by COSO/AICPA; full control text requires a licensed copy.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework, originally issued in 1992 and updated in 2013, defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) operations - effectiveness and efficiency of the entity’s operations, including operational and financial performance; (2) reporting - reliability of reporting, including the preparation of financial statements and other reports; and (3) compliance - compliance with applicable laws and regulations.
The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) programme provides a comprehensive framework for cloud security assurance. Based on the CSA Cloud Controls Matrix (CCM), STAR offers three levels of assurance: self-assessment (Level 1), third-party audit (Level 2 - SOC 2 or ISO 27001 based), and continuous monitoring (Level 3). The CCM provides 197 control objectives across 17 domains mapped to major standards and regulations.
EU CSRD (Directive (EU) 2022/2464) amends the Accounting Directive to require in-scope large and listed undertakings to report sustainability information per the European Sustainability Reporting Standards (ESRS, Commission Delegated Regulation (EU) 2023/2772): 2 cross-cutting standards (ESRS 1 general requirements incl double materiality and value-chain coverage, ESRS 2 general disclosures) and 10 topical standards (E1-E5 environment, S1-S4 social, G1 governance), with digital XBRL tagging, EU Taxonomy alignment, and limited (later reasonable) assurance.
The 2024 CWE Top 25 Most Dangerous Software Weaknesses published by MITRE Corporation and supported by CISA. Based on analysis of 31,770 CVE records scored by frequency multiplied by severity (CVSS). Identifies the most common and impactful software weaknesses that developers and organizations should prioritize. Released November 19, 2024.
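The entry above summarises the Top 25 scoring as "frequency multiplied by severity". The following is an added worked example, not MITRE's code and not taken from the page: it implements that scoring in the min-max normalised form MITRE documents for the list (normalised count times normalised average CVSS, times 100) over a constructed set of records. The CVE identifiers, CWE assignments and CVSS scores are placeholder sample data, and the exclusion of records mapped only to NVD's placeholder categories (NVD-CWE-noinfo, NVD-CWE-Other) is an assumption stated in the code.

```python
"""Worked CWE Top 25-style scoring (added illustration, not MITRE tooling).

Score(X) = Fr(X) * Sv(X) * 100, where
  Fr(X) = (count(X) - min_count) / (max_count - min_count)
  Sv(X) = (avg_cvss(X) - min_avg) / (max_avg - min_avg)
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (cve_id, cwe_id, cvss_base_score).
# The IDs and scores are placeholders, not real CVE entries.
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 6.1),
    ("CVE-0000-0003", "CWE-79", 5.4),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 4.8),
    ("CVE-0000-0006", "CWE-787", 9.8),
    ("CVE-0000-0007", "CWE-787", 8.8),
    ("CVE-0000-0008", "CWE-787", 7.8),
    ("CVE-0000-0009", "CWE-787", 9.8),
    ("CVE-0000-0010", "CWE-89", 9.8),
    ("CVE-0000-0011", "CWE-89", 8.8),
    ("CVE-0000-0012", "CWE-89", 9.8),
    ("CVE-0000-0013", "CWE-20", 7.5),
    ("CVE-0000-0014", "CWE-20", 5.3),
    ("CVE-0000-0015", "CWE-416", 7.8),
    ("CVE-0000-0016", "NVD-CWE-noinfo", 9.8),  # placeholder mapping, dropped
]

# Assumption: records carrying only NVD's placeholder categories contribute
# nothing to any real weakness and are excluded before scoring.
PLACEHOLDER_CWES = {"NVD-CWE-noinfo", "NVD-CWE-Other", None}


def aggregate(records):
    """Group records by CWE and return {cwe: (count, mean_cvss)}."""
    by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        if cwe in PLACEHOLDER_CWES or cvss is None:
            continue
        by_cwe[cwe].append(float(cvss))
    return {cwe: (len(scores), mean(scores)) for cwe, scores in by_cwe.items()}


def _norm(value, lo, hi):
    """Min-max normalise into [0, 1]; a degenerate range scores 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score(records):
    """Return {cwe: score} with the normalised frequency * severity formula."""
    agg = aggregate(records)
    counts = [c for c, _ in agg.values()]
    avgs = [a for _, a in agg.values()]
    c_lo, c_hi = min(counts), max(counts)
    a_lo, a_hi = min(avgs), max(avgs)
    return {
        cwe: round(_norm(count, c_lo, c_hi) * _norm(avg, a_lo, a_hi) * 100, 2)
        for cwe, (count, avg) in agg.items()
    }


def rank(records, top=25):
    """Return [(cwe, score), ...] sorted by score descending, then CWE id."""
    scored = score(records)
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    for position, (cwe, value) in enumerate(rank(SAMPLE_RECORDS), start=1):
        print(f"{position:2d}. {cwe:<8} {value:6.2f}")
```

On this sample the most frequent weakness (CWE-79, five records) scores 0 because its average CVSS is the lowest in the set, and the single-record CWE-416 scores 0 because its count is the minimum. That is a property of the min-max normalisation: a weakness at the floor of either factor is zeroed regardless of the other, which is why a CWE needs both volume and severity to climb a list built this way.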
California IoT security law (SB-327)
Cambodia's Sub‑Decree No. 134 on the Management of Personal Data in the Digital Sector, issued on 30 May 2022 under the Law on E‑Commerce (Law No. 6/2020) and effective from 1 January 2023, establishes the country's first comprehensive data‑protection framework. It sets out principles for personal data processing, consent requirements, data‑subject rights, obligations of data controllers and processors, cross‑border data transfer rules, and enforcement mechanisms. The decree maps to 11 privacy domains and 53 specific controls.
The Artificial Intelligence and Data Act (AIDA), proposed as Part 3 of Bill C-27 (Digital Charter Implementation Act, 2022), was a Canadian federal bill that would have established a risk-based regulatory framework for high-impact artificial intelligence systems. As drafted, it would have imposed obligations on persons responsible for high-impact AI systems, including conducting risk assessments, implementing monitoring and mitigation measures, maintaining detailed documentation, and providing transparency notices to affected individuals. It defined "high-impact" AI through criteria such as the system's scope, level of autonomy, and potential for significant harm, and included exemptions, enforcement powers for the Minister of Innovation, Science and Industry, and alignment with existing privacy legislation. Bill C-27 died on the Order Paper when Parliament was prorogued in January 2025, so AIDA was never enacted; any successor would need to be reintroduced as a new bill.
ITSG‑33 (IT Security Risk Management: A Lifecycle Approach) is the Canadian Centre for Cyber Security (CCCS) standard for managing IT security risks in Government of Canada (GC) departments and agencies. It defines a security control catalogue aligned with the Treasury Board Policy on Government Security and provides a risk‑based, lifecycle approach to protect information and systems.
Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) regulates the sending of commercial electronic messages (CEMs), the installation of computer programs, and the unauthorized collection of electronic addresses. It is enforced by the Canadian Radio‑television and Telecommunications Commission (CRTC) for electronic messages, the Competition Bureau for false or misleading representations, and the Office of the Privacy Commissioner of Canada for privacy‑related aspects.
Personal Information Protection and Electronic Documents Act. Federal Canadian private-sector privacy law.
The Cayman Islands Data Protection Act 2017 (as amended) establishes a comprehensive data protection framework for the Cayman Islands. The Office of the Ombudsman serves as the Data Protection Authority. The Act is modelled on the EU GDPR and includes data processing principles, individual rights, breach notification, and cross-border transfer provisions. Important for the Cayman Islands' significant financial services sector.
Chile's reformed Personal Data Protection Law (Law No. 21.719, enacted December 2024) replaces the outdated Law 19.628 of 1999. It creates an autonomous Data Protection Agency, establishes GDPR-aligned data protection principles, introduces mandatory breach notification, cross-border transfer restrictions, and significant penalties. Chile becomes the first Latin American country with EU adequacy recognition potential under the new framework. Two-year transition period.
The Cybersecurity Law of the People's Republic of China (effective 1 June 2017) is China's foundational cybersecurity legislation. It imposes obligations on network operators and operators of critical information infrastructure (CII) to implement a multi‑level protection scheme (MLPS), conduct security assessments of network products and services, ensure data localization for personal information and important data, protect personal information, and cooperate with government security inspections. The law also defines responsibilities for data breach notification and establishes penalties for non‑compliance. Although the CSL itself has not been amended since 2017, it is now complemented by the Data Security Law (2021) and the Personal Information Protection Law (2021), which expand and refine China's data governance regime.
The Data Security Law of the People's Republic of China (effective September 1, 2021) establishes a comprehensive framework for data security governance. It introduces a data classification and grading system, cross‑border data transfer restrictions, security assessment mechanisms, government data security obligations, and a national security assessment system for data handling.
China's comprehensive personal information protection statute (effective 1 November 2021), administered by the Cyberspace Administration of China. Establishes legal bases for handling personal information, sensitive-PI and minors' rules, cross-border transfer mechanisms, individual rights, handler obligations (PIPIA, DPO, breach notification, audits) and legal liability.
Cloud Security Alliance Cloud Controls Matrix - cybersecurity control framework for cloud computing
Represents the GDPR Article 40 code-of-conduct mechanism applied to the scientific-research sector. There is no single EDPB-approved transnational research code; the controls capture what such a code must contain under GDPR Articles 40 (codes of conduct), 41 (accredited monitoring bodies) and 89 (safeguards and derogations for scientific research), informed by EDPB guidance. Sectoral codes exist (e.g. clinical-research and biobanking codes).
Colombia's Law 1581 of 2012 establishes the general framework for the protection of personal data, regulated by Decree 1377 of 2013. It defines principles for lawful processing, requirements for consent, data subject rights, security obligations, and the role of data controllers and processors. Oversight is currently exercised by the Superintendence of Industry and Commerce (SIC), though legislative efforts are underway to establish an independent data protection authority.
The Colorado Artificial Intelligence Act (SB 24-205), enacted 17 May 2024 and codified at C.R.S. 6-1-1701 et seq., requires developers and deployers of high-risk AI systems to use reasonable care to protect consumers from algorithmic discrimination through documentation, risk-management programs, impact assessments, consumer notices and Attorney General disclosures. Effective date originally 1 February 2026, subsequently amended/delayed.
The Colorado Privacy Act (CPA) grants Colorado residents rights over their personal data, including the right to access, correct, delete, and opt out of processing for targeted advertising, profiling, or other discriminatory purposes. It applies to controllers and processors that (a) conduct business in Colorado or target Colorado residents, (b) process personal data of at least 100,000 Colorado residents annually, or (c) derive revenue of $25 million or more from the personal data of Colorado residents. The CPA also requires covered entities to implement data minimization, purpose limitation, and reasonable security measures, and to appoint a data protection officer (or designate a responsible individual).
The Commercial National Security Algorithm Suite (CNSA) 2.0, announced by the NSA in September 2022, defines the set of cryptographic algorithms required for National Security Systems (NSS), including AES‑256, SHA‑384, ECDSA P‑384, RSA‑3072, CRYSTALS‑Kyber (KEM) and CRYSTALS‑Dilithium (signature). CNSA 2.0 supersedes CNSA 1.0 and establishes a transition schedule: new NSS must adopt CNSA 2.0 algorithms by 2030, with full migration required by 2035.
The Connecticut Data Privacy Act (CTDPA), signed into law in June 2022 and effective July 1, 2023, establishes comprehensive consumer privacy rights for Connecticut residents. It provides rights to access, delete, correct, and opt out of the sale of personal data and targeted advertising. The law applies to any entity that conducts business in Connecticut or processes the personal data of Connecticut residents, regardless of where the entity is located.
Australia's Consumer Data Right (CDR) framework, established under Part IVD of the Competition and Consumer Act 2010, enables consumers to securely share their data with accredited third parties. It was first implemented for the banking sector (Open Banking) and subsequently rolled out for energy (July 2022) and non‑bank lending (2023). Additional sectors such as telecommunications and health are in advanced development. The framework is overseen by the ACCC and continuously updated through CDR rules and data standards.
The Cook Islands Electronic Transactions Act 2003 establishes the legal framework for electronic commerce, including the recognition of electronic signatures, electronic records, contracts, and the admissibility of electronic evidence. It sets out requirements for secure electronic signatures, time‑stamping, and the retention of electronic records. The Act was amended in 2015 to align with international standards and to clarify the legal effect of electronic signatures. Data privacy is governed separately by the Privacy Act 2016.
Costa Rica's Law for the Protection of Persons Regarding the Processing of Their Personal Data (Law No. 8968 of 2011), as amended by Executive Decree No. 42089-MGP (2023), establishes a comprehensive data protection framework. The Data Protection Agency (Agencia de Protección de Datos, APD) oversees and enforces compliance, issues guidelines, and handles complaints.
Made under Part 2A of the Security of Critical Infrastructure Act 2018, the Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 require responsible entities to develop, implement and maintain a risk management program that addresses cyber security, personnel security, supply chain security, physical security and other hazards. Entities must also report their risk management program and any significant incidents to the Australian Government in accordance with the Act.
EU Regulation (EU) 2024/1252 (Critical Raw Materials Act), in force 23 May 2024, establishing a framework for a secure and sustainable supply of critical raw materials: strategic and critical raw materials lists; 2030 Union benchmarks (extraction 10 percent, processing 40 percent, recycling 25 percent, single third country no more than 65 percent); Strategic Projects and accelerated permitting; national exploration programmes; supply monitoring and stress testing; company risk preparedness; strategic stocks and joint purchasing; circularity and recycling (incl permanent magnets); sustainability schemes; and the European Critical Raw Materials Board.
UK government-backed scheme to protect against common cyber attacks
Australia's first standalone cyber security legislation introducing mandatory security standards for smart devices, ransomware payment reporting, limited use obligations for ASD-shared information, and a Cyber Incident Review Board.
The Czech Republic's Act on the Protection of Personal Data (Act No. 110/2019 Coll.) implements and complements the EU GDPR with national provisions. The Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ) oversees enforcement. The Act sets the age of digital consent at 15 years and includes specific rules on processing for employment, public health, and research purposes, among others.
The DAMA International Data Management Body of Knowledge (DAMA‑DMBOK2, 2017) is the definitive guide to data management disciplines. It covers 11 knowledge areas: Data Governance, Data Architecture, Data Modeling and Design, Data Storage and Operations, Data Security, Data Integration and Interoperability, Data Quality, Reference & Master Data, Data Warehousing & Business Intelligence, Document & Content Management, and Metadata Management.
DFARS clause 252.204-7012 (48 CFR 252.204-7012, clause edition MAY 2024). Requires DoD contractors to provide adequate security on covered contractor information systems by implementing NIST SP 800-171, to rapidly report cyber incidents (within 72 hours of discovery) to DoD via dibnet.dod.mil using a DoD-approved medium assurance certificate, to submit isolated malicious software to the DoD Cyber Crime Center (DC3), to preserve affected media and monitoring data for at least 90 days, to support forensic analysis and damage assessment, and to flow the clause down to in-scope subcontracts. External cloud service providers must meet a FedRAMP Moderate-equivalent baseline.
DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs), published by the Defense Information Systems Agency via the DoD Cyber Exchange. SRGs are technology-family security-requirement sets derived from NIST SP 800-53 (via Control Correlation Identifiers); STIGs are product-specific hardening guides implementing the applicable SRG, each comprising findings categorised CAT I/II/III, assessed using STIG Viewer and SCAP-validated tools and tracked in eMASS. This node represents the STIG/SRG program structure (technology families, severity categories, assessment tooling and governance lifecycle); the per-product STIG findings are a catalog (hundreds of STIGs) and are not enumerated here.
DO-178C / ED-12C, the RTCA/EUROCAE standard for software in airborne systems and equipment certification. COPYRIGHTED (RTCA/EUROCAE); no licensed copy is held, so source-grounded controls and the normative objective tables (A-1..A-10) cannot be reproduced. Structure: software Design Assurance Levels A-E by failure-condition severity; life-cycle processes (Planning, Development, Verification incl structural coverage / MC/DC, Configuration Management, Software Quality Assurance, Certification Liaison); the Annex A objective tables A-1..A-10; technology supplements DO-330 (tool qualification), DO-331 (model-based), DO-332 (object-oriented), DO-333 (formal methods). Awaiting a licensed copy to author genuine controls.
DO-326A / ED-202A, the RTCA/EUROCAE Airworthiness Security Process Specification - the process standard for protecting civil aircraft from intentional unauthorised electronic interaction, integrated with ARP4754A. COPYRIGHTED (RTCA/EUROCAE); no licensed copy is held, so source-grounded controls cannot be authored. Structure: Plan for Security Aspects of Certification (PSecAC); security scope/perimeter; security risk assessment (asset and threat identification, threat conditions, risk evaluation); security measures and requirements; security architecture; security verification; security effectiveness assurance; Security Accomplishment Summary; Security Stage of Involvement (SecSOI). Companion documents: DO-356A/ED-203A (security methods), DO-355/ED-204 (continuing-airworthiness information security). Awaiting a licensed copy.
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, establishing uniform requirements for the security of network and information systems of EU financial entities and critical ICT third-party providers. Covers ICT risk management (governance, framework, identification, protection, detection, response/recovery, backup, learning), ICT-related incident management and major-incident reporting to competent authorities, digital operational resilience testing (including threat-led penetration testing), ICT third-party risk management (Register of Information, key contractual provisions, concentration risk) with a Union Oversight Framework for critical ICT third-party providers, and cyber threat information sharing. Applies from 17 January 2025.
Denmark's Data Protection Act (Databeskyttelsesloven) implements the EU GDPR and adds national provisions. It is enforced by the Danish Data Protection Agency (Datatilsynet). The Act contains specific rules for processing sensitive data, including health and biometric data, and governs the use of the national civil registration number (CPR). The 2022 amendment incorporated EU Court of Justice rulings (e.g., Schrems II) and clarified data protection impact assessments and cross‑border data transfer requirements.
The Data (Use and Access) Act 2025 amends and supplements the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. It introduces new rules on data sharing, access, and use, aiming to facilitate responsible data use while maintaining strong privacy protections.
Mauritius Data Protection Act 2017 (Act No. 20 of 2017), as amended by the Data Protection (Amendment) Act 2022, a GDPR-aligned data protection law administered by the Data Protection Office and the Data Protection Commissioner; repealed the Data Protection Act 2004. Parts I-IX: preliminary; Data Protection Office; registration of controllers and processors; obligations (principles, lawful processing, consent, special categories, child's data, security, breach notification, records); risk processing and DPIA; transfer outside Mauritius; rights of data subjects; offences and penalties; miscellaneous.
The Defence Industry Security Program (DISP) is a risk‑management and assurance framework administered by the Australian Department of Defence. It enables industry partners to understand and meet their security obligations when working with or for Defence. DISP membership requires compliance across 13 security domains and 41 controls, covering governance, personnel, physical security, information security, cyber security, and other critical areas.
The Defence Security Principles Framework sets out security principles and controls for the Australian Department of Defence and its industry partners. It is a principles-based framework supporting a progressive protective security culture. All Defence personnel, contractors, consultants and outsourced service providers must adhere to the DSPF.
The Delaware Online Privacy and Protection Act (DOPPA), Delaware Code Title 6 Chapter 12C (enacted 2015, effective 2016) - ENACTED, not proposed. Requires operators of commercial online services that collect personal information from Delaware residents to conspicuously post a privacy policy with prescribed content and a Do Not Track disclosure; prohibits marketing of specified age-restricted products to minors and the use of a minor's personal information for such marketing; protects the privacy of digital book service users; enforced as a deceptive trade practice by the Delaware Attorney General. (The comprehensive Delaware Personal Data Privacy Act / DPDPA 2023, Title 6 Ch. 12D, is a separate instrument and is not this node.)
The Digital Economy Partnership Agreement (DEPA), a plurilateral digital-trade agreement between Chile, New Zealand and Singapore signed 11 June 2020 (open to accession). Organised in 16 Modules covering business and trade facilitation (paperless trading, e-invoicing, e-payments, logistics), treatment of digital products (no customs duties on electronic transmissions, non-discriminatory treatment, cryptography), data issues (personal information protection, cross-border data flows, no forced data localisation), wider trust environment (cybersecurity cooperation, online safety), business and consumer trust (anti-spam, online consumer protection, internet access principles), digital identities, emerging technologies (fintech, AI, government procurement, competition policy), innovation (public domain, data innovation, open government data), SME cooperation, digital inclusion, and institutional/transparency/dispute-settlement/exceptions/final provisions.
The Digital Services Act (DSA), Regulation (EU) 2022/2065 of 19 October 2022. Establishes harmonised rules for intermediary services in the EU: conditional liability exemptions and no general monitoring obligation (Chapter II); and tiered due-diligence obligations (Chapter III) for all intermediaries (points of contact, legal representatives, terms and conditions, transparency reporting), hosting services (notice-and-action, statement of reasons, criminal-offence notification), online platforms (internal complaints, out-of-court dispute settlement, trusted flaggers, anti-misuse, advertising and recommender-system transparency, dark-pattern prohibition, protection of minors), online marketplaces (trader traceability/KYBC, compliance by design), and very large online platforms and search engines (systemic risk assessment and mitigation, crisis response, independent audit, ad repository, researcher data access, compliance function, supervisory fee).
Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law. Requires legal entities with 50 or more workers and public sector bodies to establish secure, confidential internal reporting channels with prescribed procedures (7-day acknowledgement, impartial follow-up, 3-month feedback); requires Member States to designate competent authorities operating external reporting channels; sets the conditions for protected public disclosure; mandates confidentiality of the reporting person's identity, GDPR-compliant data processing and record-keeping; prohibits retaliation and provides protective measures including reversal of the burden of proof, support measures and remedies; and requires effective, proportionate and dissuasive penalties.
Directive (EU) 2023/970 of 10 May 2023 strengthening equal pay for equal work or work of equal value between men and women through pay transparency and enforcement. Requires gender-neutral pay structures and job evaluation; pay transparency before employment (pay range, ban on pay-history questions); accessible pay-setting and progression criteria; a worker right to comparative pay information; gender pay-gap reporting on size-based thresholds; joint pay assessment where an unjustified gap of at least 5% persists; and a strong enforcement regime (full compensation, reversed burden of proof, access to evidence, three-year minimum limitation periods, penalties, protection against victimisation). To be transposed by 7 June 2026.
The U.S. Department of Defense Zero Trust Reference Architecture and Zero Trust Capabilities/Activities. Defines the DoD zero-trust target state across 7 pillars (User; Device; Application & Workload; Data; Network & Environment; Automation & Orchestration; Visibility & Analytics), 45 capabilities and 152 Target-Level / Advanced-Level activities, supporting the DoD Zero Trust Strategy goal of a target-level zero-trust architecture. Aligned with NIST SP 800-207 zero-trust tenets and implemented over NIST SP 800-53 controls.
The U.S. Export Administration Regulations (EAR), 15 CFR Parts 730-774, administered by the Bureau of Industry and Security (BIS), controlling the export, reexport and in-country transfer of commercial and dual-use items, software and technology. Covers scope and the items subject to the EAR (incl deemed exports, de minimis and Foreign-Direct-Product rules), the ten General Prohibitions, the Commerce Control List and Country Chart, License Exceptions, CCL-based and end-use/end-user controls (Entity List, prohibited end-uses), embargoes, license applications and processing, export clearance (AES/EEI, Destination Control Statement), antiboycott provisions, recordkeeping, and enforcement (penalties, denial of export privileges, voluntary self-disclosure).
EASA (European Union Aviation Safety Agency) Part‑IS (Information Security) regulation establishes mandatory information security requirements for aviation organisations. It requires the implementation of an Information Security Management System (ISMS) aligned with ISO/IEC 27001, covering 15 security domains and 34 controls, to protect the confidentiality, integrity and availability of aviation‑related information. The regulation (Commission Regulation (EU) 2022/xxxx) becomes fully effective in 2025.
The European Banking Authority Guidelines on ICT and security risk management (EBA/GL/2019/04, 28 November 2019, applied from 30 June 2020), addressed to financial institutions and payment service providers. (Reference corrected from a mislabelled 'EBA/GL/2024/07'.) The Guidelines cover governance and strategy, the ICT and security risk management framework (identification, classification/risk assessment, mitigation, reporting, audit), information security (policy, logical and physical security, ICT operations security, monitoring, testing, training), ICT operations management and incident/problem management, ICT project and change management, business continuity management, and payment service user relationship management. Largely superseded for EU financial entities by DORA from January 2025.
The ECB TIBER-EU Framework for Threat Intelligence-based Ethical Red Teaming, the European framework for controlled, intelligence-led red-team testing of the live production systems of financial entities. Defines a three-phase process (Preparation, Testing, Closure) supported by an optional jurisdiction-level Generic Threat Landscape, the roles of the White/Control Team, Blue Team, Red Team, threat-intelligence provider and the authority TIBER Cyber Team, and the deliverables (Targeted Threat Intelligence Report, Red Team Test Plan and Report, Blue Team Report, replay/purple teaming, Test Summary Report, Remediation Plan and attestation). TIBER-EU underpins mutual recognition of threat-led penetration testing under DORA.
ECSS-E-ST-40C, the European Cooperation for Space Standardization standard for software engineering in space systems. Defines the software engineering processes across the life cycle (software-related system requirements, management, requirements and architecture, design and implementation, validation, delivery and acceptance, verification, operation, maintenance) and special requirements tailored by software criticality (categories A-D), including dependability and safety, reuse and tool qualification, with an interface to software product assurance (ECSS-Q-ST-80C). Freely published by the ECSS at ecss.nl.
The EDM Council Cloud Data Management Capabilities (CDMC) Framework, an industry framework for managing and protecting sensitive data in cloud and hybrid environments. Organised into 6 components (Governance and Accountability; Cataloguing and Classification; Accessibility and Usage; Protection and Privacy; Data Lifecycle; Data and Technical Architecture) implemented through 14 Key Controls and Automations covering data control compliance, ownership, authoritative sources, data sovereignty, cataloguing, classification, entitlements, consumption purpose, security controls, data protection impact assessments, retention, data quality, cost metrics and data lineage - with an emphasis on automated enforcement in the cloud.
The EDM Council Data Management Capability Assessment Model (DCAM), an industry capability/maturity model for enterprise data management. Organised into 8 components (Data Management Strategy; Business Case and Funding Model; Data Management Program; Data Governance; Data Architecture; Technology Architecture; Data Quality Management; Data Operations and Control Environment), each with capabilities and sub-capabilities, assessed against a maturity scale. Used to baseline and improve an organisation's data management capability. The full model is provided to EDM Council members under licence.
EIOPA Guidelines (EIOPA-BoS-20/600, issued 12 October 2020, applied from 1 July 2021) on how insurance and reinsurance undertakings should apply the Solvency II governance requirements (Directive 2009/138/EC and Delegated Regulation (EU) 2015/35) to information and communication technology (ICT) security and governance. 25 guidelines covering ICT governance and strategy, ICT and security risk management, information security, ICT operations and change management, business continuity, and outsourcing of ICT services. WITHDRAWN from 17 January 2025, superseded by the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) for EU financial entities.
EMVCo EMV 3-D Secure (3DS), the messaging protocol that enables consumer authentication for card-not-present e-commerce transactions (the basis of Visa Secure, Mastercard Identity Check, etc.). 3DS uses a three-domain model (Acquirer, Issuer, Interoperability domains) and the roles 3DS Requestor, 3DS Server, Directory Server (DS), Access Control Server (ACS) and 3DS SDK, exchanging Authentication (AReq/ARes), Challenge (CReq/CRes) and Results (RReq/RRes) messages to support frictionless (risk-based) and challenge (step-up) authentication across browser and app channels. The full EMV 3DS Protocol and Core Functions Specification and SDK Specification are copyrighted EMVCo material available under EMVCo registration/licence; this node represents the publicly documented protocol architecture, not the gated normative text.
The harmonised European Standard ETSI EN 301 549 specifying functional accessibility requirements for information and communication technology (ICT) products and services. EN 301 549 is the technical standard referenced by the EU Web Accessibility Directive (Directive 2016/2102) for public-sector websites and mobile apps and by the European Accessibility Act (Directive (EU) 2019/882) for products and services in scope. Clauses 4-13 cover functional performance, generic ICT, two-way voice communication, video, hardware, web content, non-web documents, software, documentation and support, and relay/emergency service access; clauses 9-11 incorporate the WCAG 2.1 Level A and AA success criteria.
CENELEC family of European Standards for railway functional safety. EN 50126-1 (2017) specifies a system-level RAMS process and lifecycle for railway applications; EN 50126-2 (2017) is its safety application guide. EN 50128 (2011) sets the software development lifecycle and techniques for railway control and protection systems by Software Safety Integrity Level (SSIL 0-4). EN 50129 (2018) specifies safety-related electronic systems for signalling, including the safety case structure (Quality Management Report, Safety Management Report, Technical Safety Report) and SIL apportionment. The full normative text is copyrighted CENELEC material available via paid licence from CENELEC or national standards bodies; this node is held as a needs_licensed_copy placeholder.
ENISA's primary report on the practical engineering of data protection (the umbrella PET / privacy-enhancing-technology document for the EU). 'Data Protection Engineering - From Theory to Practice' (January 2022) links Data Protection by Design (GDPR Art. 25) to engineering practice via the DPIA process, and surveys the main PETs and their applicability to data protection principles: anonymisation and pseudonymisation, differential privacy, homomorphic encryption, secure multiparty computation, trusted execution environments, private information retrieval, synthetic data, end-to-end encryption, proxy/onion routing, privacy-preserving storage, attribute-based credentials, zero-knowledge proofs, privacy policies/icons/sticky policies, privacy preference signals, privacy dashboards, consent management, and mechanisms for exercising data subject rights of access, erasure and rectification. Complementary ENISA PET works are referenced in the report (Pseudonymisation techniques 2019, Advanced Pseudonymisation 2021, Engineering Personal Data Sharing 2023, Engineering Personal Data Protection in EU Data Spaces 2023).
ESRB Privacy Certified (EPC) is one of the FTC-approved Children's Online Privacy Protection Act (COPPA) Safe Harbor programs (16 CFR Part 312, Section 312.11), operated by the Entertainment Software Rating Board since 1999. Members enter a contractual agreement with ESRB, submit each product/service for review, and undergo ESRB's comprehensive privacy assessment process plus at least two ongoing compliance reports per year and spot audits. EPC offers two seals: the ESRB Privacy Certified Seal (general audience) and the ESRB Privacy Certified Kids Seal (child-directed products). The full normative Member Guidelines and Kids Seal Requirements are FTC-approved but delivered to members under contractual membership; the program's structure and obligations - anchored in COPPA's notice, parental consent, data minimisation, retention/deletion, security and parental access requirements - are publicly documented on esrb.org.
ETSI EN 303 645 is the European baseline cyber security standard for consumer Internet of Things (IoT) products. Published by ETSI, it sets a baseline of 13 cyber security provisions (clauses 5.1-5.13) plus reporting implementation (clause 5.0) and data protection provisions for consumer IoT (clause 6). The standard underpins national IoT security regulation (e.g. UK PSTI Act 2022) and is referenced by industry assurance schemes. Version 3.1.3 was published in September 2024.
The ETSI Industry Specification Group on Quantum Key Distribution (ISG QKD) maintains a series of Group Specifications (GS) and Group Reports (GR) covering use cases, application interfaces, components, security proofs/evaluation and network integration for QKD systems. The ISG QKD series is referenced by international evaluation/certification schemes (incl ISO/IEC 23837 - Security Requirements for Quantum Key Distribution). Specifications are published by ETSI; some are freely available and others have controlled distribution. This node records the document series scope and provides cross-references at the document-series level rather than reproducing detailed normative quantum-cryptography content.
The world's first comprehensive AI regulation, establishing risk-based rules for the placing on the market, putting into service and use of AI systems in the Union. Adopted 13 Jun 2024 (OJ L 1689/2024); entered into force 1 Aug 2024 with staged application: prohibited practices and AI literacy from 2 Feb 2025; GPAI obligations from 2 Aug 2025; most high-risk AI obligations from 2 Aug 2026; full application from 2 Aug 2027. 113 articles across 13 chapters: general provisions, prohibited AI practices, high-risk AI systems (classification, requirements, operator obligations, notified bodies, conformity assessment, standards), transparency for certain AI, general-purpose AI models (incl systemic-risk GPAI), measures for innovation (regulatory sandboxes), governance (AI Office, AI Board, scientific panel), the EU database for high-risk AI, post-market monitoring and market surveillance, codes of conduct and guidelines, delegation/committee, penalties, and final provisions including the right to explanation of individual decision-making.
The EU AI Liability Directive was a Commission proposal (COM(2022) 496 final) for a Directive on adapting non-contractual civil liability rules to artificial intelligence. It aimed to harmonise procedural rules for fault-based civil-liability claims arising from damage caused by AI systems, complementing the AI Act and the revised Product Liability Directive. Two operative procedural instruments were proposed: court-ordered disclosure of evidence about specific high-risk AI systems suspected of having caused damage (Article 3), and a rebuttable presumption of a causal link between the defendant's fault and the AI output that caused the damage where certain conditions are met (Article 4). The Commission withdrew the proposal in February 2025 and it never became law. This node tracks the withdrawn proposal text for reference; corpus status is 'referenced' (not enacted).
The EU Audiovisual Media Services Directive (AVMSD) coordinates national legislation across the EU on audiovisual media services covering: traditional linear television broadcasts; on-demand audiovisual media services; and (since the 2018 amendment) video-sharing platform services (VSPs). It establishes the country-of-origin principle, content standards (incitement to violence/terrorism, protection of minors, accessibility), rules on audiovisual commercial communications (advertising, sponsorship, product placement), promotion of European works (quotas for linear, prominence for on-demand), the right of reply, dedicated obligations for video-sharing platforms (Articles 28a-28b: jurisdiction and platform protection measures for terrorism, child sexual abuse material, illegal hate speech, advertising and age verification), independence of national regulatory authorities (Articles 30, 30a, 30b establishing ERGA), and media-literacy obligations. The Directive is implemented through national transposition; VSP obligations have been partially superseded for VLOPs by the Digital Services Act (Regulation (EU) 2022/2065) but remain authoritative for non-VLOP VSPs and for AVMSD-specific audiovisual obligations.
The European Strategy for a Better Internet for Kids (BIK+) is a Commission Communication (COM(2022) 212 final, 11 May 2022) updating the original 2012 BIK strategy. It is a non-binding policy document organised around three pillars: (1) Safe digital experiences (better protect children online) including an EU code of conduct on age-appropriate design (building on the DSA, AVMSD and GDPR), age verification and EU-wide digital proof of age (eID-based), tackling online child sexual abuse, combating cyberbullying and the 116 111 helpline, the Safer Internet Centres (SICs) network, and safety in gaming, recommender systems and addictive design; (2) Digital empowerment (better empower children to make sound choices) including media and information literacy, digital skills aligned with Digital Decade targets, digital citizenship education, the betterinternetforkids.eu portal, and awareness-raising including Safer Internet Day; (3) Active participation (respect children's views) including child participation in policymaking, industry youth consultations, peer-to-peer activities, and children as content creators with safeguards. Section 6 covers international outreach and cooperation. As a non-binding Communication, BIK+ is implemented by Member States and industry through aligned actions; this corpus node tracks the Strategy structure and policy levers (corpus status: referenced).
The EU Carbon Border Adjustment Mechanism (CBAM) is an EU import-side carbon-pricing instrument designed to address carbon leakage and to mirror, at the border, the carbon cost faced by EU producers under the EU Emissions Trading System (EU ETS). Regulation (EU) 2023/956 applies to imports of cement, iron and steel, aluminium, fertilisers, electricity and hydrogen (Annex I), with downstream products added by 2025 amending acts. The CBAM has a transitional phase from 1 October 2023 until 31 December 2025 (quarterly reporting only) and a definitive phase from 1 January 2026 (financial obligation: authorised CBAM declarants must surrender CBAM certificates corresponding to the embedded emissions in the imported goods, at a price linked to the EU ETS allowance auction price). Operation: importers must obtain authorised CBAM declarant status (Art.4-5), file annual CBAM declarations covering embedded emissions (Art.6), verify embedded emissions through accredited verifiers (Art.8), and may deduct carbon prices paid in the country of origin (Art.9). Certificates are sold by Member States (Art.20), surrendered annually (Art.22, with minimum 80% holding rule), with limited repurchase (Art.23) and annual cancellation (Art.24). Enforcement: penalties for unsurrendered certificates (Art.26) and anti-circumvention (Art.27).
The EU Chips Act establishes a comprehensive EU framework to strengthen Europe's semiconductor ecosystem with three pillars. Pillar 1 - Chips for Europe Initiative - funds Union-wide R&D, the design platform, pilot lines for advanced semiconductor manufacturing, advanced packaging/test/assembly capacity, quantum design capacity and skills development, organised around the European Chips Infrastructure Consortium (ECIC) and a European network of competence centres. Pillar 2 - Security of Supply and Resilience - establishes Integrated Production Facilities (IPF) and Open EU Foundries (OEF) with first-of-a-kind status, Design Centres of Excellence, fast-tracked permit procedures and a state-aid framework. Pillar 3 - Monitoring and Crisis Response - mandates strategic mapping, an early-warning monitoring system, key-market-actor identification, alerts/preventive action, crisis-stage activation, an emergency toolbox (information gathering, priority-rated orders, common purchasing). Governance is via the European Semiconductor Board (ESB) and Member State national competent authorities + single points of contact. The Regulation entered into force on 21 September 2023; certain provisions apply progressively per Article 41.
Regulation (EU) No 536/2014 (the Clinical Trials Regulation, CTR) harmonises the authorisation and conduct of clinical trials on medicinal products for human use across the EU/EEA. It repealed Directive 2001/20/EC and came into application on 31 January 2022 following the go-live of the Clinical Trials Information System (CTIS), with mandatory CTIS use from 31 January 2023 (new trials) and full transition by 31 January 2025 (legacy 2001/20/EC trials). Key features: a single EU-wide application through CTIS; harmonised Part I (scientific) and Part II (national / ethics) assessment with one Reporting Member State; substantial modification procedure; subject protection and informed consent rules (with specific provisions for incapacitated subjects, minors, pregnant/breastfeeding women, emergency trials); safety reporting (SUSAR via EudraVigilance, annual safety reports, serious breach reporting); compliance with the protocol and Good Clinical Practice; risk-based monitoring; trial master file and 25-year retention; manufacturing/import authorisation for investigational medicinal products (IMPs) with qualified person responsibility; harmonised labelling; sponsor and investigator obligations; damage compensation systems by Member States; Member State inspections and Union controls; the EU portal and EU database (CTIS) with public-transparency layer; the Clinical Trials Coordination and Advisory Group (CTAG); fees; data protection (alignment with the GDPR for clinical-trial data); penalties.
Regulation (EU) 2024/2847 (the Cyber Resilience Act, CRA) introduces horizontal cybersecurity requirements for Products with Digital Elements (PDEs) placed on the Union market and for their manufacturers, importers and distributors. PDEs cover hardware, software and remote data processing solutions that are connected directly or indirectly to a device or network and intended to be placed on the market separately or alongside a product. The Regulation imposes: (a) Article 13 manufacturer obligations including cybersecurity risk assessment, due diligence on third-party components, a documented support period with security updates throughout, and compliance with the essential cybersecurity requirements (Annex I Part I) and the vulnerability handling requirements (Annex I Part II); (b) Article 14 reporting obligations: for an actively exploited vulnerability, an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours and a final report no later than 14 days after a corrective or mitigating measure is available; for a severe incident having an impact on the security of the product, a 24-hour early warning, a 72-hour incident notification and a final report within one month; notifications go to the CSIRT designated as coordinator and to ENISA through the single reporting platform under Article 16; (c) Articles 18-25 obligations for authorised representatives, importers and distributors, the open-source software steward regime (Article 24) and voluntary security attestation of free and open-source software (Article 25); (d) Articles 27-34 conformity assessment (Article 32: internal control, Module A, for default products; for important products under Article 7 and Annex III, Module B+C or Module H with notified-body involvement, with class I products able to use Module A when applying harmonised standards, common specifications or a European cybersecurity certification scheme; for critical products under Article 8 and Annex IV, the Commission may by delegated act require a European cybersecurity certificate under Regulation (EU) 2019/881); (e) Articles 35-51 notification of conformity-assessment bodies; (f) Articles 52-60 market surveillance and the Union safeguard procedure; (g) Article 64 penalties (up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher, for non-compliance with the Annex I essential requirements or the Article 13 and 14 obligations; up to EUR 10 million or 2% for other obligations). Entered into force 10 December 2024; main obligations apply from 11 December 2027, with the Article 14 reporting regime applying from 11 September 2026 and the Chapter IV provisions on notification of conformity-assessment bodies from 11 June 2026.
Regulation (EU) 2025/38 (the Cyber Solidarity Act, CSA) builds Union-level cybersecurity solidarity and response capacity through three pillars. Pillar 1 - the European Cybersecurity Alert System - establishes a Union-wide network of National Cyber Hubs and Cross-Border Cyber Hubs (deployed SOC consortia) for early detection of significant cyber threats and incidents across critical sectors, with information sharing inside and across the network and into Union-level networks (CSIRTs network, EU-CyCLONe). Pillar 2 - the Cybersecurity Emergency Mechanism - supports coordinated preparedness testing of essential and important entities under NIS2, establishes the EU Cybersecurity Reserve of certified private incident-response services available to Member States, Union institutions and DEP-associated third countries, supports mutual assistance and is coordinated with Union crisis management mechanisms. Pillar 3 - the European Cybersecurity Incident Review Mechanism - mandates post-incident review of significant or large-scale cybersecurity incidents, run by ENISA at the request of the Commission, EU-CyCLONe or the NIS Cooperation Group, with lessons-learned reports.
Regulation (EU) 2023/2854 (the Data Act) creates the EU horizontal regime for fair access to and use of data. It applies from 12 September 2025. Key levers: Chapter II grants users of connected products and related services a right to access the data they generate and to share that data with third parties of their choice, and imposes data-by-design obligations on manufacturers and data holders. Chapter III governs business-to-business data sharing conditions (FRAND, no abuse of dominance, dispute settlement). Chapter IV prohibits unfair contractual terms unilaterally imposed in B2B data-sharing contracts. Chapter V creates a public-sector exceptional-need access regime for the Commission, the ECB, Union bodies and public sector bodies. Chapter VI imposes the cloud-switching regime on providers of data processing services (cloud + edge): removal of obstacles, contractual terms, gradual withdrawal of switching charges by 12 January 2027, functional equivalence, technical-aspects-of-switching obligations. Chapter VII restricts international governmental access to and transfer of non-personal data held in the Union. Chapter VIII sets interoperability essential requirements for data spaces, in-parallel use of data processing services, and smart-contract essential requirements. Chapter IX establishes competent authorities, complaint and remedy rights, and penalties. Chapters X-XI cover the sui generis database-right adjustment (Directive 96/9/EC), model contractual terms, the European Data Innovation Board (EDIB), and the final provisions.
Regulation (EU) 2022/868 (the Data Governance Act, DGA) establishes EU horizontal rules for data governance. It applied from 24 September 2023. The DGA creates four operational regimes framed around the European data spaces. Chapter II governs the re-use of protected data held by public sector bodies (data subject to commercial confidentiality, IP rights, statistical confidentiality or personal data): conditions for re-use, anonymisation / pseudonymisation, single information points, third-country safeguards. Chapter III regulates data intermediation services (DIS): mandatory notification, neutrality / structural separation from data-trader activities, ICT-security obligations, transparency. Chapter IV creates the data-altruism regime: voluntary registration of recognised data-altruism organisations, the European Data Altruism Consent Form, transparency and safeguarding requirements for data subjects. Chapter V designates competent authorities and grants complaint + judicial-remedy rights. Chapter VI establishes the European Data Innovation Board (EDIB) - the body the Data Act and other horizontal data instruments rely on for technical guidance. Chapter VII restricts international access and transfer of protected non-personal data held in the Union. Chapters VIII-IX cover delegation, committee procedure, penalties, evaluation by 24 September 2025 and transitional provisions (DIS notification deadline, recognised data-altruism organisations).
Regulation (EU) 2022/1925 (the Digital Markets Act, DMA) creates EU ex-ante rules for the largest digital platforms ('gatekeepers') providing 'core platform services' (CPS): online intermediation, search engines, social networks, video-sharing platforms, number-independent interpersonal communication services (N-IICS), operating systems, web browsers, virtual assistants, cloud computing services, online advertising services. Applied from 2 May 2023; the first gatekeepers were designated on 6 September 2023, with their obligations applying six months later, from March 2024. Article 3 sets the quantitative + qualitative designation criteria (turnover thresholds: EUR 7.5 billion annual EU turnover or EUR 75 billion market capitalisation; >=45 million monthly active end users and >=10,000 yearly active business users in the EU; an entrenched and durable position over the past three financial years). Article 4 reviews designation. Article 5 lists the 'self-executing' obligations (e.g. no cross-service personal-data combining without consent, allow business users to offer cheaper terms elsewhere, allow free communication with end users acquired through the CPS, no anti-steering, transparency in advertising). Article 6 lists obligations susceptible to further specification (no use of non-public business-user data, allow uninstallation + default changes + third-party app stores, non-discriminatory ranking, interoperability with hardware/software, effective data portability, FRAND access to app stores / search / N-IICS / social networks, fair termination conditions). Article 7 specifically imposes phased N-IICS interoperability. Article 14 imposes acquisition-notification obligations. Article 23 sets inspection (dawn-raid) powers. Article 28 mandates a compliance function. Article 30 sets the penalty regime (up to 10% of worldwide annual turnover; 20% for repeat infringements). The DMA operates alongside competition law and is enforced centrally by the European Commission.
Directive (EU) 2024/1275 (the EPBD Recast) is the EU's central building-decarbonisation instrument, repealing Directive 2010/31/EU. It entered into force on 28 May 2024 and Member States must transpose it by 29 May 2026. Key deliverables: National Building Renovation Plans (NBRPs) every 5 years setting national decarbonisation trajectories aligned with the 2050 climate-neutrality goal; Zero-Emission Building (ZEB) standard for all new buildings (Article 7: new public buildings from 1 January 2028, all new buildings from 1 January 2030); Article 8 trajectory for existing-building renovations; Article 9 Minimum Energy Performance Standards (MEPS) for non-residential buildings (renovating the worst-performing 16% by 2030 and the worst-performing 26% by 2033) and Member-State trajectories for progressive improvement of the residential building stock; Article 10 solar-energy-on-buildings rollout (new public + non-residential from 2026, parking + renovations from 2027, new residential from 2029); Article 11 ZEB standard specification (very low energy demand + zero on-site fossil-fuel emissions); Article 12 voluntary Renovation Passport scheme for deep renovation; Article 13 Technical Building Systems (TBS) requirements; Article 14 sustainable-mobility infrastructure (EV charging, bike parking); Article 15 Smart Readiness Indicator (SRI); Article 16 data exchange; Articles 19-22 Energy Performance Certificates (EPC) issue + display + databases; Articles 23-27 inspections + independent experts + certification + independent control system; Article 34 penalties.
Regulation (EU) 2024/1083 (the European Media Freedom Act, EMFA) establishes a common framework for media services in the internal market and amends the AVMSD (Directive 2010/13/EU). It entered into force on 7 May 2024 and applies from 8 August 2025 (with Articles 3, 4(1)-(2) and 6(3) applying from 8 November 2024). Key levers: Article 4 rights of media service providers including the protection against intrusive surveillance (no spyware on journalists' devices except specific safeguards) and the protection of journalistic sources; Article 5 safeguards for the independent functioning of public service media (independent boards, adequate and stable funding, transparent appointments); Article 6 duties of media service providers including ownership transparency; Articles 8-13 the new European Board for Media Services (replacing the ERGA structure); Article 18 protection of media-service-provider content on very large online platforms (VLOPs) from arbitrary moderation, with a specific notice-and-redress regime; Article 19 structured dialogue between VLOPs, the Board and media-service providers; Article 20 right to customise the media offering on smart-television interfaces; Article 22 media market concentration assessment; Article 24 audience-measurement transparency; Article 25 transparency of public-funds allocation for state advertising. EMFA coordinates with AVMSD (which it amends), DSA (VLOP supervision), DMA (gatekeeper-platform issues) and the GDPR (data-protection of journalistic sources).
Regulation (EU) 2023/988 (the General Product Safety Regulation, GPSR) is the EU horizontal product-safety regime for non-food consumer products, applicable from 13 December 2024. It repeals Directive 2001/95/EC (the General Product Safety Directive). Key levers: Article 5 general safety requirement (only safe products may be placed on the market); Articles 6-8 assessment criteria (intrinsic characteristics, presentation, foreseeable use, exposure to other products, categories of consumers, cybersecurity features where they have a bearing on safety); Articles 9-13 manufacturer + authorised representative + importer + distributor obligations (including risk analysis, technical documentation, conformity-statement equivalent + Article 16 'responsible person in the Union' rule which makes a Union-established economic operator legally accountable for products from non-EU manufacturers); Article 18 specific traceability requirements; Article 19 distance-sales obligations (e-commerce); Article 20 accident-notification regime (Safety Business Gateway); Article 22 specific obligations on providers of online marketplaces (including the Article 22(4) single point of contact and Article 22(7) product recall interface obligations, Article 22(8)-(10) DSA-style notice-and-takedown for dangerous products + DSA-Art.30 trader-traceability link); Articles 23-32 market surveillance + Article 25-27 Safety Gate Rapid Alert System + Safety Business Gateway + Safety Gate Portal; Articles 33-37 recall notice template + remedies (repair, replacement, refund); Article 39 representative actions; Article 44 penalties.
Regulation (EU) 2017/746 (the IVDR) is the EU horizontal regime for in vitro diagnostic medical devices (IVDs). It applied from 26 May 2022 and replaced Directive 98/79/EC. Regulation (EU) 2024/1860 extended transitional periods for legacy IVDs to 2027-2029, staged by risk class. Key levers: Article 5 placing on the market and putting into service, with the Article 5(2) / Annex I general safety and performance requirements; Articles 10-15 manufacturer + authorised representative + importer + distributor + Person Responsible for Regulatory Compliance (PRRC) obligations; Article 16 substantial-modification rule; Article 17 EU declaration of conformity + Article 18 CE marking; UDI system (Articles 24-25) and economic-operator registration (Articles 26-28); Article 29 summary of safety and performance + Article 30 European database (EUDAMED); Article 47 risk classification (Class A/B/C/D) + Articles 48-54 conformity assessment routes including the Article 50 mechanism for scrutiny of Class D devices; Articles 56-77 performance evaluation + performance studies + Article 59 informed consent (with interventional clinical performance studies running alongside the Clinical Trials Regulation); Articles 78-90 post-market surveillance + vigilance + serious incident reporting + Periodic Safety Update Report (PSUR); Articles 92-101 market surveillance + Member-State coordination + Medical Device Coordination Group + EU reference laboratories; Articles 102-103 confidentiality and data protection; Article 106 penalties; Article 110 transitional provisions (as amended by (EU) 2024/1860); Articles 112-113 repeal + entry into force.
Regulation (EU) 2023/1230 (the Machinery Regulation) is the EU horizontal regime for machinery, related products and partly completed machinery placed on the Union market. It entered into force on 19 July 2023 and applies from 20 January 2027 (a 42-month transition; the Machinery Directive 2006/42/EC is repealed from that date). Key levers: Article 8 + Annex III essential health and safety requirements (EHSR) covering general safety integration, control systems, mechanical hazards, instructions for use, Annex III 1.1.9 protection against corruption (cybersecurity-as-safety) and Annex III 1.2 safety + reliability of control systems, including AI integrated into safety functions; Article 6 + Annex I high-risk machinery categories requiring third-party notified-body conformity assessment (woodworking machines, portable cartridge-operated fixing tools, vehicle servicing lifts, etc., plus new categories such as machinery with self-evolving AI safety functions); Articles 10-19 economic-operator obligations (manufacturer, authorised representative, importer, distributor, partly-completed-machinery manufacturer); Article 17 substantial-modification rule; Articles 20-24 EU declaration of conformity + EU declaration of incorporation + CE marking; Articles 25-42 conformity assessment + notified bodies; Articles 43-46 market surveillance + Union safeguard; Article 50 penalties; Article 51 repeal of 2006/42/EC + 73/361/EEC; Article 54 entry into force + application from 20 January 2027.
Regulation (EU) 2023/1114 (the Markets in Crypto-Assets Regulation, MiCA) is the EU horizontal regime for crypto-assets that fall outside existing financial-services Union law. It entered into force on 29 June 2023; the e-money-token + asset-referenced-token regime (Titles III + IV) applied from 30 June 2024; the crypto-asset service provider (CASP) regime (Title V) + the remaining titles applied from 30 December 2024. MiCA categorises crypto-assets into three types: (1) asset-referenced tokens (ARTs), stabilised by reference to another value or right or a combination thereof, including one or more official currencies; (2) e-money tokens (EMTs), stabilised by reference to a single official currency; (3) other crypto-assets, including utility tokens. Title II governs offers and admission to trading of category-3 crypto-assets with a crypto-asset white-paper regime. Title III governs the authorisation + operating conditions for ART issuers including own-funds + reserve-of-assets + custody-of-reserve + governance + conflict-of-interest + redemption-right + significant-ART regime. Title IV governs EMT issuers (restricted to credit institutions and EMD2 electronic money institutions). Title V authorises CASPs to provide the 10 enumerated crypto-asset services (custody + administration of crypto-assets for clients, operation of a trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for crypto-assets, execution of orders, placing of crypto-assets, reception + transmission of orders, providing advice on crypto-assets, providing portfolio management, providing transfer services for crypto-assets) with prudential + governance + conduct + custody + outsourcing + complaints + conflicts + wind-down obligations. Title VI prohibits insider dealing + unlawful disclosure of inside information + market manipulation. Title VII establishes competent authority + EBA + ESMA powers including the significant-token supervisory regime. Titles VIII-IX cover delegated acts + transitional + final provisions.
Regulation (EU) 2017/745 (the MDR) is the EU horizontal regime for medical devices and accessories, replacing the prior MDD (93/42/EEC) and AIMDD (90/385/EEC) framework. It applied from 26 May 2021. Regulation (EU) 2023/607 extended transitional periods for legacy devices (under MDD/AIMDD certificates) by risk class: Class III and Class IIb implantables (with exceptions) until 31 December 2027; other Class IIb, Class IIa and Class I sterile/measuring/reusable-surgical devices until 31 December 2028; legacy Class I devices that now require notified-body involvement under the MDR until 31 December 2028. Key levers: Article 5 placing on the market and putting into service (with the Article 5(2) / Annex I general safety and performance requirements) + Article 7 prohibition of misleading claims; Articles 10-15 manufacturer + authorised representative + importer + distributor + Person Responsible for Regulatory Compliance (PRRC) obligations, including the Article 10(16) requirement that manufacturers hold sufficient financial coverage for their potential liability under Directive 85/374/EEC; Article 16 substantial-modification rule; Articles 17-23 single-use device reprocessing + implant card + EU declaration of conformity + CE marking + special-purpose devices + systems/procedure packs; Article 25 identification within the supply chain; Articles 27-30 UDI system + UDI database + device registration; Article 31 economic-operator registration; Article 32 summary of safety and clinical performance (SSCP, public via EUDAMED); Article 33 EUDAMED. Article 51 risk classification (Class I/IIa/IIb/III). Articles 52-60 conformity assessment + Article 54 clinical evaluation consultation procedure for certain Class III/IIb devices + Article 55 scrutiny mechanism for those assessments. Articles 61-82 clinical evaluation + clinical investigations, including informed consent + vulnerable-subject protection + adverse-event recording. Articles 83-90 post-market surveillance + Periodic Safety Update Report (PSUR) + serious-incident reporting + Field Safety Corrective Actions (FSCAs) + trend reporting. Article 109 confidentiality + Article 110 data protection. Article 120 transitional provisions (as amended by 2023/607).
This corpus node provides a transport-sector application view of the NIS2 Directive (Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union). NIS2 Annex I, sector 2 lists transport as a sector of high criticality with four sub-sectors: 2(a) Air transport (air carriers, airport managing bodies and air traffic management/control providers), 2(b) Rail transport (infrastructure managers and railway undertakings), 2(c) Water transport (inland, sea and coastal passenger and freight water transport companies, port managing bodies and vessel traffic service operators), 2(d) Road transport (road authorities responsible for traffic management control and operators of intelligent transport systems). Under Article 3, Annex I entities that exceed the medium-sized-enterprise ceiling are 'essential entities'; other in-scope entities are 'important entities'. The substantive obligations come from the main NIS2 text: Article 21(2)(a)-(j) cybersecurity risk-management measures (10 baseline categories: (a) risk-analysis and information-system security policies, (b) incident handling, (c) business continuity and crisis management, (d) supply chain security, (e) security in acquisition, development and maintenance including vulnerability handling, (f) policies to assess the effectiveness of measures, (g) basic cyber hygiene and training, (h) cryptography and encryption, (i) human resources security, access control and asset management, (j) multi-factor authentication and secured communications); Article 23 incident reporting (24-hour early warning, 72-hour incident notification, final report within one month); Article 24 use of European cybersecurity certification schemes; Articles 31-34 supervisory powers + administrative fines (essential entities: up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher; important entities: up to EUR 7 million or 1.4%). This corpus node tracks the transport-specific application; the main NIS2 Directive is the substantive source. Corpus status: referenced (sector-application view of an existing enacted directive, not a separate enacted instrument).
Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 establishing the Network Code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (NCCS) is the EU's first sector-specific cybersecurity network code, adopted under Article 59(2)(e) of Regulation (EU) 2019/943 (the Electricity Regulation). NCCS entered into force on 13 June 2024 and is directly applicable in all Member States; transposition is not required but Member States must designate competent authorities + ensure operational implementation. NCCS establishes: (a) a four-level cybersecurity risk-assessment cascade (Union-wide, regional, Member State, and entity-level) with the Union-wide assessment coordinated by ENTSO-E + the EU DSO Entity supported by ACER and the Member State competent authorities; (b) a classification of in-scope entities into 'high-impact' and 'critical-impact' categories based on contribution to cross-border electricity flows + Annex criteria; (c) common minimum cybersecurity controls + advanced cybersecurity controls for high-impact + critical-impact entities respectively; (d) a verification + mutual-recognition scheme for cross-border conformity assessment; (e) a cyber-attack reporting + early-warning system + crisis management framework supplementing NIS2 (Directive (EU) 2022/2555) + CER Directive (Directive (EU) 2022/2557) + EU Cyber Solidarity Act (Regulation (EU) 2025/38); (f) supply-chain cybersecurity requirements; (g) information protection regime including handling of sensitive electricity-grid information. NCCS is implemented through the ENTSO-E + EU DSO Entity joint methodology (Article 8) submitted to ACER for approval. The first Union-wide cybersecurity risk assessment cycle began in 2024-2025 with the first results expected 2026-2027.
Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market (PSD2). PSD2 entered into force on 12 January 2016 and Member States transposed it by 13 January 2018. It repealed Directive 2007/64/EC (PSD1) and modernised the EU payments framework by: extending the scope to one-leg-out + third-country-currency transactions; creating two new regulated activities (Payment Initiation Services + Account Information Services) and the corresponding Open Banking regime via the access-to-accounts rules in Articles 65-67; mandating Strong Customer Authentication in Article 97, based on two or more of three independent elements (knowledge / possession / inherence), with dynamic linking of the authentication code to the amount and payee for remote electronic payments; requiring operational + security risk management (Article 95) + major-incident reporting (Article 96) + the Article 98 EBA Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389, the SCA-RTS, covering SCA exemptions and common + secure open standards of communication); and tightening consumer-liability + refund + safeguarding rules. PSD2 remains in force until the PSD3 Directive + Payment Services Regulation (PSR) (Commission proposals COM(2023) 366 + COM(2023) 367 of 28 June 2023) are adopted and transposed. Note: the PSD2 SCA-RTS (Commission Delegated Regulation (EU) 2018/389) is tracked separately as the 'PSD2 SCA' corpus entry.
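The dynamic-linking requirement in the entry above is the one piece of PSD2 that is a concrete cryptographic property: the authentication code must be specific to the amount and payee the payer consented to, so an attacker who alters either in transit invalidates it. The following is an added illustration written for this page, not text of PSD2, the SCA-RTS or any named provider; the RTS is technology-neutral and prescribes no algorithm. It assumes an HMAC-SHA256 over a canonical, length-prefixed encoding of the transaction, a per-device secret standing in for the possession element, and a one-time challenge (nonce) so a captured code cannot be replayed. Key material, amounts and the payee identifiers are constructed for the example.

```python
"""Dynamic linking of an SCA authentication code to amount and payee.

Illustrative only: PSD2 / SCA-RTS Article 5 state the property (code bound to
amount and payee, invalid if either changes); the HMAC construction, field
encoding and key handling below are this example's own choices.
"""
import hashlib
import hmac
import struct

# Constructed key material standing in for the secret provisioned to the
# payer's authenticator app (hypothetical value; never hard-code real keys).
DEVICE_KEY = bytes(range(32))
# Example IBANs used as payee identifiers (constructed test data).
PAYEE_IBAN = "DE89370400440532013000"
ATTACKER_IBAN = "GB33BUKB20201555555555"


def _field(data: bytes) -> bytes:
    """Length-prefix a field so that (ab, c) and (a, bc) cannot collide."""
    return struct.pack(">H", len(data)) + data


def canonical_transaction(amount_minor: int, currency: str, payee: str, nonce: bytes) -> bytes:
    """Unambiguous byte encoding of what the payer is asked to approve."""
    if amount_minor < 0:
        raise ValueError("amount must be non-negative")
    return b"".join([
        _field(struct.pack(">Q", amount_minor)),  # amount in minor units (cents)
        _field(currency.encode("ascii")),
        _field(payee.encode("ascii")),
        _field(nonce),                             # per-transaction challenge
    ])


def generate_auth_code(key: bytes, amount_minor: int, currency: str, payee: str, nonce: bytes) -> str:
    """Authenticator side: the code the payer's device shows/submits."""
    mac = hmac.new(key, canonical_transaction(amount_minor, currency, payee, nonce), hashlib.sha256)
    return mac.digest()[:8].hex()  # 64-bit truncation keeps the code short; tune to policy


def verify_auth_code(key: bytes, amount_minor: int, currency: str, payee: str, nonce: bytes, code: str) -> bool:
    """Recompute over the transaction the ASPSP is about to execute and compare in constant time."""
    expected = generate_auth_code(key, amount_minor, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


class PaymentAuthorizer:
    """ASPSP-side check: the code must match the transaction as received,
    and each challenge may be consumed once, so a captured code is not replayable."""

    def __init__(self, key: bytes):
        self._key = key
        self._used_nonces: set[bytes] = set()

    def authorize(self, amount_minor: int, currency: str, payee: str, nonce: bytes, code: str) -> bool:
        if nonce in self._used_nonces:
            return False  # replay of an already-consumed challenge
        if not verify_auth_code(self._key, amount_minor, currency, payee, nonce, code):
            return False  # amount, payee or nonce differ from what the payer approved
        self._used_nonces.add(nonce)
        return True


def demo() -> dict:
    """Payer approves 100.00 EUR to PAYEE_IBAN; an attacker then tries to reuse the code."""
    nonce = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed challenge
    code = generate_auth_code(DEVICE_KEY, 10000, "EUR", PAYEE_IBAN, nonce)
    authorizer = PaymentAuthorizer(DEVICE_KEY)
    return {
        "amount_tampered": authorizer.authorize(99900, "EUR", PAYEE_IBAN, nonce, code),
        "payee_tampered": authorizer.authorize(10000, "EUR", ATTACKER_IBAN, nonce, code),
        "legitimate": authorizer.authorize(10000, "EUR", PAYEE_IBAN, nonce, code),
        "replayed": authorizer.authorize(10000, "EUR", PAYEE_IBAN, nonce, code),
    }


if __name__ == "__main__":
    print(demo())
```

The failed tampering attempts do not consume the nonce, so the genuine submission still succeeds afterwards; only a successful authorisation burns the challenge. In a real deployment the ASPSP must also display the exact amount and payee to the payer before the code is generated, since binding a code to values the payer never saw gives no protection.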
Directive (EU) 2024/2853 of 23 October 2024 on liability for defective products is the new EU Product Liability Directive replacing Council Directive 85/374/EEC (which had governed product liability since 1985). The 2024 PLD entered into force on 8 December 2024 and Member States must transpose it by 9 December 2026 (Article 24); 85/374/EEC remains applicable to products placed on the market before 9 December 2026 (Article 22 transitional). Key modernisation points: (a) expanded definition of 'product' in Article 4(1) explicitly including software (whether embedded or supplied separately as a SaaS / standalone product), AI systems, and digital manufacturing files; (b) expanded categories of damage in Article 6 covering destruction or corruption of data not used for professional purposes, medically recognised damage to psychological health, and material losses from data loss; (c) substantial modification rule in Article 4(18) making the modifier liable for the modified product; (d) economic-operator chain liability in Articles 7-8 including manufacturer + authorised representative + importer + fulfilment service provider + distributor + online platform under Article 7(3) where they have a contract with the consumer; (e) disclosure-of-evidence regime in Article 9 (the new procedural rules requiring defendants + third parties to disclose relevant evidence on plaintiff motion) and Article 11 presumptions of defectiveness + causality; (f) cybersecurity-related defect treatment (a cybersecurity defect that compromises product safety qualifies as a 'defect' per Recital 38 + Article 7(2)(d)); (g) limitation periods in Articles 15-16: 3-year claim limitation + 10-year long-stop from the date the actual defective product was placed on the market / put into service / substantially modified, extended to 25 years for latent personal injury. 
Coordination with the proposed AI Liability Directive (Commission Proposal COM(2022) 496): the Commission withdrew the AILD proposal in February 2025 making the 2024 PLD the operative regime for AI-product liability.
Regulation (EU) 2019/2088 of 27 November 2019 on sustainability-related disclosures in the financial services sector (SFDR). SFDR applied from 10 March 2021 with the level 2 SFDR Regulatory Technical Standards (Commission Delegated Regulation (EU) 2022/1288 of 6 April 2022, applicable from 1 January 2023) operationalising the entity-level Article 4 PAI statement, the pre-contractual disclosures for Articles 8/9 financial products, the website disclosures under Article 10, and the periodic reports under Article 11. SFDR creates: (a) entity-level disclosure obligations on financial market participants (FMPs) and financial advisers (Articles 3-5): sustainability-risk policies, the principal-adverse-impacts statement (PAI statement with 14 mandatory indicators + 2 further indicators selected from the opt-in lists), and remuneration-policy alignment with sustainability risks; (b) product-level disclosure obligations differentiated by product category: Article 6 mainstream-financial-product disclosure of sustainability-risk integration, Article 7 PAI consideration at product level, Article 8 products that promote environmental or social characteristics ('light-green'), Article 9 products with a sustainable investment objective ('dark-green') including the Article 9(3) carbon-emission-reduction objective using EU Climate Transition Benchmarks (CTB) or EU Paris-Aligned Benchmarks (PAB); (c) website disclosures (Article 10) and periodic reports (Article 11) for Articles 8 + 9 products; (d) marketing-consistency obligation (Article 13). SFDR is the cornerstone of the EU sustainable-finance framework alongside the Taxonomy Regulation (EU) 2020/852 (Article 8 + 9 products must disclose Taxonomy-alignment) and the Corporate Sustainability Reporting Directive (EU) 2022/2464 (CSRD/ESRS - the corporate counterpart of SFDR). The European Commission published a comprehensive SFDR review in 2023 + 2024 considering relabelling of categories and a possible SFDR 2.0; pending that, this regulation remains in force.
Directive 2012/18/EU of 4 July 2012 on the control of major-accident hazards involving dangerous substances (the Seveso III Directive) is the EU's chemical-industry major-accident safety regime. Seveso III entered into force on 13 August 2012, was transposed by Member States by 31 May 2015, and applied to operators from 1 June 2015. It repeals + replaces the earlier Seveso II Directive (96/82/EC). Seveso III is named after the 1976 Seveso disaster in Italy where dioxin was released from an industrial accident; the regime has been progressively strengthened (Seveso I 82/501/EEC, Seveso II 96/82/EC, Seveso III 2012/18/EU) to address industrial chemical accidents. The Directive imposes obligations on the operators of establishments holding dangerous substances above defined qualifying quantities (Annex I), differentiating between LOWER-TIER establishments (Article 6 notification + Article 7 Major-Accident Prevention Policy MAPP) and UPPER-TIER establishments (additionally Article 8 safety report + Article 11 emergency plans + Article 14 public consultation). It also requires Member States to organise inspections (Article 20), maintain information systems including the Seveso Plants Information Retrieval System SPIRS (Article 21), ensure access to information + public participation (Articles 14-15 + 22-23 with Aarhus Convention alignment), and impose effective + proportionate + dissuasive penalties (Article 28). A 2025 Commission Communication on Industrial Safety + ongoing work on a Seveso IV are expected; no Seveso IV proposal has yet been tabled.
Regulation (EU) 2020/852 of 18 June 2020 establishing a framework to facilitate sustainable investment ('the Taxonomy Regulation'). The Taxonomy Regulation entered into force on 12 July 2020 and is the cornerstone of the EU sustainable finance legislative framework alongside SFDR (Regulation (EU) 2019/2088) and CSRD (Directive (EU) 2022/2464). It creates a unified EU classification system - the 'Taxonomy' - for environmentally sustainable economic activities. An economic activity qualifies as environmentally sustainable under Article 3 if it: (a) makes a substantial contribution to one or more of the six environmental objectives in Article 9 + Articles 10-15; (b) does not significantly harm any of the other objectives (the DNSH test in Article 17); (c) is carried out in compliance with the minimum safeguards laid down in Article 18 (OECD MNE Guidelines + UN Guiding Principles on Business and Human Rights + ILO Declaration on Fundamental Principles and Rights at Work + the International Bill of Human Rights); and (d) complies with the technical screening criteria established by the Commission Delegated Acts under Article 19. The six environmental objectives (Article 9) are: climate change mitigation; climate change adaptation; sustainable use and protection of water and marine resources; transition to a circular economy; pollution prevention and control; protection and restoration of biodiversity and ecosystems. 
The Commission Delegated Regulations operationalising the technical screening criteria are: (EU) 2021/2139 (Climate Delegated Act, climate change mitigation + adaptation TSC for 13 economic-activity sectors); (EU) 2023/2486 (Environmental Delegated Act, TSC for the four non-climate environmental objectives); (EU) 2021/2178 (Disclosures Delegated Act, the Article 8 KPI disclosure templates for turnover + CapEx + OpEx alignment); (EU) 2022/1214 (Gas + Nuclear Complementary Climate Delegated Act adding specific gas + nuclear activities to the climate objectives under defined conditions). Article 8 imposes the Taxonomy KPI disclosure obligation on undertakings within the scope of NFRD / CSRD: non-financial undertakings disclose the % of turnover + CapEx + OpEx aligned with the Taxonomy; financial undertakings disclose the Green Asset Ratio (GAR) for credit institutions + insurance KPI for insurance undertakings.
Directive (EU) 2016/2102 of 26 October 2016 on the accessibility of the websites and mobile applications of public sector bodies (the Web Accessibility Directive, WAD). WAD entered into force on 22 December 2016, Member States transposed it by 23 September 2018 (Article 12), and the substantive obligations apply on staggered dates per Article 12(3): 23 September 2019 for websites published on or after 23 September 2018; 23 September 2020 for all other public-sector websites; 23 June 2021 for mobile applications. WAD imposes on public-sector bodies (broadly defined to cover State, regional, local authorities, bodies governed by public law + associations) the obligation to make their websites and mobile applications accessible by complying with the four POUR principles (Perceivable + Operable + Understandable + Robust) from WCAG 2.x. The presumption of conformity (Article 6) is established through the harmonised standard EN 301 549 (currently EN 301 549 v3.2.1, expected to evolve to v4.x with WCAG 2.2). Article 5 provides a disproportionate-burden exception with documented cost-benefit analysis. Article 7 requires a model accessibility statement + feedback mechanism + enforcement procedure link on every covered website. Article 8 imposes a periodic 3-year monitoring + Commission reporting obligation on Member States. WAD is complemented by the European Accessibility Act (Directive (EU) 2019/882) which extends accessibility requirements to private-sector products and services starting from 28 June 2025. WAD is the public-sector-only baseline; EAA is the wider private-sector cousin. Both directives reference EN 301 549 as the harmonised standard. Future evolution includes the ongoing EN 301 549 v4.x transition aligning with WCAG 2.2 + Mobile Accessibility Project + the Commission's planned consolidated 2026-2027 accessibility-framework communication.
Directive 2002/58/EC (the ePrivacy Directive) is the EU sectoral lex specialis on privacy in the electronic communications sector, alongside the GDPR (which is the lex generalis for personal data). The 2009/136/EC amendment introduced the prior-consent rule for cookies and similar storage-of-information technologies (Article 5(3)) and the security and personal-data-breach-notification regime (Article 4). The Directive applies to providers of publicly available electronic communications services and to natural and legal persons placing or accessing information stored in subscribers' / users' terminal equipment. The proposed ePrivacy Regulation has been WITHDRAWN by the European Commission (February 2025); the 2002/58/EC Directive remains the in-force instrument until the Commission tables a new proposal. Key operational articles: Article 4 security of services + personal-data-breach notification (60-day model in Article 4(3) feeds the GDPR Art.33-34 baseline); Article 5 confidentiality of the communications + Article 5(3) prior-consent storage-of-information rule (cookies, tracking pixels, fingerprinting); Article 6 traffic data; Article 7 itemised billing; Article 8 calling-line identification; Article 9 location data other than traffic data; Article 13 unsolicited communications (email/SMS/voice marketing).
Egypt's first comprehensive personal data protection law. Law No. 151 of 2020 promulgates the annexed Personal Data Protection Law (14 chapters, 49 articles) governing the electronic processing of personal data of natural persons by holders, controllers and processors, establishing the Personal Data Protection Centre, a licensing/permit regime, data subject rights, cross-border transfer controls, breach notification, and criminal/administrative penalties. Ratified 13 July 2020; effective from 15 October 2020.
The Equator Principles (EP4, July 2020) are a voluntary risk-management framework adopted by ~100 Equator Principles Financial Institutions (EPFIs) for determining, assessing and managing environmental and social risk in project finance. EP4 applies to Project Finance Advisory Services, Project Finance (capital costs >= USD 10 million), Project-Related Corporate Loans and Bridge Loans. The framework references the IFC Performance Standards on Environmental and Social Sustainability and the World Bank Group Environmental, Health and Safety Guidelines as the applicable Environmental and Social Standards for projects in non-Designated Countries. EP4 strengthened EP3 with new requirements on climate change risk assessment (Annex A, including TCFD-aligned reporting and alternatives analysis for high-emission projects), human rights due diligence (Annex B, aligned with the UN Guiding Principles on Business and Human Rights) and the rights of Indigenous Peoples (FPIC).
Estonia's national Personal Data Protection Act (Isikuandmete kaitse seadus, RT I, 04.01.2019, 11, in force from 15 January 2019). The Act applies in conjunction with the GDPR: Chapter 2 implements the GDPR Article 85-89 derogations for journalistic, academic, scientific/historical research and archiving purposes; Chapter 3 covers national specifications including the child's age of consent (set at 13), processing after death of the data subject, processing in connection with violations of obligations, and processing in public places; Chapter 4 implements Directive (EU) 2016/680 (Law Enforcement Directive) for processing by law enforcement authorities, including processing principles, data subject rights, controller/processor obligations, the data protection specialist, security measures, breach notification, and transmission to third countries; Chapter 5 establishes the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) and its competence; Chapters 6-7 set liability, penalties and implementing provisions.
The ETI Base Code is the internationally-recognised code of labour practice maintained by the Ethical Trading Initiative (ETI), a multi-stakeholder alliance of companies, trade unions and NGOs founded in the United Kingdom. The Base Code, founded on the conventions of the International Labour Organisation (ILO), sets out nine provisions for the labour conditions of workers in global supply chains. ETI member companies commit to adopting the Base Code or an equivalent supplier code as the basis of their ethical-trade programme and to working progressively towards its implementation in their supply chains.
Ethiopia's first comprehensive personal data protection law. Personal Data Protection Proclamation No. 1321/2024, passed by the Federal House of Representatives on 4 April 2024 and published in the Federal Negarit Gazette No. 35 on 24 July 2024. The Proclamation has 70 articles governing the processing of personal data, including processing principles, lawfulness and consent, sensitive personal data (with stronger protections for minors), fairness/transparency/purpose limitation/accuracy/storage limitation/integrity/confidentiality/security, cross-border data transfer (with data sovereignty considerations), data subject rights (be informed, access, rectification, erasure, object, restriction, automated decisions, portability), a controller/processor registration regime, Data Protection Officer, security measures and breach notification, records of processing, DPIA, prior authorisation/consultation, data protection by design and by default, accountability, research exceptions, monitoring and enforcement, administrative fines and criminal sanctions.
Directive (EU) 2019/882 of 17 April 2019 on the accessibility requirements for products and services (the European Accessibility Act, EAA). EAA entered into force on 27 June 2019, Member States transposed it by 28 June 2022 (Article 31), and the substantive obligations apply from 28 June 2025 (Article 31(2)). The EAA is the EU's PRIVATE-SECTOR accessibility companion to the Web Accessibility Directive (WAD, 2016/2102) which covers public-sector websites + mobile apps. EAA imposes accessibility requirements on a specific set of products (Article 2(1)) and services (Article 2(2)): products include consumer general-purpose computer hardware + operating systems + self-service terminals (ATMs + ticketing + check-in + interactive self-service for travel + banking + retail), consumer terminal equipment used for electronic communications services + audiovisual media services + e-readers; services include electronic communications services + audiovisual media services access + air-rail-water-bus passenger transport services + consumer banking services + e-commerce services + e-books and dedicated software. Accessibility requirements are set out in Annex I sections I-VII. Economic operators (manufacturer + authorised representative + importer + distributor + service provider) have parallel obligations to those in horizontal product safety + market surveillance (GPSR + 2019/1020 + PLD). Article 14 provides the fundamental-alteration + disproportionate-burden exception + Article 4(5) microenterprise exemption (under 10 staff + EUR 2 million turnover or balance-sheet total). Article 32 transitional rule allows service providers to continue providing services concluded before 28 June 2025 until 28 June 2030 (5-year service-provider transitional rule); self-service-terminal exception extends to 20 years from first deployment (Article 32(2)) for specific categories. 
The EAA + WAD together form the EU's combined accessibility framework with the same harmonised standard EN 301 549 as the technical-conformance bar.
The EITI Standard 2023 is the global voluntary standard for the transparent and accountable management of natural resources (oil + gas + mining). The 2023 edition was adopted by the EITI Board in June 2023 and is structured in three parts: PART 1 - EITI Principles and Requirements (the substantive disclosure regime); PART 2 - EITI Board oversight and Validation (the assurance regime); PART 3 - EITI governance + management (the EITI Association, the International Secretariat, the EITI Board). EITI applies in 57 implementing countries (oil + gas + mining producers) which voluntarily commit to disclose payments + revenues + production + exports + contracts + licences + beneficial ownership of companies in the extractive value chain. The 2023 Standard introduces strengthened requirements on: (a) beneficial ownership transparency (Requirement 2.5 - extending the 2019-introduced obligation with stricter timelines + verification expectations); (b) contract + licence transparency (Requirement 2.4 - mandatory public disclosure of all new or amended contracts and licences from 1 January 2021 onwards); (c) energy transition + climate-related disclosures including environmental expenditures + greenhouse gas emissions + decarbonisation efforts (Requirement 6.4 - new in 2023); (d) gender + diversity in MSGs + EITI data + workforce (cross-cutting); (e) data accessibility + open data via the new Open Data Reporting Standard (Requirement 7.2). EITI is operationalised through multi-stakeholder groups (MSGs) in each implementing country comprising government + extractive companies + civil society representatives + supported by Independent Administrators. EITI is reinforced by EU + US + UK mandatory disclosure regimes (Directive 2013/34/EU Chapters 9 + 10 on country-by-country payment reporting; US Dodd-Frank Section 1504; UK + Canada equivalents). 
It serves as the principal transparency framework for the extractive sector and a complement to the UNGPs + OECD MNE Guidelines + the FATF beneficial-ownership regime + the Open Government Partnership.
The 'FAA Cybersecurity Framework for Aviation' is not a single FAA-published document but a DISTRIBUTED U.S. aviation cybersecurity policy stack maintained by the Federal Aviation Administration (FAA) covering: (a) AIRCRAFT cybersecurity airworthiness under 14 CFR Part 25 + Part 23/27/29 (Special Conditions historically + Notice of Proposed Rulemaking 2024 NPRM to codify cybersecurity as a standing airworthiness requirement); (b) ADVISORY CIRCULARS AC 119-1 (Cybersecurity for Operators), AC 25-21 (Aircraft Network Security Architecture), AC 23-XX series (general aviation), AC 27-XX series (rotorcraft); (c) RTCA / EUROCAE INDUSTRY STANDARDS DO-326A / ED-202A (Airworthiness Security Process Specification), DO-356A / ED-203A (Airworthiness Security Methods + Considerations), DO-355A / ED-204A (Information Security Guidance for Continuing Airworthiness), ARINC 811 (Aircraft Network Security Architecture); (d) AIR TRAFFIC MANAGEMENT cybersecurity through the FAA Cybersecurity Strategy + the National Airspace System (NAS) cybersecurity program; (e) AIRPORT cybersecurity coordinated with TSA + DOT cybersecurity initiatives; (f) UAS / DRONE cybersecurity under 14 CFR Part 107 + Remote ID rule + UAS Traffic Management (UTM); (g) SUPPLY CHAIN cybersecurity for aviation including alignment with CISA Cyber Performance Goals (CPGs) + NIST SSDF + Executive Order 14028; (h) FAA INTERNAL information security via FAA Order 1370.123A; (i) INDUSTRY COLLABORATION via the Aviation Cybersecurity Working Group (ACWG) + the Aviation Cyber Initiative (ACI) led by FAA + DOT + DHS / CISA + DOD. This corpus node tracks the framework at sector-application level; substantive technical requirements come from the underlying RTCA / EUROCAE standards (DO-326A family - copyrighted, needs_licensed_copy) + the FAA Advisory Circulars + the applicable 14 CFR airworthiness provisions. 
Status: referenced (distributed sector-application view of FAA aviation cybersecurity policy stack; substantive obligations live in the RTCA / EUROCAE standards + 14 CFR provisions + FAA ACs + FAA Strategy).
The FATF 40 Recommendations (last comprehensive revision February 2012 with subsequent targeted updates - R.15 Virtual Assets / VASPs 2018-2024, R.24 + R.25 Beneficial Ownership 2022-2024, R.8 Non-Profit Organisations 2016+2023, R.5 Terrorist Financing 2024) are the international standards on combating money laundering + terrorist financing + proliferation financing. The Recommendations are adopted by the Financial Action Task Force (FATF) and applied across 200+ jurisdictions through the FATF Global Network including the FATF-Style Regional Bodies (FSRBs): APG (Asia/Pacific), CFATF (Caribbean), EAG (Eurasian), ESAAMLG (Eastern + Southern Africa), GAFILAT (Latin America), GIABA (West Africa), GABAC (Central Africa), MENAFATF (Middle East + North Africa), MONEYVAL (Council of Europe). Mutual Evaluation cycles (currently the 5th round) assess country compliance through (a) Technical Compliance ratings (C / LC / PC / NC) against the 40 Recommendations + (b) Effectiveness ratings against the 11 Immediate Outcomes. Implementation is supplemented by Best Practices Papers + Methodology + Guidance documents on specific topics (Virtual Assets / VASPs, Beneficial Ownership, NPO sector, Politically Exposed Persons, Risk-Based Approach for various sectors). Non-compliance can lead to inclusion on the FATF Public Statement / 'Grey List' (jurisdictions under increased monitoring) or 'Black List' (High-Risk Jurisdictions Subject to a Call for Action) with severe market-access + correspondent-banking consequences. The 40 Recommendations are the foundational instrument for the EU AMLD6 + AMLD7 (Regulation (EU) 2024/1624 + Directive (EU) 2024/1640) + US Bank Secrecy Act / FinCEN Customer Due Diligence Rule + UK MLR 2017 + global AML/CFT laws.
FATF Recommendation 16 (Wire Transfers) was extended to Virtual Asset Service Providers (VASPs) in October 2018 + June 2019 (R.15 + Interpretive Note to R.15 + the FATF October 2018 Public Statement) operationalising the TRAVEL RULE for virtual asset transfers. The 2024 FATF Targeted Update on Virtual Assets + VASPs (R.15 / R.16) refined implementation expectations. CORE REQUIREMENTS: VASPs must obtain + hold + transmit required originator and beneficiary information for virtual asset transfers; the de minimis threshold is set at USD/EUR 1,000 (lower than for traditional wire transfers); information includes originator name + originator account number / wallet identifier + originator address or national identity number / customer identification number / date and place of birth + beneficiary name + beneficiary account number / wallet identifier. The recipient VASP must conduct counterparty VASP due diligence (CVDD) to determine that the counterparty VASP is licensed/registered + has appropriate AML/CFT controls + risk-rates the counterparty + applies enhanced measures where appropriate. The 'SUNRISE PROBLEM' refers to cross-jurisdictional implementation gaps where some jurisdictions have transposed FATF R.16 for VASPs but others have not - leaving VASPs in compliant jurisdictions transferring to or receiving from VASPs in non-compliant jurisdictions facing ambiguity. UNHOSTED WALLET TRANSFERS (transfers to or from self-hosted / non-custodial wallets) raise additional risks; the 2024 FATF Targeted Update reinforced that VASPs should apply risk-based + enhanced measures + collect originator information for outbound transfers to unhosted wallets + assess incoming transfers from unhosted wallets. EU implementation via Transfer of Funds Regulation (TFR) (Regulation (EU) 2023/1113) + complementing the MiCA + AMLR. US implementation via FinCEN 31 CFR 1010.410(f) (Travel Rule) covering CVCs (Convertible Virtual Currencies). 
UK implementation via the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Travel Rule technical infrastructure includes the InterVASP Messaging Standard (IVMS101) for data exchange + multiple competing networks (TRP, TRUST, Sygna Bridge, OpenVASP, Notabene, Sumsub Travel Rule). Travel Rule compliance is a precondition for VASP licensing in most jurisdictions + a barrier to market access for non-compliant VASPs.
The FBI Criminal Justice Information Services (CJIS) Security Policy establishes minimum security requirements for access to FBI CJIS Division systems and information including the National Crime Information Center (NCIC), Interstate Identification Index (III), and National Instant Criminal Background Check System (NICS). Version 5.9.4 (2024) applies to all entities accessing criminal justice information (CJI) including law enforcement, contractors, and cloud service providers.
47 CFR Part 64 Subpart U (sections 64.2001 to 64.2011) is the US Federal Communications Commission rulemaking implementing Section 222 of the Communications Act of 1934 + the CPNI Order. CPNI is information that relates to the quantity + technical configuration + type + destination + location + amount of use of a telecommunications service subscribed to by a customer + made available to the carrier by the customer solely by virtue of the carrier-customer relationship. CPNI typically includes: call detail records (CDR) - origination + destination + duration + frequency + time of calls; service plan information + features + billing; geographic / location data; technical configuration of customer service. The CPNI rules apply to: telecommunications carriers + interconnected VoIP providers + (post-2016) broadband internet access service providers under FCC Title II classification (since reversed). Core requirements: (a) use + disclosure restrictions under Section 222 (CPNI may only be used for the provision of telecommunications services + adjacent services unless customer approval is obtained); (b) approval mechanisms - opt-in for non-affiliated third parties + opt-out for affiliated marketing of additional services (Section 64.2004); (c) notice requirements for customer approval (Section 64.2008); (d) safeguards on use + disclosure (Sections 64.2009 + 64.2010 - personnel training + supervisory review + authentication for online + telephone + in-store account access + password protection); (e) DATA BREACH NOTIFICATION (Section 64.2011 - law enforcement notification within 7 business days to USSS + FBI via FCC ECPNI portal + customer notification after the 7-business-day waiting period unless law enforcement extends + recordkeeping for 2 years); (f) annual compliance certification by a corporate officer with personal knowledge (filed with FCC by 1 March each year). 
The FCC CPNI rules have been amended multiple times: 2007 CPNI Order (pretexting + authentication strengthening following the HP pretexting scandal); 2009 CPNI Order (further authentication + password protection); 2011 Data Breach Order (Section 64.2011 breach notification framework + recordkeeping); 2017 FCC Broadband Privacy rules (FCC 16-148 - REPEALED by Congressional Review Act in April 2017 + replaced by common-carrier rules); 2024 FCC Section 222 enforcement action against major carriers for sale of customer location data (Verizon + AT&T + T-Mobile + Sprint - hundreds of millions in fines).
21 CFR Part 11 (62 FR 13430 March 20 1997) establishes the criteria under which the FDA considers electronic records + electronic signatures to be trustworthy + reliable + equivalent to paper records + handwritten signatures. The regulation applies to ALL electronic records + signatures created + modified + maintained + archived + retrieved + transmitted under any records requirement set forth in any FDA regulation or any electronic records submitted to FDA under the Federal Food + Drug + and Cosmetic Act + Public Health Service Act + Tobacco Control Act. STRUCTURE - 3 Subparts: SUBPART A General Provisions (§11.1 scope + §11.2 implementation + §11.3 definitions); SUBPART B Electronic Records (§11.10 controls for closed systems + §11.30 controls for open systems + §11.50 signature manifestations + §11.70 signature / record linking); SUBPART C Electronic Signatures (§11.100 general requirements + §11.200 signature components + controls + §11.300 controls for identification codes + passwords). Risk-based implementation: per the August 2003 FDA Scope and Application Guidance the agency intends to exercise enforcement discretion regarding specific Part 11 requirements + apply Part 11 requirements based on risk + criticality + intended use. Computer System Validation (CSV) under Part 11 + the GAMP 5 framework + ICH Q9 risk + ICH Q10 PQS coordinate to operationalise the regulation. The 2023 FDA Computer Software Assurance (CSA) draft guidance + the related FDA Software Bill of Materials (SBOM) expectations modernise the validation approach for medical device software + production software. Part 11 is the US counterpart to EU GMP Annex 11 (which covers computerised systems in GMP-regulated pharmaceutical manufacturing) + EMA Q&A on Annex 11 + the EU Medical Device Regulation (MDR) + In Vitro Diagnostic Regulation (IVDR) digital records provisions. 
Part 11 enforcement examples include FDA warning letters citing inadequate audit trails + lack of validation + electronic-signature controls failures + closed-system control deficiencies in pharmaceutical manufacturing sites + clinical trial sponsors + medical device manufacturers + contract research organisations (CROs).
The new 21 CFR Part 820 (Quality Management System Regulation, QMSR) was published as a Final Rule on 31 January 2024 (89 FR 7496) and applies from 2 FEBRUARY 2026. It HARMONISES the FDA medical device quality system requirements with ISO 13485:2016 by INCORPORATING THAT STANDARD BY REFERENCE under §820.7 + retaining a small number of FDA-specific additions (§820.15 clarifications + §820.35 record controls including audit trail + UDI + reporting + §820.45 device labelling + packaging controls). The QMSR replaces the prior Quality System Regulation (QSR) which had its own elaborate structure (former §820.20 through §820.250 covering management responsibility + design controls + document control + purchasing + production + acceptance + CAPA + labelling + handling + records + servicing + statistical techniques). The QMSR applies to FINISHED MEDICAL DEVICES that are intended for human use + are subject to FDA registration + listing under section 510 of the Federal Food, Drug, and Cosmetic Act. STRUCTURE - the QMSR Final Rule has 7 substantive sections: §820.1 scope; §820.3 definitions; §820.7 incorporation by reference; §820.10 requirements for a quality management system (incorporating ISO 13485:2016 Sections 4-8); §820.15 clarification of concepts (FDA-specific clarifications + glossary harmonisation); §820.35 control of records (record retention + audit trail + UDI + medical-device reporting + corrections and removals records); §820.45 device labelling and packaging controls (FDA-specific). RELATED FRAMEWORKS: ISO 13485:2016 (incorporated by reference + COPYRIGHTED + NEEDS LICENSED COPY); EU MDR (Regulation (EU) 2017/745) + IVDR (Regulation (EU) 2017/746) parallel medical device + IVD regulations; FDA Part 11 (Electronic Records + Electronic Signatures) for computer system validation + audit trail records under §820.35; FDA Cybersecurity Premarket Guidance + Cures Act 524B for medical device software. 
The 2-YEAR TRANSITION PERIOD requires FDA-regulated medical device manufacturers to fully implement the harmonised QMSR by 2 February 2026 + the FDA has clarified that the transition does not require re-certification - existing QSR-compliant systems will be evaluated against QMSR during routine inspections after the application date.
The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool helps financial institutions identify cybersecurity risks and determine their preparedness. Based on the NIST Cybersecurity Framework, it assesses inherent risk profile and cybersecurity maturity across five domains. Used by FFIEC member agencies (OCC, FDIC, Federal Reserve, NCUA, CFPB) during examinations.
Federal Financial Institutions Examination Council IT guidance
FIDO2 is the joint FIDO Alliance + W3C standard for passwordless + phishing-resistant authentication composed of: (a) W3C WEB AUTHENTICATION (WebAuthn) Level 3 Recommendation - the browser + relying party API for public-key credential creation + authentication; (b) FIDO CLIENT-TO-AUTHENTICATOR PROTOCOL 2.1 (CTAP2.1) - the protocol between client devices + roaming or platform authenticators; (c) FIDO METADATA SERVICE v3 (MDS3) - the trust + attestation metadata for authenticators including AAGUIDs + status reports + transports + algorithms; (d) DISCOVERABLE CREDENTIALS / PASSKEYS - resident-credential storage on authenticators enabling passwordless workflows + cross-device synchronisation via iCloud Keychain + Google Password Manager + Windows Hello + 1Password / Bitwarden / Dashlane. Core security properties: PHISHING RESISTANCE through origin binding + RP ID validation + channel binding; UNPHISHABLE WITHOUT USER INTERVENTION (no shared secrets); BIOMETRICS + PIN VERIFICATION local to the authenticator (never transmitted); REPLAY RESISTANCE through challenge-based protocol + signature counter + anti-replay timestamping; ENTERPRISE ATTESTATION + AAGUID ALLOWLISTING for managed-device deployments. Adoption: all major browsers (Chrome + Edge + Firefox + Safari) + operating systems (Windows 11 + macOS + iOS + Android) + leading IdPs (Microsoft Entra + Google + Okta + Ping) support FIDO2/WebAuthn. 2023-2025 PASSKEY launch by Apple + Google + Microsoft with cross-device synchronisation + hybrid transport (formerly caBLE) for QR-code-based phone-to-laptop auth. FIDO Alliance certification programs: FIDO2 Server + Authenticator + UAF Server + Authenticator + U2F Server + Authenticator + Biometric Component. FIDO2/WebAuthn is the foundation for NIST SP 800-63B AAL3 phishing-resistant authentication + the basis for executive-order-mandated US federal MFA (M-22-09 + the 2024 ZTA strategy). 
Coordinated standards: OAuth 2.0 + OpenID Connect + SAML for the federation layer above WebAuthn; W3C Verifiable Credentials for the credential-presentation layer; FIDO Device Onboarding (FDO) for IoT.
The Forum of Incident Response and Security Teams (FIRST) is the leading global organization for Computer Security Incident Response Teams (CSIRTs) + Product Security Incident Response Teams (PSIRTs) + Vulnerability Coordinators + cybersecurity professionals. FIRST maintains a suite of community-developed standards + frameworks. KEY FIRST STANDARDS: (a) CSIRT SERVICES FRAMEWORK V2.1 (published 2019) - the canonical service catalog defining 5 SERVICE AREAS + 36 SERVICES that CSIRTs deliver: Information Security Event Management; Information Security Incident Management; Vulnerability Management; Situational Awareness; Knowledge Transfer; (b) COMMON VULNERABILITY SCORING SYSTEM (CVSS) - the industry-standard vulnerability severity metric; CVSS v4.0 published 2023 with revised Base + Threat + Environmental + Supplemental metrics + Macro vector + qualitative severity rating (None/Low/Medium/High/Critical); CVSS v3.1 remains in use for prior advisories; CVSS scores feed into vulnerability management + patch prioritisation + the CISA Known Exploited Vulnerabilities (KEV) Catalog + the NVD; (c) TRAFFIC LIGHT PROTOCOL (TLP) v2.0 - the four-color information-sharing classification system (TLP:RED + TLP:AMBER + TLP:AMBER+STRICT + TLP:GREEN + TLP:CLEAR) used by CSIRTs + ISACs + vendors + governments; it replaced TLP v1.0 (TLP:WHITE renamed to TLP:CLEAR in v2.0); (d) INFORMATION EXCHANGE POLICY (IEP) v2.0 - a machine-readable extension of TLP enabling automated policy-driven sharing of cyber threat intelligence; (e) MULTI-PARTY COORDINATED VULNERABILITY DISCLOSURE (MPCVD) GUIDELINES - best practices for coordinated disclosure when multiple affected vendors or affected parties exist; (f) PSIRT SERVICES FRAMEWORK - a parallel product-team-focused service framework; (g) VULNERABILITY COORDINATION BEST PRACTICES GUIDELINES. FIRST is operated as a non-profit consortium + the standards are publicly available + freely implementable.
Coordination: FIRST standards underpin many national CSIRT regimes (US-CERT + DOE CIRC + CISA + UK NCSC + ENISA + AusCERT + JPCERT/CC + KrCERT/CC + many others) + are referenced in NIST SP 800-61 + ISO/IEC 27035 + NIS2 + CIRCIA + MITRE ATT&CK + the EU Cyber Resilience Act (CRA) vulnerability handling obligations.
FISMA is the Federal Information Security Modernization Act of 2014 (Public Law 113-283), amending the Federal Information Security Management Act of 2002 + codified at 44 USC Chapter 35 Subchapter II (sections 3551-3559). FISMA is the US federal statutory framework for information security applying to all federal agencies (excluding national-security systems covered separately) + contractors operating systems on behalf of federal agencies. STATUTORY STRUCTURE: (a) Section 3551 PURPOSES; (b) Section 3552 DEFINITIONS; (c) Section 3553 AUTHORITY AND FUNCTIONS OF THE DIRECTOR OF OMB + CISA (Cybersecurity and Infrastructure Security Agency, at DHS) including BINDING OPERATIONAL DIRECTIVES (BODs) for federal civilian agencies; (d) Section 3554 FEDERAL AGENCY RESPONSIBILITIES - including agency CIO + CISO designations + agency-wide information security programs + risk assessments + incident reporting; (e) Section 3555 ANNUAL INDEPENDENT EVALUATION by agency Inspector General (IG); (f) Section 3556 FEDERAL INFORMATION SECURITY INCIDENT CENTER (US-CERT now CISA); (g) Section 3557 NATIONAL SECURITY SYSTEMS (NSS) - exclusion from FISMA + governed separately by CNSS + Intelligence Community Directive 503; (h) Section 3558 EFFECT ON EXISTING LAW; (i) Section 3559 SAVINGS PROVISIONS. 
OPERATIONALISATION: FISMA is implemented through: (1) NIST SP 800-53 Rev 5 (Security and Privacy Controls - 1,189 controls) - VERIFIED separately in graph; (2) NIST SP 800-37 Rev 2 (Risk Management Framework - Categorize + Select + Implement + Assess + Authorize + Monitor); (3) NIST SP 800-171 Rev 3 (Protecting Controlled Unclassified Information in Nonfederal Systems) for contractor systems; (4) FIPS 199 (system categorization Low + Moderate + High); (5) FIPS 200 (minimum security requirements); (6) FedRAMP (Federal Risk and Authorization Management Program for cloud) - VERIFIED separately in graph as FedRAMP Moderate + High + Rev 5 Program reference; (7) CISA Binding Operational Directives (BODs - e.g. BOD 22-01 KEV Catalog, BOD 23-01 Asset Visibility, BOD 23-02 Internet-Accessible Networking Devices); (8) OMB Memoranda (M-22-09 Zero Trust + M-22-18 SBOM + M-24-15 FedRAMP modernization). 2024-2025 PRIORITIES: ZERO TRUST ARCHITECTURE per OMB M-22-09 + CISA Zero Trust Maturity Model v2 + the National Cybersecurity Strategy + CIRCIA Final Rule 2026 alignment.
FSSC 22000 is a Global Food Safety Initiative (GFSI)-recognized food safety certification scheme developed + maintained by the FOUNDATION FSSC (Foundation for Food Safety Certification + headquartered in Gorinchem, Netherlands). The scheme provides a comprehensive certification framework for FOOD MANUFACTURERS + PACKAGING + ANIMAL FEED + CATERING + RETAIL + WHOLESALE + BIOCHEMICAL PRODUCT + TRANSPORT-AND-STORAGE operators across the food supply chain. SCHEME STRUCTURE: (a) ISO 22000:2018 - the underlying ISO Food Safety Management System (FSMS) standard (copyrighted - tracked separately as ISO 22000 framework, needs licensed copy); (b) ISO/TS 22002-X SECTOR-SPECIFIC PREREQUISITE PROGRAMS - 22002-1 (Food Manufacturing) + 22002-2 (Catering) + 22002-3 (Farming) + 22002-4 (Food Packaging Manufacturing) + 22002-5 (Transport and Storage) + 22002-6 (Feed and Animal Food Production) (copyrighted); (c) FSSC 22000 ADDITIONAL REQUIREMENTS - the FSSC-specific scheme-level additions (publicly available + downloadable from fssc.com): Food Safety and Quality Culture + Food Defense (TACCP) + Food Fraud Mitigation (VACCP) + Allergen Management + Environmental Monitoring + Product Labelling + Storage and Transport + Logo Use + Management of Services and Purchased Materials + Hazard Control and Allergen Cross-Contamination + others. CERTIFICATION: 3-year certification cycle with annual surveillance audits + unannounced audit (typically 1 every 3 years). VERSIONS: FSSC 22000 v6.0 (published April 2023; effective 1 April 2024); v6.1 expected 2025-2026 with updates on (i) cybersecurity in food chain; (ii) AI in food safety; (iii) climate impact + supply-chain resilience. GFSI RECOGNITION: FSSC 22000 is one of approximately 10 GFSI-recognized schemes alongside BRCGS + IFS Food + SQF + Global G.A.P. + others; GFSI benchmarking ensures equivalence across schemes. 
COORDINATION: with FDA Food Safety + EU Regulation 178/2002 (General Food Law) + EU Regulation 852/2004 (Hygiene of Foodstuffs) + EU Regulation 1169/2011 (Food Information) + Codex Alimentarius + national food-safety authorities. AUDIT BODIES: FSSC 22000 audits are conducted by ACCREDITED CERTIFICATION BODIES (CABs) under IAF accreditation; major CABs include SGS + Bureau Veritas + DNV + DEKRA + TÜV + Lloyd's Register Quality Assurance (LRQA) + others; auditor competency requirements per FSSC.
The FTC GLBA Safeguards Rule (16 CFR Part 314) is the Federal Trade Commission regulation implementing Title V of the Gramm-Leach-Bliley Act (15 USC 6801-6809). The Rule applies to NON-BANK FINANCIAL INSTITUTIONS under FTC jurisdiction (consumer reporting agencies + finance companies + auto dealers + mortgage brokers + payday lenders + tax preparers + non-bank lenders + investment advisors + others). Bank-regulator-supervised financial institutions are covered by parallel regulations (12 CFR Part 30 OCC + 12 CFR Part 208 + 225 FRB + 12 CFR Part 364 FDIC + 12 CFR Part 748 NCUA + 17 CFR 248 SEC) issued by the federal banking agencies. REGULATORY HISTORY: (a) 2002 ORIGINAL RULE: required a written information security program + risk assessment + service-provider oversight + adjusting for changes; (b) 2021 AMENDMENTS (effective 9 January 2022 + with January 2023 for elements that required additional time): expanded definition of financial institution to include FINDERS (introducers); added 9 SPECIFIC SAFEGUARD ELEMENTS - (1) ACCESS CONTROLS + role-based + least-privilege + periodic review; (2) DATA INVENTORY + CLASSIFICATION; (3) ENCRYPTION of customer information at rest and in transit; (4) SECURE DEVELOPMENT PRACTICES; (5) MULTI-FACTOR AUTHENTICATION (MFA) for any individual accessing customer information on the network; (6) SECURE DISPOSAL of customer information; (7) CHANGE MANAGEMENT PROCEDURES; (8) MONITORING AND LOGGING of authorized user activity + detecting unauthorized access; (9) CONTINUOUS MONITORING OR ANNUAL PENETRATION TESTING + SEMIANNUAL VULNERABILITY ASSESSMENTS; required QUALIFIED INDIVIDUAL designation responsible for program oversight + Board reporting; required WRITTEN INCIDENT RESPONSE PLAN; (c) 2023 AMENDMENTS: added FTC NOTIFICATION REQUIREMENT for security events affecting 500 OR MORE CONSUMERS within 30 DAYS; (d) 2024-2025 FTC ENFORCEMENT: actions against multiple financial institutions + mortgage brokers + auto dealers for non-compliance with the new elements; (e) 2025 ANTICIPATED: additional amendments on AI-related risk + supply-chain due diligence + interagency coordination. EXEMPTION: institutions maintaining customer information of fewer than 5,000 CONSUMERS may use SIMPLIFIED COMPLIANCE under Section 314.6 (written risk assessment + safeguard elements + service-provider oversight); 5,000+ institutions must comply with full requirements.
The FTC Health Breach Notification Rule (16 CFR Part 318) is the FTC regulation requiring VENDORS OF PERSONAL HEALTH RECORDS (PHR) + PHR-RELATED ENTITIES + THIRD-PARTY SERVICE PROVIDERS to NOTIFY individuals + the FTC + (where applicable) the media of breaches of security involving identifiable health information. The Rule applies to entities NOT COVERED BY HIPAA (Health Insurance Portability and Accountability Act of 1996 + HIPAA Breach Notification Rule at 45 CFR Subpart D) - i.e. consumer-facing health apps + wearables + fitness trackers + reproductive health apps + DTC genetics + mental health apps + smart scales + connected medical devices NOT operated by HIPAA-covered entities. 2009 ORIGINAL RULE: implemented Section 13407 of the HITECH Act (PL 111-5); covered classic PHR vendors. 2024 FINAL RULE AMENDMENTS (effective 29 July 2024 + with 25 April 2025 for delayed elements): EXPANDED SCOPE to (a) MOBILE HEALTH APPS + CONNECTED DEVICES even if not marketed as PHR; (b) NEW DEFINITION OF BREACH explicitly including UNAUTHORIZED DISCLOSURE to advertising/marketing networks + 3rd-party SDKs + data brokers + cross-app tracking + reproductive-health-data scenarios; (c) UPDATED DEFINITION OF PHR IDENTIFIABLE HEALTH INFORMATION; (d) NEW DEFINITION OF HEALTHCARE PROVIDER; (e) THIRD-PARTY SERVICE PROVIDER (TPSP) obligations to upstream notify PHR vendors. NOTIFICATION REQUIREMENTS: (i) INDIVIDUAL NOTIFICATION without unreasonable delay + no later than 60 CALENDAR DAYS after discovery; (ii) FTC NOTIFICATION via online notification form within 60 days (for breaches affecting 500+ individuals) or annual log (<500); (iii) MEDIA NOTIFICATION via prominent media outlet for breaches affecting 500+ individuals in a state or jurisdiction; (iv) CONTENT REQUIREMENTS - brief description + types of info + steps to protect + actions taken + contact info. 
ENFORCEMENT: FTC may impose civil penalties up to USD 51,744 PER VIOLATION (2025 figure - adjusted annually for inflation per Federal Civil Penalties Inflation Adjustment Act); additional state enforcement under state attorney general consumer protection laws. PRIVATE RIGHT OF ACTION: none under HBNR + but state law claims may apply.
The Fair Labor Association (FLA) Workplace Code of Conduct is a voluntary multi-industry workplace standards code adopted by FLA member companies (apparel + footwear + agriculture + electronics + university licensee sector) and applied across their global supplier networks. The Code was first adopted in 1998 + revised periodically; the current version (post-2017 + ongoing review) consists of 10 principles that operationalise the ILO Declaration on Fundamental Principles and Rights at Work + the UN Guiding Principles on Business and Human Rights + the OECD Guidelines for Multinational Enterprises. The 10 principles are: (1) Employment Relationship; (2) Nondiscrimination; (3) Harassment or Abuse; (4) Forced Labor; (5) Child Labor; (6) Freedom of Association and Collective Bargaining; (7) Health, Safety, and Environment; (8) Hours of Work; (9) Compensation; (10) (varying topical principle covering subcontracting / supply chain responsibility + worker grievance + remediation). The 10 principles are operationalised through 100+ COMPLIANCE BENCHMARKS - specific operational practices that FLA-accredited monitoring + audit programmes assess. FLA-accredited companies submit to periodic Independent External Monitoring (IEM) + Sustainable Compliance Initiative (SCI) audits + remediation oversight + external reporting via the FLA Public Reports system + the FLA Tracking Chart. The FLA Workplace Code is the principal multi-stakeholder voluntary labor-standards code in the apparel + footwear + agriculture sectors alongside the SAC Higg + Better Cotton Initiative + Worldwide Responsible Accredited Production (WRAP) + Social Accountability International SA8000 + amfori BSCI. Substantive content lives in the FLA Workplace Code of Conduct + the FLA Compliance Benchmarks (FLA-member-gated full text but publicly summarised on fairlabor.org).
FERPA is the Family Educational Rights and Privacy Act of 1974 (20 USC 1232g) implemented by 34 CFR Part 99 + administered by the US Department of Education Student Privacy Policy Office (SPPO) + Privacy Technical Assistance Center (PTAC). FERPA protects the privacy of student education records held by educational agencies + institutions receiving funds from any program administered by the Secretary of Education + applies to virtually all US K-12 + postsecondary educational institutions. FERPA confers four core rights on parents (transferred to eligible students at age 18 or upon postsecondary enrollment): (a) the right to INSPECT AND REVIEW education records; (b) the right to REQUEST AMENDMENT of records believed to be inaccurate or misleading; (c) the right to CONSENT to disclosures of personally identifiable information (PII) from education records subject to specified exceptions; (d) the right to FILE A COMPLAINT with the Department of Education for FERPA violations. Educational institutions must provide ANNUAL NOTIFICATION of these rights + the criteria for designating school officials with legitimate educational interest. Disclosures without consent are limited to specific exceptions: school officials + other educational institutions for enrolment + financial aid + accrediting organizations + parents of dependent students + court orders + health/safety emergencies + studies for or on behalf of the institution + audit + evaluation by authorised representatives + directory information after public notice. DIRECTORY INFORMATION (typically name + address + phone + email + photograph + dates of attendance + grade level + sport participation + degrees + honors) may be disclosed without consent if the institution provides annual public notice + a reasonable opportunity to opt-out. DATA SECURITY SAFEGUARDS for PII in education records are required under the studies + audit + evaluation exceptions + the SPPO/PTAC Best Practices Guidance. 
ENFORCEMENT is by the SPPO (within DoE) + may result in loss of federal funding (the sole statutory remedy). FERPA is coordinated with the Children's Online Privacy Protection Act (COPPA) + the Protection of Pupil Rights Amendment (PPRA) + state student privacy laws (SOPIPA + Connecticut + New York + California + ~20 other states). FERPA Final Rule revisions: 1988 + 1995 + 2008 + 2011 (audit + evaluation + studies exceptions clarified) + 2011 directory information + 2020 study by SPPO + ongoing 2024-2025 PTAC guidance updates on AI + cloud + edtech vendor agreements + data breach notification standards.
FedRAMP High baseline, based on NIST SP 800-53 Revision 5, includes all 421 security controls with FedRAMP-specific tailoring and implementation guidance.
FedRAMP Moderate baseline. Federal cloud service authorization built on NIST SP 800-53 Rev 5 with FedRAMP-specific parameters.
FedRAMP is the US Federal Risk and Authorization Management Program established in 2011 by OMB Memorandum M-11-30 + implementing the Federal Information Security Management Act (FISMA) for cloud services used by US federal agencies. FedRAMP Rev 5 is the current version operating against NIST SP 800-53 Revision 5 + the FedRAMP Rev 5 Baselines (Low + Moderate + High + LI-SaaS) with FedRAMP-specific overlay parameters. NB: the substantive control content for the FedRAMP Moderate (323 controls) + FedRAMP High (417 controls) baselines is tracked separately in the graph as 'FedRAMP Moderate' + 'FedRAMP High' frameworks (both verified against NIST 800-53 OSCAL). This corpus node tracks the PROGRAM-LEVEL reference covering: (a) the FedRAMP Program Management Office (PMO) under GSA; (b) FedRAMP authorization paths - JAB (Joint Authorization Board comprising DOD + DHS + GSA) + Agency-ATO (individual agency Authority to Operate); (c) Authorization Boundary documentation including SSP / SAR / POA&M / continuous-monitoring plan; (d) Continuous Monitoring (ConMon) - monthly vulnerability scanning + quarterly POA&M update + annual assessment + reporting via Salesforce + FedRAMP Marketplace; (e) Significant Change Request (SCR) workflow + FedRAMP review; (f) 2024 OMB Memorandum M-24-15 modernising the FedRAMP process + introducing FedRAMP 2.0; (g) Coordination with StateRAMP + GovRAMP + state + local + tribal government cloud authorization; (h) coordination with FISMA + NIST SP 800-37 RMF + the FedRAMP Marketplace listing of authorized CSPs + assessors (3PAOs).
Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the UAE PDPL) is the UAE's federal-level personal data protection law adopted on 26 September 2021 + published in the Official Gazette on 28 November 2021 + entered into force on 2 January 2022 (six months after publication). The Law applies to: any natural person whose data is processed; any controller / processor located in the UAE; any controller / processor located OUTSIDE the UAE that processes the personal data of data subjects within the UAE (extraterritorial scope). The Law is administered by the UAE DATA OFFICE, which has been operational since 2022 + has the authority to issue executive regulations + guidance + handle complaints + investigate breaches + impose administrative penalties. EXCLUSIONS: the Law does NOT apply within the financial free zones - the Dubai International Financial Centre (DIFC) maintains its own sectoral data protection law (DIFC Data Protection Law No. 5 of 2020) + the Abu Dhabi Global Market (ADGM) maintains its own (ADGM Data Protection Regulations 2021). Sectoral data protection laws also exist (Federal Law No. 2 of 2019 on Health Data + cybersecurity-sectoral regulations). KEY PROVISIONS: lawful basis for processing (Article 4); consent (Article 5); sensitive personal data + biometrics (Article 6); children's data (Article 7); data subject rights (Articles 11-16 - access + correction + erasure + restriction + portability + objection + opt-out for automated decision-making); controller + processor obligations (Articles 8-10, 18-21 - records + security + breach notification + DPO + DPIA); cross-border transfers (Articles 22-24 - adequacy / appropriate safeguards / derogations); UAE Data Office establishment + powers (Articles 25-29). The Law incorporates GDPR-aligned protections + applies to data processed in the UAE OR for UAE-resident data subjects from abroad. Executive Regulations + Data Office guidance continue to evolve.
The Fiji Data Protection Bill 2020 (subsequently revised as the Personal Information and Data Protection Bill 2021) was introduced into the Fijian Parliament to establish a comprehensive data-protection regime for Fiji. The Bill is loosely aligned with GDPR + the Australia Privacy Act 1988 + the Singapore Personal Data Protection Act 2012 + provides for a Personal Information and Data Protection Commissioner (PIDPC) + 6 data-protection principles (lawful and fair processing + purpose limitation + data minimisation + accuracy + storage limitation + integrity and confidentiality) + 6 data-subject rights (access + rectification + erasure + data portability + objection + automated decision-making protection) + cross-border transfer controls + breach notification + administrative penalties up to FJD 1 million + appeals to the Fiji High Court. STATUS: The Bill HAS NOT BEEN ENACTED INTO LAW as of 2026. Public-source tracking (DLA Piper data protection laws of the world + IAPP + cms.law + Lexology) indicates the Bill has been in committee stage with revisions + has not progressed to assent. Data protection in Fiji remains governed by sector-specific provisions in the Banking Act + Public Service Act + Information Act 2018 + the common-law action for breach of confidence + the constitutional right to privacy under Section 24 of the 2013 Constitution. The Fiji Online Safety Act 2018 (FOSA) covers harmful electronic communications + cyberbullying but is not a general data-protection regime. ADMINISTRATIVE BODY: pending enactment, the Pacific Privacy Authority Network (PPAN) + the regional Asia-Pacific Privacy Authorities (APPA) provide informal coordination + Fiji participates as observer. RELATED: the Fijian Information Commissioner (under the Information Act) may receive jurisdiction over the eventual data protection regime; the 2024-2025 Pacific Islands Forum data-protection working group has supported regional harmonisation along GDPR-like + Singapore PDPA-like lines.
The Finland Data Protection Act (Tietosuojalaki, 1050/2018) is the Finnish national supplement to the EU General Data Protection Regulation (Regulation (EU) 2016/679). The Act entered into force on 1 January 2019 + repealed the prior Personal Data Act (523/1999). The Act covers the national-level derogations + supplements permitted by GDPR including: (a) lawful basis under public-interest task + official authority for public authorities and statutorily-tasked private entities (Section 4); (b) processing of PERSONAL IDENTITY CODES (Henkilötunnus) - the Finnish national identifier - with strict purpose limitation + need for identification (Section 29); (c) SPECIAL CATEGORIES of personal data with derogations for employment + social security + professional secrecy + research + statistics + archiving + health + occupational safety (Section 6); (d) PROCESSING OF CRIMINAL OFFENCES DATA per Section 7 + the Criminal Records Act; (e) DATA PROTECTION OMBUDSMAN (Tietosuojavaltuutettu) as the supervisory authority with Sanctions Collegium (Seuraamuskollegio) for administrative fines (Sections 8-13); (f) DEROGATIONS from the right of access + rights of data subjects for scientific or historical research purposes + statistical purposes + archiving purposes in the public interest (Section 31); (g) JOURNALISTIC + ACADEMIC + ARTISTIC + LITERARY EXEMPTIONS (Section 27 + Constitution Section 12 freedom of expression); (h) BILINGUAL TRANSPARENCY (Finnish + Swedish per Constitution Section 17 + Language Act 423/2003) for data subject information notices.
SECTORAL COORDINATION: the Tietosuojalaki coordinates with the ACT ON PRIVACY IN WORKING LIFE (Laki yksityisyyden suojasta työelämässä, 759/2004) for employee data + workplace monitoring + email inspection; the INFORMATION SOCIETY CODE (Sähköisen viestinnän palveluista annettu laki, SVTSL 917/2014) for cookies + ePrivacy + electronic marketing (consent + technical-necessity exemption); the ACT ON ELECTRONIC COMMUNICATIONS SERVICES; the Public Information Disclosure Act; and the new Cybersecurity Act 2024 implementing EU NIS2. ENFORCEMENT: Data Protection Ombudsman + 3-member SANCTIONS COLLEGIUM may impose administrative fines up to 4% of global annual turnover or EUR 20 million (whichever is higher) - PUBLIC authorities are exempt from administrative fines under Section 24. APPEALS: to the Administrative Court within 30 days. 2024-2025 PRIORITIES: AI Act interplay + cross-border enforcement under GDPR one-stop-shop + Nordic data-protection coordination (Nordic-Baltic Working Group on Data Protection).
The Florida Digital Bill of Rights (FDBR) is the Florida state-level comprehensive privacy law codified at Florida Statutes Sections 501.701 to 501.722 + companion provisions at 501.1735 (Protection of Children Online) + 112.23 (Government-Directed Content Moderation Prohibition). Enacted by Florida Senate Bill 262 (SB 262) during the 2023 legislative session + signed into law by Governor Ron DeSantis on 6 June 2023 + effective 1 July 2024. The FDBR is DISTINCTIVELY NARROW in applicability vs other state privacy laws: it applies only to controllers that (a) conduct business in Florida + collect or process consumer personal data + (b) make in excess of USD 1 BILLION in global gross annual revenue + (c) (i) derive 50% or more of global gross annual revenue from sale of advertisements online; OR (ii) operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; OR (iii) operate an app store or digital distribution platform offering at least 250,000 different software applications. Effectively the FDBR targets BIG TECH companies + leaves small + medium businesses outside the scope. 
CORE PROVISIONS: (a) CONSUMER RIGHTS - access + correction + deletion + portability + opt-out of sale + targeted advertising + profiling; (b) OPT-OUT of VOICE OR FACIAL RECOGNITION DATA COLLECTION (unique to Florida); (c) SENSITIVE DATA OPT-IN consent; (d) CHILDREN UNDER 18 - heightened protections including consent for processing + ban on targeted advertising + processing for known minors; (e) CONTROLLER + PROCESSOR OBLIGATIONS - privacy notice + data protection assessments + processor contracts; (f) PROTECTION OF CHILDREN ONLINE (501.1735) - age verification + parental controls + minor-appropriate content; (g) GOVERNMENT-DIRECTED CONTENT MODERATION PROHIBITION (112.23) - prohibition on state and local government entities directing or requesting social media + online platforms to moderate content (post-Twitter Files inspiration); (h) SEARCH ENGINE POLITICAL BIAS DISCLOSURE (501.713) - search engines must disclose political bias in search results. ENFORCEMENT: Florida Department of Legal Affairs (within the Office of the Attorney General); CIVIL PENALTIES UP TO USD 50,000 PER VIOLATION + UP TO USD 1.5 MILLION FOR INTENTIONAL VIOLATIONS; 45-day cure period unless intentional. NO PRIVATE RIGHT OF ACTION. COMPARISON: the FDBR is narrower than CCPA/CPRA + Virginia VCDPA + Colorado CPA but adds novel + Florida-specific features (voice/facial recognition opt-out + government content moderation prohibition + search engine political bias disclosure).
The French Sapin II Law (Loi n° 2016-1691 du 9 décembre 2016 relative à la transparence, à la lutte contre la corruption et à la modernisation de la vie économique) is the comprehensive French anti-corruption + transparency + economic modernization statute enacted on 9 December 2016. ARTICLE 17 establishes the MANDATORY 8-PILLAR ANTI-CORRUPTION COMPLIANCE PROGRAM applicable to companies + groups with at least 500 employees + EUR 100 million annual turnover (or French subsidiaries of foreign groups meeting these thresholds): (1) ANTI-CORRUPTION CODE OF CONDUCT; (2) INTERNAL WHISTLEBLOWING SYSTEM (revised by the Waserman Law 2022-401 transposing EU Whistleblower Directive 2019/1937); (3) CORRUPTION RISK MAPPING (cartographie des risques); (4) THIRD-PARTY DUE DILIGENCE (clients + suppliers + intermediaries); (5) ACCOUNTING CONTROL PROCEDURES (contrôles comptables spécifiques); (6) ANTI-CORRUPTION TRAINING (programmes de formation); (7) DISCIPLINARY REGIME (régime disciplinaire); (8) INTERNAL MONITORING AND CONTROL of the program (dispositif de contrôle et évaluation interne). ENFORCEMENT: AGENCE FRANÇAISE ANTICORRUPTION (AFA) - the French Anti-Corruption Agency established by Article 1 of Sapin II + headed by a Director nominated by Presidential Decree; the AFA inspects + assesses + sanctions corporate compliance programs + may impose administrative penalties up to EUR 1 MILLION for legal entities + EUR 200,000 for individuals + judicial sanctions up to EUR 5 MILLION + 10 years imprisonment for individuals; AFA publishes detailed Recommendations (Recommandations) on compliance program standards. CONVENTION JUDICIAIRE D'INTÉRÊT PUBLIC (CJIP, Article 41-1-2 Code of Criminal Procedure): deferred prosecution agreement allowing prosecutors to suspend prosecution in exchange for fine + remediation + judicial monitoring; CJIPs typically include AFA monitorship.
WASERMAN LAW (Law 2022-401 of 21 March 2022): transposed the EU Whistleblower Directive 2019/1937 + expanded the Sapin II whistleblowing system to all employers with at least 50 employees + strengthened protections + adopted reverse burden of proof in retaliation cases. HATVP (Haute Autorité pour la Transparence de la Vie Publique - High Authority for Transparency in Public Life): maintains LOBBYING REGISTER + scrutinizes elected officials + senior civil servants. 2024-2025 PRIORITIES: AI + algorithmic decision-making anti-corruption + cross-border supply chain due diligence per EU Corporate Sustainability Due Diligence Directive (CSDDD, Directive (EU) 2024/1760) + EU Anti-Corruption Directive proposal.
The Full Range Leadership Model (FRLM) is an academic + practitioner leadership theory developed by Bernard M. Bass (Bass 1985; Bass + Riggio 2006) + Bruce J. Avolio + colleagues, describing leadership behavior along a CONTINUUM from MOST EFFECTIVE (Transformational) through MODERATELY EFFECTIVE (Transactional) to LEAST EFFECTIVE (Passive-Avoidant / Laissez-Faire). The model has THREE BROAD BEHAVIORAL CATEGORIES + NINE FACTORS: (1) TRANSFORMATIONAL LEADERSHIP (the 'four Is', with idealized influence split into two factors) - (a) IDEALIZED INFLUENCE - ATTRIBUTED (charisma + moral example as perceived by followers); (b) IDEALIZED INFLUENCE - BEHAVIOR (consistent + ethical + values-driven conduct); (c) INSPIRATIONAL MOTIVATION (compelling vision + meaning + optimism); (d) INTELLECTUAL STIMULATION (questioning assumptions + new perspectives + innovation); (e) INDIVIDUALIZED CONSIDERATION (coaching + mentoring + attention to individual follower needs); (2) TRANSACTIONAL LEADERSHIP - (f) CONTINGENT REWARD (clear expectations + rewards + recognition for performance); (g) MANAGEMENT-BY-EXCEPTION ACTIVE (proactive monitoring + intervention on deviations); (3) PASSIVE-AVOIDANT LEADERSHIP - (h) MANAGEMENT-BY-EXCEPTION PASSIVE (intervening only once problems become serious); (i) LAISSEZ-FAIRE (absence of leadership + decision avoidance). LEADERSHIP OUTCOMES: (1) EXTRA EFFORT (followers exceed expectations); (2) EFFECTIVENESS (organizational results); (3) SATISFACTION (with the leader). MEASUREMENT: the MULTIFACTOR LEADERSHIP QUESTIONNAIRE (MLQ FORM 5X SHORT) is the validated + standardised instrument; the MLQ is COPYRIGHTED + LICENSED EXCLUSIVELY by Mind Garden Inc + both commercial + research use require a license; psychometric studies establish reliability + validity across cultures + sectors. AUGMENTATION EFFECT: transformational leadership adds predictive power over transactional leadership alone for follower performance + commitment + extra effort.
KEY EVIDENCE: 35+ years of empirical research + meta-analyses; applied in business + public sector + healthcare + education + military leadership programs (US Air Force + US Army + UK Sandhurst + others); used for leadership development + 360-degree feedback + selection. ETHICAL UNDERPINNING: Bass + Steidlmeier (1999) distinguished AUTHENTIC TRANSFORMATIONAL leadership (values-aligned + ethical) from PSEUDO-TRANSFORMATIONAL leadership (manipulative use of charisma).
GAMP 5 (Good Automated Manufacturing Practice 5) is the INTERNATIONAL SOCIETY FOR PHARMACEUTICAL ENGINEERING (ISPE) flagship guide for Computerised Systems Validation in GxP-regulated environments (pharmaceutical + medical device + biotech + healthcare manufacturing + laboratories). Current edition GAMP 5 SECOND EDITION published July 2022 + supersedes the 2008 First Edition. KEY CONCEPTS: (a) RISK-BASED APPROACH - effort proportional to risk + complexity + novelty + impact on patient safety + product quality + data integrity; (b) LIFE CYCLE APPROACH - V-Model in which each Specification phase is mirrored by a Verification phase; (c) CRITICAL THINKING - applying judgment over checkbox compliance; (d) LEVERAGE SUPPLIER INVOLVEMENT - reduce duplication via supplier assessment + reuse of supplier documentation + testing; (e) SCALABILITY - approach scales from small bench instruments to enterprise ERP/MES; (f) GxP regulatory alignment - 21 CFR Part 11 (FDA Electronic Records + Electronic Signatures) + EU Annex 11 (Computerised Systems) + ICH Q9 Quality Risk Management + ICH Q10 Pharmaceutical Quality System + FDA Computer Software Assurance (CSA) Draft Guidance (September 2022). SOFTWARE CATEGORIES (Appendix M4): Category 1 INFRASTRUCTURE SOFTWARE (operating systems + databases + middleware + network tools; controlled + qualified rather than validated); Category 2 (firmware) was retired in the 2008 First Edition + the numbering was kept; Category 3 NON-CONFIGURED PRODUCTS (commercial off-the-shelf used as supplied); Category 4 CONFIGURED PRODUCTS (commercial products configured for the user's process); Category 5 CUSTOM APPLICATIONS (bespoke or in-house developed code, the highest validation effort). 2ND EDITION (2022) UPDATES: AI + machine learning systems; cloud + SaaS; agile + iterative development; DevOps + tools + automation; data integrity by design (ALCOA+); explicit critical-thinking emphasis; alignment with FDA CSA, i.e. assurance activities scaled to risk in place of exhaustive scripted testing.
APPLICATION: typical implementation includes URS (User Requirements Specification) + FS (Functional Specification) + DS (Design Specification) + IQ (Installation Qualification) + OQ (Operational Qualification) + PQ (Performance Qualification) + Traceability Matrix + Risk Assessment + Change Control + Periodic Review + Data Integrity Controls + Decommissioning. AUDITORS: FDA + EMA + MHRA + PMDA + Health Canada + Brazilian ANVISA + China NMPA + other regulators inspect against GAMP 5 + Part 11 + Annex 11 + national regulations.
General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) - EU regulation on data protection and privacy for all individuals within the European Union and European Economic Area, applicable since 25 May 2018
The Greenhouse Gas Protocol (GHG Protocol) is the world's most-widely-used corporate greenhouse gas accounting + reporting framework, developed by the WORLD RESOURCES INSTITUTE (WRI) + WORLD BUSINESS COUNCIL FOR SUSTAINABLE DEVELOPMENT (WBCSD) since 1998. The GHG Protocol comprises a SUITE of standards + guidance covering different scopes + use cases: (a) CORPORATE STANDARD (revised edition 2004) - the foundational standard for entity-level GHG inventories covering Scope 1 (direct) + Scope 2 (purchased energy) emissions; (b) SCOPE 2 GUIDANCE (2015) - location-based + market-based dual reporting methods for purchased electricity + steam + heating + cooling; (c) CORPORATE VALUE CHAIN (Scope 3) STANDARD (2011) - value-chain emissions across 15 categories (8 upstream + 7 downstream); (d) PRODUCT LIFE CYCLE STANDARD (2011) - product-level cradle-to-grave or cradle-to-gate; (e) PROJECT PROTOCOL (2005 + revisions) - GHG reductions from specific projects; (f) MITIGATION GOAL STANDARD (2014) - target-setting + tracking; (g) POLICY AND ACTION STANDARD (2014) - policy-level GHG accounting; (h) LAND SECTOR + REMOVALS GUIDANCE (2025) - new guidance on land use + land use change + forestry (LULUCF) + carbon removals + biomass + bioenergy. KEY CONCEPTS: SCOPE 1 (direct emissions from owned/controlled sources); SCOPE 2 (indirect emissions from purchased electricity + steam + heating + cooling); SCOPE 3 (15 categories of value-chain emissions); 5 REPORTING PRINCIPLES (Relevance + Completeness + Consistency + Transparency + Accuracy); ORGANISATIONAL BOUNDARIES (equity-share + financial control + operational control approaches); OPERATIONAL BOUNDARIES (Scope 1/2/3 classification); BASE YEAR + RECALCULATION; DATA QUALITY + UNCERTAINTY; EXTERNAL VERIFICATION/ASSURANCE. 
ADOPTION + INTEGRATION: GHG Protocol is the basis for SBTi (Science Based Targets initiative) + CDP (formerly Carbon Disclosure Project) + CSRD/ESRS E1 (Climate Change) + ISSB IFRS S2 + SEC Climate Disclosure Rule + EU CSDDD + EU Taxonomy + IFRS Sustainability Standards + ISO 14064 + national climate reporting requirements. 2024-2025 PIPELINE: comprehensive update underway with consultation 2024-2025 + new editions anticipated 2026-2027 covering AI/ML emissions + cloud computing + improved Scope 2 + Scope 3 + Land Sector Removals Guidance integration + market-based Scope 2 enhancements + carbon market integrity.
The Gramm-Leach-Bliley Act (GLBA, also known as the Financial Services Modernization Act of 1999, Public Law 106-102) is a US federal statute enacted 12 November 1999 that imposes privacy + safeguarding + anti-pretexting obligations on FINANCIAL INSTITUTIONS handling nonpublic personal information (NPI). KEY PROVISIONS: (a) SUBCHAPTER I - DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION (15 USC 6801-6809): privacy policy obligation + safeguarding standard (Sec. 6801); notice + opt-out obligations before disclosure to nonaffiliated third parties (Sec. 6802); annual privacy-notice obligation (Sec. 6803); rulemaking authority (Sec. 6804) shared among the Bureau of Consumer Financial Protection (CFPB, since Dodd-Frank 2010) + Securities and Exchange Commission (SEC) + Commodity Futures Trading Commission (CFTC) + Federal Trade Commission (FTC); enforcement by the federal banking agencies (OCC + Federal Reserve + FDIC + NCUA + the former OTS, abolished in 2011 with its functions moved to the OCC) + SEC + CFTC + FTC + state insurance authorities (Sec. 6805); state insurance preemption (Sec. 6806); relation to other Acts (Sec. 6807); study of information sharing (Sec. 6808); definitions (Sec. 6809). (b) SUBCHAPTER II - FRAUDULENT ACCESS TO FINANCIAL INFORMATION (15 USC 6821-6827): PRETEXTING prohibition (Sec. 6821) - obtaining customer information from a financial institution by false pretenses, whether by phone + internet + impersonation + forged documents, + soliciting others to do so; administrative enforcement by FTC + federal banking agencies (Sec. 6822); criminal penalties up to 5 years imprisonment, or 10 years if aggravated (Sec. 6823); relation to other laws (Sec. 6824); agency guidance (Sec. 6825); reports (Sec. 6826); definitions (Sec. 6827).
OPERATIONALISATION: GLBA establishes the statutory umbrella; substantive operational controls are issued by regulators via subordinate rules: (a) FTC Safeguards Rule 16 CFR Part 314 (major revision 2021 with compliance from June 2023 + 2023 notification amendment effective May 2024 + further 2024-2025 amendments - verified separately); (b) FTC Privacy Rule 16 CFR Part 313 + model privacy form; (c) SEC Regulation S-P (17 CFR Part 248) - amended May 2024, with compliance dates 3 December 2025 (larger entities) + 3 June 2026 (smaller entities), adding incident-response program + breach-notification + 30-day individual-notification + service-provider oversight + record-keeping requirements; (d) BANKING-AGENCY RULES (Interagency Guidelines Establishing Standards for Safeguarding Customer Information + Interagency Guidance on Response Programs for Unauthorized Access to Customer Information + Customer Notice) issued by OCC + Federal Reserve + FDIC + NCUA (+ the former OTS) - see 12 CFR Part 30 + Part 208 + Part 364 + Part 748; (e) NAIC Insurance Data Security Model Law (NAIC #668) adopted by 20+ states; (f) CFPB enforcement under Dodd-Frank for non-bank financial institutions; (g) HIGHER EDUCATION institutions participating in Title IV (FSA - Federal Student Aid) are covered by the FTC Safeguards Rule + tracked separately as a sectoral application. 2024-2025 PIPELINE: SEC Reg S-P amendments effective 2025-12-03 (larger) + 2026-06-03 (smaller) institutions; FTC Safeguards Rule notification requirement (notify the FTC within 30 days of discovering a notification event affecting 500+ consumers) effective May 2024; CFPB Section 1033 Open Banking Rule (October 2024) imposes data-access + safeguarding obligations on authorised third parties, displacing screen-scraping; NAIC Model Bulletin on AI 2023; state privacy laws (CCPA + other state data-protection laws) apply alongside, generally exempting GLBA-covered data. ENGAGEMENT: GLBA is the statutory umbrella - cross-mapping to substantive controls + auditor evidence should target the subordinate FTC Safeguards Rule + FTC Privacy Rule + SEC Reg S-P + banking-agency rule frameworks.
GLI-33 Standards for Event Wagering Systems is the leading independent technical standard for certification of EVENT WAGERING SYSTEMS (sports betting / sportsbook / fantasy sports / fixed-odds wagering / pool wagering / pari-mutuel wagering) operated by regulated gaming operators in jurisdictions where such activities are legalised. Published by GAMING LABORATORIES INTERNATIONAL (GLI) - an independent testing laboratory founded 1989, ISO/IEC 17025 accredited (A2LA) + ISO 9001 certified, providing testing + certification + professional services to gaming regulators + operators + suppliers across 480+ jurisdictions globally. CURRENT EDITION: v1.1 issued December 2018; ongoing 2024-2025 update pipeline incorporating new categories (in-play wagering + micro-betting + same-game parlays + futures + cross-state mobile + fantasy + esports + AI-driven anti-fraud + cryptocurrency-funded accounts + integrity-monitoring APIs). SCOPE: covers all components of an Event Wagering System including (a) Event Wagering Engine + Wager Acceptance Logic; (b) Player Account Management (PAM); (c) Risk Management Engine + Odds Engine; (d) Geolocation Verification (commonly delivered by third-party geolocation services assessed under GLI-19, Standards for Interactive Gaming Systems); (e) Identity Verification / KYC; (f) Payment Processing + Anti-Money-Laundering; (g) Mobile + Internet Wagering Security; (h) Audit + Significant Event Logging; (i) Responsible Gaming Features + Self-Exclusion; (j) Integrity Monitoring + Anti-Fraud + Collusion Detection; (k) Reporting + Regulatory Submissions; (l) Information Security; (m) Disaster Recovery + Business Continuity; (n) Change Management + Software Signature Verification (hash-based verification that deployed code matches the certified build); (o) Random Number Generation (only where wagering outcomes are randomly determined). PUBLICATION + LICENSE: GLI-33 is COPYRIGHTED by Gaming Laboratories International + freely downloadable from gaminglabs.com (older versions) + accessible via member portal; state-regulator incorporations make the standard structure publicly known.
COORDINATION + ADOPTION: GLI-33 is commonly invoked alongside GLI-19 (Standards for Interactive Gaming Systems) + GLI-21 (Standards for Client-Server Systems) + GLI-27 (Standards for Network Security Best Practices) + state-specific technical standards; in regulated jurisdictions a sports-betting platform typically requires GLI-33 certification + state-regulator approval + ongoing annual audits + change-management notifications. 2024-2025 STATUS: GLI continues version maintenance + new sub-sections for emerging features; US sports betting legal in 38+ states + DC + Puerto Rico; international markets expanding including Brazil (regulated market launched 2025 under its 2023 law) + Argentina + Mexico + Ontario, Canada + wider Latin America + Africa.
GLOBALG.A.P. INTEGRATED FARM ASSURANCE (IFA) STANDARD v6 is the world's leading private-sector pre-farm-gate food safety + agricultural quality + sustainability + social-practice assurance scheme, published by FoodPLUS GmbH (Cologne, Germany) - a wholly owned subsidiary of the GLOBALG.A.P. association. KEY VERSIONS: (a) v5.2 + v5.3 (2017-2022 transition); (b) IFA v6 published September 2022 + mandatory for all audits from 1 January 2024; (c) v6.1 amended December 2024 with technical updates + clarifications + remediation handling; (d) IFA v6 is issued in two editions: IFA v6 SMART (risk-based + audit-frequency-flexible) + IFA v6 GFS (the GFSI-benchmarked edition). SCOPE: covers PRE-FARM-GATE production for (a) CROPS - fruits + vegetables + nuts + flowers + ornamentals + combinable crops + green coffee + plants + plant propagation material; (b) LIVESTOCK - cattle + sheep + dairy + pigs + poultry + turkey + ducks; (c) AQUACULTURE - fish + crustaceans + molluscs + multi-species farming. SCHEME STRUCTURE: modular hierarchy (i) ALL FARM BASE (AF) - cross-cutting requirements for all subscopes (Management + Workers + Environment + Traceability + Food Safety + GFSI hooks); (ii) BASE STANDARD per subscope (CROPS BASE CB + LIVESTOCK BASE LB + AQUACULTURE BASE AB); (iii) PRODUCT-SPECIFIC STANDARDS (Fruit + Vegetables FV + Combinable Crops + Tea + Coffee + Aquaculture species + etc.) layered on top. A producer certifies one or more product-specific scopes + automatically commits to AF + the relevant Base. CONTROL POINTS + COMPLIANCE CRITERIA (CPCCs): each control point is (a) Major Must - 100 percent compliance required, no exception; (b) Minor Must - 95 percent compliance threshold; or (c) Recommendation - non-binding; remediation period for Minor Must non-compliance + certificate suspension/withdrawal for unresolved Major Must non-compliance. SUB-PROGRAMS + ADD-ONS: GRASP (GLOBALG.A.P. 
Risk Assessment on Social Practice) - voluntary social-practice add-on; SPRING (Sustainable Program for Irrigation and Groundwater Use) - water sustainability; PLANET PRO PROGRAM - environmental excellence; FOREST RESPONSIBLE PROGRAM; ALBERT HEIJN PROTOCOL + other retailer-specific add-ons. GFSI RECOGNITION: IFA v6 GFS is RECOGNISED under the Global Food Safety Initiative (GFSI) Benchmarking Requirements + accepted internationally by major food retailers + brands (Tesco + Walmart + Carrefour + Lidl + Aldi + Ahold Delhaize + Sainsbury's + Costco + Coles + Woolworths + Whole Foods + many more). CERTIFICATION: by accredited Certification Bodies (~140 CBs globally) operating under ISO/IEC 17065 + GLOBALG.A.P. accreditation criteria; certificates valid 1 year + annual audit + unannounced audits; certificates published in the GLOBALG.A.P. IT system. 2024-2025 PIPELINE: digital transformation + IT-system updates + risk-based audit selection + remote audits + sustainability-indicator expansion (carbon + biodiversity + water stewardship) + alignment with EU Green Deal + Farm-to-Fork Strategy + CSRD ESRS sustainability reporting. PUBLICATION + LICENSE: the IFA v6 standard documents are COPYRIGHTED by FoodPLUS GmbH + freely available via globalgap.org for producers + certification bodies (with attribution); structure publicly known via globalgap.org publications + GFSI Benchmarking Requirements + industry publications. COORDINATION: GLOBALG.A.P. coordinates with GFSI + FSSC 22000 (verified separately) + BRCGS + IFS + SQF + Codex Alimentarius + ISO 22000 + ISO 9001 + Rainforest Alliance (into which UTZ merged) + Fairtrade International + Sustainable Agriculture Initiative (SAI).
GRI STANDARDS (Global Reporting Initiative) is the world's most widely used sustainability reporting framework + the GLOBAL DE FACTO STANDARD for corporate sustainability + ESG disclosure. Published by GRI (Global Reporting Initiative), an Amsterdam-based independent international organisation founded 1997 + governed by the GSSB (Global Sustainability Standards Board) + Stakeholder Council + Board. MODULAR SYSTEM: (a) UNIVERSAL STANDARDS - GRI 1: Foundation 2021 (purpose + key concepts + reporting principles + the accordance system); GRI 2: General Disclosures 2021 (organisation profile + activities + governance + strategy + policies + stakeholder engagement; 30 disclosures); GRI 3: Material Topics 2021 (determining + managing material topics; 3 disclosures); (b) 31 TOPIC STANDARDS organised in 3 series (the 2021 revision withdrew GRI 307 Environmental Compliance + GRI 412 Human Rights Assessment + GRI 419 Socioeconomic Compliance, folding their content into GRI 2 + GRI 3): GRI 200 ECONOMIC (GRI 201 Economic Performance + GRI 202 Market Presence + GRI 203 Indirect Economic Impacts + GRI 204 Procurement Practices + GRI 205 Anti-corruption + GRI 206 Anti-competitive Behavior + GRI 207 Tax); GRI 300 ENVIRONMENTAL (GRI 301 Materials + GRI 302 Energy + GRI 303 Water and Effluents + GRI 304 Biodiversity, superseded by GRI 101: Biodiversity 2024 for reporting periods from 1 January 2026 + GRI 305 Emissions including Scope 1/2/3 GHG + GRI 306 Waste + GRI 308 Supplier Environmental Assessment); GRI 400 SOCIAL (GRI 401 Employment + GRI 402 Labor/Management Relations + GRI 403 Occupational Health and Safety + GRI 404 Training and Education + GRI 405 Diversity and Equal Opportunity + GRI 406 Non-discrimination + GRI 407 Freedom of Association and Collective Bargaining + GRI 408 Child Labor + GRI 409 Forced or Compulsory Labor + GRI 410 Security Practices + GRI 411 Rights of Indigenous Peoples + GRI 413 Local Communities + GRI 414 Supplier Social Assessment + GRI 415 Public Policy + GRI 416 Customer Health and Safety + GRI 417 Marketing and Labeling + GRI 418 Customer Privacy); (c) SECTOR STANDARDS (GRI Sector Program) - GRI 11 Oil and Gas (2021) + GRI 12 Coal (2022) + GRI 13 Agriculture, Aquaculture and Fishing (2022) + GRI 14 Mining (2024) + Textiles 
+ Apparel (in development) + Financial Services (Banking + Insurance + Capital Markets, in development) + further sectors planned (Real Estate + Construction + Pharma + Healthcare + ICT + others). REPORTING IN ACCORDANCE WITH GRI: organisations report either 'in accordance with the GRI Standards' (requires GRI 1 + all GRI 2 + GRI 3 disclosures + the Topic Standards for each material topic + any applicable Sector Standard) or 'with reference to the GRI Standards' (selected disclosures only). ADOPTION: 75+ percent of the world's 250 largest companies + 10,000+ organisations globally report using GRI; foundational layer for CSRD/ESRS sustainability disclosures + ISSB IFRS S1/S2 + SBTi science-based targets + CDP disclosure + TCFD climate-related financial disclosures + UN Global Compact + UN SDG reporting. PUBLICATION + LICENSE: the GRI Standards are copyrighted by GRI + FREELY available for download in 10+ languages from globalreporting.org under GRI's own licence terms. 2024-2025 PIPELINE: ongoing Sector Standards rollout (Textiles + Financial Services + others); GRI-ISSB + GRI-ESRS interoperability; double materiality; biodiversity + human-rights enhancements; taxonomy alignment.
GS1 GLOBAL STANDARDS is the world's foundational supply chain identification + barcode + traceability + data-sharing standards system, published by GS1 - an international not-for-profit standards organisation with its global office in Brussels, Belgium + 116 Member Organisations serving 150+ countries. Origins: adoption of the UPC in the US in 1973 + the Uniform Code Council (UCC) + EAN International (1977), merged under the GS1 name in 2005. GS1 STANDARDS PORTFOLIO: (a) GS1 GENERAL SPECIFICATIONS (annual release; Release 25.0 January 2025) - foundational specification covering all GS1 identification keys + barcodes + Application Identifiers + data structures + rules; (b) GS1 IDENTIFICATION KEYS - GTIN (Global Trade Item Number, 8/12/13/14 digits, the former UPC/EAN numbers, each ending in a modulo-10 check digit) + GLN (Global Location Number, 13-digit) + SSCC (Serial Shipping Container Code, 18-digit) + GRAI (Global Returnable Asset Identifier) + GIAI (Global Individual Asset Identifier) + GSRN (Global Service Relation Number) + GDTI (Global Document Type Identifier) + GINC (Global Identification Number for Consignment) + GSIN (Global Shipment Identification Number) + GCN (Global Coupon Number) + CPID (Component/Part Identifier) + GMN (Global Model Number); (c) GS1 BARCODE SYMBOLOGIES - EAN/UPC + ITF-14 + GS1-128 (Code 128 with a leading FNC1) + GS1 DataBar (formerly RSS) + GS1 DataMatrix (2D) + GS1 QR Code (2D) + GS1 Composite; (d) GS1 APPLICATION IDENTIFIERS (AIs) - 100+ standardised numeric prefixes that declare the meaning + format of the data that follows (e.g. 
AI 01 GTIN + AI 17 Expiry Date + AI 10 Batch/Lot + AI 21 Serial Number + AI 11 Production Date + AI 240 Additional Item Identification + many more; fixed-length AIs are concatenated directly while variable-length AIs are terminated by the FNC1 separator); (e) EPCIS (Electronic Product Code Information Services, GS1 + ISO/IEC 19987) - event-based supply chain data exchange standard answering What + When + Where + Why (+ How, for sensor data); current v2.0 (2022) adds JSON/JSON-LD + REST bindings; (f) CBV (Core Business Vocabulary, GS1 + ISO/IEC 19988) - controlled vocabulary for EPCIS events; (g) GDSN (Global Data Synchronisation Network) - global network of certified data pools enabling master-data sharing + synchronisation between trading partners; (h) GS1 EDI - EANCOM (UN/EDIFACT-based) + GS1 XML for B2B transactions; (i) GS1 DIGITAL LINK - web-URI encoding of GS1 keys + AIs (key + key qualifiers in the path, other AIs as query parameters) enabling web-resolvable product data + connected packaging; (j) 2D TRANSITION (SUNRISE 2027) - GS1 industry initiative for global point-of-sale readiness to scan 2D barcodes (GS1 DataMatrix + QR Code carrying GS1 Digital Link) alongside 1D barcodes by the end of 2027 + EU Digital Product Passport (DPP) integration. ADOPTION: ~2 million member companies + billions of barcodes scanned daily; foundational to retail + healthcare + food + apparel + pharmaceuticals + electronics + logistics + e-commerce marketplaces (Amazon + Walmart + other retailers) + brand-manufacturer supply chains.
REGULATORY COORDINATION: (a) EU FALSIFIED MEDICINES DIRECTIVE (FMD, Directive 2011/62/EU + Delegated Regulation (EU) 2016/161) - serialised 2D Data Matrix (product code + serial + batch + expiry, in practice GS1 DataMatrix) on prescription-medicine packs since 9 February 2019, verified against national repositories at dispensing; (b) EU MEDICAL DEVICE REGULATION (MDR, Regulation (EU) 2017/745) + IVDR (Regulation (EU) 2017/746) - UDI (Unique Device Identification) with GS1 as one of the designated issuing entities (GTIN as UDI-DI + AIs for the UDI-PI); (c) FDA DSCSA (Drug Supply Chain Security Act) - serialised GS1 DataMatrix product identifiers + EPCIS-based transaction data for US pharma; (d) FDA UDI - GS1 is an FDA-accredited UDI issuing agency; (e) EU TOBACCO PRODUCTS DIRECTIVE (TPD) - GS1-based traceability for tobacco; (f) ISO 22526-1/2/3 (Carbon Footprint) - coordination with GS1 for product-level reporting; (g) GHS (Globally Harmonized System) - safety + hazard coding; (h) EU DIGITAL PRODUCT PASSPORT (DPP) per ESPR Regulation (EU) 2024/1781 + sectoral delegated acts from 2026 - GS1 Digital Link is a leading candidate for the DPP identifier + data-carrier mechanism; (i) GS1 in HEALTHCARE - GS1 Healthcare Reference Book; (j) GS1 in FOOD + FOODSERVICE - food traceability + recall capability; (k) UN PCB (Product Classification Beneficiation) - GS1 codes underpin trade statistics. 2024-2025 PIPELINE: 2D transition + DPP integration + Sunrise 2027 (point-of-sale 2D barcode acceptance) + GS1 Sustainability + Carbon Footprint + AI/ML data quality + blockchain integration + new sectoral standards.
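The identification-key + Application Identifier + Digital Link structure described in this GS1 entry, as an added worked example (editor-added illustration code, not GS1 software or a GS1 reference implementation). It parses a GS1 element string the way a scanner emits it from a GS1-128 or GS1 DataMatrix symbol (FNC1 rendered as ASCII GS), validates the modulo-10 check digit on GTIN/SSCC keys, accepts the bracketed human-readable form, and renders the result as a GS1 Digital Link URI. The AI table is limited to the AIs named above (00, 01, 10, 11, 17, 21, 240) with the lengths from the GS1 General Specifications; the sample GTIN, batch and serial values are constructed, and the `id.gs1.org` resolver domain is used only as an illustrative default.

```python
"""GS1 element-string parser with check-digit validation and Digital Link output.

Added example for this entry; not GS1 code. Only the Application Identifiers
named in the entry are supported, with lengths from the GS1 General Specifications.
"""
from __future__ import annotations

import re
from urllib.parse import quote

FNC1 = "\x1d"  # scanners emit the FNC1 separator of GS1-128 / GS1 DataMatrix as ASCII GS

# AI -> (max length, fixed-length?, numeric-only?)
AI_TABLE: dict[str, tuple[int, bool, bool]] = {
    "00": (18, True, True),     # SSCC
    "01": (14, True, True),     # GTIN (GTIN-8/12/13 are zero-padded to 14 digits in AI 01)
    "11": (6, True, True),      # production date YYMMDD
    "17": (6, True, True),      # expiry date YYMMDD
    "10": (20, False, False),   # batch / lot
    "21": (20, False, False),   # serial number
    "240": (30, False, False),  # additional item identification
}
KEY_QUALIFIERS = ("10", "21")  # Digital Link path order after the GTIN: /01/.../10/.../21/...


def gs1_check_digit(payload: str) -> int:
    """GS1 modulo-10 check digit: weights 3,1,3,1,... starting from the rightmost payload digit."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(payload)))
    return (10 - total % 10) % 10


def is_valid_key(key: str) -> bool:
    """GTIN-8/12/13/14 and SSCC-18 all end in a check digit over the preceding digits."""
    return key.isdigit() and len(key) in (8, 12, 13, 14, 18) and gs1_check_digit(key[:-1]) == int(key[-1])


def _match_ai(data: str, i: int) -> str:
    for n in (3, 2):  # longest supported prefix first
        if data[i:i + n] in AI_TABLE:
            return data[i:i + n]
    raise ValueError(f"unknown or unsupported AI at offset {i}: {data[i:i + 4]!r}")


def parse_element_string(data: str) -> dict[str, str]:
    """Parse raw scanner output: '01' + GTIN, '17' + YYMMDD, '10' + batch, GS, '21' + serial, ...

    Fixed-length elements need no separator; variable-length ones run to the next
    FNC1 (GS) or to the end of the string. Every check is a hard failure, because a
    silently mis-parsed batch or serial defeats the traceability the codes exist for.
    """
    elements: dict[str, str] = {}
    i = 0
    while i < len(data):
        ai = _match_ai(data, i)
        max_len, fixed, numeric = AI_TABLE[ai]
        i += len(ai)
        if fixed:
            value = data[i:i + max_len]
            if len(value) != max_len:
                raise ValueError(f"AI {ai}: expected {max_len} characters, got {len(value)}")
            i += max_len
        else:
            end = data.find(FNC1, i)
            value = data[i:] if end == -1 else data[i:end]
            i = len(data) if end == -1 else end + 1  # consume the separator
            if not 1 <= len(value) <= max_len:
                raise ValueError(f"AI {ai}: length {len(value)} outside 1..{max_len}")
        if numeric and not value.isdigit():
            raise ValueError(f"AI {ai}: non-numeric value {value!r}")
        if ai in ("00", "01") and not is_valid_key(value):
            raise ValueError(f"AI {ai}: check digit failure in {value}")
        if ai in elements:
            raise ValueError(f"AI {ai} appears twice")
        elements[ai] = value
    return elements


def parse_bracketed(text: str) -> dict[str, str]:
    """Parse the human-readable form '(01)09506000134352(17)251231(10)ABC123(21)SN0001'."""
    if not re.fullmatch(r"(?:\(\d{2,4}\)[^()]+)+", text):
        raise ValueError("malformed bracketed element string")
    # Re-serialise as scanner output: variable-length AIs get an FNC1 terminator.
    raw = "".join(
        ai + value + ("" if AI_TABLE.get(ai, (0, True, False))[1] else FNC1)
        for ai, value in re.findall(r"\((\d{2,4})\)([^()]+)", text)
    )
    return parse_element_string(raw)


def to_digital_link(elements: dict[str, str], domain: str = "https://id.gs1.org") -> str:
    """GS1 Digital Link URI: GTIN + key qualifiers in the path, other AIs as query attributes."""
    if "01" not in elements:
        raise ValueError("a trade-item Digital Link needs a GTIN (AI 01)")
    path = f"/01/{elements['01']}"
    for q in KEY_QUALIFIERS:
        if q in elements:
            path += f"/{q}/{quote(elements[q], safe='')}"
    attrs = [f"{ai}={quote(v, safe='')}" for ai, v in elements.items()
             if ai != "01" and ai not in KEY_QUALIFIERS]
    return domain + path + ("?" + "&".join(attrs) if attrs else "")


if __name__ == "__main__":
    # Constructed sample: GTIN-14 with a valid check digit, expiry 2025-12-31, batch ABC123, serial SN0001
    scanned = "0109506000134352" + "17251231" + "10ABC123" + FNC1 + "21SN0001"
    parsed = parse_element_string(scanned)
    print(parsed)
    print(to_digital_link(parsed))
    try:
        parse_element_string("0109506000134353")  # one digit off: the check digit no longer matches
    except ValueError as exc:
        print("rejected:", exc)
```

The check digit catches transcription errors (any single wrong digit and most adjacent transpositions), which is why the parser refuses a key that fails it rather than passing it downstream; it is not an integrity or authenticity control. Under FMD and DSCSA the anti-counterfeit assurance comes from verifying the AI 21 serial against the repository, so a parser that tolerates malformed or duplicated AIs would be the weak point of that check.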
The Georgia Law on Personal Data Protection (Law of Georgia No. 5550-IS of 28 December 2011) is the national personal data protection law of the COUNTRY OF GEORGIA (not the US state). Originally enacted 28 December 2011 + entered into force 1 May 2012; substantially REVISED + GDPR-ALIGNED by Law No. 3144-RS of 2 June 2023 (effective 1 March 2024, with delayed elements from 1 May 2024 + 1 September 2024). Georgia holds EU candidate status + the 2023 revision significantly approximated the GDPR + Council of Europe Convention 108+ (the modernised CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data). KEY PROVISIONS: (1) SCOPE + APPLICABILITY - applies to processing of natural persons' data by controllers + processors established in Georgia + extraterritorially to the offering of goods/services to persons in Georgia + monitoring of their behaviour in Georgia (GDPR-aligned); (2) LAWFUL BASES for processing aligned with GDPR Article 6 + special categories per Art. 9 + criminal-conviction data per Art. 10; (3) ENHANCED DATA SUBJECT RIGHTS - access + rectification + erasure + restriction + portability + objection + automated-decision-making protections; (4) CONSENT requirements (freely given + specific + informed + unambiguous + withdrawable + age of digital consent 16); (5) DATA CONTROLLER + PROCESSOR OBLIGATIONS - lawful + fair + transparent processing + purpose limitation + minimisation + accuracy + storage limitation + integrity + confidentiality + accountability; (6) CROSS-BORDER TRANSFERS - adequacy + appropriate safeguards (SCCs + BCRs) + derogations; (7) DPO MANDATORY for public authorities + large-scale + special-category processing; (8) BREACH NOTIFICATION within 72 HOURS to the PDPS + without undue delay to data subjects where the risk is high; (9) DPIA mandatory for high-risk processing; (10) VIDEO SURVEILLANCE specific regime; (11) PERSONAL DATA PROTECTION SERVICE (PDPS) - independent supervisory authority with inspection + sanction + complaint-handling powers + administrative fines up to GEL 20,000 + criminal sanctions for serious breaches; (12) APPEAL to the PDPS + the courts. SECTORAL COORDINATION: Constitution Article 15 + Criminal Code + Law of Georgia on Information Security + Law of Georgia on Cybersecurity + Law of Georgia on Electronic Communications + sector-specific laws (banking + healthcare + telecommunications + employment). EU-ACCESSION + COE PROCESS: Georgia is an EU candidate country (candidate status granted December 2023) + the 2023 data-protection revision is part of EU acquis approximation; Georgia is a signatory to CoE Convention 108+ + ratification anticipated.
The Lieferkettensorgfaltspflichtengesetz (LkSG, German Supply Chain Due Diligence Act) was enacted 22 July 2021 + entered into force 1 January 2023 for companies with MORE THAN 3,000 EMPLOYEES + 1 January 2024 for companies with MORE THAN 1,000 EMPLOYEES (including German branches of foreign entities). The Act establishes statutory HUMAN RIGHTS + ENVIRONMENTAL DUE DILIGENCE OBLIGATIONS in supply chains. SCOPE: covers (a) the company's OWN OPERATIONS; (b) DIRECT SUPPLIERS - full due diligence required; (c) INDIRECT SUPPLIERS - risk-based + SUBSTANTIATED KNOWLEDGE-triggered due diligence (not full due diligence at outset). KEY STATUTORY DUTIES (sections 4-10 of LkSG): (1) RISK MANAGEMENT SYSTEM with appropriate + effective procedures; (2) IN-HOUSE RESPONSIBILITY - designated human rights officer or equivalent with direct reporting to senior management; (3) RISK ANALYSIS - annual + ad-hoc + covering own business + direct suppliers + (if substantiated knowledge) indirect suppliers; (4) POLICY STATEMENT - human rights strategy + senior management commitment; (5) PREVENTIVE MEASURES - integrating human rights into business processes + training + supplier commitments + contractual obligations + audit rights; (6) REMEDIAL ACTION - for actual + imminent violations in own operations + direct suppliers; (7) COMPLAINTS PROCEDURE - accessible + confidential + bias-free + with rules of procedure; (8) DOCUMENTATION OF DUE DILIGENCE; (9) ANNUAL REPORT to BAFA + on the company's website. PROTECTED LEGAL POSITIONS: human rights covered include forced labour + child labour + slavery + discrimination + freedom of association + collective bargaining + occupational health and safety + minimum wage + exclusive land rights + security forces conduct + others. ENVIRONMENTAL OBLIGATIONS: covers specifically Minamata Convention on Mercury + Stockholm Convention on POPs + Basel Convention on Hazardous Waste; broader environmental impacts to the extent they lead to human rights violations. 
ENFORCEMENT: BAFA (Bundesamt fur Wirtschaft und Ausfuhrkontrolle) - inspection + complaints handling + monitoring + administrative fines + public-procurement exclusion. SANCTIONS: administrative fines up to EUR 8 MILLION + UP TO 2% OF GLOBAL ANNUAL TURNOVER FOR COMPANIES WITH MORE THAN EUR 400 MILLION TURNOVER + PUBLIC PROCUREMENT EXCLUSION UP TO 3 YEARS for significant violations. EU CSDDD COORDINATION: the EU Corporate Sustainability Due Diligence Directive (CSDDD - Directive (EU) 2024/1760) entered into force July 2024 + phased transposition deadlines 2027/2028/2029; EU CSDDD will substantially supersede LkSG + expand to value-chain due diligence + civil liability + alignment expected during 2025-2029 transposition; Germany was central in CSDDD negotiation; some LkSG provisions may be tightened or aligned during transposition.
The Ghana Cybersecurity Act 2020 (Act 1038) was enacted 29 December 2020 + entered into force 6 January 2021. The Act establishes the CYBER SECURITY AUTHORITY (CSA Ghana) as the lead national cybersecurity authority + provides a comprehensive cybersecurity legal framework covering: (1) DESIGNATION + PROTECTION OF CRITICAL INFORMATION INFRASTRUCTURE (CII) across 13 sectors including telecommunications + banking + finance + electricity + water + transport + government services + healthcare + emergency services + others; (2) CYBERSECURITY INCIDENT REPORTING by CII owners to CSA within 24 HOURS of incident discovery + follow-up reports; (3) NATIONAL COMPUTER EMERGENCY RESPONSE TEAM (CERT-GH / National CERT) - the operational arm coordinating incident response + threat intelligence + cyber-exercises; (4) CYBERSECURITY SERVICE PROVIDER LICENSING - mandatory licensing for managed security service providers + penetration testing firms + cybersecurity consultants operating in Ghana; (5) CYBERSECURITY PROFESSIONAL ACCREDITATION - registration + certification of individual cybersecurity practitioners; (6) CHILD ONLINE PROTECTION - provisions on offenses against children + reporting obligations + cooperation with law enforcement; (7) LAWFUL ACCESS + PRESERVATION - electronic-evidence regime + interception + preservation orders; (8) CYBERCRIME OFFENCES - unauthorised access + interception + data interference + system interference + computer-related forgery/fraud + content-related offences (coordinated with Budapest Cybercrime Convention which Ghana acceded to in 2018); (9) CYBERSECURITY AWARENESS + EDUCATION; (10) INTERNATIONAL COOPERATION + MUTUAL LEGAL ASSISTANCE. ENFORCEMENT: CSA Ghana - inspection + investigation + sanctions + administrative penalties + criminal referrals; FINES up to GHS 50,000+ + imprisonment for serious cybercrime offences. 
SECTORAL COORDINATION: with the Data Protection Commission (Ghana DP Act 2012 Act 843) + National Communications Authority (NCA) + Bank of Ghana + Ministry of Communications + Digitalisation + Ministry of National Security + sector regulators. INTERNATIONAL: Budapest Cybercrime Convention party + AU Convention on Cyber Security and Personal Data Protection (Malabo Convention) signatory + ECOWAS Cybersecurity Cooperation + Commonwealth Cybercrime Network participation. 2024-2025 PRIORITIES: AI-related cyber threats + critical infrastructure resilience + child online safety + financial-sector cyber threats + cybersecurity workforce development.
The Ghana Data Protection Act, 2012 (Act 843) is the national personal data protection law of Ghana enacted 16 October 2012 + administered by the DATA PROTECTION COMMISSION (DPC) of Ghana (Sec.1-15). Act 843 was one of the earlier comprehensive African data-protection laws + predates GDPR + draws on Council of Europe Convention 108 + UK Data Protection Act 1998 + ECOWAS Supplementary Act on Personal Data Protection. KEY PROVISIONS: (1) ESTABLISHMENT of the Data Protection Commission as independent body with Director-General + Board + offices + powers including registration + complaints + investigations + audit + enforcement; (2) 8 DATA PROTECTION PRINCIPLES per Sec.17-23 - lawful + fair + transparent processing + purpose limitation + data minimisation + accuracy + storage limitation + integrity + confidentiality + accountability; (3) DATA SUBJECT RIGHTS Sec.30-38 - access + rectification + erasure + objection + data portability (2017 amendments) + automated-decision-making protection + complaints to DPC; (4) DATA CONTROLLER + PROCESSOR registration with DPC + annual fee + renewal + register publicly accessible; (5) SENSITIVE DATA + CHILDREN safeguards including explicit consent + special-category basis; (6) CROSS-BORDER TRANSFERS Sec.47 - adequacy + safeguards + Ministerial approval for sensitive transfers + ECOWAS regional cooperation; (7) BREACH NOTIFICATION Sec.55 - DPC notification + data subject notification for material breaches; (8) ENFORCEMENT - administrative penalties up to GHS 1,000-5,000+ + criminal sanctions up to 10 years imprisonment for serious offences; (9) SECTORAL COORDINATION with Ghana Cybersecurity Act 2020 + Banking Act + Electronic Communications Act + Electronic Transactions Act + sector regulators. 
2024-2025 AMENDMENT PIPELINE: GDPR-alignment review + potential amendments to enhance DSR + breach notification + AI/ML + cross-border transfers + fines; the Ghana Data Protection Authority + DPC are reviewing amendments to align with EU adequacy aspirations + African Union Malabo Convention.
The Global Cross-Border Privacy Rules (Global CBPR) Forum is an international privacy certification system that succeeded the APEC CBPR System effective 21 April 2022. FOUNDING MEMBERS: United States + Canada + Japan + Republic of Korea + Philippines + Singapore + Taiwan (Chinese Taipei). UNITED KINGDOM acceded 2024 + first non-original-APEC member; additional jurisdictions in discussions including Mexico + Australia + New Zealand + Bahrain + Dubai DIFC + Argentina + Brazil + others. STRUCTURE: (a) GLOBAL CBPR SYSTEM - for CONTROLLERS / personal-information-handling companies / organizations that determine the purposes + means of personal data processing; based on the 9 APEC Privacy Principles (Notice + Collection Limitation + Uses + Choice + Integrity + Security Safeguards + Access + Correction + Accountability + Preventing Harm); 50 program requirements + intake + remediation processes; certified by Accountability Agents; (b) GLOBAL PRP (Privacy Recognition for Processors) - for DATA PROCESSORS / cloud service providers / SaaS / data processors; based on the 50 program requirements adapted for processor role; designed to facilitate Controllers + Processors agreements; (c) GLOBAL FORUM ASSEMBLY - intergovernmental governance; (d) GLOBAL FORUM STEERING COMMITTEE - operational oversight; (e) ACCREDITED ACCOUNTABILITY AGENTS (AAs) - third-party certifiers including TrustArc + Schellman + BBB National Programs + JIPDEC (Japan Information Processing Development Center) + others; AAs operate within their accredited jurisdictions. CERTIFICATION PROCESS: (1) organization completes self-assessment against Program Requirements; (2) engages Accountability Agent for review; (3) AA submits assessment for compliance evaluation + ongoing monitoring + dispute resolution + breach notification; (4) annual recertification + continuous monitoring. 
KEY BENEFITS: facilitates cross-border data transfers between member jurisdictions; demonstrates accountability; reduces compliance burden vs separate per-jurisdiction certifications; signals privacy commitment to customers + business partners. 2024-2025 STATUS: UK accession 2024 + first non-APEC member; ongoing GDPR-CBPR bridge-mechanism discussions with European Commission (no formal recognition yet); ASEAN model contract clauses coordination; PETs (Privacy Enhancing Technologies) + AI integration guidance pipeline; ongoing UK + Canada + Japan + Korea + Singapore + Philippines + Taiwan + US implementation; multiple new jurisdictions in accession discussions. RECOGNITION: CBPR + PRP certifications are increasingly recognized in US state DP laws (Connecticut + Virginia + Colorado + others recognize as adequacy mechanism) + California CCPA + sectoral privacy frameworks. SPONSORS + STAKEHOLDERS: US Department of Commerce + Federal Trade Commission + USTR; participating jurisdictions national DPAs; industry: Google + Microsoft + Apple + Meta + Amazon + Salesforce + AT&T + Workday + Adobe + IBM + Cisco + ServiceNow + Oracle + many others.
The Goleman Emotional Intelligence Leadership Framework is the most widely-adopted leadership development model based on EMOTIONAL INTELLIGENCE (EI) competencies, developed by Daniel Goleman through a series of influential works: WORKING WITH EMOTIONAL INTELLIGENCE (1998) + LEADERSHIP THAT GETS RESULTS (Harvard Business Review, March-April 2000) + PRIMAL LEADERSHIP (2002, with Richard Boyatzis + Annie McKee) + THE NEW LEADERS (2002) + THE BRAIN AND EMOTIONAL INTELLIGENCE (2011) + ALTERED TRAITS (2017, with Richard Davidson). EI MODEL: 4 DOMAINS encompassing ~12 competencies (per the Goleman/Boyatzis/Hay Group framework used in ESCI): (1) SELF-AWARENESS - Emotional Self-Awareness + Accurate Self-Assessment + Self-Confidence; (2) SELF-MANAGEMENT - Emotional Self-Control + Transparency + Adaptability + Achievement Orientation + Initiative + Positive Outlook + Conscientiousness + Trustworthiness; (3) SOCIAL AWARENESS - Empathy + Organizational Awareness + Service Orientation; (4) RELATIONSHIP MANAGEMENT - Inspirational Leadership + Influence + Coach and Mentor + Change Catalyst + Conflict Management + Building Bonds + Teamwork and Collaboration. 6 LEADERSHIP STYLES (per HBR 2000): (a) VISIONARY (Authoritative) - 'Come with me' - mobilizes people toward a shared vision; (b) COACHING - 'Try this' - connects personal goals with organizational goals; (c) AFFILIATIVE - 'People come first' - creates harmony + builds emotional bonds; (d) DEMOCRATIC - 'What do you think?' - forges consensus through participation; (e) PACESETTING - 'Do as I do, now' - sets high standards + expects same; (f) COMMANDING (COERCIVE) - 'Do what I tell you' - demands immediate compliance. Goleman demonstrated that effective leaders fluidly switch between styles based on context + situation + team needs + create POSITIVE EMOTIONAL CLIMATE (resonance) which correlates with team + financial performance.
ESCI INSTRUMENT: ESCI (Emotional and Social Competency Inventory, formerly ECI) is the operational assessment - 360-degree multi-rater instrument with ~68 items measuring the 12 competencies; published + licensed by KORN FERRY HAY GROUP (acquired Hay Group 2015); COPYRIGHTED + commercially licensed; same copyright-protected academic instrument pattern as Bass + Avolio's MLQ for the Full Range Leadership Model. STATUS: REFERENCED because the ESCI/ECI instrument is copyrighted + commercially licensed by Korn Ferry Hay Group; the conceptual model + 4 domains + 12 competencies + 6 styles are publicly known via Goleman's published books + Harvard Business Review articles + extensive academic literature. ADOPTION: ~2 million+ ESCI assessments administered globally; thousands of organizations + leadership development programs use the framework; Fortune 500 + global corporations + military + government + non-profits + healthcare + education. 2024-2025 PIPELINE: continued academic research + neuroscience integration + ESCI 2.0 updates + AI-driven 360-feedback + integrated leadership development platforms + coordination with positive psychology + transformational leadership + servant leadership + authentic leadership.
Greece Law 4624/2019 (Government Gazette FEK A 137 of 29 August 2019) is the Greek national supplement to the EU GDPR (Regulation (EU) 2016/679) + the implementing statute for the EU Law Enforcement Data Protection Directive (Directive (EU) 2016/680, 'LEDP'). KEY STRUCTURE: 5 Chapters - (A) General Provisions; (B) HDPA (Hellenic Data Protection Authority); (C) GDPR Implementation Provisions; (D) LEDP Implementation Provisions; (E) Sanctions + Final Provisions. KEY GREEK-SPECIFIC PROVISIONS: (a) CHILD AGE OF CONSENT - 15 years old for information society services (below the GDPR 16 default; Greece used the GDPR Art. 8 derogation); (b) PROCESSING OF EMPLOYEE PERSONAL DATA - specific rules for employment context including background-checks + monitoring + biometric + health data + termination; (c) PROCESSING FOR ARCHIVING + RESEARCH + STATISTICAL PURPOSES - specific Greek rules under GDPR Art. 89; (d) PROCESSING FOR JOURNALISTIC + ACADEMIC + ARTISTIC + LITERARY purposes - freedom-of-expression exemptions per GDPR Art. 85; (e) HDPA POWERS + STRUCTURE + PROCEDURES + SANCTIONS - administrative + criminal penalties; (f) PUBLIC SECTOR + PUBLIC INTEREST PROCESSING - lawful basis under GDPR Art. 6(1)(e); (g) DATA PROTECTION OFFICER (DPO) DESIGNATION CRITERIA; (h) UNIQUE IDENTIFICATION NUMBERS PROCESSING RESTRICTIONS (Greek-specific protection of Greek tax/AMKA/social security IDs). HDPA (Hellenic Data Protection Authority - Arhi Prostasias Dedomenon Prosopikou Charaktira) is the supervisory authority + independent constitutional body. Established by Law 2472/1997 (predecessor) + 9-member Board appointed by Greek Parliament + administers GDPR + LEDP + sectoral laws + collaborates with EDPB + EDPS + other EU DPAs. 
COORDINATION: (a) GREEK CONSTITUTION Article 9A (right to privacy + personal data protection); (b) EU GDPR + LEDP + ePrivacy Directive (Law 3471/2006 implementing Directive 2002/58/EC); (c) Greek Whistleblower Law 4990/2022 transposing EU Directive 2019/1937; (d) Greek Cybersecurity Authority NCSA (Law 4577/2018 transposing NIS1; NIS2 transposition pending); (e) Greek Labor Code + employee privacy protections; (f) Sectoral laws (banking + telecom + healthcare). 2024-2025 PIPELINE: NIS2 transposition (deadline October 2024) + Greek DORA implementation (digital operational resilience for financial entities) + EU AI Act transposition + EU Data Act + EU Data Governance Act implementation + HDPA enforcement actions + ongoing amendments + EU Whistleblower Law 4990/2022 enforcement.
Health Insurance Portability and Accountability Act security standards for protecting electronic protected health information (ePHI)
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is a US federal statute enacted 17 February 2009 as Title XIII of the AMERICAN RECOVERY AND REINVESTMENT ACT (ARRA, Public Law 111-5, Stimulus Act). HITECH represents the most significant amendment to HIPAA since enactment. KEY PURPOSES + ACHIEVEMENTS: (a) promoting EHR adoption + Health Information Technology + Meaningful Use + interoperability across the US healthcare system; (b) substantially enhancing HIPAA Privacy Rule + HIPAA Security Rule (separately verified) enforcement with tier-based civil monetary penalties + criminal sanctions + State Attorney General enforcement authority; (c) extending HIPAA direct liability to BUSINESS ASSOCIATES + subcontractor business associates downstream; (d) establishing the HITECH BREACH NOTIFICATION RULE (45 CFR Part 164 Subpart D); (e) strengthening individual rights including electronic access + accounting of disclosures + restrictions on disclosures to health plans + prohibition on sale of PHI + tightened marketing + fundraising; (f) creating Office of the National Coordinator for Health IT (ONC) with statutory authority. STRUCTURE: 4 Subtitles - SUBTITLE A Promotion of Health Information Technology (42 USC 17901-17915); SUBTITLE B Testing of Health IT (42 USC 17916-17919); SUBTITLE C Grants/Loans/Workforce (42 USC 17921-17924); SUBTITLE D Privacy and Security Provisions (42 USC 17931-17953 - the HITECH Privacy/Security amendments). 
KEY SUBTITLE D PROVISIONS: (a) Section 17931 application of security provisions + penalties to BAs; (b) Section 17932 BREACH NOTIFICATION (codified at 45 CFR 164.400-414); (c) Section 17933 education on health information privacy; (d) Section 17934 application of privacy provisions + penalties to BAs; (e) Section 17935 restrictions on certain disclosures + sales of PHI; (f) Section 17936 conditions on contacts as part of health care operations; (g) Section 17937 individual access + accounting of disclosures; (h) Section 17938 conditioning compliance + enforcement; (i) Section 17939 enforcement provisions (tier-based civil monetary penalties up to USD 1.5M/year per category); (j) Section 17940 education + outreach. ENFORCEMENT: HHS Office for Civil Rights (OCR) primary enforcer + State Attorneys General authority to pursue HIPAA violations on behalf of state residents; tier-based civil monetary penalties: Tier 1 (did not know) USD 100-50K per violation, USD 25K annual max; Tier 2 (reasonable cause) USD 1K-50K per violation, USD 100K annual max; Tier 3 (willful neglect, corrected) USD 10K-50K per violation, USD 250K annual max; Tier 4 (willful neglect, uncorrected) USD 50K per violation, USD 1.5M annual max (per category; inflation-adjusted). RECENT HHS OCR ENFORCEMENT: substantial penalties including Anthem USD 16M + Premera USD 6.85M + Excellus USD 5.1M + Memorial Healthcare USD 5.5M + Advocate USD 5.55M + many other settlements + corrective action plans + audits. MEANINGFUL USE / PROMOTING INTEROPERABILITY: CMS Promoting Interoperability program (formerly Meaningful Use) for EHR Incentive Payments + later Medicare Quality Payment Program (MIPS); 3 stages + value-based care + 2018+ EHR Reporting + Promoting Interoperability + post-Cures Act + ONC USCDI + Open APIs + Information Blocking Final Rule. 
ONC (Office of the National Coordinator): statutory authority + HIT Standards + Certification programs + Information Blocking + Trusted Exchange Framework + Common Agreement (TEFCA) + Health Data Networks. SUBSEQUENT REGULATORY ACTIVITY: (1) 2013 HIPAA Omnibus Final Rule implementing HITECH including direct BA liability + breach notification + marketing/fundraising changes + sale of PHI; (2) 2016 21st Century Cures Act + Sec. 4002 ONC Information Blocking + HIT Advisory Committee + ONC USCDI; (3) 2020 ONC Cures Act Final Rule + Information Blocking + Open APIs + FHIR R4 implementation; (4) 2024 HHS Notice of Proposed Rulemaking on HIPAA Security Rule modernisation (NPRM December 2024) + comments closing March 2025 + potential Final Rule 2025-2026 incorporating cybersecurity best practices + MFA + encryption + asset inventory + ransomware response; (5) 2024 HHS final rule on reproductive health privacy + April 2024 enforcement effective; (6) ongoing OCR audits + enforcement priorities + ransomware + HIPAA Security Rule violations. STATUS: REFERENCED because HITECH is statutory umbrella + substantive operational controls live in HIPAA Privacy Rule + HIPAA Security Rule (45 CFR Parts 160 + 164) verified separately in this corpus + Breach Notification Rule + ONC Information Blocking + EHR Certification Programs.
HKMA Cyber Resilience Assessment Framework (C-RAF) is the Hong Kong Monetary Authority (HKMA) MANDATORY cybersecurity assessment + supervisory framework for all Authorised Institutions (AIs) in Hong Kong + part of the broader HKMA CYBERSECURITY FORTIFICATION INITIATIVE (CFI) launched 2016. KEY HISTORY: (a) CFI announced May 2016; (b) C-RAF v1.0 issued December 2016; (c) C-RAF v2.0 issued 6 May 2020 (Circular 20200506e1a1) - major revision incorporating lessons learned + international best practice + iCAST framework; (d) ongoing 2024-2025 enhancements + supervisory communications + threat-landscape evolution. CFI 3 PILLARS: (1) CYBER RESILIENCE ASSESSMENT FRAMEWORK (C-RAF) - tiered + risk-based self-assessment of cybersecurity maturity against inherent risk profile; mandatory for ALL AIs (~150+ banks + RLBs + DTCs); 7 domains; produces Cyber Maturity Profile + Target Maturity Level + remediation roadmap. (2) PROFESSIONAL DEVELOPMENT PROGRAMME (PDP) - industry workforce capability building + Certified Cyber Security Officer (CCSO) + Cyber Risk Management certifications + ongoing professional development; supports Hong Kong banking sector cyber talent pipeline. (3) CYBER INTELLIGENCE SHARING PLATFORM (CISP) - HKMA-operated intelligence-sharing platform + sectoral threat-sharing + indicator-of-compromise (IOC) distribution + tactical + operational + strategic intel + integration with HKCERT + commercial threat-intel feeds. C-RAF ASSESSMENT MODEL: 2-axis maturity model - INHERENT RISK ASSESSMENT (IRA) x CYBER MATURITY ASSESSMENT (CMA). IRA SCORES AI inherent cyber risk based on (a) technology footprint + online services + customer-facing channels; (b) data + transaction volumes + sensitivity; (c) third-party + service-provider dependence + interconnectedness; (d) deposits + scale; (e) cybersecurity threat-environment + history of incidents; result: LOW + MEDIUM + HIGH inherent risk tier. 
CMA assesses AI cybersecurity maturity across 7 DOMAINS each scored on 5-level scale (Baseline + Evolving + Intermediate + Advanced + Innovative). 7 DOMAINS: (1) GOVERNANCE - cyber strategy + risk management + reporting + culture; (2) IDENTIFICATION - asset management + risk + threat assessment; (3) PROTECTION - access control + data security + infrastructure + application security + training + 3rd-party risk; (4) DETECTION - monitoring + threat intelligence + testing + anomaly detection; (5) RESPONSE AND RECOVERY - incident response planning + execution + recovery + resilience; (6) SITUATIONAL AWARENESS - threat landscape + information sharing; (7) ICAST - intelligence-led cyber attack simulation testing (mandatory for HIGH inherent risk AIs). TARGET MATURITY LEVEL: each AI must achieve target maturity matched to its inherent risk tier (HIGH tier requires Intermediate-to-Advanced + iCAST; MEDIUM Intermediate; LOW Evolving-to-Intermediate); gaps trigger remediation roadmap submitted to HKMA. ICAST INTELLIGENCE-LED CYBER ATTACK SIMULATION TESTING: mandatory for HIGH inherent risk AIs + optional for medium; red team + threat-intelligence + scope + threat scenarios + execution + purple team replay + findings + remediation; modeled on UK CBEST + EU TIBER-EU (separately verified) + intelligence-led red team testing. ASSESSMENT CYCLE: annual self-assessment + 3-year independent + supervisory dialogue + remediation + ongoing monitoring. SUPERVISORY DIALOGUE: HKMA reviews submissions + may impose remediation requirements + escalate findings + monitor through ongoing supervision. COORDINATION: HKMA Supervisory Policy Manual (SPM) Module TM-G-1 (General Principles for Technology Risk Management, verified separately if tracked) + GS-1 + TM-G-3 + others; Singapore MAS TRMG; UK FCA Operational Resilience + ECB TIBER-EU (verified separately) + various banking sectoral cybersecurity. 
2024-2025 PIPELINE: ongoing v2.0 enhancements + threat-landscape evolution + AI cybersecurity + quantum-readiness + cloud + DORA-coordination + new SPM modules + ransomware response + post-COVID hybrid + supply chain.
The HKMA SUPERVISORY POLICY MANUAL (SPM) is the foundational umbrella collection of supervisory policy modules + guidance issued by the HONG KONG MONETARY AUTHORITY (HKMA) governing banking + financial institution supervision in Hong Kong SAR. The SPM provides the comprehensive framework for HKMA Authorised Institutions (AIs - licensed banks + restricted-licence banks + deposit-taking companies); supplemented by specific Circulars + sectoral cybersecurity frameworks (notably C-RAF v2.0 + Cybersecurity Fortification Initiative). SPM organises ~60+ modules by SUBJECT AREAS: (a) CG CORPORATE GOVERNANCE - CG-1 (Corporate Governance of Locally Incorporated AIs) + CG-2 (Systems of Control) + CG-3 (Code of Conduct) + CG-5 (Guideline on a Sound Remuneration System) + CG-6 (Competence and Ethical Behaviour); (b) CR CREDIT RISK MANAGEMENT - CR-G General Principles + CR-G-7 (Collateral and Credit Risk Mitigation) + CR-G-13 (Counterparty Credit Risk Management) + numerous sub-modules; (c) IR INTEREST RATE RISK - IR-1 (Interest Rate Risk in Banking Book); (d) LM LIQUIDITY MANAGEMENT - LM-1 (Liquidity Risk Management) + LM-2 + LM-3; (e) MR MARKET RISK MANAGEMENT - MR-G + various sub-modules; (f) OR OPERATIONAL RISK - OR-1 (Operational Risk Management) + OR-2 (Operational Resilience); (g) IC INTERNAL CONTROL + RISK MANAGEMENT - IC-1 (Risk Management Framework) + IC-5 (Stress Testing); (h) AC AUDITING - AC-G + various; (i) TM TECHNOLOGY MANAGEMENT modules - TM-G-1 (General Principles for Technology Risk Management, separately tracked in this corpus as detailed module) + TM-G-2 (Business Continuity Planning) + TM-G-3 (Information Technology Security + Cyber Risk Mgmt) + TM-G-4 (Public Cloud) + TM-E-1 (Risk Management of e-Banking) + TM-M (Monitoring) + TM-N (New Technology) + TM-S (Supervisory); (j) RA RISK-BASED APPROACH modules; (k) AMLO AML/CFT - AML + CFT supervision + AMLO Guidelines; (l) CA CAPITAL ADEQUACY - CA-G-1 (Capital Adequacy Assessment) + Basel III implementation; 
(m) RR RECOVERY + RESOLUTION PLANNING - RR-1 (Recovery Planning); (n) SA OUTSOURCING - SA-2 (Outsourcing); (o) DI DEPOSIT INSURANCE; (p) various other modules covering reporting + governance + remuneration + sectoral. KEY MODULE NUMBERING: each module has a letter-prefix (e.g. CG + CR + TM) + number (e.g. 1 + 2 + G + E) + sub-number (e.g. G-1 + G-2); modules updated periodically with version control + effective dates + supervisory expectations. KEY MODULES + SUPERVISORY EXPECTATIONS: each module establishes principles + expectations + applicable to AIs based on size + complexity + risk + sophistication; HKMA supervisory dialogue + assessment + reporting + remediation cycle. INTEGRATION: SPM coordinates with HKMA Banking Ordinance + Banking (Capital) Rules + various Cap. 155 sub-regulations + Banking (Disclosure) Rules + Banking (Liquidity) Rules + Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615); Cybersecurity Fortification Initiative (CFI) + C-RAF v2.0 (verified separately) operationalises cybersecurity-specific expectations. INTERNATIONAL COORDINATION: Basel Committee on Banking Supervision (BCBS) standards + IOSCO + FATF + Financial Stability Board (FSB); Singapore MAS + UK PRA + ECB + Australia APRA + Federal Reserve + OCC equivalent supervisory frameworks. RECENT UPDATES + 2024-2025+: ongoing module revisions including Operational Resilience (OR-2) + Climate Risk + ESG-related expectations + AI + cybersecurity + recovery + DORA-coordination + sustainability + DPP-coordination + emerging tech.
HKMA TM-G-1 is the FOUNDATIONAL HKMA Supervisory Policy Manual MODULE on Technology Risk Management + cybersecurity + IT risk for all HKMA AUTHORISED INSTITUTIONS (AIs) in Hong Kong SAR. TM-G-1 GENERAL PRINCIPLES FOR TECHNOLOGY RISK MANAGEMENT covers the comprehensive lifecycle of IT + cyber risk management. KEY STRUCTURE: 26+ subsection control areas organized in 9 sub-modules: (1) GOVERNANCE OF TECHNOLOGY RISK (TM-G-1.2.1-3) - Board + Senior Management Oversight + Technology Risk Management Framework + Roles + Responsibilities; (2) IT STRATEGY + POLICIES (TM-G-1.3.1-3) - IT Strategy + Planning + Policies + Standards + Procedures + Technology Risk Assessment; (3) IT DEVELOPMENT + CHANGE (TM-G-1.4.1-3) - Project + Programme Management + System Development + Acquisition + Change Management; (4) IT OPERATIONS (TM-G-1.5.1-3) - IT Operations Management + Capacity + Performance + Problem + Incident Management; (5) INFORMATION SECURITY (TM-G-1.6.1-8) - Information Security Programme + Access Control + Identity Management + Privileged Access Management + Network Security + Cryptographic Controls + Data Loss Prevention + Vulnerability + Patch Management + Endpoint + Mobile Security; (6) CYBER MONITORING + RESPONSE (TM-G-1.7.1-3) - Security Monitoring + SIEM + Cyber Threat Intelligence + Cyber Incident Response; (7) INDEPENDENT AUDIT (TM-G-1.8.1) - Independent Audit of Technology Risk; (8) OUTSOURCING + CLOUD (TM-G-1.9.1-2) - Outsourcing + 3rd Party Risk + Cloud Computing Risk Management. 
ADJACENT TM MODULES included in this framework's scope: (a) TM-G-2 Business Continuity Planning (BCG + BIA + Recovery + Backup + Testing); (b) TM-E-1 Risk Management of e-Banking (Governance + Customer Authentication + Transaction Monitoring + Customer Protection + Application Security); (c) OR-2 Operational Resilience (Framework + Severe but Plausible Scenario + 3rd Party Concentration); (d) C-RAF v2.0 (IRA + Maturity Assessment + iCAST) - separately tracked sectoral cybersecurity framework. KEY 2024-2025+ DIRECTIONS: AI + ML governance + generative AI cyber risk + quantum-resistant cryptography + cloud + ransomware + supply chain + DORA coordination + sectoral cyber evolution + recent HKMA supervisory communications + Circulars + sectoral exercises.
The HL7 FHIR Security Framework is the foundational security + privacy + access control framework for FHIR (Fast Healthcare Interoperability Resources) - the global standard for healthcare data exchange APIs. Developed + maintained by HEALTH LEVEL 7 INTERNATIONAL (HL7), the framework covers all aspects of API-based healthcare data exchange security. KEY HISTORY: FHIR DSTU1 (2014) + DSTU2 (2015) + STU3 (2017) + R4 normative (October 2019) + R4B (2022) + R5 (2023) + R6 (planning). FHIR is now the DE FACTO global standard for healthcare interoperability APIs + foundation for ONC Cures Act Final Rule + USCDI + TEFCA + e-prescribing + telehealth + research + EHR-to-EHR + patient + provider + payer + public health + AI + clinical decision support APIs. SECURITY FRAMEWORK PILLARS: (a) TRANSPORT SECURITY - TLS 1.2+ + certificate pinning + secure communications; (b) AUTHENTICATION - SMART App Launch + OAuth 2.0 + OpenID Connect + Backend Services (asymmetric key) + user + system authentication; (c) AUTHORIZATION - OAuth 2.0 scopes (patient/Resource.* + user/* + system/* + scope granularity) + SMART scope syntax + Security Labels + Consent Resource enforcement; (d) AUDIT + PROVENANCE - AuditEvent Resource logging + Provenance tracking + retention + integrity; (e) CONSENT - Consent Resource modeling + enforcement + patient authorization + breach disclosure; (f) BULK DATA - Bulk Data Export Authorization (Backend Services + SMART Bulk Data); (g) DIGITAL SIGNATURES - Resource-level digital signatures + Provenance signatures; (h) CROSS-ORGANIZATIONAL - Backend services to backend services + JWT Bearer Tokens + Asymmetric keys; (i) PRIVACY - de-identification + research + Security Labels + consent integration; (j) EMERGENCY ACCESS - Break the Glass + override procedures; (k) RESILIENCE - Rate Limiting + Anti-Abuse + Server CapabilityStatement security + CORS + Token lifetime + Refresh.
SMART ON FHIR (Substitutable Medical Applications + Reusable Technologies): SMART App Launch IG v2.2.0 (current) + EHR-Launch + Standalone-Launch + Backend Services Launch + PKCE + asymmetric key + OAuth 2.1 + OpenID Connect + scopes + capabilities; SMART Health Cards + SMART Health Links + SMART Cards Framework. KEY HL7 FHIR SECURITY SPECIFICATIONS: hl7.org/fhir/security.html (R4/R5 core) + SMART App Launch Implementation Guide + FHIR Bulk Data IG + FHIR Consent Resource + AuditEvent Resource + Provenance Resource + Security Labels + FHIR Operations + FHIR Subscriptions. COORDINATION: (1) HIPAA Privacy + Security Rules (verified separately) - foundational US healthcare privacy + security law; (2) ONC Information Blocking Final Rule (verified separately as HITECH-coordinated) - mandates FHIR-based APIs + Open APIs + USCDI; (3) 21st Century Cures Act - Section 4002 ONC requirements + FHIR + Open APIs; (4) USCDI United States Core Data for Interoperability v1-v4+ - FHIR-mapped data elements; (5) TEFCA Trusted Exchange Framework + Common Agreement (2022+) - voluntary nationwide interoperability + QHINs + FHIR coordination; (6) FDA UDI + DSCSA + clinical research + drug + device registries + FHIR coordination; (7) ONC EHR Certification 2015 Edition Cures Update + FHIR R4 + USCDI + Open APIs; (8) GLOBAL ADOPTION - UK NHS + Israel + Canada + Australia + India + Singapore + Brazil + many countries adopting FHIR for interoperability. 
2024-2025+ DIRECTIONS: (a) AI + ML INTEGRATION - FHIR APIs + AI + clinical decision support + agentic AI + Subscriptions; (b) BULK DATA + ANALYTICS + AI - large-scale data exchange + research; (c) QUANTUM-RESISTANT CRYPTOGRAPHY - transition planning for OAuth + TLS + JWT; (d) PATIENT-DIRECTED EXCHANGE - patient access + Apps + 3rd-party + Open Banking-style consent; (e) RANSOMWARE + CYBERSECURITY - sectoral cybersecurity + Change Healthcare crisis + healthcare-specific threat landscape; (f) FHIR R6 PLANNING + further security enhancements + new IGs + Federated Identity + Verifiable Credentials integration. STATUS: HL7 FHIR is FREELY available + open standard published under HL7 SPECIFICATIONS license; broad sectoral adoption + Fortune 500 healthcare + payers + EHRs + Mainland China + global + ongoing R6 planning + emerging cybersecurity + AI + tokenization features.
The Heifetz Adaptive Leadership Framework is among the most influential academic-practitioner leadership theories developed by RONALD A. HEIFETZ (King Hussein bin Talal Senior Lecturer in Public Leadership + Founder + Director of the Center for Public Leadership at Harvard Kennedy School, ~1980s-2025). KEY PUBLICATIONS lineage: (a) LEADERSHIP WITHOUT EASY ANSWERS (Harvard University Press, 1994) - foundational academic text introducing technical vs adaptive challenge typology + leadership with and without authority + holding environment; (b) LEADERSHIP ON THE LINE (with Marty Linsky, Harvard Business Press, 2002) - practitioner-focused with personal dimensions including survival + avoiding traps; (c) THE PRACTICE OF ADAPTIVE LEADERSHIP (with Linsky + Alexander Grashow, Harvard Business Press, 2009) - comprehensive practitioner playbook + diagnostic + intervention tools + cases; (d) REAL LEADERSHIP (2010); (e) numerous Harvard Business Review articles + case studies + Harvard Kennedy School executive education materials. 
KEY CONCEPTS: (1) TECHNICAL vs ADAPTIVE CHALLENGES - TECHNICAL = clear problem + known solution + current expertise sufficient; ADAPTIVE = no clear known solution + requires learning + behavior change + new ways of operating + value/priority shifts; HYBRID = mix of technical + adaptive components; (2) LEADERSHIP WITH AND WITHOUT FORMAL AUTHORITY - leaders can exercise leadership without formal positional power by mobilizing others around adaptive work; (3) HOLDING ENVIRONMENT - the space + container leaders create to make adaptive work bearable by regulating disequilibrium between insufficient (denial) + overwhelming (avoidance) levels; (4) GETTING ON THE BALCONY - stepping back from the dance floor of action to observe the system + diagnose patterns; (5) IDENTIFYING ADAPTIVE CHALLENGES - distinguishing surface issues from deeper systemic challenges + identifying losses people fear; (6) MAINTAINING PRODUCTIVE DISEQUILIBRIUM - keeping pressure on the system at levels that drive learning without overwhelming; (7) GIVING THE WORK BACK TO THE PEOPLE - resisting over-functioning + helping followers do the adaptive work themselves; (8) PROTECTING VOICES FROM BELOW - amplifying dissenting voices that surface the adaptive challenge; (9) ORCHESTRATING CONFLICT - using conflict productively + managing intensity; (10) NAMING THE WORK + REFRAMING. PERSONAL DIMENSIONS (from Leadership on the Line): managing hungers (power + affirmation + intimacy + competence) + distinguishing self from role + anchoring yourself + finding sanctuary + finding allies + confidants + finding meaning. 
SECTORAL APPLICATION: extensively applied in public sector (US government + UN + international organizations + multilateral institutions + civil society + NGOs) + healthcare (hospital + health system + public health) + education (universities + K-12 districts) + corporate (executives + change management + transformation + DEI) + military (officers + senior leaders) + non-profit + faith communities + community organizing. PUBLICATION + LICENSE: Heifetz books are COPYRIGHTED by Harvard University Press + Harvard Business Press; conceptual framework + technical-adaptive distinction + key terminology are widely cited + discussed in academic + practitioner literature + executive education; STATUS: REFERENCED because book content is copyrighted (similar pattern to Bass MLQ for FRLM + Goleman ESCI). ADOPTION: thousands of organizations + practitioners use the framework via Cambridge Leadership Associates (CLA) consulting + Harvard Kennedy School (HKS) executive programs + Adaptive Leadership Network + facilitator certifications + leadership development programs globally.
The Hersey + Blanchard Situational Leadership Theory (SLT) is one of the most widely-taught practitioner leadership models, originally developed by PAUL HERSEY + KEN BLANCHARD beginning in 1969 + published in MANAGEMENT OF ORGANIZATIONAL BEHAVIOR (Prentice Hall, 1969 first edition, 10th edition 2012, current 11th edition). KEY PUBLICATIONS lineage: (a) Hersey + Blanchard MANAGEMENT OF ORGANIZATIONAL BEHAVIOR (1969-2012+) - foundational academic textbook; (b) Paul Hersey THE SITUATIONAL LEADER (1985) + numerous CLS publications; (c) Ken Blanchard et al. LEADERSHIP AND THE ONE MINUTE MANAGER (1985) + numerous Blanchard Companies publications; (d) ongoing academic + practitioner literature + revisions; (e) Hersey + Blanchard parted ways professionally + each developed parallel evolved models. CORE MODEL: leader matches style based on follower readiness/development for a specific task; no single leadership style works universally; effective leaders are DIAGNOSTIC + FLEXIBLE + PARTNERING. 4 LEADERSHIP STYLES (HORIZONTAL): (1) S1 TELLING (Hersey) / DIRECTING (Blanchard) - high task + low relationship; specific instructions + close supervision; appropriate for low-readiness/D1 followers; (2) S2 SELLING (Hersey) / COACHING (Blanchard) - high task + high relationship; explains decisions + invites questions; appropriate for some-readiness/D2; (3) S3 PARTICIPATING (Hersey) / SUPPORTING (Blanchard) - low task + high relationship; shares ideas + facilitates; appropriate for moderate-to-high readiness/D3; (4) S4 DELEGATING - low task + low relationship; turns over responsibility; appropriate for high-readiness/D4 followers. 
4 FOLLOWER READINESS / DEVELOPMENT LEVELS (VERTICAL): (1) R1/D1 - Hersey: unable + unwilling/insecure; Blanchard: ENTHUSIASTIC BEGINNER (low competence + high commitment); (2) R2/D2 - Hersey: unable but willing; Blanchard: DISILLUSIONED LEARNER (some competence + low commitment); (3) R3/D3 - Hersey: able but unwilling/insecure; Blanchard: CAPABLE BUT CAUTIOUS (moderate-to-high competence + variable commitment); (4) R4/D4 - Hersey: able + willing/confident; Blanchard: SELF-RELIANT ACHIEVER (high competence + high commitment). EFFECTIVE LEADER must (a) DIAGNOSE follower readiness for the specific task; (b) FLEX leader style to match; (c) PARTNER with follower to agree on leadership approach. PARALLEL EVOLUTIONS: (a) HERSEY CENTER FOR LEADERSHIP STUDIES (CLS, situational.com) - continues original Situational Leadership; LEAD-Self + LEAD-Other multi-rater instruments; faculty + facilitators globally; (b) BLANCHARD COMPANIES SLII (kenblanchard.com) - evolved Situational Leadership II with D1-D4 labels + Blanchard language + materials; SLII assessments + SLII certified facilitators globally. PUBLICATION + LICENSE: Hersey textbook + Blanchard publications + CLS + Blanchard Companies materials + LEAD/SLII instruments are COPYRIGHTED + commercially licensed; conceptual framework + 4 styles + 4 readiness levels + diagnosis/flexibility/partnering are widely cited in academic + practitioner literature. STATUS: REFERENCED because books + instruments + facilitator certifications are copyrighted commercial publications + same pattern as Bass MLQ for FRLM + Goleman ESCI + Heifetz books separately tracked. ADOPTION: millions of leaders + managers + trainers globally have been exposed to SLT/SLII through corporate + military + public-sector training; Fortune 500 + government + military + non-profit + education + healthcare; thousands of certified facilitators. 
ACADEMIC + PRACTITIONER CRITIQUES: (a) some critics question construct validity + empirical support; (b) research effect sizes less robust than initial popularising claims; (c) cultural + cross-cultural validity; (d) over-simplification of leader-follower dynamics; (e) limited integration with newer constructs (psychological safety + adaptive leadership + servant leadership). EVOLUTION: ongoing model refinement + integration with situational + contingency + transformational + adaptive leadership theories.
The Hong Kong Personal Data (Privacy) Ordinance (Cap 486, enacted 1996, significantly amended 2012 and 2021) regulates the collection, use, storage, and transfer of personal data. The Privacy Commissioner for Personal Data (PCPD) oversees compliance. The 2021 amendment criminalised doxxing. Establishes six Data Protection Principles (DPPs) governing the lifecycle of personal data. The PCPD has enhanced enforcement powers including criminal prosecution for doxxing.
Hungary's Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act, amended 2018) supplements the EU GDPR with national provisions. The National Authority for Data Protection and Freedom of Information (NAIH - Nemzeti Adatvédelmi és Információszabadság Hatóság) oversees enforcement. The Act covers both data protection and freedom of information. National provisions include the age of digital consent (16 years), research derogations, public interest data access, and administrative fine procedures.
International Association of Classification Societies (IACS) Unified Requirements E26 (Cyber Resilience of Ships) and E27 (Cyber Resilience of On-Board Systems and Equipment), mandatory from 1 July 2024 for new ship construction contracts. E26 addresses ship-level cyber resilience requirements across the vessel lifecycle. E27 addresses equipment-level cyber security requirements for system integrators and equipment suppliers. Together they establish the first mandatory classification society cyber requirements for new builds. All 12 IACS member classification societies must implement these requirements (covering 90%+ of global tonnage). Aligned with IEC 62443 for industrial automation security.
The IAEA Nuclear Security Series No. 17-T (Rev 1) provides technical guidance on implementing computer security at nuclear facilities. It addresses cybersecurity for nuclear instrumentation and control (I&C) systems, safety systems, and information technology supporting nuclear security. Part of the broader IAEA Nuclear Security framework that includes physical protection, nuclear material accounting, and transport security.
The International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs) provide a globally accepted framework for the supervision of the insurance sector. The 26 ICPs cover licensing, governance, risk management, conduct of business, group supervision, and cross-border cooperation. They serve as the benchmark for insurance regulation globally and are assessed by the IMF and World Bank as part of Financial Sector Assessment Programs (FSAPs).
The IATA Operational Safety Audit (IOSA) is a globally recognised evaluation system for airline operational management and control systems. IOSA registration is a condition of IATA membership and is accepted by regulatory authorities worldwide. The IOSA Standards Manual covers eight operational areas: corporate organisation and management, flight operations, operational control/flight dispatch, aircraft engineering and maintenance, cabin operations, ground handling, cargo operations, and security management. Over 400 airlines on the IOSA registry. Biennial audit cycle.
IATF 16949:2016 is the international quality management system standard for the automotive industry, published by the International Automotive Task Force (IATF). It supplements ISO 9001:2015 with automotive-specific requirements. Required by major OEMs (GM, Ford, Stellantis, BMW, VW, Toyota, etc.) for their supply chain. Covers product safety, warranty management, APQP (Advanced Product Quality Planning), PPAP (Production Part Approval Process), FMEA, SPC, MSA, and control plans. Over 70,000 certified sites worldwide. Certification by IATF-recognised certification bodies only.
ICAO Annex 17 to the Convention on International Civil Aviation establishes international Standards and Recommended Practices (SARPs) for safeguarding civil aviation against acts of unlawful interference. Covers security of airports, aircraft, passengers, baggage, cargo, mail, and in-flight security. All 193 ICAO member states are required to implement Annex 17 standards through national civil aviation security programmes.
Incoterms 2020, published by the International Chamber of Commerce (ICC), are internationally recognised trade terms that define the responsibilities of buyers and sellers in international and domestic commercial transactions. Effective January 1, 2020. Eleven terms in two groups: terms for any mode of transport (EXW, FCA, CPT, CIP, DAP, DPU, DDP) and terms for sea and inland waterway transport (FAS, FOB, CFR, CIF). Each term specifies: delivery point, risk transfer, cost allocation, insurance, export/import customs, and documentation. Used globally in contracts, letters of credit, and trade finance.
ICH E6(R3) Good Clinical Practice (GCP) is the international ethical and scientific quality standard for the design, conduct, performance, monitoring, auditing, recording, analysis, and reporting of clinical trials. The R3 revision (adopted 2023) modernizes GCP for technology-enabled clinical trials, introduces a quality-by-design approach, and addresses decentralized trials, electronic data, and risk-proportionate monitoring.
ICH Q10 describes a comprehensive model for an effective pharmaceutical quality system (PQS) based on ISO quality concepts, applicable GMP regulations, and ICH Q8 (Pharmaceutical Development) and Q9 (Quality Risk Management). It establishes a system for lifecycle management of pharmaceutical products covering development, technology transfer, commercial manufacturing, and product discontinuation. Adopted by FDA, EMA, and PMDA.
The International Council on Mining and Metals (ICMM) Mining Principles establish environmental, social, and governance (ESG) expectations for the responsible mining and metals industry. ICMM members (29 major mining and metals companies and 36 associations) commit to implementing the Mining Principles across their operations. The 2024 update includes 10 principles covering governance, human rights, health and safety, environment, social performance, and stakeholder engagement. Independently validated through ICMM's Validation Framework. Performance expectations and position statements provide detailed requirements.
The International Council of Nurses (ICN) Leadership for Change programme, operational since 1996, builds the leadership and management capacity of nurses worldwide. Uses a cascading model where ICN trains national facilitators who then train participants in-country. Over 90 countries have participated.
IEC 60601-1 is the international standard for the safety and essential performance of medical electrical equipment. It establishes general requirements for basic safety and essential performance applicable to all medical electrical equipment and medical electrical systems. The standard covers electrical hazards, mechanical hazards, radiation hazards, EMC, and software requirements (through IEC 62304 reference).
IEC 62304 defines the lifecycle requirements for the development and maintenance of medical device software. It specifies processes, activities, and tasks for each stage of the software lifecycle including planning, requirements analysis, architectural design, detailed design, unit implementation, integration testing, system testing, release, and maintenance. Software safety classification (Class A, B, C) determines the rigor of required activities.
IEC 62351 is a series of standards addressing the cybersecurity of communication protocols used in power systems. It provides security specifications for protocols including IEC 61850 (substation automation), IEC 60870-5 (telecontrol), IEC 61968/61970 (CIM), and DNP3. Covers authentication, encryption, access control, and key management for operational technology (OT) communications in the energy sector.
IEEE Standard for IED Cyber Security Capabilities for substations
IEEE Standard for addressing ethical concerns during system design
IFRS 17 Insurance Contracts, issued by the IASB and effective January 1, 2023, establishes principles for the recognition, measurement, presentation, and disclosure of insurance contracts. It replaces IFRS 4 and provides a consistent global framework for insurance accounting. Key features include the General Measurement Model (building block approach), Premium Allocation Approach for short-duration contracts, and the Contractual Service Margin representing unearned profit.
The ILO Declaration on Fundamental Principles and Rights at Work (1998, amended 2022) identifies ten core labour conventions covering five categories of fundamental rights at work. The 2022 amendment added occupational safety and health as the fifth category. All 187 ILO member states are obligated to respect these principles regardless of ratification. The ten core conventions are: C029 (Forced Labour), C087 (Freedom of Association), C098 (Collective Bargaining), C100 (Equal Remuneration), C105 (Abolition of Forced Labour), C111 (Non-Discrimination), C138 (Minimum Age), C182 (Worst Forms of Child Labour), C155 (Occupational Safety), and C187 (Promotional Framework for OSH).
The sole ILO instrument specifically covering the health sector workforce. Recognizes the vital role of nursing personnel in protecting and improving health and welfare. Adopted 21 June 1977 at the 63rd ILC session. Entered into force 11 July 1979. Ratified by 41 States. Supplemented by Recommendation R157.
The ILO Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy (MNE Declaration, 6th edition 2022) provides guidance to multinational enterprises, governments, and employers' and workers' organisations on employment, training, conditions of work and life, and industrial relations. It is the only ILO instrument that provides direct guidance to enterprises on social policy and inclusive, responsible, and sustainable workplace practices. Voluntary but widely referenced in responsible business conduct frameworks.
The International Maritime Organization (IMO) guidelines on maritime cyber risk management provide recommendations for safeguarding shipping from cybersecurity threats. IMO Resolution MSC.428(98) affirms that maritime cyber risk should be addressed in Safety Management Systems (SMS) as per the ISM Code. Guidelines provide a risk-based approach aligned with NIST CSF. Applicable to ships, port facilities, and maritime organizations.
The Institute of Risk Management (IRM) provides professional risk management standards and qualifications. The IRM Enterprise Risk Management framework guides organisations in developing and implementing ERM. Key publications: IRM Risk Management Standard (2002, with ISO 31000 alignment), IRM Horizon Scanning guidance, IRM Cyber Risk Resources, and IRM Risk Culture guidance. IRM is the world's leading professional body for risk management, with members in 143 countries. IRM qualifications (International Certificate/Diploma/Advanced Diploma in Risk Management) are recognised globally by employers and regulators.
IRS Tax Information Security Guidelines. Required for federal/state/local agencies handling Federal Tax Information.
International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB), provides a framework for practitioners to issue assurance reports on controls at a service organisation. Type 1 reports describe controls and their design suitability at a point in time. Type 2 reports also include operating effectiveness testing over a period. Used globally (outside the US where SSAE 18 applies) for service organisation assurance, particularly in financial services, IT outsourcing, and cloud computing.
Information System Security Management and Assessment Program for cloud
ISO 13485:2016 Medical Devices Quality Management Systems Requirements.
ISO 14001:2015 - Environmental management systems - requirements with guidance for use.
ISO 14064 (Parts 1-3) provides specifications and guidance for quantification, monitoring, reporting, and verification of greenhouse gas (GHG) emissions and removals. Part 1 (2018) covers organisation-level GHG inventories. Part 2 (2019) covers project-level GHG emission reductions. Part 3 (2019) covers verification and validation of GHG assertions. Aligned with the GHG Protocol. Used for corporate carbon accounting, emissions trading, and climate disclosure under CSRD, SEC, and ISSB requirements.
ISO 15189:2022 (4th edition) specifies requirements for quality and competence in medical (clinical) laboratories. It covers examination processes (pre-examination, examination, post-examination), quality management systems, and resource requirements specific to medical laboratories. Applicable to clinical chemistry, haematology, microbiology, pathology, immunology, and other medical laboratory disciplines. Accreditation to ISO 15189 is increasingly required by healthcare regulators and insurers. The 2022 revision introduces risk-based thinking and aligns with ISO/IEC 17025:2017 structure.
ISO 19650 is the international standard series for Building Information Modelling (BIM) and managing information over the whole lifecycle of a built asset. ISO 19650-1:2018 covers concepts and principles, ISO 19650-2:2018 covers the delivery phase, ISO 19650-3:2020 covers the operational phase, and ISO 19650-5:2020 covers security-minded information management. The standard establishes the common data environment (CDE), information delivery processes, and roles/responsibilities for BIM projects. Mandated for public sector projects in the UK and increasingly adopted globally.
ISO 20400 provides guidance for organizations on integrating sustainability into procurement processes. It addresses the principles of sustainable procurement, integrating sustainability into procurement policy and strategy, organizing the procurement function for sustainability, and embedding sustainability into the procurement process. Applicable to any organization regardless of its activity or size.
ISO 22301:2019 Business Continuity Management Systems Requirements.
ISO 22313:2020 provides guidance for planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving a business continuity management system (BCMS) as specified in ISO 22301. It provides explanatory text, examples, and good practices for each clause of ISO 22301. Does not add new requirements but helps organisations understand and implement ISO 22301 effectively. Applicable alongside ISO 22301 as an implementation guide.
ISO 22320 provides guidelines for emergency management including incident response operations, incident management, and operational coordination. It addresses requirements for effective incident management including command and control, operational information, and cooperation and coordination between organizations.
ISO 22739:2024 (previously ISO 22739:2020) provides the standardised vocabulary for blockchain and distributed ledger technologies (DLT). Part of the ISO/TC 307 (Blockchain and distributed ledger technologies) family of standards. Related standards include: ISO/TR 23455 (Smart Contracts overview), ISO/TR 23244 (Privacy and PII protection), ISO 23257 (Reference Architecture), ISO/TR 23576 (Security management), and ISO/TS 23635 (DLT-based digital asset custody). TC 307 working groups cover: reference architecture, taxonomy, use cases, security, privacy, identity, smart contracts, governance, and interoperability. Adopted by 40+ national standards bodies.
ISO 26000 provides guidance on social responsibility for all types of organizations. It covers the seven core subjects of social responsibility: organizational governance, human rights, labour practices, the environment, fair operating practices, consumer issues, and community involvement and development. It is a guidance standard, not certifiable.
ISO 26262:2018 (2nd edition) is the international standard for functional safety of electrical and electronic (E/E) systems in road vehicles. It addresses hazards caused by malfunctioning behaviour of E/E safety-related systems. Defines Automotive Safety Integrity Levels (ASIL A-D) based on hazard analysis. Covers the full safety lifecycle from concept through decommissioning. 12 parts covering management, system/hardware/software development, production, and field monitoring. The foundational automotive safety standard.
International standard for establishing, implementing, maintaining and continually improving an information security management system (ISMS)
Information security, cybersecurity and privacy protection - Information security controls
Code of practice for information security controls based on ISO 27002 for cloud services
Code of practice for protection of PII in public clouds acting as PII processors
Information security controls for the energy utility industry
Information security management in health using ISO 27002
ISO 28001 specifies the requirements and guidance for organizations in international supply chains to develop and implement supply chain security management processes. It establishes best practices for assessing supply chain security threats and implementing appropriate countermeasures. Part of the ISO 28000 series, it supports customs trade partnership programs and Authorized Economic Operator (AEO) status.
ISO 30414:2018 provides guidelines on human capital reporting (HCR) for internal and external stakeholders. It defines 58 metrics across 11 areas covering workforce diversity, leadership, organisational culture, health and safety, productivity, recruitment, turnover, skills and capabilities, succession planning, workforce availability, and compliance. Supports ESG reporting, investor decision-making, and strategic workforce planning. Applicable to organisations of all sizes.
ISO 31000:2018 Risk Management Guidelines (guidance, not certifiable).
ISO 37000:2021 Governance of Organizations - Guidance. Provides guidance on the governance of organizations, establishing principles and key aspects of practice to help governing bodies and other stakeholders. Applicable to all organizations regardless of type, size, or sector. Focuses on purpose, value generation, strategy, oversight, and accountability.
ISO 37000:2021 provides guidance on the governance of organizations. It establishes principles and key aspects of practice to guide governing bodies in fulfilling their governance responsibilities. Covers purpose and value generation, oversight strategy, stakeholder engagement, societal responsibility, accountability, and performance monitoring. Applicable to all organizations regardless of type, size, or sector.
ISO 37002:2021 provides guidelines for establishing, implementing, maintaining, and improving a whistleblowing management system. It covers receiving, assessing, and addressing reports of wrongdoing. Based on four principles: trust, impartiality, protection, and accessibility. Applicable to all organisations regardless of type, size, or sector. Supports compliance with whistleblowing legislation including the EU Whistleblowing Directive, US SOX, and Dodd-Frank. Complementary to ISO 37001 (anti-bribery) and ISO 37301 (compliance).
ISO 39001 specifies requirements for a road traffic safety (RTS) management system to enable organizations that interact with the road traffic system to reduce death and serious injuries from road traffic crashes. Applicable to all organizations regardless of type, size, or nature of product/service, including those managing road networks, designing vehicles, transporting goods/passengers, or generating road traffic through their activities.
ISO 41001:2018 specifies requirements for a facility management (FM) system when an organisation needs to demonstrate effective and efficient delivery of FM that supports the objectives of the organisation. Based on the Harmonised Structure (Annex SL) for integration with ISO 9001, ISO 14001, ISO 45001, and ISO 27001. Covers strategic FM planning, demand management, service delivery, performance measurement, and improvement. Applicable to all types of facilities and organisations.
ISO 45001:2018 Occupational Health and Safety Management Systems Requirements.
ISO 50001:2018 specifies requirements for establishing, implementing, maintaining, and improving an energy management system (EnMS). It enables organizations to follow a systematic approach to achieving continual improvement of energy performance including energy efficiency, use, and consumption. Uses the Plan-Do-Check-Act framework and the High Level Structure for integration with other ISO management systems.
ISO 8000 is the international standard for data quality. The multi-part standard covers: ISO 8000-1 (overview), ISO 8000-2 (vocabulary), ISO 8000-8 (information and data quality), ISO 8000-61 (data quality management: process reference model), ISO 8000-62 (data quality management: organisational process maturity assessment), ISO 8000-100 series (master data), and ISO 8000-110/115/120 (data quality: syntax, semantics, and completeness). The standard provides a framework for managing data quality across the data lifecycle. Used in manufacturing (product data quality), finance (reference data), healthcare (clinical data), and government (open data quality).
ISO 9001:2015 Quality Management Systems Requirements.
ISO/IEC 17025:2017 specifies the general requirements for the competence, impartiality, and consistent operation of testing and calibration laboratories. It is the basis for laboratory accreditation worldwide. Applicable to all laboratories regardless of the number of personnel or scope of activities. Covers structural requirements, resource requirements, process requirements, and management system requirements. Over 80,000 accredited laboratories globally. Accreditation by national bodies (UKAS, NATA, A2LA, etc.) under the ILAC Mutual Recognition Arrangement.
ISO/IEC 23837 (Parts 1 and 2) specifies security requirements and evaluation methods for quantum key distribution modules and networks. Part 1 defines security requirements covering: QKD module security, key generation, key management, authentication, physical security, and side-channel resistance. Part 2 defines evaluation methodology. Developed by ISO/IEC JTC 1/SC 27 (Information security) in coordination with ETSI ISG QKD. Provides a Common Criteria-compatible evaluation framework for QKD implementations. Adopted by national QKD certification schemes including BSI (Germany) and ANSSI (France).
Information technology - Artificial intelligence - Guidance on risk management. Provides guidance on how organizations that develop, produce, deploy, or use products, systems and services that utilize AI can manage risk specifically related to AI. Extends ISO 31000 risk management principles to AI contexts. Published February 2023.
ISO/IEC 25012:2008 defines a general data quality model applicable to data retained in a structured format within a computer system. Part of the SQuaRE (Systems and software Quality Requirements and Evaluation) series. It defines 15 data quality characteristics categorised as inherent (accuracy, completeness, consistency, credibility, currentness) and system-dependent (accessibility, compliance, confidentiality, efficiency, precision, traceability, understandability, availability, portability, recoverability).
ISO/IEC 27003:2017 - Information technology - Security techniques - Information security management systems - Guidance. Provides clause-by-clause guidance for implementing ISO/IEC 27001 requirements. Each clause contains Required Activity, Explanation, Guidance, and Other Information. Mirrors ISO 27001 clauses 4-10. Second edition published 2017.
Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation. Provides guidance to assist organizations in evaluating information security performance and effectiveness of the ISMS. Supports ISO 27001 Clause 9.1 requirements.
ISO/IEC 27006 specifies requirements and provides guidance for bodies providing audit and certification of information security management systems (ISMS). It supplements ISO/IEC 17021-1 with ISMS-specific requirements for certification bodies, including auditor competence, audit time, and certification scope determination.
ISO/IEC 27007 provides guidance on managing an ISMS audit programme, conducting audits, and evaluating the competence of ISMS auditors. It supplements ISO 19011 with ISMS-specific auditing guidance for both internal and external audits. Applicable to all organizations needing to conduct internal or external ISMS audits.
ISO/IEC 27010 provides guidelines for information security management for inter-sector and inter-organizational communications. It extends ISO 27001/27002 guidance for situations where organizations share information across sector boundaries, within communities of interest, or between organizations. Applicable to information sharing initiatives, ISACs, and trusted communities.
ISO/IEC 27011 provides guidelines supporting the implementation of information security controls in telecommunications organizations based on ISO/IEC 27002. It addresses sector-specific security requirements for telecommunications operators including network security, service availability, customer data protection, and lawful interception compliance.
Information security, cybersecurity and privacy protection - Governance of information security. Provides guidance on concepts, objectives, and processes for the governance of information security. Intended for governing bodies and top management of organizations. Applicable to all types and sizes of organizations.
ISO/IEC 27018:2019 Code of practice for PII protection in public clouds acting as PII processors.
Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity. Provides a framework of methods and processes for organizations to improve ICT readiness to support business operations during disruptions. Describes the concepts and principles of ICT readiness for business continuity (IRBC).
ISO/IEC 27050 (Parts 1-4) provides guidance on activities related to electronic discovery (eDiscovery) - the process of identifying, preserving, collecting, processing, reviewing, and producing electronically stored information (ESI) in litigation, investigations, and regulatory matters. Part 1 covers overview, Part 2 governance and management, Part 3 code of practice, and Part 4 technical readiness. Aligns with the EDRM (Electronic Discovery Reference Model).
ISO/IEC 27400 provides guidelines for security and privacy in IoT (Internet of Things) solutions. It addresses security and privacy risks throughout the IoT device lifecycle and provides controls for IoT service providers, IoT device developers, and IoT users. Covers device security, data protection, communication security, and trustworthiness of IoT ecosystems.
ISO/IEC 27557:2022 provides guidance on the application of ISO 31000:2018 to the management of privacy risks related to the processing of personally identifiable information (PII). It extends ISO 31000 risk management principles to specifically address privacy risks from the perspective of the organisation. Covers privacy risk identification, analysis, evaluation, and treatment. Complements ISO/IEC 27701 (PIMS) and supports GDPR, CCPA, and other privacy regulation compliance.
ISO/IEC 27701:2019 is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, providing requirements and guidance for establishing, maintaining, and continually improving a Privacy Information Management System (PIMS).
Information technology - Security techniques - Privacy framework. Establishes a comprehensive privacy framework including privacy principles, terminology, and concepts for the protection of personally identifiable information (PII). Applicable to organizations involved in specifying, procuring, designing, developing, or operating ICT systems that process PII. Second edition, substantially updated from 2011.
ISO/IEC 29115:2023 specifies a framework for entity authentication assurance in ICT systems. Defines four levels of authentication assurance (LoA 1-4) based on confidence in the identity claim during authentication. LoA 1 provides minimal confidence, LoA 4 provides very high confidence with hardware-based authenticators. The standard covers: authentication threats, assurance levels, credential types, authentication mechanisms, and lifecycle management. Widely referenced by eIDAS, national digital identity schemes, and financial regulators. Applicable to both human and machine (IoT) entity authentication. Complemented by ISO/IEC 29003 (identity proofing) and ISO/IEC 24760 (identity management framework).
Information technology - Security techniques - Guidelines for privacy impact assessment. Provides guidance for a process on privacy impact assessments (PIAs) and a structure and content of a PIA report. Supports GDPR Article 35 Data Protection Impact Assessment (DPIA) requirements. Second edition, published May 2023.
ISO/IEC 29147 provides guidelines for the disclosure of potential vulnerabilities in products and online services. It addresses how vendors should receive vulnerability reports, process them, and publish advisories. Complements ISO/IEC 30111 which covers internal vulnerability handling processes.
ISO/IEC 30111 provides guidelines for the internal handling of reported potential vulnerabilities in products and online services. It covers the processes a vendor should follow from receiving a vulnerability report through remediation and advisory publication. Complements ISO/IEC 29147 (vulnerability disclosure).
ISO/IEC 38500:2024 provides guiding principles for the governance of information technology by the governing body of any organization. It establishes a framework for effective governance of IT to ensure alignment with organizational objectives, delivery of value, management of risks, and responsible resource use. Updated in 2024 with enhanced coverage of emerging technologies, cybersecurity governance, and sustainability.
ISO/IEC 42001:2023 Artificial Intelligence Management System (AIMS), the first AI-specific ISO management system standard.
International Sustainability Standards Board reporting standards
The International Traffic in Arms Regulations (ITAR, 22 CFR Parts 120-130) control the export and import of defence-related articles, services, and technical data on the United States Munitions List (USML). Administered by the State Department's Directorate of Defense Trade Controls (DDTC). ITAR requires registration, licensing, and compliance with end-use restrictions. Violations can result in criminal penalties up to $1 million and 20 years imprisonment.
IT Infrastructure Library for IT service management best practices
The International Telecommunication Union (ITU) Radio Regulations (RR) are the international treaty governing the global use of the radio-frequency spectrum and satellite orbits. Revised at World Radiocommunication Conferences (WRC), most recently WRC-23. For space operations, the ITU regulates satellite frequency coordination, orbital slot allocation, interference protection, and space operations spectrum. ITU-T X.1205 provides cybersecurity guidelines. ITU-R SA series covers space applications spectrum. The Radio Regulations are binding on all 193 ITU member states and form the basis for national spectrum management.
ITU-T Recommendation X.805 (2003, still actively referenced) defines a security architecture for systems providing end-to-end communications. It uses a layered approach across three security layers (infrastructure, services, applications), three security planes (management, control, end-user), and eight security dimensions (access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability, privacy). Widely used as a telecom security reference architecture.
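In practice the layer/plane/dimension structure is applied as a 72-cell coverage matrix: each security control is mapped to the cells it addresses and the empty cells are the gaps. The following is an added example, not code from the page or from ITU-T: it enumerates the X.805 cells, maps a constructed control inventory (the control names are hypothetical) onto them and reports the cells no control addresses.

```python
"""Added example (not from the page): map a control inventory onto the X.805
3 layers x 3 planes x 8 dimensions matrix and report uncovered cells."""
from itertools import product

LAYERS = ("infrastructure", "services", "applications")
PLANES = ("management", "control", "end-user")
DIMENSIONS = (
    "access control", "authentication", "non-repudiation", "data confidentiality",
    "communication security", "data integrity", "availability", "privacy",
)
ALL_CELLS = frozenset(product(LAYERS, PLANES, DIMENSIONS))  # 3 * 3 * 8 = 72 cells


def _expand(value, universe):
    """'*' means every element of the universe; otherwise one name or a tuple."""
    if value == "*":
        return universe
    if isinstance(value, str):
        value = (value,)
    unknown = set(value) - set(universe)
    if unknown:
        raise ValueError(f"unknown X.805 element(s): {sorted(unknown)}")
    return tuple(value)


def cells_for(control):
    """Return the set of (layer, plane, dimension) cells one control claims."""
    return set(product(_expand(control["layers"], LAYERS),
                       _expand(control["planes"], PLANES),
                       _expand(control["dimensions"], DIMENSIONS)))


def coverage_gaps(controls):
    """Cells of the 72-cell matrix that no control in the inventory addresses."""
    covered = set()
    for c in controls:
        covered |= cells_for(c)
    return sorted(ALL_CELLS - covered)


# Constructed sample inventory (hypothetical control names, not a real deployment).
SAMPLE_CONTROLS = [
    {"name": "TLS 1.3 on all interfaces", "layers": "*", "planes": "*",
     "dimensions": ("data confidentiality", "data integrity", "communication security")},
    {"name": "mTLS + RBAC on management APIs", "layers": "*", "planes": "management",
     "dimensions": ("authentication", "access control")},
    {"name": "Signed audit log for admin actions", "layers": "*", "planes": "management",
     "dimensions": "non-repudiation"},
    {"name": "Subscriber identity encryption", "layers": "services",
     "planes": "control", "dimensions": ("privacy", "data confidentiality")},
    {"name": "Redundant links and anti-DDoS", "layers": "infrastructure", "planes": "*",
     "dimensions": "availability"},
]

if __name__ == "__main__":
    gaps = coverage_gaps(SAMPLE_CONTROLS)
    print(f"{len(ALL_CELLS) - len(gaps)}/{len(ALL_CELLS)} cells covered; gaps:")
    for layer, plane, dim in gaps:
        print(f"  {layer:15} {plane:11} {dim}")
```

With the sample inventory 40 of the 72 cells are covered; the 32 gaps cluster on the control and end-user planes (no authentication, access control or non-repudiation there) and on availability outside the infrastructure layer, which is the kind of blind spot the matrix is meant to expose.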
Iceland's Act on Data Protection and the Processing of Personal Data (Act No. 90/2018) implements the EU GDPR into Icelandic law via the EEA Agreement. The Icelandic Data Protection Authority (Persónuvernd) oversees enforcement. The Act includes national provisions for processing of national identification numbers (kennitala), processing for journalistic purposes, research and statistics, the age of digital consent (13 years), and health data processing. Iceland applies the GDPR framework fully as an EEA member state.
The Illinois Biometric Information Privacy Act (740 ILCS 14) is the most comprehensive US state biometric privacy law. Enacted in 2008, it regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and biometric information. Notable for its private right of action allowing individuals to sue for violations, with statutory damages of $1,000-$5,000 per violation.
The Reserve Bank of India (RBI) Account Aggregator (AA) framework enables consent-based sharing of financial data between Financial Information Providers (FIPs) and Financial Information Users (FIUs) through licensed Account Aggregators. Operationalised through the RBI Master Direction on NBFC-Account Aggregator (2016, updated 2021). Uses the Data Empowerment and Protection Architecture (DEPA) for consent management. Covers banking, insurance, securities, pension, and tax data.
The Indian Computer Emergency Response Team (CERT-In) Directions of April 2022 mandate cybersecurity practices for service providers, intermediaries, data centres, and government organizations in India. Key requirements include 6-hour incident reporting, 180-day log retention, KYC for VPN/cloud providers, and synchronized system clocks. Applies to all entities covered by the Information Technology Act 2000.
Indiana Consumer Data Protection Act
Iowa Consumer Data Protection Act
Israel's Protection of Privacy Law (5741-1981, amended through 2024) provides the legal framework for data protection, administered by the Privacy Protection Authority (PPA) under the Ministry of Justice. Israel holds EU adequacy recognition (since 2011). The 2024 amendments (Amendment 13) significantly strengthen the framework with expanded PPA enforcement powers, mandatory breach notification, increased penalties, and enhanced data subject rights.
Italy's Personal Data Protection Code (Codice in materia di protezione dei dati personali, Legislative Decree No. 196/2003) was substantially amended by Legislative Decree No. 101/2018 to align with the GDPR. The Garante per la protezione dei dati personali (Italian Data Protection Authority) oversees enforcement. The Code retains significant national provisions alongside the GDPR, including rules on health data, employment data, journalistic processing, video surveillance, and marketing. The Garante is one of the most experienced DPAs in Europe, established in 1997.
Jamaica's Data Protection Act 2020 (effective December 1, 2023) establishes a comprehensive data protection framework. The Office of the Information Commissioner (OIC) serves as the supervisory authority. The Act establishes eight data protection principles, individual rights, registration requirements, and provisions for cross-border transfers. Applies to the processing of personal data by controllers established in Jamaica.
Japan's Act on Specified Commercial Transactions (ASCT, Act No. 57 of 1976, substantially amended 2021-2023) regulates commercial transactions including online digital services, subscription services, and in-app purchases. The 2021 amendments specifically addressed dark patterns in digital commerce, requiring clear pricing disclosure, prohibition on misleading final confirmation screens, and cooling-off rights for digital subscriptions. Enforced by the Consumer Affairs Agency (CAA). Particularly relevant for gaming microtransactions and digital subscriptions.
The Japan Financial Services Agency (JFSA) Cybersecurity Guidelines provide a comprehensive framework for managing cybersecurity risks in financial institutions. Updated periodically, the guidelines cover governance, risk assessment, preventive controls, detection, response, and recovery. Aligned with the NIST Cybersecurity Framework. Apply to banks, securities firms, insurance companies, and other regulated financial institutions in Japan.
Jordan's Personal Data Protection Law (Law No. 24 of 2023) was published in September 2023 and came into force in March 2024, giving the country its first comprehensive, GDPR-influenced data protection statute (lawful-basis and consent requirements, data subject rights, controller and processor obligations, and a Personal Data Protection Council under the Ministry of Digital Economy and Entrepreneurship). Before it, data protection was addressed only through the Jordanian Constitution (privacy rights), the Cybercrime Law (No. 17/2023), the Telecommunications Law, and sector-specific regulations; the Electronic Transactions Law (No. 15/2015) addresses electronic data security, and the Telecommunications Regulatory Commission (TRC) oversees telecommunications data privacy.
Kazakhstan's Law on Personal Data and Their Protection (No. 94-V, 2013, significantly amended 2023) establishes the data protection framework. The Committee on Information Security of the Ministry of Digital Development oversees enforcement. Key provisions include consent requirements, data subject rights, data localisation for certain categories, cross-border transfer restrictions, and data protection officer requirements. Amendments in 2023 strengthened rights and introduced breach notification obligations.
Kentucky Consumer Data Protection Act
Kenya Data Protection Act 2019 + Data Protection (General) Regulations 2021.
The Kids Online Safety Act (KOSA) is a US federal bill that would establish a duty of care for covered online platforms to prevent and mitigate harms to minors. It would require platforms to provide safeguards for minors by default, give minors and parents tools to protect against harmful content, and direct the FTC to establish best practices. KOSA passed the Senate in July 2024 but was not taken up by the House in the 118th Congress and has not been enacted; it was reintroduced in 2025.
David Kolb's experiential learning theory proposing that learning is a process whereby knowledge is created through the transformation of experience. Published in 'Experiential Learning: Experience as the Source of Learning and Development' (1984). The cycle has four stages and maps to four distinct learning styles.
John Kotter's eight-step process for leading organizational change, first published in 'Leading Change' (1996) and updated in 'Accelerate' (2014). The model organizes change leadership into three phases: creating a climate for change, engaging and enabling the organization, and implementing and sustaining change.
Kuwait's data privacy landscape is primarily governed by the Constitution (Article 39, communication privacy), the Cyber Crimes Law (No. 63/2015), and the Capital Markets Authority (CMA) Data Privacy Protection Regulation (2021). The CMA regulation specifically addresses data protection for entities regulated by the CMA. Kuwait does not yet have comprehensive standalone data protection legislation, but a draft Personal Data Protection Law has been under consideration. The Cyber Crimes Law criminalises unlawful access, data theft, and privacy violations in electronic communications.
Kuwait's National Cybersecurity Framework, established by the Communication and Information Technology Regulatory Authority (CITRA) and the National Cyber Security Center (NCSC), provides mandatory cybersecurity requirements for government entities and critical national infrastructure in Kuwait. Covers governance, technical controls, and compliance monitoring.
The LEADS in a Caring Environment framework describes the leadership capabilities needed to lead effectively in health systems. Developed in Canada by Dr. Graham Dickson and colleagues, it comprises five domains - Lead Self, Engage Others, Achieve Results, Develop Coalitions, and Systems Transformation - with four capabilities each. LEADS is used internationally for health leadership development, assessment, and organisational capacity building.
LEED (Leadership in Energy and Environmental Design) v4.1 is the most widely used green building rating system globally, developed by the US Green Building Council (USGBC). Over 110,000 LEED-certified projects in 185 countries. LEED v4.1 includes credits for smart building technologies, energy monitoring, indoor environmental quality monitoring, and sustainable data centre design. LEED covers: Building Design and Construction (BD+C), Interior Design and Construction (ID+C), Building Operations and Maintenance (O+M), Neighbourhood Development (ND), and Cities and Communities. Certification levels: Certified, Silver, Gold, Platinum.
Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018) - Brazil's General Data Protection Law
Laos' Law on Prevention and Combating Cybercrime (2015) establishes the legal framework for addressing cybercrime and includes provisions for data protection and cybersecurity. It criminalises unauthorised access, data interference, system interference, and misuse of devices. Includes provisions on electronic evidence, international cooperation, and service provider obligations. The Ministry of Post, Telecommunications and Communication oversees implementation.
Latvia's Personal Data Processing Law (Fizisko personu datu apstrādes likums) of 2018 supplements the EU GDPR with national provisions. The Data State Inspectorate (Datu valsts inspekcija) oversees enforcement. The law includes provisions for processing of national identification numbers (personas kods), processing for journalistic purposes, employment data processing, video surveillance, and the age of digital consent (13 years). Specific provisions for processing by law enforcement and national security services.
Law No. 09-08 (2009) establishes Morocco's data protection framework, creating the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) as the supervisory authority. The law defines data subject rights (access, rectification, opposition, erasure), obligations for data controllers and processors, requirements for lawful processing, cross‑border data transfer restrictions, security measures, and administrative penalties. It was amended by Decree No. 2-20-03 in 2020, which updated provisions on data breach notification, electronic communications, and introduced additional safeguards for sensitive data. The law aligns with many principles of the EU GDPR but is not considered fully equivalent.
Law No. 172-13 on the Protection of Personal Data, the primary data protection legislation in the Dominican Republic.
Côte d'Ivoire's Law No. 2013-450 of 19 June 2013 on the Protection of Personal Data establishes the country's data protection framework. It sets out principles for lawful data processing, consent requirements, data subject rights (including access, rectification, opposition and erasure), obligations for data controllers and processors, and mandates the creation of the Commission de protection des données à caractère personnel (CPDP) as the supervisory authority. The law was complemented by Decree No. 2015‑1025 of 30 November 2015, which details the implementation measures and the functioning of the CPDP.
North Macedonia's Law on Personal Data Protection (Official Gazette No. 42/2020), effective February 2020, replaces the 2005 law and aligns with the EU GDPR. The Agency for Personal Data Protection oversees enforcement. The law incorporates GDPR principles, data subject rights, DPO requirements, data breach notification obligations (added by Law No. 12/2021), and increased administrative fines.
Lebanon's Law No. 81/2018 on Electronic Transactions and Personal Data Protection establishes the legal framework for electronic commerce and data protection. The law covers electronic transactions, electronic signatures, data protection principles, consent requirements, data subject rights, and the establishment of a Personal Data Protection Commission. It is one of the more comprehensive data protection laws in the MENA region. The law applies to processing of personal data by public and private entities in Lebanon. The Personal Data Protection Commission has enforcement powers.
Ecuador's Organic Law on Personal Data Protection (Ley Orgánica de Protección de Datos Personales)
Lithuania's Law on the Legal Protection of Personal Data (No. I-1374, as restated in 2018) supplements the EU GDPR with national provisions. The State Data Protection Inspectorate (Valstybine duomenu apsaugos inspekcija) oversees enforcement. The law includes provisions for processing of national identification codes (asmens kodas), video surveillance, processing for journalistic purposes, direct marketing, the age of digital consent (14 years), and specific derogations for research and statistics.
Lloyd's of London Minimum Standards establish baseline requirements that all managing agents in the Lloyd's market must meet. The Cyber Security minimum standards, part of the broader Operational Risk framework, require managing agents to implement appropriate cybersecurity controls, conduct risk assessments, and report incidents. Lloyd's also sets standards for underwriting, claims, reserving, and other operational areas. Enforced through Lloyd's supervisory framework.
Lloyd's of London has established requirements and guidance for managing syndicates' cyber insurance exposure. Key requirements include: mandatory systemic cyber risk exclusions (from March 2023), war and state-backed cyber attack exclusions, cyber insurance risk management standards, and exposure management. Lloyd's Market Bulletin Y5381 (2022) requires all standalone cyber policies to exclude state-backed cyber attacks with clear attribution clauses. Managing agents must demonstrate cyber risk management capability. Lloyd's Realistic Disaster Scenarios (RDS) for cyber include cloud outage, mass ransomware, and data exfiltration scenarios.
Luxembourg's Law of 1 August 2018 organises the National Commission for Data Protection (CNPD) and supplements the GDPR with national provisions. The Commission Nationale pour la Protection des Données (CNPD) oversees enforcement. Luxembourg is significant as the EU establishment of many major tech companies (Amazon, PayPal, Skype), so the CNPD has lead-authority jurisdiction over major data controllers established there. The law includes provisions on the age of digital consent (16 years), processing by the public sector, research derogations, and employee data.
Minimum Acceptable Risk Standards for Exchanges (Healthcare marketplace)
The Minimum Acceptable Risk Standards for Exchanges (MARS‑E) Version 2.2 establishes security and privacy requirements for state and federal Health Insurance Exchanges (Marketplaces) created under the Affordable Care Act. Based on NIST SP 800‑53 with exchange‑specific overlays, it provides a risk‑based approach to protecting the confidentiality, integrity, and availability of exchange data and systems.
Manufacturer Disclosure Statement for Medical Device Security
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) derived from real-world observations.
MITRE D3FEND is a knowledge base/graph that catalogs cybersecurity countermeasures and maps them to ATT&CK techniques.
Multi-Tier Cloud Security Standard by IMDA Singapore
The Multi-Tier Cloud Security (MTCS) Standard (SS 584) is Singapore's national cloud security standard developed by the Infocomm Media Development Authority (IMDA). Based on ISO 27001, it provides a three-tier framework (Level 1-3) for cloud security certification with increasing requirements. Level 1 covers basic security, Level 2 adds governance and risk management, and Level 3 addresses the most stringent requirements for highly regulated data. Mandatory for Singapore government cloud procurement.
Malta's Data Protection Act (Cap. 586) implements the EU GDPR and replaces the previous 2001 Data Protection Act. The Act sets the age of digital consent at 13 years, defines the powers and duties of the Information and Data Protection Commissioner (IDPC), and includes national provisions on data subject rights, lawful processing, data breach notification, and exemptions for competent authorities. The Act was originally enacted in 2018 and amended in 2020 to clarify certain obligations.
The Maryland Online Data Privacy Act (MODPA) establishes consumer privacy rights and data protection obligations for businesses that process personal data of Maryland residents, with enforcement beginning on October 1, 2025.
Christina Maslach's model combines the Maslach Burnout Inventory (MBI), which measures three dimensions of burnout-emotional exhaustion, depersonalization, and reduced personal accomplishment-and the Areas of Worklife Survey (AWS), which assesses six workplace domains (workload, control, reward, community, fairness, and values) that influence burnout and engagement. The model is used to identify organizational factors contributing to burnout and to guide interventions aimed at prevention and improvement of employee well-being.
Mexican Federal Law on Protection of Personal Data in Possession of Private Parties (LFPDPPP), originally enacted in 2010 and amended in 2017, overseen by the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
The Markets in Financial Instruments Directive II (Directive 2014/65/EU) and the Markets in Financial Instruments Regulation (Regulation EU No 600/2014) constitute the EU's comprehensive framework for financial markets. Effective 3 January 2018, the framework sets rules for investment firms, trading venues, market transparency, and investor protection, and has been amended through a series of Delegated Acts and Regulatory Technical Standards (most recently in 2023) to address emerging market practices and regulatory objectives.
Minnesota Consumer Data Privacy Act (MCDPA) - a state law enacted in May 2024 that establishes consumer data privacy rights, data protection obligations for businesses, and enforcement mechanisms, effective July 31, 2025.
The Modern Slavery Act 2018 (Cth) requires Australian entities with consolidated revenue of A$100 million or more to report annually on modern slavery risks in their operations and supply chains, and the actions taken to address those risks. Reports are published on the Modern Slavery Register.
Monetary Authority of Singapore Technology Risk Management Guidelines
The Montana Consumer Data Privacy Act (MCDPA) is a state law enacted in 2023 that establishes consumer privacy rights, data protection obligations for businesses, and enforcement mechanisms, effective October 1, 2024.
Montenegro's Law on Personal Data Protection (Official Gazette No. 44/2023), effective August 2023, repeals the 2008 law and aligns the national framework with the EU General Data Protection Regulation (GDPR). The law is enforced by the Agency for Personal Data Protection (Agencija za zaštitu podataka o ličnosti). It introduces GDPR‑style principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. It grants data subjects rights to access, rectification, erasure, restriction of processing, data portability and objection, establishes mandatory data breach notification obligations, and sets conditions for cross‑border data transfers. The law also provides for administrative fines and supervisory powers.
Myanmar's Cybersecurity Law, enacted in January 2025 after drafts circulated from 2022, establishes a cybersecurity and data protection framework. The law covers cybersecurity obligations for digital platform service providers, critical information infrastructure protection, personal data processing requirements, and cybersecurity incident reporting. Administered by the Ministry of Transport and Communications. The law has been criticised for its surveillance provisions, its restrictions on VPN use, and its broad scope.
NABERS (National Australian Built Environment Rating System) is an Australian Government initiative that measures the environmental performance of existing buildings, tenancies, and homes. Ratings cover energy, water, waste, and indoor environment quality on a 1-6 star scale, with higher stars indicating better performance. A NABERS Energy rating is mandatory for office buildings and tenancies of 1,000 m² or more when they are sold or leased, under the Building Energy Efficiency Disclosure Act 2010 (the Commercial Building Disclosure program); participation is voluntary for other building types. The system provides a transparent, comparable metric to drive improvements in sustainability across the built environment.
The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (Model 668) establishes data security standards for the insurance industry. Adopted by NAIC in 2017, it has been enacted by over 20 US states. It requires insurers and other licensed entities to develop comprehensive information security programs, conduct risk assessments, and notify regulators of cybersecurity events.
NAIC Insurance Data Security Model Law (MDL-668), 4Q2017 with 2025 technical edit.
NATO Allied Quality Assurance Publication AQAP 2110 establishes quality assurance requirements for NATO defence procurement. AQAP 2110 covers design, development, and production and is referenced in NATO contracts. It supplements ISO 9001 with additional defence-specific requirements including configuration management, first article inspection, and government quality assurance. Used by the 32 NATO member nations for procurement from the defence industry. Complementary publications include AQAP 2210 (software quality), AQAP 2310 (inspection), and AQAP 2131 (production only).
The NATO cyber defence framework is defined by the NATO Cyber Defence Policy (first adopted in 2008, enhanced in 2014, and replaced by the Comprehensive Cyber Defence Policy in 2021) and operationalised through the NATO Computer Incident Response Capability (NCIRC) managed by the NATO Communications and Information Agency (NCI Agency). The CCDCOE provides research and the Tallinn Manual on the International Law Applicable to Cyber Operations, but these are not NATO policy documents. Key references: NATO Cyber Defence Policy (2021), NCIRC Handbook (2022), NCI Agency publications.
STANAG 4774 (Confidentiality Metadata Labels) defines the syntax and semantics for confidentiality labels used in NATO information sharing. STANAG 4778 (Metadata Binding) specifies the mechanisms for binding these labels to data objects, enabling automated policy enforcement, access control, and auditability across NATO networks. The standards support interoperability, data protection, and consistent handling of classified information.
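The mechanism the two STANAGs describe is a label bound to an object so that a policy enforcement point can verify the binding and check the reader's clearance against the label before release. The block below is an added example, not NATO's or the STANAGs' own format: it uses a simple JSON label and an HMAC binding over the label and the object digest in place of the XML and signature structures STANAG 4778 actually specifies, and the policy name, classification levels, categories, key and sample object are constructed for illustration.

```python
"""Added example (not from the page): bind a 4774-style confidentiality label
to a data object (illustrative HMAC binding, not the 4778 XML/signature
format) and enforce a dominance check at a policy enforcement point."""
import hashlib
import hmac
import json

# Ordered classification levels for a hypothetical policy (illustrative names).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


def canonical(label: dict) -> bytes:
    """Deterministic encoding so the binding covers exactly one label form."""
    return json.dumps(label, sort_keys=True, separators=(",", ":")).encode()


def bind(label: dict, data: bytes, key: bytes) -> dict:
    """Return a binding record tying this label to this data object.
    The MAC covers the canonical label and the data digest, so neither the
    label (e.g. a downgrade) nor the object can change without detection."""
    digest = hashlib.sha256(data).hexdigest()
    mac = hmac.new(key, canonical(label) + digest.encode(), hashlib.sha256).hexdigest()
    return {"label": label, "data_sha256": digest, "mac": mac}


def verify_binding(binding: dict, data: bytes, key: bytes) -> bool:
    """Recompute the MAC from the presented label and the actual object bytes."""
    digest = hashlib.sha256(data).hexdigest()
    expected = hmac.new(key, canonical(binding["label"]) + digest.encode(),
                        hashlib.sha256).hexdigest()
    return digest == binding["data_sha256"] and hmac.compare_digest(expected, binding["mac"])


def dominates(clearance: dict, label: dict) -> bool:
    """Clearance dominates the label if it is under the same policy, its level
    is at least the label's, and it holds every category the label requires."""
    return (clearance["policy"] == label["policy"]
            and LEVELS[clearance["level"]] >= LEVELS[label["level"]]
            and set(label.get("categories", ())) <= set(clearance.get("categories", ())))


def release_allowed(binding: dict, data: bytes, key: bytes, clearance: dict) -> bool:
    """Policy enforcement point: refuse unless the binding verifies AND the
    reader's clearance dominates the (now trustworthy) label."""
    return verify_binding(binding, data, key) and dominates(clearance, binding["label"])


# Constructed sample: key, object and labels are illustrative only.
KEY = b"demo-binding-key-not-for-production"
OBJECT = b"OPORD 17: convoy departs 0600 via route BLUE"
LABEL = {"policy": "DEMO", "level": "SECRET", "categories": ["REL:ALPHA"]}
BINDING = bind(LABEL, OBJECT, KEY)

if __name__ == "__main__":
    ok_clear = {"policy": "DEMO", "level": "SECRET", "categories": ["REL:ALPHA", "REL:BRAVO"]}
    low_clear = {"policy": "DEMO", "level": "RESTRICTED", "categories": ["REL:ALPHA"]}
    print("cleared reader :", release_allowed(BINDING, OBJECT, KEY, ok_clear))
    print("under-cleared  :", release_allowed(BINDING, OBJECT, KEY, low_clear))
    # Attempted downgrade: edit the label inside the binding record.
    tampered = dict(BINDING, label=dict(LABEL, level="UNCLASSIFIED"))
    print("downgraded     :", release_allowed(tampered, OBJECT, KEY, low_clear))
```

The order of checks matters: the binding is verified before the label is consulted, so a relabelled or substituted object never reaches the dominance check. A real 4778 deployment gets the same property from a signature over the label and object rather than a shared-key MAC, which also gives the auditability the standard calls for.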
North American Electric Reliability Corporation Critical Infrastructure Protection
NFPA 1600 (2022 edition), published by the National Fire Protection Association, establishes a common set of criteria for disaster/emergency management and business continuity programs. It serves as the U.S. national preparedness standard referenced by the Department of Homeland Security and provides guidance for developing, implementing, and maintaining comprehensive emergency, crisis, and continuity programs.
Evidence‑based framework developed by the NHS Leadership Academy (now NHS Leadership) that defines nine leadership behaviours applicable across all levels of NHS organisations. Updated in 2020 to align with the NHS People Plan, the model outlines four levels of maturity - Emerging, Developing, Proficient and Exemplary - and is used to develop and assess leadership capability.
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, covering essential and important entities.
The NIS2 Directive (EU 2022/2555) Implementing Regulation (Commission Implementing Regulation (EU) 2024/2690, adopted 17 October 2024) lays down technical and methodological requirements for the Article 21 cybersecurity risk management measures and the criteria for when an incident counts as significant. Its scope is limited to a defined set of digital entities: DNS service providers, TLD name registries, cloud computing, data centre and content delivery network providers, managed service and managed security service providers, online marketplaces, online search engines, social networking platforms, and trust service providers; other essential and important entities are governed by national transposition of the Directive. Applicable from 18 October 2024, the date from which member states had to apply NIS2.
NIST AI 600-1: Generative AI Profile is a companion resource to the NIST AI Risk Management Framework (AI RMF 1.0). It provides guidance for managing risks of generative AI systems, identifies 12 distinct risk categories, and maps recommended actions to the AI RMF functions: Govern, Map, Measure, and Manage.
The NIST AI Risk Management Framework (AI RMF 1.0), published January 2023, provides a voluntary framework for managing risks associated with AI systems throughout their lifecycle. It is organized around four core functions: Govern, Map, Measure, and Manage. It is applicable to all organizations that design, develop, deploy, use, or maintain AI systems.
Voluntary framework for managing and reducing cybersecurity risk, organized around six core functions
NIST's Post-Quantum Cryptography (PQC) standardisation effort culminated in August 2024 with the publication of three Federal Information Processing Standards: FIPS 203 (ML-KEM, based on CRYSTALS-Kyber for key encapsulation), FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium for digital signatures), and FIPS 205 (SLH-DSA, based on SPHINCS+ for hash-based digital signatures). These standards are designed to resist attacks from both classical and quantum computers. NIST recommends organisations begin transitioning to PQC algorithms immediately. A fourth standard (FN-DSA, based on FALCON) expected in 2025.
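The hash-based signature family that FIPS 205 belongs to has a simple ancestor, the Lamport one-time signature, which shows in a few lines where the security comes from (only the hash function's preimage resistance, no number-theoretic assumption a quantum computer could break) and why such keys are one-time. The following is an added example, not NIST's and not an SLH-DSA implementation: it implements Lamport over SHA-256 and then mounts the key-reuse forgery after the same key has signed several messages. SLH-DSA exists precisely to remove that reuse hazard; this toy is for understanding, not for use.

```python
"""Added example (not from the page): Lamport one-time signatures over SHA-256
and the forgery that becomes possible when a one-time key is reused.
This is NOT SLH-DSA (FIPS 205) and is not an approved construction."""
import hashlib
import secrets

H = hashlib.sha256
N = 256  # bits in the message digest; one secret pair per bit


def keygen():
    """sk: 256 pairs of random 32-byte preimages; pk: their SHA-256 images."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    """Digest bits of the message, most significant first."""
    d = int.from_bytes(H(msg).digest(), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """For each digest bit, reveal the preimage sitting in that bit's position."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed preimage and compare with the selected public image."""
    if len(sig) != N:
        return False
    return all(H(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def forge_after_reuse(msgs, sigs, target_prefix: bytes, max_tries=10_000):
    """Key-reuse attack. Every signature reveals one preimage per position;
    once both preimages of a position are known that bit is the attacker's
    to choose. Grind a counter onto the prefix until a message appears whose
    digest needs only revealed preimages; return (msg, sig) or None."""
    known = {}  # (position, bit) -> preimage
    for m, s in zip(msgs, sigs):
        for i, b in enumerate(_bits(m)):
            known[(i, b)] = s[i]
    for ctr in range(max_tries):
        cand = target_prefix + ctr.to_bytes(4, "big")
        bits = _bits(cand)
        if all((i, b) in known for i, b in enumerate(bits)):
            return cand, [known[(i, b)] for i, b in enumerate(bits)]
    return None


def demo_key_reuse() -> bool:
    """Sign twelve constructed messages with ONE key, then forge a thirteenth.
    Returns True if the forged signature verifies under the honest public key."""
    sk, pk = keygen()
    reused = [b"notice %d" % i for i in range(12)]          # constructed messages
    sigs = [sign(sk, m) for m in reused]
    forged = forge_after_reuse(reused, sigs, b"transfer 900 to mallory ")
    return forged is not None and verify(pk, forged[0], forged[1])


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"transfer 100 to alice")
    print("honest signature verifies:", verify(pk, b"transfer 100 to alice", sig))
    print("altered message verifies :", verify(pk, b"transfer 900 to alice", sig))
    print("forgery after key reuse  :", demo_key_reuse())
```

After twelve signatures from one key, almost every bit position has both preimages exposed, so the attacker can sign nearly any message of their choosing; a single signature exposes only half of each pair and forging stays infeasible. The stateless tree of one-time keys in SLH-DSA is what lets a FIPS 205 key sign many messages without this failure mode.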
NIST Privacy Framework v1.0. A privacy-focused counterpart to the NIST Cybersecurity Framework, organized into 5 core functions, 18 categories, and 100 subcategories.
The NIST Privacy Framework (Version 1.0, 2020) is a voluntary tool for improving privacy through enterprise risk management. Designed to complement the NIST Cybersecurity Framework. Five core functions: Identify-P (develop understanding of privacy risks), Govern-P (develop governance structure), Control-P (manage data processing), Communicate-P (promote understanding of data processing), and Protect-P (develop safeguards for data processing). Applicable to all organisations regardless of size or sector. Provides a common vocabulary for privacy risk management across legal, business, and technical domains.
The NIST Privacy Framework Version 1.0 (January 2020) is a voluntary tool for improving privacy through enterprise risk management. Structured similarly to the NIST Cybersecurity Framework with Core, Profiles, and Implementation Tiers. The Core consists of five functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. Designed to complement the NIST CSF - together they address the intersection of privacy and cybersecurity risk. Used by organisations of all sizes across sectors.
Securing Distributed Energy Resources for energy sector
Technical Guide to Information Security Testing and Assessment
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
NIST Special Publication 800-124 Revision 2 provides guidelines for managing the security of mobile devices (including smartphones, tablets, and other portable computing devices) in enterprise environments. It outlines security controls, configuration baselines, and best practices for mobile device management (MDM), mobile application security, BYOD policies, mobile threat defense, and enterprise mobility management, aligning with NIST SP 800‑53 security control families.
Guide for Security-Focused Configuration Management
Information Security Continuous Monitoring (ISCM) for Federal Information Systems
Guidelines on Security and Privacy in Public Cloud Computing
Cybersecurity Supply Chain Risk Management Practices
NIST SP 800-161 Rev 1 Cybersecurity Supply Chain Risk Management Practices.
Protecting Controlled Unclassified Information in Nonfederal Systems
NIST SP 800-171 Rev 3 (May 2024). Restructured requirements for CUI protection. Note CMMC 2.0 still references Rev 2.
NIST Special Publication 800-171A provides assessment procedures and methodology for determining the effectiveness of the security requirements described in NIST SP 800-171. It is used by federal agencies, contractors, and assessors (including CMMC assessors) to evaluate whether Controlled Unclassified Information (CUI) protections are implemented and operating as intended.
NIST Special Publication 800-171A Revision 3 (2024) provides assessment procedures for the security requirements in NIST SP 800-171 Rev 3. It defines assessment objectives and methods (examine, interview, test) for each of the 97 security requirements (consolidated from the 110 in Rev 2) protecting Controlled Unclassified Information (CUI) in nonfederal systems. Used by CMMC assessors, DoD contractors, and federal agencies to verify CUI protection compliance.
Enhanced Security Requirements for Protecting CUI
NICE Cybersecurity Workforce Framework - defines categories, specialty areas, and work roles for the cybersecurity workforce
Special Publication providing security considerations for the Internet of Things (IoT).
Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev 2)
Managing Information Security Risk
Security and privacy controls for information systems and organizations
NIST SP 800-53 Rev 5 LOW baseline. Federal Information Security Management Act controls for systems at LOW impact level.
NIST SP 800-53 Revision 5 Moderate baseline, the federal control set for information systems assessed at moderate impact level.
NIST SP 800-53 Rev 5 HIGH baseline. Federal control set for systems at HIGH impact.
Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Guideline for Conducting Security Assessments
NIST SP 800-63-3 + 800-63A/B/C Digital Identity Guidelines (IAL/AAL/FAL assurance levels).
Implementing the HIPAA Security Rule: A Guide to Protecting Electronic Protected Health Information (ePHI)
NIST SP 800-66 Rev 2 Implementing the HIPAA Security Rule (Feb 2024).
NIST SP 800-82 Revision 3 Guide to Operational Technology (OT) Security.
NIST Special Publication 800-82 Revision 3 provides guidance for securing Operational Technology (OT) systems, including industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC), and building automation systems (BAS).
NIST SP 800-88 Revision 1 Guidelines for Media Sanitization.
NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, provides instructions, recommendations, and considerations for federal information system contingency planning. It covers the entire contingency planning lifecycle from business impact analysis through plan testing and maintenance. Applicable to all federal information systems.
Title 10 Code of Federal Regulations Part 73.54, 'Cyber Security Requirements for Nuclear Power Reactors,' establishes cybersecurity requirements for nuclear power reactors. It requires licensees to provide high assurance that digital computer, communication systems, and networks associated with safety, security, and emergency preparedness functions are protected against cyber threats, that they maintain the confidentiality, integrity, and availability of safety‑related digital assets, and that they implement a comprehensive cyber security program consistent with NRC guidance.
The National Retail Federation (NRF) provides cybersecurity and data privacy guidance for the US retail industry. NRF represents the world's largest retail market. Key initiatives include: NRF Cybersecurity and Privacy Council, retail-specific threat intelligence sharing via RH-ISAC (Retail and Hospitality ISAC), and advocacy for federal data privacy legislation. NRF's cybersecurity guidance covers: point-of-sale (POS) security, e-commerce platform protection, customer data privacy, supply chain cybersecurity, payment card security (complementing PCI DSS), and workforce cyber training. NRF collaborated with NIST on the Cybersecurity Framework retail profile.
The NSA provides guidance for migrating to quantum‑resistant cryptography, including the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0, 2022), the "Quantum Computing and Post‑Quantum Cryptography FAQ" (2022), and the formal "NSA Guidance for Transition to Quantum‑Resistant Cryptography" (2023). These documents outline recommended algorithms, migration timelines, and implementation considerations for U.S. government and industry partners.
New York State Department of Financial Services Cybersecurity Regulation, Second Amendment (effective Nov 2023).
The Netherlands' GDPR Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG) of 2018 supplements the EU GDPR with national provisions. The Autoriteit Persoonsgegevens (AP) oversees enforcement. The UAVG sets the age of digital consent for children at 16 (with a possible lower limit of 13 by ministerial decree), defines specific rules for employee data processing, scientific research, and public‑sector data sharing, and contains provisions on data breach notification, data protection impact assessments, and the appointment of data protection officers.
The Nevada Gaming Control Board (GCB) cybersecurity requirements establish mandatory information security standards for licensed gaming operators in Nevada. Technical Standards and Regulations Division requirements cover system security, data protection, incident response, and vendor management for casino and online gaming operations. Nevada remains the gold standard for gaming regulation globally.
Comprehensive consumer data privacy law that grants New Hampshire residents rights over their personal information and imposes data protection obligations on businesses handling such data.
The New Jersey Data Privacy Act (NJDPA) is a state privacy law enacted in 2024 that grants New Jersey residents rights over their personal data, including access, correction, deletion, and opt‑out of data selling, and imposes obligations on businesses handling personal information. The law becomes effective on January 15, 2025.
The New Zealand Information Security Manual (NZISM) provides information security guidance for New Zealand Government agencies. Maintained by the Government Communications Security Bureau (GCSB) via the National Cyber Security Centre (NCSC). The NZISM specifies mandatory and recommended security controls covering governance, physical security, personnel, ICT equipment, software, networking, cryptography, and cloud computing. Applicable to all NZ government agencies processing RESTRICTED, CONFIDENTIAL, SECRET, and TOP SECRET information.
The Nigeria Data Protection Act 2023 (NDPA) supersedes the Nigeria Data Protection Regulation (NDPR) 2019. It establishes the Nigeria Data Protection Commission (NDPC) as an independent regulatory body. The NDPA applies to processing of personal data by controllers and processors operating in Nigeria and those processing data of Nigerian residents. Introduces data protection compliance organizations (DPCOs) for audit and compliance support.
Nigeria Data Protection Regulation (NDPR) is a 2019 regulation issued by the National Information Technology Development Agency (NITDA) that sets out data protection principles, rights of data subjects, and obligations for data controllers and processors in Nigeria.
The Nigeria Data Protection Regulation (NDPR) 2019 provides the initial data protection rules; the Nigeria Data Protection Act (NDPA) 2023 supersedes the NDPR and introduces expanded obligations, breach notification, and higher penalties.
The Central Bank of Nigeria (CBN) Open Banking Regulatory Framework (2023) establishes guidelines for the sharing of customer data and services through APIs across Nigerian financial institutions. The framework addresses data sharing, API security, consumer protection, and governance for open banking.
Part IIIC of the Privacy Act 1988 requires APP entities to notify the OAIC and affected individuals when a data breach is likely to result in serious harm.
The O‑RAN Alliance Working Group 11 (WG11) defines the Security Specification for Open Radio Access Networks. It addresses threat modeling, security domains, security functions, and security controls for O‑RU, O‑DU, O‑CU, Near‑RT RIC, Non‑RT RIC, and SMO components, and provides guidance on authentication, integrity, confidentiality, and secure lifecycle management.
The OCC Heightened Standards (12 CFR Part 30, Appendix D) set minimum requirements for the design, implementation, and ongoing operation of a risk governance framework for large insured national banks, federal savings associations, and insured federal branches with $50 billion or more in consolidated assets. The standards cover governance, risk management, internal controls, stress testing, capital planning, and supervisory reporting obligations.
OECD Principles on Artificial Intelligence
The OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (2023 update) are the most comprehensive international framework for responsible business conduct, endorsed by 51 governments. The 2023 revision strengthens provisions on environmental protection, climate change, human rights, labour standards, anti‑corruption, due diligence, and supply‑chain responsibility, and introduces new guidance on ESG reporting and stakeholder engagement.
The OECD Recommendation on Artificial Intelligence, first adopted in May 2019 and updated in May 2024, sets out five values‑based principles: (1) inclusive growth, sustainable development and well‑being; (2) human‑centred values and fairness; (3) transparency and explainability; (4) robustness, security and safety; and (5) accountability. The 2024 update adds specific guidance for generative AI and foundation models, emphasizing responsible development, deployment, and governance of these technologies.
The OECD/G20 Principles of Corporate Governance provide an internationally recognized benchmark for corporate governance. First issued in 1999, revised in 2004 and 2015, with latest revision in 2023. Cover the governance framework, rights of shareholders, institutional investors, stakeholder role, disclosure, and board responsibilities.
The OWASP API Security Top 10 - 2023 is a community‑driven awareness document that identifies the ten most critical API security risks based on exploitability, prevalence, detectability, and technical impact. It complements the OWASP Top 10 for web applications by focusing specifically on API‑related threats.
The OWASP DevSecOps Maturity Model (DSOMM) provides a framework for integrating security into DevOps practices across six dimensions (Culture, Automation, Measurement, Sharing, Governance, and Architecture) and five maturity levels (Initial, Managed, Defined, Quantitatively Managed, Optimizing). It enables organizations to assess their current security posture in software development and operations, identify gaps, and plan improvement roadmaps.
OWASP Mobile Application Security Verification Standard
OWASP Top 10 security risks specific to Large Language Model (LLM) applications. Identifies the most critical vulnerabilities in AI/LLM systems including prompt injection, data poisoning, and excessive agency. Published by the OWASP GenAI Security Project.
The OWASP Top 10 is the standard awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. The 2025 edition includes two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10), with significant reorganization from the 2021 edition.
Oman's National Cybersecurity Framework, issued by the Information Technology Authority (ITA) and Oman National CERT, provides cybersecurity requirements for government entities and critical infrastructure operators in the Sultanate of Oman. Based on international standards, it establishes mandatory security controls across governance, protection, detection, response, and recovery functions.
Oman's Personal Data Protection Law (Royal Decree 6/2022), effective February 2023, establishes a comprehensive data protection framework. The Ministry of Transport, Communications, and Information Technology (MTCIT) oversees enforcement. The law covers processing principles, consent requirements, data subject rights, cross-border transfers, breach notification, and data protection officer requirements. Applies to processing of personal data by controllers and processors in Oman and includes data localisation requirements for certain categories of data. One of the most comprehensive data protection laws in the Gulf region.
The Accessibility for Ontarians with Disabilities Act (AODA, 2005) and its Integrated Accessibility Standards Regulation (IASR, O. Reg. 191/11) establish accessibility requirements for organisations in Ontario, Canada. The IASR Information and Communications Standard requires WCAG 2.0 Level AA conformance for websites and web content. Applies to Ontario government, public sector, and private/non-profit organisations with 50+ employees. The AODA aims to make Ontario fully accessible by 2025. Enforced by the Accessibility Directorate of Ontario.
Open Banking Implementation Entity security profile
Open Source Security Foundation Scorecard for open source projects
Oregon Consumer Privacy Act
The NAIC Risk Management and Own Risk and Solvency Assessment Model Act (Model #505) requires US insurance companies to maintain a risk management framework and conduct an Own Risk and Solvency Assessment (ORSA). Adopted by most US states, ORSA requires insurers to assess the adequacy of their risk management and current/future solvency position. The ORSA Summary Report is filed confidentially with regulators. Applies to insurers and insurance groups above specified thresholds.
PAS 1192-5:2015 (now superseded by ISO 19650-5:2020 but still widely referenced) specifies a security-minded approach to Building Information Modelling (BIM), digitally built environments, and smart asset management. Developed by BSI in partnership with the UK Centre for the Protection of National Infrastructure (CPNI). Addresses the security risks of sharing sensitive building data digitally - particularly for critical national infrastructure and government buildings. Covers security triage, information classification, and breach management.
PCAOB Auditing Standard No. 2201 (AS 2201, originally AS 5) establishes requirements for auditing internal control over financial reporting (ICFR) that is integrated with the audit of financial statements of SEC-registered companies. Required by Sarbanes-Oxley Act Section 404(b) for accelerated filers. Covers top-down risk-based approach, evaluating entity-level controls, selecting controls to test, testing design and operating effectiveness, and forming an opinion on ICFR effectiveness.
Payment Card Industry Data Security Standard version 4.0, published by PCI Security Standards Council.
PCI PIN Transaction Security for payment terminals
PEGI (Pan European Game Information) is the age rating system for video games in Europe, established in 2003. Managed by the Interactive Software Federation of Europe (ISFE) and administered by NICAM. PEGI provides age ratings (3, 7, 12, 16, 18) and content descriptors (violence, language, fear, drugs, sex, discrimination, gambling, in-game purchases). Adopted as the official age rating system in 39 countries. Legal enforcement in some jurisdictions. Self-regulatory in others.
The Pharmaceutical Inspection Co-operation Scheme (PIC/S) Guide to Good Manufacturing Practice (GMP) provides internationally harmonised GMP guidelines for medicinal product manufacturing. PIC/S has 54 participating authorities worldwide. The guide covers quality management, personnel, premises, equipment, documentation, production, quality control, outsourced activities, complaints, self-inspection, and computerised systems. The PIC/S GMP guide is largely harmonised with the EU GMP guide and WHO GMP guidelines. Annexes cover specific product types and activities.
Payment Services Directive 2 Strong Customer Authentication requirements
The Pakistan Personal Data Protection Bill 2023 establishes a framework for personal data protection in Pakistan. It creates the National Commission for Personal Data Protection as the regulatory authority. The Bill covers data processing principles, individual rights, cross-border transfers, and penalties. While still progressing through legislative process, it signals Pakistan's move toward comprehensive data protection aligned with international standards.
Panama's Law No. 81 of 2019 on Personal Data Protection establishes the country's data protection framework. The National Authority for Transparency and Access to Information (ANTAI) oversees compliance. The law covers processing principles, consent requirements, data subject rights, cross-border transfer provisions, and breach notification. Applies to processing of personal data by public and private entities. Implementing regulations provide detailed compliance guidance.
Papua New Guinea's Cybercrime Code Act 2016 criminalises cybercrimes and establishes data protection provisions. The National Cybersecurity Policy (2021) provides a framework for cybersecurity governance. The Cybercrime Act covers illegal access, data interference, system interference, misuse of devices, and computer-related fraud. Data protection provisions address unauthorized access to personal data. The National Information and Communications Technology Authority (NICTA) oversees telecommunications and cybersecurity.
Paraguay's Law No. 6534/2020 on the Protection of Credit-Related Personal Data and the draft comprehensive data protection bill (under consideration) establish data protection provisions. Law 6534 specifically addresses credit and financial personal data protection. Paraguay is working toward a comprehensive GDPR-aligned data protection law. The Ministry of Information and Communication Technologies (MITIC) has been proposed as the supervisory authority for the broader framework.
Norwegian Personal Data Act (personopplysningsloven) implementing the EU GDPR
Peru's Personal Data Protection Law (Ley No. 29733 of 2011, regulations DS 003-2013-JUS, amended 2024) establishes a comprehensive data protection framework. The National Authority for Personal Data Protection (ANPDP) under the Ministry of Justice administers the law. Requires registration of data banks, consent for processing, and restricts cross-border transfers. The 2024 amendments strengthen enforcement and align with international standards.
The Philippines Cybercrime Prevention Act of 2012 (Republic Act No. 10175) defines and penalizes cybercrimes, establishes the Cybercrime Investigation and Coordinating Center (CICC), and provides for law enforcement powers in the digital domain. It criminalizes offenses against computer systems (illegal access, interception, data interference), computer-related offenses (fraud, forgery, identity theft), and content-related offenses. Implemented alongside the Data Privacy Act (RA 10173).
Philippines Data Privacy Act of 2012 (RA 10173) + IRR 2016 + NPC circulars.
The Data Privacy Act of 2012 (Republic Act No. 10173) is the Philippines' comprehensive data protection law. It protects individual personal information in information and communications systems in the government and private sector. Administered by the National Privacy Commission (NPC), it establishes rights of data subjects, obligations of personal information controllers and processors, and penalties for violations.
Poland's Act on Personal Data Protection of 2018 supplements the EU GDPR with national provisions. The President of the Personal Data Protection Office (UODO - Urząd Ochrony Danych Osobowych) oversees enforcement. The Act includes provisions on the age of digital consent (16 years - the maximum GDPR permits), certification bodies, accreditation, administrative fines for public bodies, and procedural rules for UODO. Poland also has sector-specific data protection provisions in telecommunications, banking, and healthcare legislation.
Portugal's Law No. 58/2019 supplements the EU GDPR with national provisions. The Comissão Nacional de Protecção de Dados (CNPD - National Data Protection Commission) oversees enforcement. The law includes provisions for the age of digital consent (13 years), processing by the public sector, employee data, video surveillance, deceased persons' data, and research derogations. Portugal was one of the later EU Member States to adopt its GDPR supplementary legislation.
Australian Privacy Act including the Australian Privacy Principles
Amends the Privacy Act 1988 (Cth) and Criminal Code Act 1995 (Cth). Royal Assent 10 December 2024. Introduces a statutory tort for serious invasion of privacy, criminal doxxing offences, a Children's Online Privacy Code, automated decision-making transparency, and enhanced OAIC enforcement powers.
Privacy by Design (PbD) is a framework developed by Dr. Ann Cavoukian (former Ontario Information and Privacy Commissioner) establishing seven foundational principles for embedding privacy into the design of IT systems, business practices, and networked infrastructure. PbD is enshrined in GDPR Article 25 (Data Protection by Design and by Default), referenced in the California Privacy Rights Act, and adopted by data protection authorities worldwide. The seven principles guide organisations to proactively embed privacy throughout the entire data lifecycle rather than treating it as an afterthought. The International Assembly of Privacy Commissioners unanimously adopted PbD as an international standard in 2010.
PropTech (Property Technology) security standards address cybersecurity for smart buildings, building automation systems (BAS), and connected property management platforms. Key frameworks include: NIST SP 800-82 adapted for building automation, UL 2900-2-3 (Software Cybersecurity for Building Automation and Control), IEC 62443 for building industrial systems, ASHRAE BACnet security (Addendum 135), and the Smart Building Cybersecurity Consortium guidance. Smart buildings contain thousands of IoT devices (HVAC, lighting, access control, fire systems, elevators) creating significant attack surfaces. PropTech platforms process sensitive tenant data, financial transactions, and operational data.
The Proposal for a Directive on improving working conditions in platform work, published by the European Commission on September 12, 2023 (COM(2023) 491), aims to establish rules for determining employment status and regulate algorithmic management in digital platform work. Key elements include a legal presumption of employment for platform workers under certain conditions and transparency requirements for algorithmic decision-making.
Protection of Privacy Law, 1981 (Law 5741‑1981) together with the Data Security Regulations 2017 (5777‑2017) and the 2022 amendment (effective 2023) introducing data‑breach notification and establishing a Data Protection Authority.
The Australian Government Protective Security Policy Framework sets out government protective security policy across six security domains. It applies to all non-corporate Commonwealth entities and is a key framework for safeguarding government people, information and assets. Release 2024 introduces requirements addressing supply chain security, third-party risk management, foreign interference, and security of operational or emerging technology.
Qatar's Personal Data Privacy Protection Law (Law No. 13 of 2016) establishes the data protection framework, with the Compliance and Data Protection Department under the Ministry of Transport and Communications overseeing enforcement. The law covers processing principles, consent requirements, data subject rights, cross-border transfers, and data security obligations. Applies to processing of personal data in Qatar. Separate provisions exist under the Qatar Financial Centre (QFC) Data Protection Regulations 2021, which are closely aligned with GDPR and applicable to QFC-registered entities.
The Reserve Bank of India (RBI) Cybersecurity Framework (2016, updated through subsequent circulars) provides mandatory cybersecurity requirements for banks operating in India. It establishes requirements for a dedicated cybersecurity policy, SOC establishment, CISO appointment, cyber crisis management, and incident reporting. Extended through subsequent guidance to include digital lending, payment systems, and urban cooperative banks.
RFC 2350 (BCP 21, 1998, updated by RFC 7942) describes the expectations of the Internet community regarding Computer Security Incident Response Teams (CSIRTs). It defines what a CSIRT should communicate about itself: mission, constituency, authority, policies, services, reporting procedures, and operating procedures. The RFC established the standard template for CSIRT descriptions still used today by incident response teams worldwide. Complemented by RFC 7970 (IODEF - Incident Object Description Exchange Format), RFC 8134 (Management Incident Lightweight Exchange), and RFC 9424 (Indicators of Compromise).
The Royal Institution of Chartered Surveyors (RICS) professional standards cover data management, technology, and cybersecurity considerations for the property and construction sector. RICS serves 134,000 professionals in 146 countries. Key standards include: RICS Data Standards for Property, RICS Guidance on PropTech and Data Ethics, Building Information Modelling (BIM) professional standards, and International Property Measurement Standards (IPMS). RICS members must comply with ethical standards for data handling, client confidentiality, and technology use in valuations, surveying, and property management.
The Regional Comprehensive Economic Partnership (RCEP), effective January 2022, includes a dedicated E-Commerce Chapter (Chapter 12) establishing digital trade rules among 15 Asia-Pacific countries (ASEAN-10, China, Japan, South Korea, Australia, New Zealand). RCEP covers the world's largest trading bloc by GDP (30% of global GDP). The E-Commerce Chapter addresses: electronic transactions legal framework, consumer protection online, personal data protection, cross-border data flows (with significant exceptions), paperless trading, and electronic authentication. Notable for balancing digital trade liberalisation with data sovereignty provisions.
Regulation (EU) 2019/1239 establishes a harmonised framework for electronic reporting by ships arriving at and departing from ports in the European Union, known as the Maritime Single Window (MSW). It requires that all mandatory reporting formalities for port calls (covering safety, security, customs, immigration, and environmental information) be submitted electronically through a single electronic portal, thereby improving efficiency, data quality, and environmental protection.
The EU Deforestation-Free Supply Chain Regulation (Regulation (EU) 2023/1115) requires operators and traders placing specified commodities on the EU market to demonstrate that the products are deforestation-free, legally produced, and not associated with forest degradation. Applies to cattle, cocoa, coffee, oil palm, rubber, soya, and wood, as well as derived products. Operators must carry out due diligence, including geolocation verification of production plots and supply chain transparency.
Regulation on the European Health Data Space (EHDS) establishes a common EU framework for the sharing and use of health data for primary purposes (healthcare delivery) and secondary purposes (research, policy making, and innovation). Adopted in 2024 and entered into force on 1 July 2025, it sets obligations for health data holders, creates a European Health Data Space, and defines rights for individuals and entities accessing health data.
The Responsible Minerals Initiative (RMI), managed by the Responsible Business Alliance (RBA), provides tools and resources for companies to address responsible mineral sourcing in their supply chains. The RMI's Responsible Minerals Assurance Process (RMAP) is the most widely adopted smelter/refiner audit programme for conflict minerals (tin, tantalum, tungsten, gold - 3TG) and cobalt. Over 400 smelters and refiners assessed. RMAP uses independent third-party audits against the RMAP assessment standard. Supports compliance with Dodd-Frank Section 1502, EU Conflict Minerals Regulation (2017/821), and OECD Due Diligence Guidance.
The Rhode Island Data Transparency and Privacy Protection Act (H 6096), signed into law in June 2024 and effective January 1, 2026, establishes consumer data privacy rights for Rhode Island residents. It applies to controllers conducting business in Rhode Island that process personal data of 35,000+ consumers, or 10,000+ consumers while deriving 20%+ revenue from data sales. Follows the Connecticut/Virginia model with universal opt-out mechanism requirements.
The right to disconnect provisions, inserted into the Fair Work Act 2009 by the Fair Work Legislation Amendment (Closing Loopholes No. 2) Act 2024, give employees a workplace right to refuse to monitor, read or respond to contact from their employer (or third parties) outside of their working hours, unless the refusal is unreasonable. Commenced 26 August 2024 for non-small business employers.
Romania's Law No. 190/2018 on measures for implementing EU Regulation 2016/679 (GDPR) supplements the GDPR with national provisions. The National Supervisory Authority for Personal Data Processing (ANSPDCP - Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) oversees enforcement. The law includes provisions for the age of digital consent (16 years), processing of national identification numbers (CNP), genetic and biometric data, research derogations, and sector-specific rules for health and employment data.
Russia's Federal Law No. 152‑FZ "On Personal Data" (enacted 2006), continuously amended (e.g., by Federal Laws 229‑FZ, 242‑FZ, 266‑FZ, 59‑FZ, etc.), with the latest consolidated version as of 2023.
Russia's Federal Law No. 152-FZ on Personal Data (2006, as amended through 2023) regulates the processing of personal data in the Russian Federation. Roskomnadzor (Federal Service for Supervision of Communications) oversees compliance. Key requirements include data localisation (personal data of Russian citizens must be stored on servers in Russia), consent management, and breach notification. Significant amendments in 2022-2023 strengthened enforcement and increased penalties.
Rwanda's Law No. 058/2021 Relating to the Protection of Personal Data and Privacy establishes a comprehensive data protection framework. The National Cyber Security Authority (NCSA) serves as the data protection authority. The law establishes processing principles, data subject rights, controller and processor obligations, and provisions for cross-border transfers. Effective from October 2021.
SA8000:2014, developed by Social Accountability International (SAI), is a certifiable social accountability standard based on international human rights norms including ILO conventions, the UN Declaration of Human Rights, and the UN Convention on the Rights of the Child. It covers eight performance areas (child labour, forced labour, health and safety, freedom of association, discrimination, disciplinary practices, working hours, and remuneration) plus a management system requirement. Over 4,500 certified facilities in 58 countries.
The SANS Institute Incident Handler's Handbook establishes the widely-adopted PICERL incident response methodology: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. SANS provides the most widely recognised incident response training and certifications: GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Analyst (GCFA), and GIAC Certified Forensic Examiner (GCFE). The SANS methodology is taught in SEC504 (Hacker Tools, Techniques, and Incident Handling), the most popular information security course worldwide. SANS also maintains the Internet Storm Center (ISC) and SANS Technology Institute.
The Sustainability Accounting Standards Board (SASB) Standards identify the subset of environmental, social, and governance issues most relevant to financial performance for 77 industries. Now maintained by the IFRS Foundation (ISSB). Organized across five sustainability dimensions with 26 general issue categories. Each industry standard defines specific disclosure topics and accounting metrics.
The Sustainability Accounting Standards Board (SASB) Standards identify the subset of environmental, social, and governance issues most relevant to financial performance in 77 industries. Now maintained by the IFRS Foundation as part of ISSB standards, SASB Standards provide industry-specific disclosure topics and metrics. Referenced by ISSB S1/S2 and used by investors globally for ESG performance assessment. Covers 26 general issue categories across five sustainability dimensions.
SEC Final Rule: The Enhancement and Standardization of Climate-Related Disclosures for Investors. Adopted March 6, 2024 (Release Nos. 33-11275; 34-99678). Requires registrants to disclose climate-related risks, governance, strategy, risk management, metrics, and GHG emissions in registration statements and annual reports. Phased compliance beginning 2025. Note: Subject to partial stay pending judicial review as of 2025.
SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Final Rule Jul 2023, Form 8-K Item 1.05 + Reg S-K Item 106).
SEC final rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (17 CFR 229, 249). Requires public companies (registrants) to disclose material cybersecurity incidents on Form 8-K within four business days and to describe cybersecurity risk management, strategy, and governance in annual reports on Form 10-K. Effective December 18, 2023.
Standardized Information Gathering questionnaire for third-party risk
SOC 1 Type 1/2 reporting on controls relevant to user entities' Internal Control over Financial Reporting (ICFR).
Trust Service Criteria for service organizations covering security, availability, processing integrity, confidentiality, and privacy
SOC for Cybersecurity, introduced by the AICPA in 2017, provides a framework for reporting on an organisation's cybersecurity risk management programme. Unlike SOC 2 (which focuses on service organisations), SOC for Cybersecurity is designed for any organisation to communicate about its cybersecurity efforts. The examination uses the AICPA Description Criteria for Management's Description and the AICPA Trust Services Criteria or other suitable criteria. General-use report suitable for boards, investors, and business partners.
Sarbanes‑Oxley Act of 2002, Section 404 - Internal Control over Financial Reporting (ICFR), assessed and reported by management and audited in accordance with PCAOB Auditing Standard AS 2201 (revised 2020), based on the COSO Internal Control - Integrated Framework (2013).
The SQF (Safe Quality Food) Code Edition 9 (2020) is a GFSI-benchmarked food safety and quality management certification programme. Managed by the SQF Institute (a division of FMI - the Food Industry Association). Covers primary production, manufacturing, storage, distribution, and retail. Three certification levels: SQF Fundamentals (Level 1), SQF Food Safety (Level 2), and SQF Food Safety and Quality (Level 3). Applicable to all food industry sectors. Over 10,000 certified sites globally.
Statement on Standards for Attestation Engagements No. 18 (SSAE 18) provides the framework for SOC (System and Organization Controls) reporting engagements. It governs SOC 1 (internal controls over financial reporting), SOC 2 (Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy), and SOC 3 reports. Published by the AICPA, it is the standard used by auditors worldwide for service organization control assessments.
SWIFT Customer Security Controls Framework v2024 with annual KYC-SA self-attestation.
SWIFT Customer Security Programme for financial messaging
The SWIFT Customer Security Programme (CSP) establishes mandatory and advisory security controls for all SWIFT users. The Customer Security Controls Framework (CSCF) defines baseline security requirements to protect the local SWIFT infrastructure. All SWIFT users must attest to their compliance annually. The framework is updated annually with increasing requirements. Applies to all organizations connected to the SWIFT network.
Samoa's Telecommunications Act 2005, administered by the Office of the Regulator, includes provisions for privacy and confidentiality of telecommunications. The Act protects customer data held by telecommunications providers, requires consent for disclosure, and establishes obligations for service providers regarding data security. Samoa does not yet have standalone data protection legislation, but the Telecommunications Act provides the primary privacy protections for electronic communications and customer data.
Saudi National Cybersecurity Authority Essential Cybersecurity Controls
Saudi Arabia Personal Data Protection Law (Royal Decree M/19, 2021, amended 2023).
The Science Based Targets initiative (SBTi) provides a framework for companies to set greenhouse gas emission reduction targets consistent with climate science. Over 7,000 companies have committed to or set science-based targets. The SBTi Net-Zero Standard (2021) requires: near-term targets (50-58% reduction by 2030), long-term targets (90-95% reduction by 2050), and neutralisation of residual emissions. Sector-specific guidance available for: financial institutions, power sector, buildings, cement, chemicals, steel, forest/land/agriculture, aviation, and maritime. SBTi validates targets against 1.5°C pathways. Recognised by CSRD, ISSB, and major ESG rating agencies.
The Science Based Targets initiative (SBTi) Corporate Standard provides methods and criteria for companies to set greenhouse gas emission reduction targets consistent with limiting global warming to 1.5°C. Companies commit to setting near-term targets (5-10 years) and long-term targets (by 2050). Validated by SBTi. Over 9,000 companies committed worldwide. Targets cover Scope 1, 2, and 3 emissions. Sector-specific pathways available for power, transport, steel, and other sectors.
Section 508 of the Rehabilitation Act (as revised in 2017 incorporating WCAG 2.0 Level AA) requires federal agencies to make their information and communications technology (ICT) accessible to people with disabilities. The revised standards (36 CFR Part 1194) incorporate WCAG 2.0 Level AA success criteria for web, software, and electronic documents, and provide functional performance criteria for hardware. Applies to all federal ICT including websites, software, hardware, and electronic documents.
CISA's Secure by Design initiative establishes principles for technology manufacturers to build security into their products from the ground up, rather than relying on customers to implement security after deployment. The guidance calls on manufacturers to take ownership of customer security outcomes, embrace radical transparency, and build organizational structures that prioritize security. Developed jointly with international cybersecurity agencies.
Australian legislation mandating security obligations for owners and operators of critical infrastructure assets across 11 sectors, including cyber incident reporting, risk management programs, and enhanced cyber security obligations for systems of national significance.
Senegal's Law No. 2008-12 on the Protection of Personal Data (2008) establishes a comprehensive data protection framework, making Senegal one of the first West African countries with dedicated data protection legislation. The Commission de Protection des Données Personnelles (CDP) oversees compliance. The law establishes processing principles, consent requirements, registration obligations, and individual rights. Aligned with the ECOWAS framework.
Peter Senge's framework for building learning organizations as published in 'The Fifth Discipline: The Art and Practice of the Learning Organization' (1990, revised 2006). The core premise is that an organization's competitive advantage comes from its capacity to learn faster than competitors. Introduces five interrelated disciplines and eleven laws of systems thinking.
Serbia's Law on Personal Data Protection (Official Gazette No. 87/2018), effective August 2019, is closely aligned with the EU GDPR as part of Serbia's EU accession process. The Commissioner for Information of Public Importance and Personal Data Protection oversees enforcement. The law covers processing principles, lawful bases (including consent and legitimate interest), data subject rights (access, rectification, erasure, portability), DPO requirements, breach notification, and cross-border transfers. Applies to all personal data processing in Serbia.
Sigstore is a set of open-source tools for signing, verifying, and protecting software artifacts. Created by Google, Red Hat, and Purdue University, now under the OpenSSF. Components: Cosign (container and artifact signing), Fulcio (certificate authority for ephemeral certificates), Rekor (transparency log), and Gitsign (git commit signing). Sigstore enables keyless signing using OIDC identity (GitHub, Google, Microsoft accounts). Used by npm, PyPI, Kubernetes, Homebrew, and major package ecosystems. Over 20 million signatures in the public Rekor transparency log. Adopted by Kubernetes as the standard for supply chain security.
Singapore Model AI Governance Framework
The Singapore Cybersecurity Act 2018 establishes a legal framework for the oversight and maintenance of national cybersecurity. It designates Critical Information Infrastructure (CII) sectors, establishes the Cyber Security Agency of Singapore (CSA) as the regulatory authority, and provides for incident reporting, cybersecurity audits, and penetration testing. The 2024 amendments expand coverage to encompass entities of special cybersecurity interest and foundational digital infrastructure.
Singapore's Instruction Manual on ICT and Smart Systems Management (IM8), managed by the Government Technology Agency (GovTech), establishes ICT security policies and standards for Singapore Government agencies. IM8 covers data security classification, cloud security, application security, network security, endpoint security, and security operations. Mandatory for all government ICT systems. Complemented by the Government Commercial Cloud (GCC) framework for cloud adoption.
Monetary Authority of Singapore Technology Risk Management Guidelines (Jan 2021 revision).
Singapore's Model AI Governance Framework (2nd Edition, 2020), published by the Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission (PDPC), provides detailed guidance for organisations deploying AI responsibly. It translates ethical AI principles into implementable practices across four areas: internal governance, determining AI decision-making model, operations management, and stakeholder interaction. Accompanied by the AI Verify testing framework for verifying AI governance claims.
Singapore Personal Data Protection Act (2012, as amended including 2020 Data Portability Amendment).
Singapore's Payment Services Act (PSA, 2019, amended 2024) establishes a comprehensive licensing framework for payment services including digital payment token (DPT) services. Administered by the Monetary Authority of Singapore (MAS). Key requirements include: Major Payment Institution (MPI) licence for large-scale DPT services, Standard Payment Institution (SPI) licence for smaller operations, user protection requirements, AML/CFT compliance, technology risk management (MAS TRM Guidelines), and cyber hygiene. MAS has also issued PS-N02 (Notice on Prevention of Money Laundering and Countering the Financing of Terrorism for DPT Services) and Guidelines on Provision of Digital Payment Token Services to the Public.
The Singapore Payment Services Act 2019 (PSA), administered by the Monetary Authority of Singapore (MAS), provides a modular licensing framework for payment service providers including digital payment token (DPT) services. DPT provisions cover exchanges, custodians, and transfer service providers. Anti-money laundering and consumer protection requirements. MAS has issued comprehensive DPT licensing guidelines including technology risk management, cybersecurity, and customer protection measures.
Singapore's Protection from Online Falsehoods and Manipulation Act (POFMA, Act 18 of 2019) provides a framework for combating online falsehoods that threaten public interest. POFMA empowers Ministers to issue correction directions (requiring corrections to be published alongside false statements) and stop communication directions. The Act also addresses internet intermediaries and digital advertising. Administered by the POFMA Office under the Ministry of Communications and Information. Notable for its government-directed correction model rather than platform self-regulation.
Directive 2009/138/EC of the European Parliament and Council on the taking-up and pursuit of the business of Insurance and Reinsurance. Establishes a risk-based regulatory framework for EU insurance and reinsurance companies built on three pillars: quantitative requirements (capital, valuation), governance and risk management, and reporting and disclosure. In force since 1 January 2016; regulated by EIOPA.
The Promotion of Access to Information Act 2 of 2000 (PAIA) gives effect to the constitutional right of access to information held by the state and private bodies. It establishes voluntary and mandatory grounds for disclosure, sets out procedures for requesting information, and defines exemptions. Administered by the South African Human Rights Commission (SAHRC) and the Information Regulator.
South Africa Protection of Personal Information Act 4 of 2013.
The South Korea Cloud Security Assurance Program (CSAP), operated by the Korea Internet & Security Agency (KISA) under the Cloud Computing Act, is a mandatory certification for cloud service providers serving government agencies and public institutions. It evaluates cloud services against security requirements across 14 control areas. Three certification levels: standard, enhanced, and SaaS simplified. Annual renewal required.
The South Korea Credit Information Use and Protection Act (as amended 2020, effective 2021) regulates the collection, use, and protection of credit information (financial and personal credit data). The 2020 MyData amendments enable individuals to request their financial data be transferred to authorized third-party service providers. Financial Services Commission (FSC) and Financial Supervisory Service (FSS) oversee compliance. Covers credit bureaus, financial institutions, and MyData operators.
ISMS-P (Information Security Management System - Personal information) is South Korea's integrated certification framework combining information security management (ISMS) and personal information protection (PIMS). Administered by KISA (Korea Internet & Security Agency), it is mandatory for telecommunications operators, ISPs, and large online service providers. Covers 80 control items across management system, protection measures, and personal information processing stages.
The Korea Internet Self-Governance Organisation (KISO) Code of Ethics, established in 2009, is a self-regulatory framework for major South Korean internet platforms. Members include Naver, Kakao, and other leading Korean internet companies. KISO reviews content moderation decisions, provides policy recommendations, and establishes industry standards for online content governance. The Code covers search result fairness, content moderation transparency, user privacy, and platform responsibility. KISO operates alongside statutory regulation by the Korea Communications Standards Commission (KCSC) under the Information and Communications Network Act.
Personal Information Protection Act of South Korea
The Space Information Sharing and Analysis Center (Space ISAC), launched in 2019 and operational from 2020, provides threat intelligence, vulnerability coordination, and incident response support for the global space industry. Housed at the National Cybersecurity Center in Colorado Springs. Members include satellite operators, launch providers, ground system operators, and space-related government agencies. The Space ISAC threat framework categorises space-specific cyber and physical threats, provides indicators of compromise (IOCs), and coordinates vulnerability disclosure for space systems. Key focus areas include: ground segment cyber threats, space segment RF/cyber attacks, supply chain integrity, and space weather impacts.
Spanish National Security Framework (Esquema Nacional de Seguridad)
Spain's Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) supplements the EU GDPR with national provisions and establishes a catalogue of digital rights. The Spanish Data Protection Agency (AEPD - Agencia Española de Protección de Datos) oversees enforcement. Notable features include digital rights (right to disconnect, digital education, rectification on the internet), age of digital consent (14 years), deceased persons' data rights, and internal whistleblower provisions. AEPD is one of the most active DPAs in Europe.
The Sri Lanka Personal Data Protection Act No. 9 of 2022 establishes a comprehensive data protection framework for Sri Lanka. It creates the Data Protection Authority of Sri Lanka, establishes data processing principles, individual rights, and obligations for controllers and processors. Applies to processing of personal data of individuals in Sri Lanka. Implementation phased over 18 months from commencement.
The Student Privacy Pledge 2020, managed by the Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA), is a voluntary industry commitment by education technology companies to safeguard student privacy. Signatories commit to responsible data handling practices aligned with FERPA, COPPA, and state student privacy laws. Over 400 companies have signed the pledge.
Sweden's Data Protection Act (Dataskyddslag, 2018:218) supplements the EU GDPR with national provisions. Sweden's Integritetsskyddsmyndigheten (IMY, Swedish Authority for Privacy Protection) oversees enforcement. The Act includes provisions for processing of national identification numbers (personnummer), processing for journalistic purposes (with strong free speech protections), processing by authorities, the age of digital consent (13 years), and sanctions. Sweden has a strong tradition of transparency through its Freedom of the Press Act and public access principle (offentlighetsprincipen).
Switzerland's revised Federal Act on Data Protection (nFADP/nDSG, Datenschutzgesetz, in force September 1, 2023) modernises Swiss data protection law to align with the EU GDPR and maintain the EU adequacy decision. The Federal Data Protection and Information Commissioner (FDPIC/EDÖB) oversees enforcement. Key changes from the former law: privacy by design and default, DPIA requirements, breach notification, enhanced data subject rights (including portability), profiling provisions, and increased penalties. Switzerland is not an EU member but maintains EU adequacy status.
Task Force on Climate-related Financial Disclosures
The Trusted Exchange Framework and Common Agreement (TEFCA), developed by the Office of the National Coordinator for Health IT (ONC) under the 21st Century Cures Act, establishes a universal governance framework for nationwide health information exchange. TEFCA enables interoperable exchange of electronic health information among Qualified Health Information Networks (QHINs). Version 2.0 took effect in 2024, and operational exchanges have begun.
TISAX (Trusted Information Security Assessment Exchange) is an information security assessment and exchange mechanism for the European automotive industry. Managed by the ENX Association on behalf of the German Association of the Automotive Industry (VDA). Based on VDA Information Security Assessment (ISA) catalogue, which builds on ISO/IEC 27001 with automotive-specific requirements. Covers information security, prototype protection, and data protection. Assessment results shared via the TISAX portal between participants.
Recommendations of the Taskforce on Nature-related Financial Disclosures (TNFD) v1.0, published September 2023. Provides a risk management and disclosure framework for organizations to report and act on evolving nature-related dependencies, impacts, risks, and opportunities. Consists of 14 recommended disclosures (11 recast from TCFD for nature plus 3 nature-specific additions) across 4 pillars, plus the LEAP assessment approach and 6 general requirements.
The Transportation Security Administration (TSA) Pipeline Cybersecurity Directives (Security Directive Pipeline-2021-01 and -02, revised 2023) establish mandatory cybersecurity requirements for owners and operators of hazardous liquid and natural gas pipelines designated as critical. Issued following the Colonial Pipeline incident, the directives require cybersecurity implementation plans, incident reporting, and specific cybersecurity measures.
Tanzania's Personal Data Protection legislation establishes a framework for the protection of personal data, regulating the collection, processing, storage, and transfer of personal data. It establishes individual rights, data processor obligations, and enforcement mechanisms. Builds on the Electronic and Postal Communications Act (EPOCA) and the Cybercrimes Act.
The Telecommunications Sector Security Reforms, enacted through Part 14 of the Telecommunications Act 1997, require carriers and carriage service providers to protect Australian telecommunications networks from national security risks. Commenced September 2018. Administered by the Department of Home Affairs.
The Tennessee Information Protection Act (HB 1181, effective July 1, 2025) provides comprehensive consumer privacy rights. Applies to entities conducting business in Tennessee that control or process personal data of 175,000+ consumers, or 25,000+ consumers while deriving over 50% of gross revenue from data sales. Notable for affirmative defence for controllers maintaining privacy programs conforming to NIST Privacy Framework.
Texas Data Privacy and Security Act
Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch 541, effective 1 Jul 2024).
Thailand Personal Data Protection Act B.E. 2562 (2019), effective June 2022.
The Five Practices of Exemplary Leadership framework developed by James M. Kouzes and Barry Z. Posner, based on 40+ years of research analyzing personal-best leadership case studies. Identifies five practices leaders exhibit at their best, supported by Ten Commitments and measured by the Leadership Practices Inventory (LPI). 7th edition (2023), over 3 million copies sold, translated into 20+ languages.
Tonga's Communications Act 2015, administered by the Tonga Communications Commission, includes provisions for privacy and confidentiality of communications. The Act addresses telecommunications service provider obligations for customer data protection, interception safeguards, and consumer protection. Tonga does not have standalone data protection legislation; the Communications Act provides the primary regulatory framework for privacy of electronic communications and customer information.
The Trinidad and Tobago Data Protection Act 2011 (proclaimed in stages, substantially operative) establishes a data protection framework. The Office of the Information Commissioner oversees compliance. The Act establishes data protection principles based on the EU Data Protection Directive model, individual rights, and provisions for cross-border transfers. Applies to the processing of personal data in Trinidad and Tobago.
Tunisia's Organic Law No. 2004-63 on the Protection of Personal Data (2004) was the first comprehensive data protection law in Africa and the Arab world. The National Authority for the Protection of Personal Data (INPDP) oversees compliance. The law establishes processing principles, individual rights, registration requirements, and cross-border transfer restrictions. A reform aligning with GDPR has been under consideration.
Turkey's Personal Data Protection Law (KVKK, Law No. 6698 of 2016) establishes comprehensive data protection rules modelled on the EU Data Protection Directive (95/46/EC). The Personal Data Protection Authority (KVKK Board) oversees compliance. Amended in 2024 to strengthen cross-border transfer provisions with an EU GDPR-aligned approach. Applies to all natural and legal persons processing personal data in Turkey.
The Dubai Virtual Asset Regulatory Authority (VARA), established by Law No. 4 of 2022, is the world's first independent regulator dedicated to virtual assets. VARA regulates virtual asset service providers (VASPs) operating in or from Dubai (excluding DIFC). Comprehensive rulebooks cover: company, compliance and risk management, market conduct, technology and information, issuance, exchange, broker-dealer, lending/borrowing, custody, management/investment, and transfer/settlement services.
UK pro-innovation approach to AI regulation
The UK Age Appropriate Design Code (Children's Code), issued by the ICO under the Data Protection Act 2018, establishes 15 standards that online services likely to be accessed by children must comply with. Effective September 2, 2021, it sets expectations for how children's data should be handled by default. Applies to information society services likely to be accessed by children under 18 in the UK.
The UK Bribery Act 2010 is considered one of the strictest anti-bribery laws globally. It creates four offences: bribing another person (Section 1), being bribed (Section 2), bribing foreign public officials (Section 6), and failure of a commercial organisation to prevent bribery (Section 7). The Section 7 corporate offence has strict liability - the only defence is demonstrating 'adequate procedures' to prevent bribery. The Serious Fraud Office (SFO) prosecutes. Applies to UK companies and any company carrying on business in the UK. No facilitation payment exception.
The UK Building Safety Act 2022, enacted in response to the Grenfell Tower fire (2017), establishes a new regulatory framework for building safety in England. It creates the Building Safety Regulator (within HSE), introduces a new regulatory regime for higher-risk buildings (over 18m/7+ storeys), requires a Building Safety Case and golden thread of building information, and establishes duty holder responsibilities. Key provisions include gateway points for design and construction, mandatory occurrence reporting, resident engagement, and a new homes ombudsman. The Act represents the most significant reform of UK building safety regulation in a generation.
The UK Concordat on Open Research Data, endorsed by UK Research and Innovation (UKRI) signatories, establishes expectations and responsibilities for the management and sharing of research data. It sets out ten principles covering data management planning, access, curation, and governance. Signatories include major UK research funders, universities, and learned societies. The Concordat complements GDPR requirements and the UK Data Protection Act 2018 provisions for research. It promotes open data while safeguarding privacy and confidentiality.
The Construction (Design and Management) Regulations 2015 (CDM 2015) are the UK's primary regulations for managing health, safety, and welfare in construction projects. They implement the EU Temporary or Mobile Construction Sites Directive (92/57/EEC). CDM 2015 applies to all construction projects regardless of size. Key duty holders: clients, principal designers, principal contractors, designers, and contractors. Requirements include pre-construction information, construction phase plans, health and safety files, worker consultation, and welfare facilities. Enforced by the Health and Safety Executive (HSE).
NCSC Cyber Essentials + Cyber Essentials Plus. UK government-backed cybersecurity certification.
The UK Data Protection Act 2018 supplements the UK GDPR (retained EU law) and implements the Law Enforcement Directive provisions. It sets out the framework for data protection in the UK including the role and powers of the Information Commissioner's Office (ICO), processing conditions for law enforcement and intelligence services, and UK-specific derogations. Applies alongside the UK GDPR to all processing of personal data.
UK Data Protection Act 2018 plus the UK GDPR (retained EU GDPR with UK amendments).
UK Defence Standard 05-138 establishes cyber security requirements for organisations in the UK defence supply chain. Mandated by the Ministry of Defence (MOD) for contracts handling MOD information and systems. Issue 3 (2024) aligns with NCSC Cyber Essentials Plus and the MOD Cyber Security Model. Requirements cover: organisational security, asset management, access control, cryptography, physical security, operations security, communications security, supply chain security, incident management, and business continuity. Suppliers must achieve Cyber Essentials Plus certification as a minimum, with enhanced requirements for higher-sensitivity contracts.
The UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) operational resilience framework (effective March 2022, full compliance by March 2025) requires financial institutions to identify important business services, set impact tolerances, and ensure they can remain within those tolerances during severe but plausible disruptions. Applies to banks, building societies, PRA-designated investment firms, insurers, and recognised payment system operators.
The UK GDPR is the retained EU law version of the General Data Protection Regulation as it forms part of UK domestic law after Brexit (via the European Union (Withdrawal) Act 2018). It applies alongside the Data Protection Act 2018. Substantively similar to EU GDPR but with UK-specific modifications including the ICO as supervisory authority, UK adequacy decisions for international transfers, and UK representatives for non-UK controllers.
The UK Gambling Commission's cyber resilience requirements, set out in the Licence Conditions and Codes of Practice (LCCP), mandate that all licensed gambling operators implement appropriate cybersecurity measures. Key requirements include protection of player data, system integrity for fair gaming, financial transaction security, and incident reporting. The Commission's Remote Technical Standards set specific technical security requirements for online gambling systems. Operators must meet these as a condition of their licence.
The UK Modern Slavery Act 2015 is landmark legislation addressing slavery, servitude, forced labour, and human trafficking. Part 6, Section 54 (Transparency in Supply Chains) requires commercial organisations with annual turnover of GBP 36 million or more to publish an annual modern slavery statement describing steps taken to ensure slavery and trafficking are not occurring in their business or supply chains. The Home Office maintains a Modern Slavery Statement Registry. The Act also established the Independent Anti-Slavery Commissioner.
UK NCSC Cyber Assessment Framework v3.2 (used by NIS Regulations 2018 competent authorities and Cabinet Office GovAssure).
The UK Office for Nuclear Regulation (ONR) establishes cyber security requirements for UK civil nuclear facilities through its Security Assessment Principles (SyAPs) and Technical Assessment Guides (TAGs). ONR's CSIA expectations require nuclear licensees to implement comprehensive cyber security programmes protecting systems important to nuclear safety, security, and safeguards. Based on the graded approach proportionate to nuclear safety significance. ONR assesses cyber security as part of site licence conditions (particularly LC17 - Management Systems and LC27 - Safety Mechanisms). Aligns with NCSC guidance and IAEA NSS.
The UK Online Safety Act 2023 establishes a comprehensive regulatory framework for online safety, placing duties on user-to-user services and search services to protect users from illegal content and, for larger platforms, content harmful to children. Ofcom is the regulator. Category 1 services (largest platforms with highest risk) face additional duties regarding content harmful to adults, user empowerment, and transparency. The Act covers illegal content duties, child safety duties, fraudulent advertising, and platform transparency. Significant penalties including up to 10% of global revenue.
The UK Open Banking Standard, established by the Competition and Markets Authority (CMA) Open Banking Order 2017, requires the nine largest UK banks (CMA9) to share customer data securely with authorised third-party providers (TPPs) via standardised APIs. Managed by the Open Banking Implementation Entity (OBIE), it enables Account Information Services (AIS) and Payment Initiation Services (PIS). Transitioning to a long-term framework under the Joint Regulatory Oversight Committee (JROC).
UK Product Security and Telecommunications Infrastructure Act
The UK Product Security and Telecommunications Infrastructure Act 2022 (PSTI), with regulations effective April 29, 2024, establishes minimum security requirements for consumer connectable products sold in the UK. It is the first national legislation implementing the ETSI EN 303 645 baseline requirements. Applies to manufacturers, importers, and distributors of internet-connected consumer products.
The UK Security and Emergency Measures Direction (SEMD, 2022) issued by Defra (Department for Environment, Food and Rural Affairs) under the Water Industry Act 1991 establishes security requirements for water and sewerage companies in England and Wales. SEMD requires water companies to protect their infrastructure against threats including cyber attacks, physical security threats, and contamination. Water companies must conduct risk assessments, implement security measures, and maintain emergency plans. The Drinking Water Inspectorate (DWI) oversees drinking water quality security. Cyber resilience requirements align with NIS Regulations 2018 (and NIS2 transposition) as water is designated a critical national infrastructure sector.
The UK Telecommunications (Security) Act 2021 amends the Communications Act 2003 to strengthen the security of the UK's telecommunications networks and services. It gives the Secretary of State power to issue security codes of practice and Ofcom powers to enforce compliance. The associated Electronic Communications (Security Measures) Regulations 2022 specify detailed security requirements. Applies to all public telecoms providers in the UK.
The United Nations Guiding Principles on Business and Human Rights (UNGPs), unanimously endorsed by the UN Human Rights Council in 2011, establish the authoritative global standard for preventing and addressing human rights impacts linked to business activity. The UNGPs rest on three pillars: the State duty to protect human rights, the corporate responsibility to respect human rights, and access to remedy. The corporate responsibility pillar requires human rights due diligence - a process to identify, prevent, mitigate, and account for adverse human rights impacts. The UNGPs inform mandatory human rights due diligence legislation globally (EU CSDDD, German LkSG, French Loi de Vigilance).
The UNCITRAL Model Law on Electronic Commerce (1996) is the foundational international framework for electronic commerce legislation. Developed by the United Nations Commission on International Trade Law. Adopted or used as a basis for legislation in over 80 countries. Establishes principles of non-discrimination (electronic records not denied legal effect solely because they are electronic), functional equivalence (electronic equivalents of paper-based requirements), and technology neutrality. The 2005 United Nations Convention on the Use of Electronic Communications in International Contracts builds on the Model Law.
The first global normative instrument on the ethics of artificial intelligence, adopted by all 193 UNESCO Member States in November 2021. Establishes a comprehensive framework of values, principles, and policy action areas to guide the ethical development and deployment of AI systems worldwide.
UNICEF's Policy Guidance on AI for Children (2021), developed with the Government of Finland, provides nine requirements for child-centred AI systems. The guidance addresses: AI systems used by children, AI systems used about children (affecting children's lives), and AI systems developed by or with children. Nine requirements: support children's development and wellbeing, ensure inclusion of and for children, prioritise fairness and non-discrimination, protect children's data and privacy, ensure safety for children, provide transparency and accountability, empower governments and businesses with AI knowledge for children, prepare children for AI developments, and create an enabling environment. Endorsed by 40+ countries and referenced by OECD and IEEE.
Title III of the Americans with Disabilities Act (ADA, 42 U.S.C. § 12181) prohibits discrimination on the basis of disability in places of public accommodation. Through DOJ guidance (2024) and extensive federal court precedent, Title III has been applied to websites, mobile applications, and digital services of private entities that constitute places of public accommodation. The DOJ published a final rule in April 2024 establishing WCAG 2.1 Level AA as the technical standard for web and mobile application accessibility under Title III. Compliance deadlines: large entities by April 2026, smaller entities by April 2027.
The US Automated Commercial Environment (ACE) is the primary system through which the trade community reports imports and exports and the US government determines admissibility. Managed by US Customs and Border Protection (CBP). ACE serves as the Single Window for international trade data. The International Trade Data System (ITDS) integrates 49 participating government agencies through ACE. Key requirements include advance cargo information (10+2 rule for ocean, ACAS for air), entry filing, export declarations, and Partner Government Agency (PGA) data requirements. All import/export transactions must be filed electronically through ACE.
The Children's Online Privacy Protection Act (COPPA, 1998) and FTC COPPA Rule (16 CFR Part 312) regulate the online collection, use, and disclosure of personal information from children under 13. FTC proposed updates in 2024 (commonly called 'COPPA 2.0') include: an expanded definition of personal information (biometric data, device identifiers), stronger data security requirements, data retention limits, enhanced protections against targeted advertising to children, and EdTech provider obligations. The Kids Online Safety and Privacy Act (KOSPA, proposed) would extend COPPA-like protections to 13- to 16-year-olds. The FTC enforces COPPA with civil penalties of up to $51,744 per violation.
The US Consumer Product Safety Commission (CPSC) is the federal agency responsible for protecting consumers from unreasonable risks of injury or death from consumer products. CPSC has expanded focus to include connected (IoT) consumer products. Key activities include: IoT consumer product hazard identification, CPSC's Connected Consumer Products initiative, product recall authority for cybersecurity-related safety hazards, coordination with NIST and CISA on IoT security, and CPSIA (Consumer Product Safety Improvement Act) reporting requirements. CPSC maintains a public product safety database (SaferProducts.gov) and can issue mandatory safety standards.
The US Environmental Protection Agency (EPA) enforces cybersecurity requirements for public water systems under the Safe Drinking Water Act (SDWA). Key requirements include: America's Water Infrastructure Act (AWIA, 2018) Section 2013 mandating risk and resilience assessments including cyber risks, EPA enforcement actions for cybersecurity failures (using SDWA Section 1433), and EPA's 2023 memorandum requiring states to include cybersecurity in public water system sanitary surveys. EPA works with CISA to provide technical assistance. Applies to approximately 151,000 public water systems in the United States.
Executive Order 14028 (May 2021) is a landmark US federal cybersecurity directive mandating improvements to federal cybersecurity including zero trust architecture, software supply chain security, incident detection and response, and federal security standardization. It directed NIST to develop secure software development guidelines and SBOM requirements, and required agencies to implement zero trust architecture by FY2024.
The Foreign Corrupt Practices Act (FCPA, 1977, amended 1988/1998) is a US federal law that prohibits the bribery of foreign government officials and requires publicly traded companies to maintain accurate books and records and adequate internal accounting controls. Enforced jointly by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC). The FCPA has broad extraterritorial jurisdiction covering US persons, issuers, and any person acting within US territory. DOJ Evaluation of Corporate Compliance Programs (2023 update) provides enforcement guidance.
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 CFR Part 314), as amended by the FTC in 2021, applies to higher education institutions that engage in financial activities such as student lending, financial aid processing, and payment plans. The updated rule requires institutions to develop, implement, and maintain a comprehensive information security program. Key requirements include risk assessment, access controls, encryption, multi-factor authentication, incident response, and appointment of a qualified individual. Compliance deadline was June 2023.
The International Traffic in Arms Regulations (ITAR, 22 CFR Parts 120-130) and Export Administration Regulations (EAR, 15 CFR Parts 730-774) are US export control regimes with significant cybersecurity and data protection implications. ITAR covers defence articles and technical data on the US Munitions List (USML), administered by the State Department Directorate of Defense Trade Controls (DDTC). EAR covers dual-use items on the Commerce Control List (CCL), administered by the Bureau of Industry and Security (BIS). Both require: access controls for controlled data, encryption of technical data, deemed export controls for foreign nationals, cloud computing restrictions, and cybersecurity incident reporting. Violations carry criminal penalties up to $1M and 20 years imprisonment.
The US Maritime Transportation Security Act (MTSA, 2002) and subsequent US Coast Guard (USCG) regulations establish security requirements for US maritime facilities and vessels. USCG Navigation and Vessel Inspection Circular (NVIC) 01-20 provides guidance on addressing cyber risks in Facility Security Assessments (FSA) and Facility Security Plans (FSP) per 33 CFR Part 105. NVIC 05-17 addresses cyber risks in Area Maritime Security Plans. The 2024 USCG cyber incident reporting rule establishes mandatory cyber incident reporting for MTSA-regulated facilities. Applies to port facilities, OCS (outer continental shelf) facilities, and vessels operating in US waters.
US Nuclear Regulatory Commission (NRC) regulation 10 CFR 73.54 establishes requirements for nuclear power plant licensees to protect digital computer and communication systems and networks associated with safety, security, and emergency preparedness functions from cyber attacks. Implemented through NEI 08-09 (Cyber Security Plan for Nuclear Power Reactors), endorsed by NRC Regulatory Guide 5.71. Requires a cyber security programme, assessment of digital assets, defensive architecture, and ongoing monitoring. All US operating nuclear power plants must have NRC-approved cyber security plans.
The US Office of Foreign Assets Control (OFAC), within the Treasury Department, administers and enforces economic and trade sanctions programmes. OFAC published its Framework for Compliance Commitments (2019) outlining the five essential components of an effective sanctions compliance programme. Sanctions programmes include the Specially Designated Nationals (SDN) List, sectoral sanctions, and comprehensive country embargoes. OFAC sanctions have significant extraterritorial reach through secondary sanctions. Violations can result in civil penalties up to $330,000+ per violation or criminal penalties up to $20M and 30 years imprisonment.
The US Securities and Exchange Commission (SEC) regulatory framework for digital assets determines when crypto-assets are securities subject to federal securities laws. Key developments include: SEC v. Ripple and SEC v. Coinbase precedents, application of the Howey test to digital assets, registration requirements for exchanges and broker-dealers handling digital asset securities, custody requirements (SAB 121, partially rescinded), and the SEC's approach to Bitcoin and Ethereum ETFs. The SEC requires registration of crypto exchanges as national securities exchanges or alternative trading systems (ATS), broker-dealer registration for platforms facilitating digital asset securities, and compliance with Regulation ATS, Regulation SHO, and Regulation NMS where applicable.
Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as revised in January 2017 by the US Access Board, requires that all federal government ICT (information and communications technology) be accessible to people with disabilities. The revised standards incorporate WCAG 2.0 Level AA for web and electronic content. Applies to federal agencies developing, procuring, maintaining, or using ICT. The Revised 508 Standards align with EN 301 549 for international harmonisation. Enforced through complaint mechanisms, Section 508 coordinators, and OMB reporting.
Chapter 19 (Digital Trade) of the United States-Mexico-Canada Agreement (USMCA, effective July 2020) establishes digital trade rules between the US, Mexico, and Canada. It is the most comprehensive digital trade chapter in any trade agreement. Key provisions include prohibition on customs duties on digital products, free cross-border data flows, prohibition on data localisation, source code protection, liability protections for online platforms (Section 230-equivalent), and consumer protection. The chapter sets the gold standard for digital trade provisions in FTAs.
The Uganda Data Protection and Privacy Act, 2019 regulates the collection, processing, and storage of personal data in Uganda. It establishes the Personal Data Protection Office, defines data subject rights, sets obligations for data controllers and processors, and provides for cross-border data transfer restrictions. Applies to all persons who collect, process, hold, or use personal data within Uganda.
Ukraine's Law on Personal Data Protection (Law No. 2297-VI of 2010) establishes the framework for personal data processing. The Ukrainian Parliament Commissioner for Human Rights oversees data protection. Ukraine committed to aligning its data protection framework with EU GDPR as part of its EU accession process. A new draft law aligning with GDPR was under development. The current law establishes basic processing principles, consent requirements, and data subject rights.
The Union Customs Code (UCC), established by Regulation (EU) No 952/2013 and applicable from May 1, 2016, modernizes and harmonizes customs rules across the European Union. It provides a comprehensive legal framework for the movement, declaration, and clearance of goods, including provisions for risk management, customs procedures, and the operation of IT systems such as the Customs Declaration Service (CDS). While it includes requirements for data processing and security in the context of customs operations, it is not primarily a data protection or cybersecurity regulation.
Uruguay's Personal Data Protection Act (Law No. 18.331 of 2008) establishes a comprehensive data protection framework. The Regulatory and Control Unit for Personal Data (URCDP) oversees compliance. Uruguay holds EU adequacy recognition (since 2012), making it one of only two Latin American countries with this status. The law establishes processing principles, data subject rights, database registration, and cross-border transfer provisions.
Utah Consumer Privacy Act (Utah Code § 13-61-101 et seq., effective 31 Dec 2023).
Uzbekistan's Law on Personal Data (No. ZRU-547, 2019) establishes the personal data protection framework. The State Inspectorate for Supervision of Informatisation and Telecommunications oversees compliance. The law covers processing principles, consent requirements, data subject rights, cross-border transfer provisions, and data security obligations. Applies to processing of personal data by state bodies, legal entities, and individuals in Uzbekistan.
Conceptual framework characterizing four dimensions of the modern strategic environment: Volatility, Uncertainty, Complexity, and Ambiguity. Originated with Bennis & Nanus (1985) and the US Army War College (1987). Includes Bob Johansen's VUCA Prime response model (2007) mapping each challenge to a leadership response: Vision, Understanding, Clarity, Agility.
Vermont's Artificial Intelligence and Consumer Data Act (H.121, vetoed June 2024 but reflecting legislative intent) would have established comprehensive consumer data privacy protections and AI governance requirements. The bill included consumer privacy rights, data minimisation, AI system transparency, algorithmic impact assessments, and a private right of action. Vermont continues to consider similar legislation. This entry captures the proposed framework as a reference.
Vietnam's Law on Cybersecurity (No. 24/2018/QH14), effective January 1, 2019, and its implementing Decree 13/2023/ND-CP, establish cybersecurity requirements for information systems in Vietnam. Key provisions include data localization for certain data categories, mandatory local office requirements for specified service providers, content moderation obligations, and cybersecurity incident reporting. Applies to foreign and domestic service providers operating in Vietnam.
Vietnam Personal Data Protection Decree 13/2023/ND-CP and the incoming PDPL 2026.
The Virginia Consumer Data Protection Act (effective January 1, 2023) is a comprehensive consumer privacy law establishing rights for Virginia residents and obligations for businesses. It applies to persons conducting business in Virginia or producing products/services targeted to Virginia residents that control or process personal data of at least 100,000 consumers annually, or 25,000 consumers while deriving over 50% of gross revenue from sale of personal data.
Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq., effective 1 Jan 2023).
The Voluntary Principles on Security and Human Rights (VPs), established in 2000, guide extractive sector companies in maintaining the safety and security of their operations within a framework that respects human rights. The VPs are a multi-stakeholder initiative involving governments (13), companies (39), and NGOs (13). Three pillars: risk assessment, interactions with public security, and interactions with private security. Companies report annually on VP implementation. The VP Initiative is administered from The Hague. Particularly relevant for operations in conflict-affected and high-risk areas.
The W3C Verifiable Credentials Data Model 2.0 (2024) provides a standard for expressing credentials on the web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. Verifiable Credentials (VCs) are issued by issuers, held by holders, and presented to verifiers. Key features: selective disclosure (reveal only needed attributes), zero-knowledge proofs, decentralised identifiers (DIDs), JSON-LD representation, and multiple proof formats (Data Integrity, JWT, SD-JWT). Use cases include: digital diplomas, government ID, professional licences, health credentials, and age verification. Foundational technology for EU Digital Identity Wallet (eIDAS 2.0), mDL (mobile driver's licence), and numerous national digital identity programmes.
Web Content Accessibility Guidelines (WCAG) 2.2 is the W3C Recommendation (05 October 2023) that defines how to make web content more accessible to people with disabilities. WCAG 2.2 contains 87 success criteria organized under 4 principles (Perceivable, Operable, Understandable, Robust) and 13 guidelines, at three conformance levels (A, AA, AAA). Nine new criteria were added in 2.2; 4.1.1 Parsing was removed.
The World Customs Organization (WCO) SAFE Framework of Standards establishes the Authorised Economic Operator (AEO) programme, providing mutual recognition of trusted traders in international supply chains. AEO-certified operators demonstrate compliance with supply chain security standards and customs requirements in exchange for facilitated customs processing. Implemented by 100+ countries with mutual recognition agreements enabling global trade facilitation.
The World Customs Organization (WCO) SAFE Framework of Standards (originally adopted 2005, updated 2021) establishes standards for supply chain security and facilitation of international trade. Three pillars: Customs-to-Customs (C2C), Customs-to-Business (C2B), and Customs-to-Other Government Agencies (C2OGA). Implemented by 177 WCO member countries. Key elements include advance electronic cargo information, risk management, non-intrusive inspection, Authorised Economic Operator (AEO) programmes, and mutual recognition arrangements.
The WELL Building Standard v2, administered by the International WELL Building Institute (IWBI), is the leading standard for buildings focused on human health and wellbeing. Over 46,000 WELL-registered and certified projects in 104 countries. WELL v2 covers 10 concepts: Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community. The standard includes requirements for smart building monitoring systems, data-driven indoor air quality management, and technology-enabled wellness programmes. WELL is often pursued alongside LEED for comprehensive green and healthy building certification.
The World Health Organization's Enhanced Global Competency Model describing the core, management, and leadership competencies expected of all WHO staff. Designed to ensure WHO has a capable, motivated, and productive workforce that delivers on its mission to promote health, keep the world safe, and serve the vulnerable.
The WHO Global Strategy on Digital Health 2020-2025 provides a framework for member states to develop, implement, and strengthen digital health initiatives. It establishes strategic objectives for digital health governance, investment, interoperability, and data protection. Endorsed by the World Health Assembly in 2020, it guides national digital health strategies and the development of digital health ecosystems aligned with Universal Health Coverage goals.
The Washington My Health My Data Act (SB 5693, effective March 31, 2024 for regulated entities; June 30, 2024 for small businesses) protects consumer health data not covered by HIPAA. It applies to regulated entities conducting business in Washington or targeting Washington consumers that collect, share, or sell consumer health data. Notable for its broad definition of health data, private right of action, and geofencing prohibition near healthcare facilities.
The Wisconsin Data Privacy Act (SB 670), introduced in 2024, proposes consumer data privacy protections for Wisconsin residents. Modelled after the Virginia CDPA, it would apply to controllers that process data of 100,000+ consumers or 25,000+ consumers while deriving 50%+ revenue from data sales. Includes standard consumer rights, sensitive data protections, and AG enforcement. Wisconsin continues legislative efforts toward comprehensive privacy legislation.
The Zambia Data Protection Act No. 3 of 2021 establishes a comprehensive legal framework for data protection in Zambia. It creates the Office of the Data Protection Commissioner, establishes data processing principles, provides data subject rights, and regulates cross-border data transfers. Applies to processing of personal data by data controllers and processors within Zambia or processing data of persons in Zambia.
The Zimbabwe Data Protection Act (Chapter 11:22) establishes a comprehensive data protection framework for Zimbabwe. It creates the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the data protection authority, establishes data processing principles, and provides for individual rights and enforcement mechanisms.
The EU electronic identification and trust services regulation. Regulation (EU) No 910/2014 (eIDAS), as substantially amended by Regulation (EU) 2024/1183 (eIDAS 2.0, the European Digital Identity Framework), governs electronic identification schemes, the European Digital Identity Wallet, and trust services (electronic signatures, seals, time stamps, registered delivery, website authentication certificates, electronic attestation of attributes, archiving and ledgers). It sets assurance levels, requirements for qualified and non-qualified trust service providers, supervision and a governance framework, and rules on mutual recognition across the internal market. Consolidated text applicable from 18 October 2024.