Compliance Frameworks
Browse 692 compliance frameworks across jurisdictions
Title 21 Code of Federal Regulations Part 211 establishes the minimum current good manufacturing practice (cGMP) requirements for the preparation of drug products (finished pharmaceuticals) for administration to humans or animals. Covers all aspects of pharmaceutical manufacturing from personnel and facilities to production controls and record keeping. Enforced by the FDA.
Title 21 Code of Federal Regulations Part 58 establishes Good Laboratory Practice (GLP) regulations for nonclinical laboratory studies supporting applications for research or marketing permits for FDA-regulated products. Covers organization, facilities, equipment, testing operations, records, and reporting requirements to ensure the quality and integrity of safety data.
3GPP Technical Specification 33.501 defines the security architecture and procedures for 5G Systems. Covers authentication, key management, security between network functions, and user plane security. Key features include: 5G-AKA and EAP-AKA' authentication, SUPI/SUCI privacy protection (subscriber identity concealment), service-based architecture security, network slicing security, and interconnect security (SEPP for roaming). Applicable to all 5G network operators and equipment vendors worldwide. 3GPP specifications are implemented by national regulators and are the basis for global 5G deployment.
3GPP Telecommunications Security Specifications
3GPP TS 33.501 specifies the security architecture and procedures for 5G systems. It defines security features for authentication, key management, confidentiality, integrity protection, and network domain security in 5G networks. Covers security for 5G New Radio (NR), 5G Core (5GC), network slicing, edge computing, and interworking with 4G LTE. Mandatory for all 5G mobile network deployments worldwide.
Australian Accounting Standards Board Standard S2 requires entities to disclose climate-related risks and opportunities. Based on IFRS S2 issued by the ISSB. Structured around four pillars: Governance, Strategy, Risk Management, and Metrics and Targets. Commenced as a legislative instrument on 31 December 2024.
The AICPA Privacy Management Framework (PMF) provides a comprehensive framework for CPA practitioners and organisations to manage and report on privacy risk. It builds on the Generally Accepted Privacy Principles (GAPP) and SOC 2 Trust Services Criteria for Privacy. The PMF includes nine privacy components: management, agreement/notice/communication, collection, use/retention/disposal, access, disclosure to third parties, security, quality, and monitoring/enforcement. Used in SOC 2 privacy engagements and privacy programme assessments.
Service Organization Controls for financial reporting
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) establishes a regulatory framework requiring Australian businesses providing designated services to identify, mitigate and manage money laundering and terrorism financing risks. Administered by AUSTRAC.
French National Cybersecurity Agency framework
The APEC Cross-Border Privacy Rules (CBPR) System is a voluntary accountability-based framework for facilitating cross-border data flows among APEC economies while protecting personal information. Participating companies self-certify compliance with programme requirements, verified by APEC-recognised accountability agents. Based on the APEC Privacy Framework. Participating economies include US, Japan, Canada, South Korea, Australia, Singapore, and others. Being transitioned to the Global CBPR Forum.
Australian Prudential Regulation Authority Prudential Standard CPS 220 sets out requirements for APRA-regulated entities to have an effective risk management framework, including the Board's responsibility for risk oversight, a Chief Risk Officer, and the 'three lines of defence' model. Applies to ADIs, insurers, and RSE licensees.
Australian Prudential Regulation Authority Prudential Standard CPS 230 sets out requirements for APRA-regulated entities to effectively manage operational risks, maintain business continuity, and manage risks from service provider arrangements. Effective 1 July 2025.
Australian Prudential Regulation Authority Information Security Standard
APRA Prudential Standard CPS 234 (effective July 2019) establishes information security requirements for APRA-regulated entities in Australia: authorised deposit-taking institutions (banks), general insurers, life insurance companies, private health insurers, and registrable superannuation entity (RSE) licensees. CPS 234 requires entities to maintain an information security capability commensurate with the size and extent of threats to their information assets. Key requirements include Board and senior management accountability, information security capability, policy framework, information asset identification and classification, and incident management.
Australian Prudential Regulation Authority Prudential Standard SPS 220 sets out risk management requirements specifically for RSE licensees (superannuation trustees). It requires RSE licensees to maintain a Board-approved risk management framework covering material risks to the business operations and to the interests of beneficiaries.
AS9100D (SAE International) is the aerospace quality management system standard based on ISO 9001:2015 with additional aerospace-specific requirements. It addresses the unique quality, safety, and reliability requirements of the aviation, space, and defense industries. Required for certification of aerospace manufacturers and suppliers. Recognized by major aerospace OEMs (Boeing, Airbus, Lockheed Martin, etc.) as a prerequisite for supplier qualification.
AS9100D:2016 (equivalent to EN 9100:2018 in Europe) is the quality management system standard for the aviation, space, and defence (AS&D) industry. Based on ISO 9001:2015 with additional AS&D-specific requirements. Published by SAE International (IAQG — International Aerospace Quality Group). Covers product safety, counterfeit parts prevention, risk management, configuration management, and special processes. Required by major aerospace primes (Boeing, Airbus, Lockheed Martin, Rolls-Royce) for their supply chain. Over 20,000 certified organisations worldwide.
Defines four maturity levels (0-3) for each of the ASD Essential Eight mitigation strategies, with specific ISM control requirements at each level. Published by the Australian Signals Directorate.
The Australian Signals Directorate Information Security Manual is the Australian Government's primary cyber security framework. It provides a comprehensive set of cyber security principles and guidelines for protecting systems and data at all classification levels. The ISM contains over 870 controls organized across system hardening, management, monitoring, development, networking, cryptography, gateways, and data transfer guidelines.
A prioritised list of 37 mitigation strategies published by the Australian Signals Directorate to help organisations protect themselves against cyber threats. The Essential Eight is a subset of these strategies.
The ASEAN Data Management Framework provides a common framework for ASEAN member states to harmonize data governance across the region. It covers data lifecycle management, cross-border data flows, data protection measures, and organizational accountability. Designed to facilitate trusted data flows within ASEAN while maintaining appropriate safeguards.
The ASEAN Guide on AI Governance and Ethics provides a practical framework for ASEAN member states and organizations to deploy AI responsibly. Based on principles of transparency, fairness, security, accountability, and human-centricity, it provides guidance for both AI developers and deployers. Complements existing national AI strategies across ASEAN member states.
The Australian Securities and Investments Commission sets expectations for cyber resilience of regulated entities in the financial services sector. Based on ASIC Report 429 (2015) and Report 716 (2022), it outlines good practices for boards and management in managing cyber security risks. Applies to Australian financial services licensees, credit licensees, and market operators.
ASIS SPC.1-2009 (Organizational Resilience: Security, Preparedness, and Continuity Management Systems — Requirements with Guidance for Use) is an American National Standard that establishes requirements for a management system to enhance organizational resilience. Published by ASIS International, it integrates security management, emergency management, and business continuity into a unified resilience management system. Certifiable standard used primarily in North America.
Amazon Web Services security best practices framework
The American Water Works Association (AWWA) provides comprehensive cybersecurity guidance for water and wastewater utilities. Key publications include: AWWA Cybersecurity Risk & Responsibility in the Water Sector (2019), Process Control System Security Guidance for the Water Sector, and collaboration with WaterISAC. AWWA serves 50,000+ members representing water utilities, treatment plants, and suppliers. The guidance addresses unique challenges of water sector OT systems including SCADA, PLCs, and chemical dosing systems. Aligned with NIST Cybersecurity Framework, EPA requirements, and America's Water Infrastructure Act (AWIA) Section 2013.
The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014) is the first continental framework addressing cybersecurity and data protection in Africa. It establishes obligations for AU member states in electronic commerce, personal data protection, cybersecurity, and cybercrime. Entered into force June 2023 after achieving 15 ratifications.
The Aged Care Quality Standards set out the level of care and services expected of aged care providers in Australia. Enforced by the Aged Care Quality and Safety Commission. All Commonwealth-funded aged care providers must comply with these 8 standards. Set out in Schedule 2 of the Quality of Care Principles 2014.
Albania's Law on Protection of Personal Data (Law No. 9887/2008, amended by Law No. 48/2014) establishes the data protection framework. The Information and Data Protection Commissioner oversees enforcement. The law was initially based on the EU Data Protection Directive and has been progressively updated toward GDPR alignment as part of Albania's EU accession process. Covers processing principles, consent, data subject rights, cross-border transfers, and DPO requirements. A new GDPR-aligned law has been under development.
Angola's Law No. 22/11 on the Protection of Personal Data (2011) establishes the country's data protection framework. The Agência de Protecção de Dados (APD) serves as the supervisory authority. The law establishes data processing principles, individual rights, controller obligations, and provisions for cross-border transfers. Applies to processing of personal data by controllers established in Angola.
Chris Argyris's theory of organizational learning distinguishing between single-loop learning (correcting errors within existing frameworks) and double-loop learning (questioning and modifying underlying assumptions, values, and policies). Published in 'Organizational Learning' (1978, with Donald Schon) and 'On Organizational Learning' (1999).
Armenia's Law on Protection of Personal Data (2015) establishes the data protection framework. The Agency for Protection of Personal Data (subsequently integrated into the Human Rights Defender's Office) oversees compliance. The law establishes processing principles, consent requirements, data subject rights, and cross-border transfer provisions. Armenia has been working to strengthen alignment with European standards through Council of Europe Convention 108+ ratification.
The Australian Consumer Data Right (CDR) for banking, mandated under the Competition and Consumer Act 2010 (amended by the Treasury Laws Amendment), gives consumers the right to share their banking data with accredited third parties. Administered by the ACCC (accreditation), OAIC (privacy), and Data Standards Body (technical standards). Effective July 2020, covering transaction accounts, credit cards, and lending products. Expanding to energy and telecommunications sectors.
The Information Security Registered Assessors Program (IRAP) is an Australian Government initiative administered by the Australian Signals Directorate (ASD). IRAP provides a framework for assessing the implementation and effectiveness of security controls against the Australian Government Information Security Manual (ISM). IRAP assessors are endorsed by ASD to conduct security assessments for Australian Government agencies and cloud service providers seeking to host government data. Assessment against ISM controls at OFFICIAL, PROTECTED, and SECRET levels.
The My Health Records Act 2012 establishes the legal framework for Australia's national digital health record system (My Health Record). Managed by the Australian Digital Health Agency, it enables individuals and healthcare providers to access a summary of health information online. The system operates on an opt-out basis (since 2018). The Act establishes strict access controls, penalties for misuse, and governance by the System Operator.
The Australian National Health and Medical Research Council (NHMRC) National Statement on Ethical Conduct in Human Research (2007, updated 2018) sets out the ethical framework for research involving humans. It covers consent, privacy, data management, governance, and the role of Human Research Ethics Committees (HRECs). Compliance is mandatory for NHMRC-funded research and widely adopted across Australian research institutions. Key principles: research merit, justice, beneficence, and respect for persons. Specifically addresses data governance, biobanks, genetic research, and Aboriginal and Torres Strait Islander research.
The Australian Online Safety Act 2021 establishes the eSafety Commissioner as the independent regulator for online safety. The Act creates a complaints-based system for removing harmful online content, with powers to issue removal notices to platforms, hosting services, and internet service providers. Key provisions include the Online Content Scheme (replacing the Broadcasting Services Act schedules), cyber-bullying scheme for children, image-based abuse scheme, and Basic Online Safety Expectations. Applies to online services with an Australian link.
The Australian eSafety Commissioner, established under the Online Safety Act 2021, has regulatory powers to protect Australians from online harms. Key instruments include: Basic Online Safety Expectations (BOSE) for online services, mandatory industry codes and standards, cyberbullying schemes, image-based abuse schemes, and online content schemes. The eSafety Commissioner can issue removal notices for seriously harmful content, conduct investigations, and impose penalties. BOSE requires services to take reasonable steps to ensure safety, implement reporting mechanisms, and provide transparency about safety measures. Specific focus on child safety online.
The Australian Energy Sector Cyber Security Framework is developed by the Australian Energy Market Operator (AEMO) in collaboration with the Australian Cyber Security Centre. It provides a maturity model approach to cyber security for Australia's energy sector, incorporating elements from NIST CSF, C2M2, and the ASD Essential Eight. Applies to electricity and gas market participants.
The 13 Australian Privacy Principles form the cornerstone of the privacy protection framework in the Privacy Act 1988, regulating how organisations and agencies handle personal information.
Austria's Data Protection Act (Datenschutzgesetz, DSG) as amended in 2018 supplements the EU GDPR with national provisions. The Datenschutzbehörde (DSB — Austrian Data Protection Authority) oversees enforcement. The DSG retains a constitutional right to data protection (Section 1 DSG has constitutional rank). Notable provisions include the age of digital consent (14 years), broad research derogations, specific rules for image processing (Bildaufnahme), and administrative and criminal penalties. Austria's data protection has constitutional status since 2000.
Authorised Economic Operator (AEO) programmes are globally implemented supply chain security and trade facilitation initiatives based on the WCO SAFE Framework. Over 97 countries operate AEO programmes. AEO status is granted to economic operators (importers, exporters, customs brokers, carriers, warehouse operators) that demonstrate compliance with customs requirements, financial solvency, and supply chain security standards. Mutual recognition arrangements (MRAs) between countries provide reciprocal AEO benefits. Key programmes include EU AEO, US C-TPAT, Japan AEO, China AEO, and Australia Trusted Trader.
Automotive SPICE (ASPICE) v4.0 (2023) is a process assessment model for software development in the automotive industry. Based on ISO/IEC 33020 process measurement framework. ASPICE defines process reference models and process assessment indicators for system engineering, software engineering, hardware engineering, and machine learning engineering. Used by OEMs to assess supplier development process capability. Capability levels 0-5. ASPICE assessments are a de facto requirement for automotive Tier 1/2 suppliers.
Azerbaijan's Law on Personal Data (2010) establishes the personal data protection framework. The State Service for Special Communication and Information Security oversees implementation. The law establishes processing principles, consent requirements, data subject rights, data security obligations, and cross-border transfer provisions. Azerbaijan ratified Council of Europe Convention 108 in 2010. The law applies to processing of personal data by state bodies and private entities in Azerbaijan.
Microsoft Azure cloud security best practices and controls
Basel Committee Principles for Effective Risk Data Aggregation
BIMCO Guidelines on Cyber Security Onboard Ships
The BRCGS (Brand Reputation Compliance Global Standards) Global Standard for Food Safety Issue 9 (2022) is a GFSI-benchmarked food safety certification standard for food manufacturers. Originally developed by the British Retail Consortium. Over 30,000 certified sites in 130+ countries. Covers senior management commitment, HACCP, food safety and quality management systems, site standards, product control, process control, and personnel. Grades: AA, A, B, C, D (unannounced option gives higher grade). Published and managed by BRCGS (LGC ASSURE).
BREEAM (Building Research Establishment Environmental Assessment Method) is the world's oldest green building certification scheme, established in 1990 by BRE Global. It assesses and certifies the sustainability performance of buildings across their lifecycle. Categories include management, health and wellbeing, energy, transport, water, materials, waste, land use and ecology, and pollution. Rating levels: Pass, Good, Very Good, Excellent, and Outstanding. Over 590,000 buildings certified in 90+ countries.
BS 65000:2014, published by BSI (British Standards Institution), provides guidance on organizational resilience encompassing an organisation's ability to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper. It provides a holistic approach integrating business continuity, risk management, crisis management, and security management. Describes the resilience journey from awareness through to adaptive resilience. Predecessor to ISO 22316.
The Cloud Computing Compliance Criteria Catalogue (C5) is the German Federal Office for Information Security (BSI) standard for assessing the security of cloud services. C5:2020 defines minimum security requirements that cloud providers must meet, organized into 17 topic areas with 121 criteria. Used by German federal agencies and widely adopted by European organizations for cloud security assurance. C5 attestation reports are issued by qualified auditors.
German Federal Office for Information Security baseline protection
The Bank Secrecy Act (31 U.S.C. 5311-5332) and implementing regulations (31 CFR Chapter X) establish requirements for financial institutions to detect and prevent money laundering, terrorist financing, and other financial crimes. Key components include AML compliance programs, customer identification/due diligence, suspicious activity reporting, currency transaction reporting, and recordkeeping. Amended by USA PATRIOT Act (2001), CDD Rule (2016), and AML Act (2020).
The Barbados Data Protection Act 2019 (Cap. 380A) establishes a data protection framework for Barbados. The Data Protection Commissioner oversees compliance. The Act establishes processing principles, individual rights, and provisions for cross-border transfers. Modelled on Caribbean Community (CARICOM) model data protection legislation. Applies to the processing of personal data by controllers in Barbados.
Basel III: International regulatory framework for banks, developed by the Basel Committee on Banking Supervision (BCBS). Strengthens bank capital requirements, introduces new requirements on bank liquidity and leverage, and enhances risk management. Published 2010-2017, with final reforms (sometimes called Basel IV) finalized in December 2017. Implementation ongoing through 2028.
Belgian Centre for Cybersecurity CyberFundamentals Framework
Belgium's Data Protection Act of 30 July 2018 supplements the EU GDPR with national provisions. The Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données, GBA/APD) oversees enforcement. The Act includes provisions for the age of digital consent (13 years), processing of national identification numbers (Rijksregisternummer/Numéro de registre national), journalistic exemptions, employment data, and administrative penalties. Belgium's DPA is notable for its Litigation Chamber and significant fine decisions.
The Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct (2020) establishes cybersecurity expectations for BMA-regulated entities including insurers, reinsurers, banks, and trust companies. Bermuda is a major international insurance and reinsurance hub. The Code covers cyber risk governance, risk management, incident response, third-party management, and reporting. Proportionate approach based on entity size, complexity, and cyber risk profile. Compliance monitored through BMA supervisory reviews and examinations.
Bermuda's Personal Information Protection Act 2016 (PIPA, substantially in force January 1, 2025) establishes a comprehensive privacy framework. The Privacy Commissioner for Bermuda oversees compliance. PIPA establishes processing principles, individual rights, mandatory breach notification, and provisions for cross-border transfers. Designed to support Bermuda's EU adequacy application for the insurance/reinsurance sector.
Bosnia and Herzegovina's Law on Protection of Personal Data (Official Gazette BiH No. 49/06, 76/11) establishes the data protection framework. The Personal Data Protection Agency of Bosnia and Herzegovina (AZLP) oversees enforcement. The law was modelled on the EU Data Protection Directive (95/46/EC). It covers processing principles, consent, data subject rights, cross-border transfers, and registration obligations. Amendments and alignment with GDPR have been under discussion as part of EU accession negotiations.
The Botswana Data Protection Act provides a comprehensive framework for the protection of personal data in Botswana. It establishes data protection principles, individual rights, obligations for data controllers and processors, and provisions for cross-border data transfers. Creates the Data Protection Commissioner to oversee implementation and enforcement.
Brazil's Open Finance framework, established by the Central Bank of Brazil (BCB) through Resolução Conjunta No. 1/2020 and subsequent regulations, creates one of the world's most comprehensive open financial data ecosystems. Mandatory for regulated financial institutions, it covers banking, insurance, investments, pensions, and foreign exchange data sharing. Phases implemented from 2021-2023. Uses standardised APIs managed by the Open Finance Brasil governance structure.
Brunei Darussalam's Personal Data Protection Order 2024 (PDPO), issued under the Emergency Orders, establishes a comprehensive data protection framework for Brunei. The Authority for Info-communications Technology Industry (AITI) oversees compliance. The PDPO follows the APEC Privacy Framework and ASEAN Framework on Personal Data Protection. It establishes data protection obligations for organisations, individual rights, and cross-border transfer provisions. Applies to organisations processing personal data in Brunei.
The Customs-Trade Partnership Against Terrorism (C-TPAT) is a voluntary government-business partnership program managed by U.S. Customs and Border Protection (CBP). C-TPAT members implement security measures throughout their supply chains in exchange for trade facilitation benefits including reduced inspections, expedited processing, and front-of-line privileges. Applies to importers, carriers, brokers, consolidators, and foreign manufacturers.
Cloud Computing Compliance Criteria Catalogue by BSI Germany
Consensus Assessment Initiative Questionnaire for cloud providers
California Consumer Privacy Act / California Privacy Rights Act
The Consultative Committee for Space Data Systems (CCSDS) 350.0-G-3 (The Application of Security to CCSDS Protocols) provides security guidance for space mission communications. CCSDS is the international standardisation body for space data systems with all major space agencies as members (NASA, ESA, JAXA, ROSCOSMOS, etc.). The security framework covers authentication, encryption, and access control for space-ground communications, telemetry, telecommand, and space data links. Key standards include CCSDS 352.0-B (Space Data Link Security Protocol) and CCSDS 355.0-B (Space Missions Key Management). Applicable to all civilian and scientific space missions.
CDP runs the global disclosure system for environmental impact. Through its annual questionnaires, CDP collects data from companies, cities, states, and regions on climate change, water security, and forests/deforestation. Over 23,000 companies disclose through CDP, which scores responses A through D-. CDP questionnaires are aligned with TCFD recommendations and increasingly with ISSB standards. Used by 740+ investors with $136 trillion in assets.
CDP (formerly the Carbon Disclosure Project) runs a global environmental disclosure system. The CDP Corporate Questionnaire is the primary mechanism through which over 23,000 companies disclose environmental information to investors and stakeholders. Covers climate change, water security, forests, biodiversity, and plastics. Aligned with TCFD and TNFD recommendations.
The Commodity Futures Trading Commission (CFTC) System Safeguards rules establish cybersecurity and system integrity requirements for designated contract markets (DCMs), swap execution facilities (SEFs), derivatives clearing organizations (DCOs), and swap data repositories (SDRs). Requirements include cybersecurity testing, business continuity, disaster recovery, and incident response. Updated through subsequent guidance including staff advisories.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Pub.L. 117-103, Division Y) requires covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours. Administered by the Cybersecurity and Infrastructure Security Agency (CISA). NPRM published April 2024; final rule expected Fall 2025.
Center for Internet Security Critical Security Controls - prioritized set of actions to protect organizations and data from known cyber attack vectors
CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risk to critical infrastructure operations. Aligned with the NIST Cybersecurity Framework, CPGs provide a common set of protections that all critical infrastructure entities should implement. Version 2.0 organizes goals across 8 practice areas.
The Cybersecurity and Infrastructure Security Agency (CISA) provides industrial control systems (ICS) security guidance through its ICS-CERT (now integrated into CISA). Key programmes include: ICS-CERT Advisories (vulnerability disclosures for ICS/SCADA products), Recommended Practices for ICS cybersecurity, Cyber Security Evaluation Tool (CSET), and Validated Architecture Design Reviews (VADR). CISA's ICS programme covers all critical infrastructure sectors. Published advisories cover products from Siemens, Schneider Electric, ABB, Rockwell Automation, and other major ICS vendors. Free assessment services available to critical infrastructure operators.
CISA's Secure by Design initiative establishes principles for technology manufacturers to build security into their products from the ground up, rather than relying on customers to implement security after deployment. The guidance calls on manufacturers to take ownership of customer security outcomes, embrace radical transparency, and build organizational structures that prioritize security. Developed jointly with international cybersecurity agencies.
CISA Zero Trust Maturity Model for federal agencies
Cybersecurity Maturity Model Certification for defense industrial base
The Cloud Native Computing Foundation (CNCF) Security Technical Advisory Group (TAG) provides security guidance for cloud-native technologies. Key publications include: CNCF Cloud Native Security Whitepaper (v2, 2022), CNCF Software Supply Chain Best Practices, and CNCF Security Assessment process. CNCF hosts critical security projects: Falco (runtime security), OPA/Gatekeeper (policy), cert-manager (certificate management), Notary/TUF (content trust), and SPIFFE/SPIRE (identity). The CNCF graduated project security criteria require external security audits, vulnerability disclosure processes, and security documentation.
Control Objectives for Information and Related Technologies - governance framework for enterprise IT management
Committee of Sponsoring Organizations Enterprise Risk Management framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Framework (2017) integrates ERM with strategy and performance. Five components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting. 20 principles across the five components. Key concept: risk appetite and entity-level portfolio view of risk. The 2017 update emphasises: aligning risk appetite and strategy, enhancing risk responses, reducing performance variability, improving resource deployment, and identifying emerging risks. Used by the majority of S&P 500 companies.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control — Integrated Framework was updated in 2013 from the original 1992 framework. It defines internal control as a process designed to provide reasonable assurance regarding achievement of objectives in operations, reporting, and compliance. Contains 5 components and 17 principles.
Cloud Security Alliance Cloud Controls Matrix - cybersecurity control framework for cloud computing
The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) programme provides a comprehensive framework for cloud security assurance. Based on the CSA Cloud Controls Matrix (CCM), STAR offers three levels of assurance: self-assessment (Level 1), third-party audit (Level 2 — SOC 2 or ISO 27001 based), and continuous monitoring (Level 3). The CCM provides 197 control objectives across 17 domains mapped to major standards and regulations.
The 2024 CWE Top 25 Most Dangerous Software Weaknesses published by MITRE Corporation and supported by CISA. Based on analysis of 31,770 CVE records scored by frequency multiplied by severity (CVSS). Identifies the most common and impactful software weaknesses that developers and organizations should prioritize. Released November 19, 2024.
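The ranking formula behind the list is simple enough to reproduce. MITRE's published methodology normalises each weakness's frequency (number of CVEs mapped to it) and severity (average CVSS base score) to the 0..1 range across all CWEs in the dataset, multiplies them, and scales by 100; records mapped to NVD-CWE-Other or NVD-CWE-noinfo are excluded. The following is an added example, not MITRE's own tooling; the CVE records are constructed, and a real run would read the NVD feeds (and apply MITRE's CWE remapping step, which is omitted here).

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: (cve_id, mapped_cwe, cvss_base_score).
# In a real run these come from the NVD JSON feeds for the analysis window.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 5.4),
    ("CVE-0000-0003", "CWE-79", 6.1),
    ("CVE-0000-0004", "CWE-79", 4.8),
    ("CVE-0000-0005", "CWE-787", 9.8),
    ("CVE-0000-0006", "CWE-787", 8.8),
    ("CVE-0000-0007", "CWE-787", 7.5),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 8.8),
    ("CVE-0000-0010", "CWE-200", 5.3),
    ("CVE-0000-0011", "NVD-CWE-Other", 7.5),   # excluded: no specific CWE
    ("CVE-0000-0012", "NVD-CWE-noinfo", 9.8),  # excluded: no specific CWE
]


def _normalise(value, lo, hi):
    """Min-max scale to 0..1; a degenerate range (all equal) scores 0."""
    return (value - lo) / (hi - lo) if hi > lo else 0.0


def score_weaknesses(records):
    """Return {cwe_id: score} using MITRE's Top 25 formula:
    score = normalised_frequency * normalised_avg_cvss * 100."""
    counts = defaultdict(int)
    cvss_by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        if not cwe.startswith("CWE-"):
            continue  # NVD placeholders carry no weakness information
        counts[cwe] += 1
        cvss_by_cwe[cwe].append(cvss)

    freq = {cwe: counts[cwe] for cwe in counts}
    sev = {cwe: mean(cvss_by_cwe[cwe]) for cwe in counts}
    f_lo, f_hi = min(freq.values()), max(freq.values())
    s_lo, s_hi = min(sev.values()), max(sev.values())

    scores = {}
    for cwe in counts:
        fr = _normalise(freq[cwe], f_lo, f_hi)
        sv = _normalise(sev[cwe], s_lo, s_hi)
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def top_n(records, n=25):
    """Rank weaknesses by score, highest first, truncated to n entries."""
    ranked = sorted(score_weaknesses(records).items(),
                    key=lambda kv: kv[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    for rank, (cwe, score) in enumerate(top_n(SAMPLE_CVES), start=1):
        print(f"{rank:2d}. {cwe:8s} {score:6.2f}")
```

Note that the formula rewards weaknesses that are both common and severe: in the sample, CWE-79 is the most frequent but scores only 7.5 because its average CVSS sits near the bottom of the range, while CWE-787 tops the list. A CWE that is the least frequent in the dataset always scores 0 regardless of severity, which is one reason MITRE publishes the raw frequency and severity alongside the rank.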
California IoT security law (SB-327)
Cambodia's Sub-Decree No. 134 on the Management of Personal Data in the Digital Sector (2024) establishes the first comprehensive data protection framework for Cambodia. Issued under the E-Commerce Law, it covers personal data processing principles, consent requirements, data subject rights, data protection officer requirements, and cross-border transfer restrictions. The Ministry of Post and Telecommunications (MPTC) oversees compliance. Applies to digital businesses processing personal data of individuals in Cambodia.
The Artificial Intelligence and Data Act (AIDA), proposed as Part 3 of Bill C-27, would have established Canada's regulatory framework for AI systems. It created obligations for those responsible for high-impact AI systems including risk assessment, monitoring, record-keeping, and transparency requirements, applying to persons who design, develop, make available, or manage the operation of AI systems in the course of international or interprovincial trade and commerce. Bill C-27 died on the Order Paper when Parliament was prorogued in January 2025 and was not enacted.
ITSG-33 (IT Security Risk Management: A Lifecycle Approach) is the Canadian Centre for Cyber Security (CCCS) standard for managing IT security risks in Government of Canada (GC) departments and agencies. It defines a security control catalogue aligned with the Treasury Board Policy on Government Security and Directive on Security Management. Security controls organised into technical, operational, and management families. Security profiles for different system sensitivity levels. Mandatory for GC information systems.
Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) regulates the sending of commercial electronic messages (CEMs), the installation of computer programs, and the unauthorized collection of electronic addresses. Enforced by the CRTC (electronic messages), Competition Bureau (false/misleading representations), and Office of the Privacy Commissioner (personal information collection). One of the strictest anti-spam laws globally.
The Cayman Islands Data Protection Act 2017 (as amended) establishes a comprehensive data protection framework for the Cayman Islands. The Office of the Ombudsman serves as the Data Protection Authority. The Act is modelled on the EU GDPR and includes data processing principles, individual rights, breach notification, and cross-border transfer provisions. Important for the Cayman Islands' significant financial services sector.
Chile's reformed Personal Data Protection Law (Law No. 21.719, enacted December 2024) replaces the outdated Law 19.628 of 1999. It creates an autonomous Data Protection Agency, establishes GDPR-aligned data protection principles, introduces mandatory breach notification, cross-border transfer restrictions, and significant penalties. The new framework positions Chile to seek an EU adequacy decision, which Argentina and Uruguay already hold in Latin America. Two-year transition period before the law takes full effect.
Chinese regulations on algorithmic recommendations and AI-generated content
The Cybersecurity Law of the People's Republic of China (effective June 2017) is China's foundational cybersecurity legislation. It establishes requirements for network operators and critical information infrastructure (CII) operators including multi-level protection scheme (MLPS), personal information protection, CII security, data localization, and security review mechanisms. Enforced by the Cyberspace Administration of China (CAC).
The Data Security Law of the People's Republic of China (effective September 2021) establishes a comprehensive framework for data security governance. It introduces a data classification and grading system, cross-border data transfer restrictions, government data security obligations, and a national data security review mechanism. Applies to data processing activities within China and extra-territorially where national security is affected.
Personal Information Protection Law of the People's Republic of China
The Personal Information Protection Law (PIPL), effective November 1, 2021, is China's comprehensive personal information protection legislation. It establishes rules for personal information processing, cross-border data transfers, individual rights, and enforcement by the Cyberspace Administration of China (CAC). Applies to processing of personal information of natural persons within China, and extraterritorially to processing outside China targeting or analysing behaviour of individuals within China.
Colombia's Statutory Law 1581 of 2012 establishes the general data protection framework, regulated by Decree 1377 of 2013. The Superintendence of Industry and Commerce (SIC) oversees data protection through its Deputy Superintendence for Personal Data Protection (Delegatura para la Protección de Datos Personales). The law covers processing principles, consent, data subject rights (including habeas data), the national registry of databases, and cross-border transfer provisions. Applies to processing of personal data in Colombia. Notable for its distinct treatment of semi-private data.
Colorado Senate Bill 24-205: Concerning Consumer Protections for Artificial Intelligence. The first comprehensive US state law regulating high-risk AI systems. Requires developers and deployers of high-risk AI systems to use reasonable care to protect consumers from algorithmic discrimination. Signed May 17, 2024 with an original effective date of February 1, 2026; legislation passed in the August 2025 special session delayed the effective date to June 30, 2026.
The Colorado Privacy Act (effective July 1, 2023) provides comprehensive consumer privacy rights for Colorado residents. It applies to controllers conducting business in Colorado or producing products/services targeted to Colorado residents that control or process personal data of 100,000+ consumers annually, or 25,000+ consumers while deriving revenue from sale of personal data. Includes universal opt-out mechanism requirements.
The Connecticut Data Privacy Act (effective July 1, 2023) provides comprehensive consumer privacy rights. Applies to entities conducting business in Connecticut that control or process personal data of 100,000+ consumers, or 25,000+ consumers while deriving over 25% of gross revenue from personal data sales. Notable for requiring universal opt-out mechanism recognition and consent for sensitive data processing.
Australia's Consumer Data Right framework, established under Part IVD of the Competition and Consumer Act 2010, enables consumers to securely share their data with accredited third parties. Covers banking, energy, and non-bank lending sectors. Regulated by ACCC (competition), OAIC (privacy), and Data Standards Body (technical standards).
The Cook Islands Electronic Transactions Act 2003 provides the legal framework for electronic commerce and transactions. The Act addresses electronic signatures, records, and contracts. Privacy provisions are embedded in sector-specific legislation including the Financial Transactions Reporting Act (anti-money laundering) and the Crimes Act. The Cook Islands does not have standalone comprehensive data protection legislation but relies on sector-specific privacy protections and the common law duty of confidentiality.
Costa Rica's Law for the Protection of Persons Regarding the Processing of Their Personal Data (Law No. 8968 of 2011) establishes a comprehensive data protection framework. The Agency for the Protection of Inhabitants' Data (PRODHAB) oversees compliance. The law establishes data processing principles, data subject rights, database registration requirements, and provisions for international data transfers.
Made under Part 2A of the Security of Critical Infrastructure Act 2018, the CIRMP Rules require responsible entities for critical infrastructure assets to adopt and maintain a critical infrastructure risk management program covering cyber security, personnel, supply chain, and physical security hazards. Commenced 17 February 2023.
Croatia's Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018) supplements the EU GDPR with national provisions. The Croatian Personal Data Protection Agency (AZOP, Agencija za zaštitu osobnih podataka) oversees enforcement. The Act covers the age of digital consent (16 years), processing by public authorities, video surveillance, processing for journalism and research, genetic and biometric data, and administrative fine procedures. Croatia is the most recent country to join the EU (2013) and aligned its data protection framework with GDPR from May 2018.
The Customs-Trade Partnership Against Terrorism (C-TPAT) is a voluntary US Customs and Border Protection (CBP) supply chain security programme. Partners include importers, carriers, consolidators, licensed customs brokers, and manufacturers. Members implement security measures across their supply chains in exchange for expedited cargo processing and reduced inspections. Minimum Security Criteria updated regularly. Over 11,000 certified partners processing 52%+ of US imports.
UK government-backed scheme to protect against common cyber attacks
Australia's first standalone cyber security legislation introducing mandatory security standards for smart devices, ransomware payment reporting, limited use obligations for ASD-shared information, and a Cyber Incident Review Board.
The Czech Republic's Act on Personal Data Processing (Act No. 110/2019 Sb.) supplements the EU GDPR with national provisions. The Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ) oversees enforcement. The Act includes provisions for the age of digital consent (15 years), processing for journalistic purposes, research derogations, video surveillance, and administrative fine procedures. The Czech Republic has a strong tradition of data protection dating to its 2000 Act on Personal Data Protection.
Côte d'Ivoire's Law No. 2013-450 of June 2013 on the Protection of Personal Data establishes the country's data protection framework. The Autorité de Régulation des Télécommunications/TIC (ARTCI) serves as the supervisory authority. The law establishes processing principles, consent requirements, registration obligations, and individual rights. Part of the broader ECOWAS data protection harmonisation effort.
The DAMA International Data Management Body of Knowledge (DAMA-DMBOK2, 2017) is the definitive guide to data management disciplines. Covers 11 knowledge areas: Data Governance, Data Architecture, Data Modelling and Design, Data Storage and Operations, Data Security, Data Integration and Interoperability, Document and Content Management, Reference and Master Data, Data Warehousing and Business Intelligence, Metadata Management, and Data Quality. The DMBOK wheel places Data Governance at the centre with 10 surrounding knowledge areas. DAMA International has 20,000+ members in 60+ chapters worldwide. The Certified Data Management Professional (CDMP) certification is based on DMBOK2.
Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires Department of Defense (DoD) contractors and subcontractors to provide adequate security for Covered Defense Information (CDI) and report cyber incidents. Contractors must implement NIST SP 800-171 security requirements, report cyber incidents within 72 hours to the DoD Cyber Crime Center (DC3), and preserve images for 90 days. Foundational requirement flowing down through the defense industrial base (DIB).
Defense Information Systems Agency (DISA) STIGs provide technical security configuration standards for DOD information systems. Based on Security Requirements Guides (SRGs), STIGs contain technical guidance for hardening systems across operating systems, applications, network devices, databases, and cloud environments. Used by US Department of Defense and widely adopted commercially.
DO-178C (RTCA) / ED-12C (EUROCAE) — Software Considerations in Airborne Systems and Equipment Certification is the primary standard for safety-critical avionics software development. It defines objectives for software lifecycle processes based on software criticality levels (Design Assurance Levels A-E). Referenced by FAA (AC 20-115D), EASA (AMC 20-115D), and Transport Canada for airborne software certification.
Digital Operational Resilience Act for EU financial entities
The Defence Industry Security Program is a risk management and assurance program administered by the Australian Department of Defence. It enables industry partners to understand and meet their security obligations when working with or for Defence. DISP membership requires compliance across governance, personnel, physical, information, and cyber security domains.
The Defence Security Principles Framework sets out security principles and controls for the Australian Department of Defence and its industry partners. It is a principles-based framework supporting a progressive protective security culture. All Defence personnel, contractors, consultants and outsourced service providers must adhere to the DSPF.
Delaware Personal Data Privacy Act
Denmark's Data Protection Act (Databeskyttelsesloven, Act No. 502 of 2018) supplements the EU GDPR with national provisions. The Danish Data Protection Agency (Datatilsynet) oversees enforcement. The Act includes provisions for processing of national civil registration numbers (CPR-nummer), processing for journalistic purposes, employee data, the age of digital consent (13 years), and video surveillance. Denmark maintains a National Data Protection Board that decides on matters of principle. The Act also addresses processing by the courts.
The Digital Economy Partnership Agreement (DEPA), signed by New Zealand, Singapore, and Chile in June 2020, is the first standalone digital economy trade agreement. South Korea acceded in 2023; China and Canada have applied to join. DEPA covers 16 modules including data flows, digital identity, electronic payments, AI governance, competition policy, and emerging technologies. It establishes rules for cross-border data flows, prohibits data localisation (with exceptions), requires personal data protection, and promotes interoperability. DEPA is seen as a template for future digital trade rules.
Department of Defense Zero Trust Reference Architecture
Dominican Republic Data Protection Law
The Export Administration Regulations (EAR, 15 CFR Parts 730-774) regulate the export and re-export of commercial and dual-use items on the Commerce Control List (CCL). Administered by the Bureau of Industry and Security (BIS) under the US Department of Commerce. EAR controls items based on technical parameters, destination, end-use, and end-user. Includes Entity List restrictions and deemed export provisions.
EASA (European Union Aviation Safety Agency) Part-IS (Information Security) regulations establish information security requirements for aviation organisations under the EASA regulatory framework. Part-IS requires organisations to establish an Information Security Management System (ISMS) to protect aviation safety from information security threats. Applies to organisations holding EASA approvals including airlines, maintenance organisations, design and production organisations, air traffic management providers, and aerodromes. Applicable from 16 October 2025 for organisations covered by Implementing Regulation (EU) 2023/203 and from 22 February 2026 for those covered by Delegated Regulation (EU) 2022/1645.
The European Banking Authority (EBA) Guidelines on ICT and Security Risk Management (EBA/GL/2019/04, revised 2024 to align with DORA) establish requirements for financial institutions' management of ICT and security risks. They cover ICT governance, risk management framework, information security, ICT operations, business continuity, and payment service security. Apply to credit institutions, investment firms, and payment service providers in the EU/EEA.
European Central Bank Threat Intelligence-based Ethical Red Teaming
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European Central Bank's framework for intelligence-led red team testing of financial entities' cyber resilience. It provides a standardised approach across the EU for simulating real-world cyber attacks against critical functions of financial entities. Tests are conducted by accredited threat intelligence and red team providers. Adopted by multiple EU member states and aligned with similar frameworks (CBEST, iCAST, TLPT under DORA).
The European Cooperation for Space Standardisation (ECSS) software engineering standards (ECSS-E-ST-40C, ECSS-Q-ST-80C) establish requirements for space software development used by the European Space Agency (ESA) and European space industry. ECSS-E-ST-40C covers the software engineering lifecycle including requirements, design, coding, testing, and maintenance. ECSS-Q-ST-80C covers software product assurance including criticality analysis, verification, and quality management. Applicable to mission-critical and safety-critical space systems.
The CDMC (Cloud Data Management Capabilities) framework, developed by the EDM Council with major cloud providers (AWS, Azure, Google Cloud), financial institutions, and regulators, establishes data management standards for cloud environments. The framework addresses 14 key capabilities across 6 themes: Governance and Accountability, Cataloguing and Classification, Accessibility and Usage, Protection and Privacy, Lifecycle, and Technical Architecture. CDMC is the first industry-consensus framework specifically addressing data management in cloud. Developed by 100+ contributor organisations. Supports cloud migration compliance for regulated industries.
The DCAM (Data Management Capability Assessment Model) is developed by the Enterprise Data Management (EDM) Council, a global association of financial services firms. DCAM provides a comprehensive framework for assessing and benchmarking data management capabilities. Used by 300+ financial institutions globally. DCAM is organised into 8 components, each broken down into capabilities and sub-capabilities scored on a maturity scale: Data Management Strategy, Business Case and Funding, Programme Operating Model, Data Governance, Data Architecture, Technology Architecture, Data Quality, and Data Stewardship. A DCAM assessment produces a maturity score enabling benchmarking against peers. Aligned with BCBS 239 (Risk Data Aggregation) requirements.
The European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on Information and Communication Technology Security and Governance (EIOPA-BoS-20/600, 2020) set supervisory expectations for ICT governance and risk management by insurance and reinsurance undertakings in the EU. The guidelines complement Solvency II and are aligned with the forthcoming DORA (Digital Operational Resilience Act). Key areas include ICT strategy, ICT risk management, information security, ICT operations, ICT project management, business continuity, and outsourcing. Applied through national supervisory authorities on a comply-or-explain basis.
EMV 3-D Secure (3DS2, version 2.3.1) is the payment authentication protocol developed by EMVCo to enable secure card-not-present (CNP) transactions. It replaces the original 3DS1 protocol with improved user experience and risk-based authentication. 3DS2 supports SCA (Strong Customer Authentication) requirements under PSD2/PSD3 in the EU. Key components: Access Control Server (ACS), Directory Server, 3DS Server, and 3DS SDK. Browser, app, and 3RI (requestor-initiated) flows. Mandated by card schemes for CNP transactions in many markets.
EN 301 549 v3.2.1 (2021) is the European harmonised standard for accessibility of ICT products and services. It provides the presumption of conformity with the EU Web Accessibility Directive (2016/2102) and the European Accessibility Act (2019/882). Published by ETSI, CEN, and CENELEC. Covers web content (WCAG 2.1 Level AA), electronic documents, software, hardware, and telecommunications. Includes functional accessibility requirements, testing methodology, and conformance criteria. Used for EU public procurement of ICT.
EN 301 549 is the European standard for ICT accessibility requirements, harmonised under the European Accessibility Act and the Web Accessibility Directive. Version 3.2.1 (2021) incorporates WCAG 2.1 Level AA requirements and extends them to non-web ICT including software, hardware, and electronic documents. Conformance with it gives a presumption of conformity with the Web Accessibility Directive for public sector ICT in the EU. Its counterpart in the US is the Section 508 standard, which incorporates WCAG 2.0 Level AA by reference.
The EN 5012x family of European standards governs RAMS (Reliability, Availability, Maintainability, Safety) for railway applications. EN 50126 addresses the RAMS lifecycle, EN 50128 covers software for railway control and protection systems, and EN 50129 covers safety-related electronic systems. Together they form the railway safety case framework mandated for signaling, train control, and safety-critical railway systems across Europe.
The European Union Agency for Cybersecurity (ENISA) publishes guidance on Privacy Enhancing Technologies (PETs) for implementing data protection by design. ENISA PETs reports cover: data pseudonymisation techniques, anonymisation approaches, differential privacy, homomorphic encryption, secure multi-party computation, zero-knowledge proofs, trusted execution environments, federated learning, and synthetic data. ENISA's work supports GDPR implementation by providing technical guidance on state-of-the-art privacy technologies referenced in Article 25 (data protection by design) and Article 32 (security of processing). Used by DPAs, organisations, and technology developers across the EU.
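The practical distinction ENISA's pseudonymisation guidance draws between an unkeyed cryptographic hash and a keyed function (MAC) is easy to demonstrate. Hashing a low-entropy identifier such as a staff number or phone number is deterministic but offers no protection: anyone can enumerate the identifier space and recover the original. A keyed pseudonym (HMAC with a secret held only by the controller) resists that, and deriving a separate sub-key per dataset prevents the same person's records being linked across datasets. The code below is an added example, not ENISA's material; the employee-ID space EMP-0000..EMP-9999 and the dataset names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed identifier space: 10,000 employee IDs. Small enough for an
# attacker to enumerate in under a second, which is exactly the weakness.
def candidate_ids():
    return (f"EMP-{n:04d}" for n in range(10_000))


def hash_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 pseudonym: deterministic, but anyone can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def hmac_pseudonym(identifier: str, key: bytes, domain: str = "") -> str:
    """Keyed pseudonym. The secret key never leaves the controller.
    'domain' (e.g. a dataset name) derives a distinct sub-key, so the same
    identifier yields unlinkable pseudonyms in different datasets."""
    subkey = hmac.new(key, domain.encode(), hashlib.sha256).digest() if domain else key
    return hmac.new(subkey, identifier.encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(pseudonym: str,
                          fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: recompute fn over every plausible identifier and
    look for a match. Returns the recovered identifier or None."""
    for cand in candidate_ids():
        if hmac.compare_digest(fn(cand), pseudonym):
            return cand
    return None


def demo(victim: str = "EMP-4242") -> dict:
    """Compare the two schemes against a dictionary attack and a linkage test."""
    key = secrets.token_bytes(32)  # controller's secret, generated per run

    unkeyed = hash_pseudonym(victim)
    keyed = hmac_pseudonym(victim, key, domain="hr-records")

    # Unkeyed hash: the attacker needs no secret at all.
    recovered_unkeyed = reverse_by_dictionary(unkeyed, hash_pseudonym)

    # Keyed: the attacker must guess the key; a wrong guess never matches.
    attacker_guess = b"guessed-key"
    recovered_keyed = reverse_by_dictionary(
        keyed, lambda i: hmac_pseudonym(i, attacker_guess, "hr-records"))

    # Domain separation: same person, two datasets, different pseudonyms.
    linkable = (hmac_pseudonym(victim, key, "hr-records")
                == hmac_pseudonym(victim, key, "payroll-records"))

    # Same key and domain remain deterministic, so joins inside a dataset work.
    deterministic = (hmac_pseudonym(victim, key, "hr-records") == keyed)

    return {
        "unkeyed_recovered": recovered_unkeyed,
        "keyed_recovered": recovered_keyed,
        "cross_dataset_linkable": linkable,
        "deterministic_within_dataset": deterministic,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The keyed scheme is only as strong as key management: the pseudonymisation key must be stored separately from the pseudonymised dataset (this is the "additional information kept separately" that GDPR Article 4(5) requires), and rotating it re-pseudonymises the data. Deterministic HMAC is still linkable within one dataset by design; where even that is unacceptable, ENISA's guidance points to randomised pseudonyms or counters with a protected lookup table.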
The European Cooperation for Space Standardization (ECSS) ECSS-E-ST-40C (2009) establishes software engineering requirements for space systems. Applicable to all ESA missions and widely adopted by national space agencies and industry. Covers the complete software lifecycle from requirements to operations including safety-critical and mission-critical software. Includes provisions for software security, quality assurance, verification, and validation. Complemented by ECSS-Q-ST-80C (Software Product Assurance) and ECSS-E-ST-10C (System Engineering). ECSS standards are mandatory for ESA contracts and widely adopted commercially.
The Entertainment Software Rating Board (ESRB) Privacy Certified programme is an FTC-approved COPPA Safe Harbor programme that allows member companies to demonstrate compliance with children's privacy requirements. The programme reviews and certifies websites, apps, and online services that collect personal information from children under 13. Members display the ESRB Privacy Certified seal. Ongoing monitoring and enforcement by ESRB. Covers COPPA requirements, general privacy practices, and specific gaming industry considerations.
Cyber Security for Consumer IoT - Baseline Requirements
ETSI Industry Specification Group on Quantum Key Distribution (ISG QKD) develops standards for quantum key distribution technology. QKD uses quantum mechanical properties to enable two parties to produce a shared random secret key. Key standards include: ETSI GS QKD 004 (Application Interface), ETSI GS QKD 005 (Security Proofs), ETSI GS QKD 008 (QKD Module Security Specification), ETSI GS QKD 014 (Protocol and Data Format of REST-based Key Delivery API), ETSI GS QKD 015 (Control Interface for Software Defined Networks), and ETSI GS QKD 018 (Orchestration Interface for Software Defined Networks). QKD is deployed in EuroQCI (European Quantum Communication Infrastructure), China's quantum networks, and commercial offerings from ID Quantique, Toshiba, and others.
European Union Artificial Intelligence Act regulating AI systems by risk level
The proposed EU AI Liability Directive (COM/2022/496) would have established uniform rules for damage claims related to AI systems. It introduced a rebuttable presumption of causality between non-compliance with the AI Act and the AI output (or failure to produce output), and rights to disclosure of evidence from providers and deployers of high-risk AI systems, complementing the AI Act and the revised Product Liability Directive. The European Commission announced its intention to withdraw the proposal in its 2025 work programme (February 2025), citing no foreseeable agreement between the co-legislators.
The EU 6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673) strengthens the criminal law framework for combating money laundering across the EU. Building on AMLD5, it harmonises the definition of money laundering offences, extends criminal liability to legal persons, establishes minimum penalties, and broadens the scope of predicate offences. Member States were required to transpose it by 3 December 2020. The 2024 AML package, published in June 2024, supersedes much of the earlier directive-based regime: Regulation (EU) 2024/1624 (the AML Regulation, a directly applicable single rulebook, applying from 10 July 2027), Directive (EU) 2024/1640 (also referred to as AMLD6, on supervision and FIUs), and Regulation (EU) 2024/1620 establishing the EU Anti-Money Laundering Authority (AMLA) to coordinate EU-wide AML supervision.
The revised EU Audiovisual Media Services Directive (AVMSD, Directive 2018/1808, amending Directive 2010/13/EU) establishes the EU regulatory framework for audiovisual media services, including traditional TV broadcasts, on-demand services (Netflix, Amazon Prime), and video-sharing platforms (YouTube, TikTok). Key provisions include protection of minors, prohibition of incitement to hatred, advertising rules, European works promotion, and platform obligations. Transposed into national law across all 27 EU Member States. Complemented by the Digital Services Act for broader platform regulation.
The EU Better Internet for Kids+ (BIK+) Strategy, adopted May 2022, updates the 2012 European Strategy for a Better Internet for Children. It establishes a framework for protecting children online through three pillars: safe digital experiences, digital empowerment, and active participation. It supports implementation of the DSA, GDPR Article 8 (children's consent), and the AVMSD provisions for minors. Guides EU member state approaches to age-appropriate design.
The EU Carbon Border Adjustment Mechanism (Regulation 2023/956), in its transitional phase from October 1, 2023 and fully operational from January 1, 2026, addresses carbon leakage by requiring importers of certain goods into the EU to purchase CBAM certificates corresponding to the carbon price that would have been paid if the goods were produced under EU carbon pricing rules. Covers cement, iron and steel, aluminium, fertilisers, electricity, and hydrogen. Importers must report embedded emissions and surrender CBAM certificates.
The European Chips Act (Regulation (EU) 2023/1781), entered into force September 2023, strengthens the EU's semiconductor ecosystem through investment, design capacity, and supply chain resilience. It establishes the Chips for Europe Initiative, a framework for monitoring semiconductor supply chains, and emergency measures for supply crises. Aims to achieve 20% global semiconductor production share by 2030.
Regulation (EU) No 536/2014 on clinical trials on medicinal products for human use. Replaces the Clinical Trials Directive 2001/20/EC. Establishes a harmonised framework for authorising and supervising clinical trials across the EU through the Clinical Trials Information System (CTIS). Applicable since 31 January 2022; all new trial applications had to be submitted via CTIS from 31 January 2023, and trials still running under the Directive had to transition to the Regulation by 31 January 2025.
The EU Code of Conduct for Research Data Management, developed under GDPR Article 40, provides practical guidance for research organisations on GDPR-compliant research data management. Endorsed by the European Data Protection Board (EDPB). Covers lawful bases for research processing, consent in research contexts, data minimisation, pseudonymisation, data sharing, cross-border transfers, and rights in research. Applicable to universities, research institutes, clinical trial organisations, and public health bodies across the EEA.
The EU Critical Raw Materials Act (CRMA), entered into force May 2024, establishes a framework for ensuring a secure and sustainable supply of critical and strategic raw materials essential for the EU's green and digital transitions. It sets benchmarks for domestic extraction (10%), processing (40%), and recycling (25%), diversification targets (no more than 65% from single third country), and mandatory supply chain due diligence for large companies.
EU regulation on cybersecurity requirements for products with digital elements
The EU Cyber Solidarity Act (Regulation (EU) 2025/38) establishes a framework for EU-wide cybersecurity preparedness, detection, and response. It creates the European Cybersecurity Alert System (called the European Cyber Shield in the proposal), a network of National and Cross-Border Cyber Hubs built on national and cross-border Security Operations Centres, a Cybersecurity Emergency Mechanism for preparedness actions and mutual assistance, and a European Cybersecurity Incident Review Mechanism. Entered into force February 2025.
The EU Data Act (Regulation (EU) 2023/2854) establishes rules on fair access to and use of data generated by connected products and related services. Effective September 12, 2025, it creates rights for users to access data generated by their IoT devices, enables data sharing between businesses, and allows public sector bodies to access private sector data in emergencies. It also addresses cloud switching and data interoperability.
Regulation (EU) 2022/868 on European data governance (Data Governance Act) creates a framework for facilitating data sharing across the EU. It establishes conditions for re-use of public sector data, provides a notification framework for data intermediation services, creates a framework for data altruism, and establishes the European Data Innovation Board. Effective September 2023.
The EU Deforestation Regulation (Regulation 2023/1115) requires operators and traders placing specified commodities on the EU market to demonstrate products are deforestation-free and legally produced. Covers cattle, cocoa, coffee, oil palm, rubber, soya, and wood plus derived products. Operators must exercise due diligence using satellite monitoring, geolocation data, and supply chain traceability. Application was delayed by one year by Regulation (EU) 2024/3234: from 30 December 2025 for large and medium operators and traders, and from 30 June 2026 for micro and small enterprises (originally 30 December 2024 and 30 June 2025 respectively).
Regulation (EU) 2022/1925 on contestable and fair markets in the digital sector. Establishes rules for gatekeeper platforms (those with significant impact on the internal market, providing a core platform service as an important gateway, and enjoying an entrenched and durable position). Imposes specific dos and don'ts on designated gatekeepers.
Regulation (EU) 2022/2065 on a Single Market For Digital Services. Establishes harmonised rules for intermediary services in the EU covering content moderation, transparency, online advertising, and user protections. Applies to all intermediary services with graduated obligations based on size and risk.
The EU Digital Services Act (DSA, Regulation 2022/2065) includes specific provisions for the protection of minors online. Under Article 28, every online platform accessible to minors must put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security for minors, and must not present advertisements based on profiling using a minor's personal data. Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) must additionally assess and mitigate systemic risks, including negative effects on the protection of minors (Articles 34 and 35). The Commission's Article 28 guidelines (2025) set out measures such as age assurance, default private settings for minors' accounts, and parental controls. Designated VLOPs include Facebook and Instagram (Meta), TikTok, YouTube, Snapchat, and X (formerly Twitter).
The EU Digital Services Act (Regulation 2022/2065) establishes horizontal obligations for online platforms including gaming and entertainment platforms. Gaming platforms must implement content moderation, algorithmic transparency, minor protection, and dark pattern prohibitions. Very Large Online Platforms (VLOPs, 45M+ EU users) face enhanced obligations including systemic risk assessments, independent audits, and data access for researchers. Fully applicable from February 17, 2024.
The EU Energy Performance of Buildings Directive (EPBD) recast (Directive 2024/1275, 2024) significantly enhances building energy performance requirements and introduces digital building elements. Key provisions include: mandatory digital building logbooks, building renovation passports, smart readiness indicator (SRI), building automation and control systems (BACS), and the zero-emission building (ZEB) standard by 2030 for new buildings. The directive requires Member States to establish national building data infrastructure, digital building twins, and energy performance certificate (EPC) databases. Buildings account for 40% of EU energy consumption.
Regulation (EU) 2025/327 establishing the European Health Data Space. Creates a common framework for sharing and using health data across the EU, covering both primary use (direct healthcare) and secondary use (research, policymaking, AI). Entered into force 26 March 2025, with primary use from 2027 and secondary use from 2029.
The European Media Freedom Act (Regulation 2024/1083), applicable from August 2025, establishes a common framework for media services in the EU's internal market. It protects editorial independence, media pluralism, and journalistic sources. Key provisions include prohibition of spyware against journalists, transparency of media ownership, independence of public service media, and establishment of the European Board for Media Services. Complements the Digital Services Act and Audiovisual Media Services Directive.
EU GMP Annex 11 (revised 2011) provides guidance on the application of Good Manufacturing Practice (GMP) to computerised systems used in pharmaceutical manufacturing and quality control. Published by the European Commission as part of EudraLex Volume 4. Covers the complete lifecycle of computerised systems from specification through decommissioning. Key topics include risk management, validation, data integrity, electronic signatures, batch release, and cloud computing. Applicable to all computerised systems used in GMP-regulated activities.
The EU General Product Safety Regulation (GPSR, Regulation 2023/988), applicable from 13 December 2024, replaces the General Product Safety Directive (2001/95/EC). The GPSR establishes safety requirements for consumer products placed on the EU market, including for the first time explicit coverage of digital products, AI-enabled products, and cybersecurity risks as product safety concerns. Key provisions include: cybersecurity risks in product safety assessment, online marketplace obligations (Art. 22), product traceability requirements, serious risk rapid alert system (Safety Gate), and mandatory product recalls. Applies to all consumer products not covered by sector-specific EU legislation.
The EU In Vitro Diagnostic Regulation (EU 2017/746) establishes the regulatory framework for IVD medical devices in the European Union. Effective May 26, 2022 (with transitional provisions through 2028), it replaces the IVD Directive 98/79/EC. IVDR introduces a new risk-based classification system (Class A-D), strengthened conformity assessment, and enhanced post-market surveillance requirements.
The EU Machinery Regulation (Regulation (EU) 2023/1230, replacing Directive 2006/42/EC) establishes health and safety requirements for machinery and related products placed on the EU market. Effective January 20, 2027, it addresses digital technologies, AI integration, cybersecurity of safety functions, and autonomous machinery. Introduces mandatory third-party conformity assessment for high-risk machinery categories.
The EU Maritime Single Window Environment Regulation (EU 2019/1239) establishes a harmonised framework for electronic reporting by ships arriving at and departing from EU ports, effective from 15 August 2025. The European Maritime Safety Agency (EMSA) provides cybersecurity guidelines for the maritime sector aligned with NIS2. The EU maritime regulatory framework includes: the Port Facility Security Directive (2005/65/EC) implementing the ISPS Code, MRV Regulation for shipping emissions monitoring, and EMSA's role in maritime cybersecurity capacity building. The Maritime Single Window requires secure data exchange between port authorities, customs, and maritime administrations across all EU member states.
The Markets in Crypto-Assets Regulation (Regulation 2023/1114 — MiCA), applicable from December 30, 2024 (with earlier dates for stablecoins), establishes a comprehensive EU regulatory framework for crypto-assets not covered by existing financial services legislation. MiCA covers issuance and trading of crypto-assets, stablecoins (ARTs and EMTs), and crypto-asset service providers (CASPs). Supervised by national competent authorities with EBA and ESMA coordination. First comprehensive crypto regulation globally.
The EU Markets in Crypto-Assets Regulation (MiCA, Regulation 2023/1114), fully applicable from 30 December 2024, is the world's first comprehensive regulatory framework for crypto-assets. MiCA covers: asset-referenced tokens (stablecoins), e-money tokens, utility tokens, and other crypto-assets. Key requirements include: authorisation for crypto-asset service providers (CASPs), white paper requirements, reserve requirements for stablecoins, market abuse prevention, and consumer protection. Supervised by national competent authorities with ESMA and EBA coordination. Applies to all CASPs operating in the EU and crypto-assets offered to EU residents.
Regulation (EU) 2017/745 on medical devices replaces Directives 90/385/EEC and 93/42/EEC. It establishes a comprehensive regulatory framework for medical devices in the EU covering the entire product lifecycle from design and manufacturing through post-market surveillance. Applies to all medical devices placed on the EU market. Fully applicable since May 2021.
The EU Network and Information Security Directive 2 (NIS2, Directive 2022/2555), with a national transposition deadline of 17 October 2024, significantly strengthens cybersecurity requirements for the energy sector. Energy entities (electricity, oil, gas, hydrogen, district heating and cooling) are listed in Annex I as sectors of high criticality and, above the size thresholds, are classified as essential entities subject to the highest tier of requirements and supervision. Key obligations include cybersecurity risk management measures, supply chain security, incident reporting (24-hour early warning, 72-hour incident notification, final report within one month), management body accountability, and cooperation with national CSIRTs. Penalties for essential entities of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.
The NIS2 Directive (Directive 2022/2555) includes transport as a sector of high criticality requiring enhanced cybersecurity measures. This covers air transport (air carriers, airport managing bodies, air traffic management/air navigation service (ATM/ANS) providers), rail transport (railway undertakings, infrastructure managers), water transport (shipping companies, port managing bodies, vessel traffic service (VTS) operators), and road transport (ITS operators, road authorities). Transport entities must implement risk management measures, incident reporting, supply chain security, and business continuity. National transposition deadline was October 17, 2024.
The EU Network Code on Cybersecurity for the Electricity Sector (Commission Delegated Regulation 2024/1366) establishes sector-specific cybersecurity rules for cross-border electricity flows. Adopted under the Electricity Regulation (2019/943), it requires electricity entities to implement cybersecurity risk management, conduct risk assessments, and report incidents. Supervised by national competent authorities with ENISA and ACER coordination. Covers TSOs, DSOs, electricity market operators, and critical service providers.
The proposed EU Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR), published by the European Commission in June 2023, will replace PSD2. Key changes include enhanced fraud prevention (IBAN/name matching), improved open banking (dedicated data access interface requirements), stronger consumer protection, and a new framework for non-bank PSPs to access payment systems. PSR will be directly applicable; PSD3 requires national transposition.
The EU Pay Transparency Directive (2023/970), adopted in May 2023 with Member State transposition by June 7, 2026, establishes binding measures to strengthen the principle of equal pay between men and women. Key requirements include pay transparency in job advertisements, prohibition on salary history questions, employee right to pay information, gender pay gap reporting (for employers with 100+ employees), and joint pay assessments when gaps exceed 5%. Enforcement through compensation, penalties, and reversal of burden of proof.
The EU Platform Work Directive (2024/2831), adopted in October 2024 with Member State transposition by December 2, 2026, establishes rules to improve working conditions for platform workers and regulate algorithmic management. Key provisions include a legal presumption of employment relationship (rebuttable), transparency and fairness requirements for algorithmic management systems, human oversight of automated decisions, and data protection provisions. Applies to digital labour platforms operating in the EU.
The revised EU Product Liability Directive (Directive (EU) 2024/2853, replacing Directive 85/374/EEC) modernizes strict liability rules for defective products. Key updates include explicit coverage of software (including AI), digital manufacturing files, and online platforms. Introduces disclosure of evidence obligations, eases burden of proof in complex cases (especially AI), and covers damage to data. Effective 2026.
Regulation (EU) 2019/2088 on sustainability-related disclosures in the financial services sector. Requires financial market participants and financial advisers to disclose sustainability risks and adverse impacts of investment decisions. Supplemented by Delegated Regulation (EU) 2022/1288 establishing Regulatory Technical Standards including mandatory Principal Adverse Impact (PAI) indicators.
The Seveso III Directive (Directive 2012/18/EU) on the control of major-accident hazards involving dangerous substances establishes requirements for the prevention of major accidents and the limitation of their consequences for human health and the environment. It classifies establishments as lower-tier or upper-tier based on quantities of dangerous substances present. Requires safety reports, emergency plans, land-use planning, and public information.
The EU Taxonomy Regulation (2020/852) establishes a classification system for environmentally sustainable economic activities. It defines six environmental objectives and technical screening criteria that economic activities must meet to qualify as sustainable. Companies subject to CSRD must disclose the proportion of their turnover, capital expenditure, and operating expenditure associated with Taxonomy-aligned activities. Applies to financial market participants, large companies, and EU member states.
The EU Taxonomy Regulation (2020/852) establishes a classification system for environmentally sustainable economic activities. Companies subject to CSRD must report the proportion of their turnover, capital expenditure, and operating expenditure associated with Taxonomy-aligned activities. Six environmental objectives: climate change mitigation, climate change adaptation, sustainable use of water, transition to circular economy, pollution prevention, and protection of biodiversity. Technical screening criteria defined in delegated acts.
The EU Taxonomy Regulation (2020/852) establishes a classification system for environmentally sustainable economic activities. Applicable from 2022 for climate objectives and 2024 for all six environmental objectives. Companies subject to CSRD must report the proportion of their turnover, capex, and opex that qualifies as taxonomy-aligned. Six environmental objectives: climate change mitigation, climate change adaptation, sustainable use of water, transition to a circular economy, pollution prevention, and protection of biodiversity. Technical screening criteria define substantial contribution thresholds and do-no-significant-harm (DNSH) criteria for each activity. Minimum social safeguards must also be met.
The EU Union Customs Code (UCC, Regulation 952/2013), applicable since May 2016, modernises EU customs legislation and includes significant data processing, security, and risk management provisions. The UCC establishes the legal framework for customs IT systems processing trade data. Key data elements include EORI (Economic Operators Registration and Identification), Entry Summary Declarations, and customs declarations. Data protection is governed by GDPR in conjunction with customs-specific data retention and sharing rules. The UCC also establishes the EU AEO programme.
The EU Web Accessibility Directive (Directive 2016/2102) requires websites and mobile applications of public sector bodies in EU Member States to be accessible to persons with disabilities. Transposed into national law across all 27 Member States. Technical standard: EN 301 549 (WCAG 2.1 Level AA). Covers websites (compliance from September 2020) and mobile applications (compliance from June 2021). Requires accessibility statements, feedback mechanisms, and regular monitoring. European Commission oversight with Member State enforcement bodies.
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (Whistleblower Protection Directive). Establishes minimum standards for protecting whistleblowers reporting breaches of EU law in areas including public procurement, financial services, product safety, environmental protection, food safety, public health, consumer protection, data protection, and more.
Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive). As amended by Directive 2009/136/EC, it covers confidentiality of communications, cookies and tracking, direct marketing, traffic and location data, and caller ID. Complements the GDPR for electronic communications.
Egypt's Personal Data Protection Law (Law No. 151 of 2020) establishes Egypt's comprehensive data protection framework. It creates the Data Protection Center under the Information Technology Industry Development Agency (ITIDA) as the regulatory authority. The law establishes data processing principles, consent requirements, individual rights, and cross-border transfer restrictions. Applies to processing of personal data by controllers and processors in Egypt.
The Equator Principles (EP4, July 2020) are a financial industry framework for identifying, assessing, and managing environmental and social risk in project finance, project-related corporate loans, bridge loans, and project-related refinance. Adopted by 138 financial institutions in 38 countries covering the majority of international project finance. Based on IFC Performance Standards and World Bank EHS Guidelines. EP4 covers climate change, human rights, Indigenous Peoples, biodiversity, and stakeholder engagement. Equator Principles Financial Institutions (EPFIs) commit to not financing projects that fail to meet EP requirements.
Estonia's Personal Data Protection Act (Isikuandmete kaitse seadus, IKS) of 2019 supplements the EU GDPR with national provisions. The Data Protection Inspectorate (Andmekaitse Inspektsioon) oversees enforcement. Estonia's Act includes provisions for processing of national identification codes (isikukood), processing of personal data in employment relationships, video surveillance, scientific research and statistics, and the age of digital consent (13 years). Estonia is notable for its advanced e-government and digital identity infrastructure (X-Road, e-Residency).
The Ethical Trading Initiative (ETI) Base Code is an internationally recognised code of labour practice founded on ILO core conventions. The ETI is a UK-based alliance of companies, trade unions, and NGOs promoting respect for workers' rights globally. The Base Code comprises nine clauses covering employment conditions. ETI members commit to implementing the Base Code in their supply chains. Over 100 corporate members including major UK and international retailers and brands. The Base Code is widely used as the benchmark for labour standards in global supply chain auditing.
Ethiopia's Personal Data Protection Proclamation No. 1321/2024, enacted in July 2024, establishes a comprehensive data protection framework. It creates the Information Network Security Administration (INSA) as the supervisory authority. The law establishes processing principles, data subject rights, controller obligations, and cross-border transfer restrictions. Applies to processing of personal data by public and private entities in Ethiopia.
The European Accessibility Act (EAA, Directive (EU) 2019/882) establishes common accessibility requirements for key products and services in the EU. Effective June 28, 2025, it covers computers, smartphones, ATMs, ticketing machines, e-commerce, banking services, e-books, and audiovisual media services. Harmonized accessibility requirements based on EN 301 549. Applies to economic operators placing products or providing services in the EU internal market.
The Extractive Industries Transparency Initiative (EITI) Standard (2023 edition) is the global standard for the good governance of oil, gas, and mineral resources. 57 implementing countries. The EITI requires disclosure of information along the extractive industry value chain: from contracts and licences, to production, revenue collection, revenue allocation, and social/economic spending. Multi-stakeholder governance with government, industry, and civil society representation. Countries undergo validation to assess compliance with the EITI Standard. The EITI Board oversees global implementation.
The Federal Aviation Administration (FAA) cybersecurity framework addresses cybersecurity risks in civil aviation systems including air traffic management, aircraft systems, and airport infrastructure. FAA Order 1370.82A establishes the agency's cybersecurity programme aligned with NIST CSF. The framework covers airborne systems (DO-326A/ED-202A), ground systems, and organisational security. The Aviation Cybersecurity Strategy (2023) outlines the FAA's approach to evolving cyber threats including connected aircraft and remotely piloted systems.
Financial Action Task Force (FATF) Recommendations on International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation. The global standard for anti-money laundering (AML) and counter-terrorist financing (CFT). Adopted 2012, regularly updated. 40 Recommendations organized across 7 thematic groups.
FATF (Financial Action Task Force) Recommendation 16 (the Travel Rule) as applied to virtual assets requires Virtual Asset Service Providers (VASPs) to obtain, hold, and transmit originator and beneficiary information for virtual asset transfers at or above the USD/EUR 1,000 de minimis threshold. Adopted in 2019 as part of FATF's Updated Guidance on Virtual Assets and VASPs. Implementation varies by jurisdiction: EU via the Transfer of Funds Regulation (TFR) recast (Regulation (EU) 2023/1113, which applies with no minimum threshold), US via FinCEN rules, Singapore via the PSA, Japan via JFSA guidance. Key challenge: blockchains carry no messaging layer for this data, so it must travel out of band between VASPs. Solutions include TRUST (Travel Rule Universal Solution Technology), OpenVASP, and Shyft Network.
The FBI Criminal Justice Information Services (CJIS) Security Policy establishes minimum security requirements for access to FBI CJIS Division systems and information including the National Crime Information Center (NCIC), Interstate Identification Index (III), and National Instant Criminal Background Check System (NICS). Version 5.9.4 (2024) applies to all entities accessing criminal justice information (CJI) including law enforcement, contractors, and cloud service providers.
The US Federal Communications Commission (FCC) Customer Proprietary Network Information (CPNI) rules (47 CFR Part 64, Subpart U) protect the confidentiality of customer telecommunications data. CPNI includes call records, services purchased, and network usage and billing information. The FCC's December 2023 Data Breach Notification Report and Order expanded the definition of a breach to cover inadvertent access, use, or disclosure and extended coverage to personally identifiable information beyond CPNI. Carriers must notify the FCC, FBI, and Secret Service no later than seven business days after reasonably determining that a breach affecting 500 or more customers has occurred (smaller breaches are reported to those agencies in an annual summary), and must notify affected customers without unreasonable delay and no later than 30 days after that determination, unless law enforcement requests a delay. Applies to telecommunications carriers, interconnected VoIP providers, and TRS providers.
21 CFR Part 11 (Electronic Records; Electronic Signatures) sets the FDA's criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures (pharmaceutical/medical devices).
The FDA Quality Management System Regulation (QMSR), effective February 2026, replaces the Quality System Regulation (21 CFR Part 820) by incorporating ISO 13485:2016 by reference. It aligns FDA quality system requirements for medical device manufacturers with the international standard, reducing regulatory burden for manufacturers operating globally while maintaining FDA-specific requirements for design controls and post-market surveillance.
The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) helps financial institutions identify cybersecurity risks and determine their preparedness. Based on the NIST Cybersecurity Framework, it assesses an institution's inherent risk profile and its cybersecurity maturity across five domains. Used by FFIEC member agencies (OCC, FDIC, Federal Reserve, NCUA, CFPB) during examinations. In August 2024 the FFIEC announced that the CAT would be sunset on August 31, 2025, pointing institutions to NIST CSF 2.0 and CISA's Cybersecurity Performance Goals as alternatives.
Federal Financial Institutions Examination Council IT guidance
FIDO2 is the passwordless authentication standard developed by the FIDO Alliance and W3C. FIDO2 consists of two components: WebAuthn (W3C Web Authentication API) and CTAP2 (Client-to-Authenticator Protocol). FIDO2 enables passwordless, phishing-resistant authentication using public key cryptography. Supported by all major browsers (Chrome, Firefox, Safari, Edge), operating systems (Windows Hello, macOS/iOS Face ID/Touch ID, Android biometrics), and platforms (Google Passkeys, Apple Passkeys, Microsoft Passkeys). Over 12 billion accounts can use FIDO2. FIDO Alliance has 300+ member companies. FIDO2 passkeys are the recommended replacement for passwords by NIST, CISA, and ENISA.
FIDO2 (Fast IDentity Online) comprises the W3C Web Authentication (WebAuthn) specification and the FIDO Alliance Client-to-Authenticator Protocol (CTAP). WebAuthn Level 3 (2025) enables passwordless authentication using public key cryptography. Authenticators include platform authenticators (biometrics), roaming authenticators (security keys), and passkeys (synced credentials). Supported by all major browsers and operating systems. Over 15 billion accounts enabled for passkey sign-in.
The Forum of Incident Response and Security Teams (FIRST) is the global organisation of Computer Security Incident Response Teams (CSIRTs). FIRST has 700+ member teams across 107 countries. Key frameworks include: FIRST CSIRT Services Framework 2.1 (defines 42 services across 5 areas), SIM3 (Security Incident Management Maturity Model), FIRST PSIRT Services Framework (for product vendors), and Traffic Light Protocol (TLP) 2.0 for information sharing. FIRST also maintains the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS). FIRST standards are the basis for CSIRT establishment and maturity assessment worldwide.
FSSC 22000 is a GFSI-benchmarked certification scheme for food safety management systems based on ISO 22000, sector-specific technical specifications (ISO/TS 22002 series), and additional FSSC 22000 requirements. Version 6.0 (2023) covers food manufacturing, catering, animal feed, packaging, biochemicals, and food storage. Recognised by the Global Food Safety Initiative (GFSI) and major food retailers worldwide.
The FTC's Standards for Safeguarding Customer Information (Safeguards Rule, revised 2021, effective June 2023) implements the Gramm-Leach-Bliley Act (GLBA) requirements for financial institutions. It mandates a comprehensive information security programme with specific technical controls including encryption, MFA, access controls, and incident response. Applies to non-banking financial institutions including auto dealers, mortgage brokers, and tax preparers.
The FTC Health Breach Notification Rule (16 CFR Part 318) requires vendors of personal health records (PHR) and PHR-related entities to notify individuals, the FTC, and in some cases the media following a breach of unsecured personally identifiable health information. Updated in 2024 to clarify applicability to health apps, wearables, and other digital health technologies not covered by HIPAA.
Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act. 16 CFR Part 314 requires FTC-regulated financial institutions to develop, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards to protect customer information. Revised final rule effective June 9, 2023; breach notification amendment effective May 13, 2024.
The Fair Labor Association (FLA) Workplace Code of Conduct establishes labour standards for the supply chains of FLA participating companies. Based on ILO standards and internationally recognised labour rights. The FLA conducts independent external monitoring (IEM) assessments at supplier factories. FLA accreditation certifies that a company has implemented a comprehensive social compliance programme. Participating companies include major apparel, footwear, and agriculture brands. The FLA is a multi-stakeholder initiative with industry, university, and civil society members.
Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by US federal agencies. Based on NIST SP 800-53 Rev 5, FedRAMP defines Low, Moderate, High, and LI-SaaS impact baselines with specific control requirements and parameters for cloud service providers.
Fiji's Data Protection Bill (introduced 2020) proposes a comprehensive data protection framework for Fiji, modelled on the EU GDPR. The bill covers processing principles, data subject rights, consent requirements, cross-border transfer provisions, and breach notification obligations. The Office of the Information Commissioner would serve as the supervisory authority. While not yet enacted, the bill represents Fiji's move toward comprehensive data protection legislation aligned with international standards.
Finland's Data Protection Act (Tietosuojalaki, 1050/2018) supplements the EU GDPR with national provisions. The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) oversees enforcement. The Act covers processing of special categories of data, national identification numbers (henkilötunnus), processing for research and statistics, the age of digital consent (13 years), and enforcement procedures. Finland also has sector-specific legislation including the Act on Electronic Communications Services and the Act on the Openness of Government Activities.
The Florida Digital Bill of Rights (SB 262, 2023, codified as F.S. 501.701-501.721) is Florida's comprehensive consumer data privacy law. Unlike most US state privacy laws, it applies only to businesses with global gross annual revenues exceeding $1 billion. Includes specific provisions for children's data, social media platforms, and search engine transparency. Effective July 1, 2024.
The Florida Digital Bill of Rights (SB 262), signed into law in June 2023 and effective July 1, 2024, establishes consumer data privacy protections for Florida residents. Applies to for-profit entities with global revenues exceeding $1 billion that conduct substantial business in Florida. Notable for its high revenue threshold (limiting scope to large technology companies), children's online protections, and restrictions on government surveillance via consumer data purchases.
The French Sapin II Law (Law No. 2016-1691 of 2016) on transparency, anti-corruption, and modernisation of economic life establishes anti-corruption compliance obligations for French companies. Article 17 requires companies with 500+ employees and EUR 100M+ revenue to implement eight anti-corruption measures. The Agence Française Anticorruption (AFA) monitors and enforces compliance. Also establishes whistleblower protection provisions.
Full Range Leadership Model (FRLM): comprehensive leadership theory by Bernard M. Bass (1985) and Bruce J. Avolio integrating a spectrum from passive-avoidant through transactional to transformational leadership. Operationalized through the Multifactor Leadership Questionnaire (MLQ 5X) measuring nine leadership factors plus three outcome variables. Research shows transformational leadership augments transactional leadership, yielding superior organizational outcomes.
GAMP 5 (Good Automated Manufacturing Practice Guide, 2nd Edition 2022) is an ISPE guidance document providing a risk-based approach to the validation of computerized systems in the pharmaceutical and healthcare industries. It aligns with regulatory expectations from FDA, EMA, and other agencies. Covers the complete system lifecycle from concept through retirement with emphasis on critical thinking and leveraging supplier activities.
General Data Protection Regulation - EU regulation on data protection and privacy for all individuals within the European Union and European Economic Area
The Greenhouse Gas Protocol Corporate Accounting and Reporting Standard (Revised Edition 2004/2015) and Corporate Value Chain (Scope 3) Accounting and Reporting Standard (2011). Published by the World Resources Institute (WRI) and the World Business Council for Sustainable Development (WBCSD). The most widely used international accounting tool for government and business to understand, quantify, and manage greenhouse gas emissions.
Gramm-Leach-Bliley Act Safeguards Rule for financial institutions
GLI-33 (Event Wagering Systems) is a technical standard published by Gaming Laboratories International (GLI) for online and mobile sports betting systems. It covers system requirements for event wagering platforms including security, data integrity, account management, geolocation, and responsible gambling. Referenced by gaming regulators in the United States and internationally as the basis for sports betting system certification.
GLOBALG.A.P. (Good Agricultural Practices) Integrated Farm Assurance (IFA) Standard Version 6 (2022) is the world's leading farm certification programme. It covers food safety, sustainability, workers' wellbeing, and animal welfare across crops, livestock, and aquaculture. Over 200,000 certified producers in 135+ countries. GFSI-benchmarked for primary production. Key modules include food safety, environment, workers' health and safety, and traceability. GRASP (GLOBALG.A.P. Risk Assessment on Social Practice) is available as an add-on module covering social practice on the farm.
Global Reporting Initiative sustainability reporting standards
GS1 is the global standards organisation for supply chain identification and data exchange, serving over 2 million member companies in 116 countries. GS1 standards underpin global retail, healthcare, and logistics operations. Key standards include: GTIN (Global Trade Item Number, encoded in barcodes), GLN (Global Location Number), SSCC (Serial Shipping Container Code), GDSN (Global Data Synchronisation Network), GS1 Digital Link, EPCIS (Electronic Product Code Information Services) for supply chain visibility, and GS1 Healthcare. GS1 standards are mandated or required by major retailers (Walmart, Amazon, Carrefour), healthcare regulators (FDA UDI, EU MDR), and logistics operators. Serialised identifiers (for example SGTINs in EPCIS event data) support traceability and authenticity verification, but an identifier alone does not authenticate a product: a GTIN can be copied onto a counterfeit, so authenticity rests on the integrity of the event data and the systems that record it.
Georgia's Law on Personal Data Protection (2012, with a new law adopted in 2023) establishes a comprehensive data protection framework aligned with European standards. Oversight was exercised by the State Inspector's Service until 2022, when it was split into the Personal Data Protection Service (data protection supervision) and the Special Investigation Service. The 2023 law strengthened alignment with the EU GDPR as part of Georgia's EU accession process. Covers processing principles, lawful bases, data subject rights, cross-border transfers, and DPO requirements.
The German Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz — LkSG), effective January 1, 2023, requires companies to identify, prevent, and mitigate human rights and environmental risks in their supply chains. Initially applicable to companies with 3,000+ employees (2023), extended to 1,000+ employees (2024). The Federal Office for Economic Affairs and Export Control (BAFA) is the enforcement authority. Civil liability provisions and administrative fines up to 2% of global turnover.
The Ghana Data Protection Act 2012 (Act 843) establishes the Data Protection Commission and provides for the protection of individual privacy and personal data. It regulates the collection, use, storage, and disclosure of personal data. Applies to data processing by both public and private entities in Ghana. The Commission registers data controllers, handles complaints, and enforces compliance.
The Global Cross-Border Privacy Rules (Global CBPR) Forum, established in April 2022, is an international certification system for data privacy. Building on the APEC CBPR system, it is open to any economy worldwide. Founding members include the US, Canada, Japan, South Korea, Singapore, Australia, and others (with the UK, EU, and others as observers). The Global CBPR provides two certification programmes: CBPR for data controllers and PRP (Privacy Recognition for Processors) for data processors.
Daniel Goleman's framework mapping emotional and social competencies to leadership effectiveness, developed from research on 500+ competency models at global organizations. The framework includes four EI domains with competencies measured by the ESCI (Emotional and Social Competency Inventory), plus six leadership styles showing how EI manifests in distinct leadership approaches.
Greece's Law 4624/2019 supplements the EU GDPR with national provisions and establishes the Hellenic Data Protection Authority (HDPA — Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) as the supervisory authority. The law includes provisions for the age of digital consent (15 years), processing by law enforcement (transposing the LED Directive 2016/680), employee data, video surveillance, and research derogations. Greece also transposed the LED for criminal law enforcement data processing in the same legislation.
Health Insurance Portability and Accountability Act security standards for protecting electronic protected health information (ePHI)
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, promotes the meaningful use of health information technology. It strengthens HIPAA enforcement, establishes breach notification requirements for unsecured protected health information, increases penalties for HIPAA violations, and extends HIPAA requirements directly to business associates.
The Hong Kong Monetary Authority (HKMA) Cyber Resilience Assessment Framework (C-RAF) provides a comprehensive framework for authorized institutions to assess their cyber resilience maturity. Introduced in 2016 and enhanced through subsequent guidance, it establishes inherent risk profiling and maturity assessment across governance, identification, protection, detection, and response/recovery domains.
Hong Kong Monetary Authority Supervisory Policy Manual - Technology Risk
The HL7 FHIR (Fast Healthcare Interoperability Resources) Security Framework provides security and privacy specifications for FHIR-based health data exchange. It defines authentication, authorization, audit logging, and consent management patterns for FHIR APIs. Includes SMART on FHIR (Substitutable Medical Applications and Reusable Technologies) for OAuth 2.0-based authorization. Central to US ONC interoperability rules and international health data exchange.
Ronald Heifetz's framework for mobilizing people to tackle tough challenges and thrive, distinguishing between technical problems and adaptive challenges. Developed at Harvard Kennedy School and published across Leadership Without Easy Answers (1994), Leadership on the Line (2002), and The Practice of Adaptive Leadership (2009).
Paul Hersey and Ken Blanchard's Situational Leadership Theory proposing that leaders must adapt their style to the maturity (readiness) level of followers. Originally developed in 1969 as the Life Cycle Theory of Leadership, updated through multiple editions. Blanchard's SLII version (2013) uses 'development level' instead of 'maturity.'
The Hong Kong Personal Data (Privacy) Ordinance (Cap 486, enacted 1996, significantly amended 2012 and 2021) regulates the collection, use, storage, and transfer of personal data. The Privacy Commissioner for Personal Data (PCPD) oversees compliance. The 2021 amendment criminalised doxxing. Establishes six Data Protection Principles (DPPs) governing the lifecycle of personal data. The PCPD has enhanced enforcement powers including criminal prosecution for doxxing.
Hungary's Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act, amended 2018) supplements the EU GDPR with national provisions. The National Authority for Data Protection and Freedom of Information (NAIH — Nemzeti Adatvédelmi és Információszabadság Hatóság) oversees enforcement. The Act covers both data protection and freedom of information. National provisions include the age of digital consent (16 years), research derogations, public interest data access, and administrative fine procedures.
International Association of Classification Societies (IACS) Unified Requirements E26 (Cyber Resilience of Ships) and E27 (Cyber Resilience of On-Board Systems and Equipment), mandatory from 1 July 2024 for new ship construction contracts. E26 addresses ship-level cyber resilience requirements across the vessel lifecycle. E27 addresses equipment-level cyber security requirements for system integrators and equipment suppliers. Together they establish the first mandatory classification society cyber requirements for new builds. All 12 IACS member classification societies must implement these requirements (covering 90%+ of global tonnage). Aligned with IEC 62443 for industrial automation security.
The IAEA Nuclear Security Series No. 17-T (Rev 1) provides technical guidance on implementing computer security at nuclear facilities. It addresses cybersecurity for nuclear instrumentation and control (I&C) systems, safety systems, and information technology supporting nuclear security. Part of the broader IAEA Nuclear Security framework that includes physical protection, nuclear material accounting, and transport security.
The International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICPs) provide a globally accepted framework for the supervision of the insurance sector. The 26 ICPs cover licensing, governance, risk management, conduct of business, group supervision, and cross-border cooperation. They serve as the benchmark for insurance regulation globally and are assessed by the IMF and World Bank as part of Financial Sector Assessment Programs (FSAPs).
The IATA Operational Safety Audit (IOSA) is a globally recognised evaluation system for airline operational management and control systems. IOSA registration is a condition of IATA membership and is accepted by regulatory authorities worldwide. The IOSA Standards Manual covers eight operational areas: corporate organisation and management, flight operations, operational control/flight dispatch, aircraft engineering and maintenance, cabin operations, ground handling, cargo operations, and security management. Over 400 airlines on the IOSA registry. Biennial audit cycle.
IATF 16949:2016 is the international quality management system standard for the automotive industry, published by the International Automotive Task Force (IATF). It supplements ISO 9001:2015 with automotive-specific requirements. Required by major OEMs (GM, Ford, Stellantis, BMW, VW, Toyota, etc.) for their supply chain. Covers product safety, warranty management, APQP (Advanced Product Quality Planning), PPAP (Production Part Approval Process), FMEA, SPC, MSA, and control plans. Over 70,000 certified sites worldwide. Certification by IATF-recognised certification bodies only.
ICAO Annex 17 to the Convention on International Civil Aviation establishes international Standards and Recommended Practices (SARPs) for safeguarding civil aviation against acts of unlawful interference. Covers security of airports, aircraft, passengers, baggage, cargo, mail, and in-flight security. All 193 ICAO member states are required to implement Annex 17 standards through national civil aviation security programmes.
Incoterms 2020, published by the International Chamber of Commerce (ICC), are internationally recognised trade terms that define the responsibilities of buyers and sellers in international and domestic commercial transactions. Effective January 1, 2020. Eleven terms in two groups: terms for any mode of transport (EXW, FCA, CPT, CIP, DAP, DPU, DDP) and terms for sea and inland waterway transport (FAS, FOB, CFR, CIF). Each term specifies: delivery point, risk transfer, cost allocation, insurance, export/import customs, and documentation. Used globally in contracts, letters of credit, and trade finance.
ICH E6(R2) (International Council for Harmonisation, 2016, with R3 under development) establishes international ethical and scientific quality requirements for designing, conducting, recording, and reporting clinical trials. The guideline includes specific provisions for electronic systems, data integrity, and computerised systems used in clinical trials. ICH E6 is implemented in law by regulatory authorities worldwide (FDA, EMA, PMDA, NMPA). Key areas include investigator responsibilities, sponsor obligations, essential documents, quality management systems, and data quality.
ICH E6(R3) Good Clinical Practice (GCP) is the international ethical and scientific quality standard for the design, conduct, performance, monitoring, auditing, recording, analysis, and reporting of clinical trials. The R3 revision (adopted 2023) modernizes GCP for technology-enabled clinical trials, introduces a quality-by-design approach, and addresses decentralized trials, electronic data, and risk-proportionate monitoring.
ICH Q10 describes a comprehensive model for an effective pharmaceutical quality system (PQS) based on ISO quality concepts, applicable GMP regulations, and ICH Q8 (Pharmaceutical Development) and Q9 (Quality Risk Management). It establishes a system for lifecycle management of pharmaceutical products covering development, technology transfer, commercial manufacturing, and product discontinuation. Adopted by FDA, EMA, and PMDA.
The International Council on Mining and Metals (ICMM) Mining Principles establish environmental, social, and governance (ESG) expectations for the responsible mining and metals industry. ICMM members (29 major mining and metals companies and 36 associations) commit to implementing the Mining Principles across their operations. The 2024 update includes 10 principles covering governance, human rights, health and safety, environment, social performance, and stakeholder engagement. Independently validated through ICMM's Validation Framework. Performance expectations and position statements provide detailed requirements.
The International Council of Nurses (ICN) Leadership for Change programme, operational since 1996, builds leadership and management capacity of nurses worldwide. Uses a cascading model where ICN trains national facilitators who then train participants in-country. Over 90 countries have participated.
IEC 60601-1 is the international standard for the safety and essential performance of medical electrical equipment. It establishes general requirements for basic safety and essential performance applicable to all medical electrical equipment and medical electrical systems. The standard covers electrical hazards, mechanical hazards, radiation hazards, EMC, and software requirements (through IEC 62304 reference).
IEC 62304 defines the lifecycle requirements for the development and maintenance of medical device software. It specifies processes, activities, and tasks for each stage of the software lifecycle including planning, requirements analysis, architectural design, detailed design, unit implementation, integration testing, system testing, release, and maintenance. Software safety classification (Class A, B, C) determines the rigor of required activities.
IEC 62351 is a series of standards addressing the cybersecurity of communication protocols used in power systems. It provides security specifications for protocols including IEC 61850 (substation automation), IEC 60870-5 (telecontrol), IEC 61968/61970 (CIM), and DNP3. Covers authentication, encryption, access control, and key management for operational technology (OT) communications in the energy sector.
IEEE Standard for IED Cyber Security Capabilities for substations
IEEE Standard for addressing ethical concerns during system design
IFRS 17 Insurance Contracts, issued by the IASB and effective January 1, 2023, establishes principles for the recognition, measurement, presentation, and disclosure of insurance contracts. It replaces IFRS 4 and provides a consistent global framework for insurance accounting. Key features include the General Measurement Model (building block approach), Premium Allocation Approach for short-duration contracts, and the Contractual Service Margin representing unearned profit.
The ILO Declaration on Fundamental Principles and Rights at Work (1998, amended 2022) identifies ten core labour conventions covering five categories of fundamental rights at work. The 2022 amendment added occupational safety and health as the fifth category. All 187 ILO member states are obligated to respect these principles regardless of ratification. The ten core conventions are: C029 (Forced Labour), C087 (Freedom of Association), C098 (Collective Bargaining), C100 (Equal Remuneration), C105 (Abolition of Forced Labour), C111 (Non-Discrimination), C138 (Minimum Age), C182 (Worst Forms of Child Labour), C155 (Occupational Safety), and C187 (Promotional Framework for OSH).
The sole ILO instrument specifically covering the health sector workforce. Recognizes the vital role of nursing personnel in protecting and improving health and welfare. Adopted 21 June 1977 at the 63rd ILC session. Entered into force 11 July 1979. Ratified by 41 States. Supplemented by Recommendation R157.
The ILO Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy (MNE Declaration, 6th edition 2022) provides guidance to multinational enterprises, governments, and employers' and workers' organisations on employment, training, conditions of work and life, and industrial relations. It is the only ILO instrument that provides direct guidance to enterprises on social policy and inclusive, responsible, and sustainable workplace practices. Voluntary but widely referenced in responsible business conduct frameworks.
The International Maritime Organization (IMO) guidelines on maritime cyber risk management provide recommendations for safeguarding shipping from cybersecurity threats. IMO Resolution MSC.428(98) affirms that maritime cyber risk should be addressed in Safety Management Systems (SMS) as per the ISM Code. Guidelines provide a risk-based approach aligned with NIST CSF. Applicable to ships, port facilities, and maritime organizations.
The Institute of Risk Management (IRM) provides professional risk management standards and qualifications. The IRM Enterprise Risk Management framework guides organisations in developing and implementing ERM. Key publications: IRM Risk Management Standard (2002, with ISO 31000 alignment), IRM Horizon Scanning guidance, IRM Cyber Risk Resources, and IRM Risk Culture guidance. IRM is the world's leading professional body for risk management, with members in 143 countries. IRM qualifications (International Certificate/Diploma/Advanced Diploma in Risk Management) are recognised globally by employers and regulators.
IRS Publication 1075 (Rev. 2024) provides guidance for federal, state, and local agencies and their contractors/agents to ensure the security of Federal Tax Information (FTI) received from the IRS. It establishes requirements based on NIST SP 800-53 for safeguarding FTI throughout its lifecycle. Compliance is mandatory for all entities receiving FTI under IRC Section 6103.
International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB), provides a framework for practitioners to issue assurance reports on controls at a service organisation. Type 1 reports describe controls and their design suitability at a point in time. Type 2 reports also include operating effectiveness testing over a period. Used globally (outside the US where SSAE 18 applies) for service organisation assurance, particularly in financial services, IT outsourcing, and cloud computing.
Information System Security Management and Assessment Program for cloud
ISO 14064 (Parts 1-3) provides specifications and guidance for quantification, monitoring, reporting, and verification of greenhouse gas (GHG) emissions and removals. Part 1 (2018) covers organisation-level GHG inventories. Part 2 (2019) covers project-level GHG emission reductions. Part 3 (2019) covers verification and validation of GHG assertions. Aligned with the GHG Protocol. Used for corporate carbon accounting, emissions trading, and climate disclosure under CSRD, SEC, and ISSB requirements.
ISO 15189:2022 (4th edition) specifies requirements for quality and competence in medical (clinical) laboratories. It covers examination processes (pre-examination, examination, post-examination), quality management systems, and resource requirements specific to medical laboratories. Applicable to clinical chemistry, haematology, microbiology, pathology, immunology, and other medical laboratory disciplines. Accreditation to ISO 15189 is increasingly required by healthcare regulators and insurers. The 2022 revision introduces risk-based thinking and aligns with ISO/IEC 17025:2017 structure.
ISO 19650 is the international standard series for Building Information Modelling (BIM) and managing information over the whole lifecycle of a built asset. ISO 19650-1:2018 covers concepts and principles, ISO 19650-2:2018 covers the delivery phase, ISO 19650-3:2020 covers the operational phase, and ISO 19650-5:2020 covers security-minded information management. The standard establishes the common data environment (CDE), information delivery processes, and roles/responsibilities for BIM projects. Mandated for public sector projects in the UK and increasingly adopted globally.
ISO 20400 provides guidance for organizations on integrating sustainability into procurement processes. It addresses the principles of sustainable procurement, integrating sustainability into procurement policy and strategy, organizing the procurement function for sustainability, and embedding sustainability into the procurement process. Applicable to any organization regardless of its activity or size.
ISO 22313:2020 provides guidance for planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving a business continuity management system (BCMS) as specified in ISO 22301. It provides explanatory text, examples, and good practices for each clause of ISO 22301. Does not add new requirements but helps organisations understand and implement ISO 22301 effectively. Applicable alongside ISO 22301 as an implementation guide.
ISO 22320 provides guidelines for emergency management including incident response operations, incident management, and operational coordination. It addresses requirements for effective incident management including command and control, operational information, and cooperation and coordination between organizations.
ISO 22739:2024 (previously ISO 22739:2020) provides the standardised vocabulary for blockchain and distributed ledger technologies (DLT). Part of the ISO/TC 307 (Blockchain and distributed ledger technologies) family of standards. Related standards include: ISO/TR 23455 (Smart Contracts overview), ISO/TR 23244 (Privacy and PII protection), ISO 23257 (Reference Architecture), ISO/TR 23576 (Security management), and ISO/TS 23635 (DLT-based digital asset custody). TC 307 working groups cover: reference architecture, taxonomy, use cases, security, privacy, identity, smart contracts, governance, and interoperability. Adopted by 40+ national standards bodies.
ISO 26000 provides guidance on social responsibility for all types of organizations. It covers the seven core subjects of social responsibility: organizational governance, human rights, labour practices, the environment, fair operating practices, consumer issues, and community involvement and development. It is a guidance standard, not certifiable.
ISO 26262:2018 (2nd edition) is the international standard for functional safety of electrical and electronic (E/E) systems in road vehicles. It addresses hazards caused by malfunctioning behaviour of E/E safety-related systems. Defines Automotive Safety Integrity Levels (ASIL A-D) based on hazard analysis. Covers the full safety lifecycle from concept through decommissioning. 12 parts covering management, system/hardware/software development, production, and field monitoring. The foundational automotive safety standard.
International standard for establishing, implementing, maintaining and continually improving an information security management system (ISMS)
Information security, cybersecurity and privacy protection - Information security controls
Code of practice for information security controls based on ISO 27002 for cloud services
Code of practice for protection of PII in public clouds acting as PII processors
Information security controls for the energy utility industry
Privacy information management extension to ISO 27001 and ISO 27002
Information security management in health using ISO 27002
ISO 28001 specifies the requirements and guidance for organizations in international supply chains to develop and implement supply chain security management processes. It establishes best practices for assessing supply chain security threats and implementing appropriate countermeasures. Part of the ISO 28000 series, it supports customs trade partnership programs and Authorized Economic Operator (AEO) status.
ISO 30414:2018 provides guidelines on human capital reporting (HCR) for internal and external stakeholders. It defines 58 metrics across 11 areas covering workforce diversity, leadership, organisational culture, health and safety, productivity, recruitment, turnover, skills and capabilities, succession planning, workforce availability, and compliance. Supports ESG reporting, investor decision-making, and strategic workforce planning. Applicable to organisations of all sizes.
ISO 37000:2021 Governance of Organizations — Guidance. Provides guidance on the governance of organizations, establishing principles and key aspects of practice to help governing bodies and other stakeholders. Applicable to all organizations regardless of type, size, or sector. Focuses on purpose, value generation, strategy, oversight, and accountability.
ISO 37000:2021 provides guidance on the governance of organizations. It establishes principles and key aspects of practice to guide governing bodies in fulfilling their governance responsibilities. Covers purpose and value generation, oversight strategy, stakeholder engagement, societal responsibility, accountability, and performance monitoring. Applicable to all types of organizations regardless of type, size, or sector.
ISO 37002:2021 provides guidelines for establishing, implementing, maintaining, and improving a whistleblowing management system. It covers receiving, assessing, and addressing reports of wrongdoing. Based on four principles: trust, impartiality, protection, and accessibility. Applicable to all organisations regardless of type, size, or sector. Supports compliance with whistleblowing legislation including the EU Whistleblowing Directive, US SOX, and Dodd-Frank. Complementary to ISO 37001 (anti-bribery) and ISO 37301 (compliance).
ISO 39001 specifies requirements for a road traffic safety (RTS) management system to enable organizations that interact with the road traffic system to reduce death and serious injuries from road traffic crashes. Applicable to all organizations regardless of type, size, or nature of product/service, including those managing road networks, designing vehicles, transporting goods/passengers, or generating road traffic through their activities.
ISO 41001:2018 specifies requirements for a facility management (FM) system when an organisation needs to demonstrate effective and efficient delivery of FM that supports the objectives of the organisation. Based on the Harmonised Structure (Annex SL) for integration with ISO 9001, ISO 14001, ISO 45001, and ISO 27001. Covers strategic FM planning, demand management, service delivery, performance measurement, and improvement. Applicable to all types of facilities and organisations.
Artificial intelligence management system requirements
ISO 50001:2018 specifies requirements for establishing, implementing, maintaining, and improving an energy management system (EnMS). It enables organizations to follow a systematic approach to achieving continual improvement of energy performance including energy efficiency, use, and consumption. Uses the Plan-Do-Check-Act framework and the High Level Structure for integration with other ISO management systems.
ISO 8000 is the international standard for data quality. The multi-part standard covers: ISO 8000-1 (overview), ISO 8000-2 (vocabulary), ISO 8000-8 (information and data quality), ISO 8000-61 (data quality management: process reference model), ISO 8000-62 (data quality management: organisational process maturity assessment), ISO 8000-100 series (master data), and ISO 8000-110/115/120 (data quality: syntax, semantics, and completeness). The standard provides a framework for managing data quality across the data lifecycle. Used in manufacturing (product data quality), finance (reference data), healthcare (clinical data), and government (open data quality).
ISO/IEC 17025:2017 specifies the general requirements for the competence, impartiality, and consistent operation of testing and calibration laboratories. It is the basis for laboratory accreditation worldwide. Applicable to all laboratories regardless of the number of personnel or scope of activities. Covers structural requirements, resource requirements, process requirements, and management system requirements. Over 80,000 accredited laboratories globally. Accreditation by national bodies (UKAS, NATA, A2LA, etc.) under the ILAC Mutual Recognition Arrangement.
ISO/IEC 23837 (Parts 1 and 2) specifies security requirements and evaluation methods for quantum key distribution modules and networks. Part 1 defines security requirements covering: QKD module security, key generation, key management, authentication, physical security, and side-channel resistance. Part 2 defines evaluation methodology. Developed by ISO/IEC JTC 1/SC 27 (Information security) in coordination with ETSI ISG QKD. Provides a Common Criteria-compatible evaluation framework for QKD implementations. Adopted by national QKD certification schemes including BSI (Germany) and ANSSI (France).
Information technology - Artificial intelligence - Guidance on risk management. Provides guidance on how organizations that develop, produce, deploy, or use products, systems and services that utilize AI can manage risk specifically related to AI. Extends ISO 31000 risk management principles to AI contexts. Published February 2023.
ISO/IEC 25012:2008 defines a general data quality model applicable to data retained in a structured format within a computer system. Part of the SQuaRE (Systems and software Quality Requirements and Evaluation) series. It defines 15 data quality characteristics categorised as inherent (accuracy, completeness, consistency, credibility, currentness) and system-dependent (accessibility, compliance, confidentiality, efficiency, precision, traceability, understandability, availability, portability, recoverability).
ISO/IEC 27003:2017 - Information technology - Security techniques - Information security management systems - Guidance. Provides clause-by-clause guidance for implementing ISO/IEC 27001 requirements. Each clause contains Required Activity, Explanation, Guidance, and Other Information. Mirrors ISO 27001 clauses 4-10. Second edition published 2017.
Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation. Provides guidance to assist organizations in evaluating information security performance and effectiveness of the ISMS. Supports ISO 27001 Clause 9.1 requirements.
ISO/IEC 27006 specifies requirements and provides guidance for bodies providing audit and certification of information security management systems (ISMS). It supplements ISO/IEC 17021-1 with ISMS-specific requirements for certification bodies, including auditor competence, audit time, and certification scope determination.
ISO/IEC 27007 provides guidance on managing an ISMS audit programme, conducting audits, and evaluating the competence of ISMS auditors. It supplements ISO 19011 with ISMS-specific auditing guidance for both internal and external audits. Applicable to all organizations needing to conduct internal or external ISMS audits.
ISO/IEC 27010 provides guidelines for information security management for inter-sector and inter-organizational communications. It extends ISO 27001/27002 guidance for situations where organizations share information across sector boundaries, within communities of interest, or between organizations. Applicable to information sharing initiatives, ISACs, and trusted communities.
ISO/IEC 27011 provides guidelines supporting the implementation of information security controls in telecommunications organizations based on ISO/IEC 27002. It addresses sector-specific security requirements for telecommunications operators including network security, service availability, customer data protection, and lawful interception compliance.
Information security, cybersecurity and privacy protection - Governance of information security. Provides guidance on concepts, objectives, and processes for the governance of information security. Intended for governing bodies and top management of organizations. Applicable to all types and sizes of organizations.
Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity. Provides a framework of methods and processes for organizations to improve ICT readiness to support business operations during disruptions. Describes the concepts and principles of ICT readiness for business continuity (IRBC).
ISO/IEC 27050 (Parts 1-4) provides guidance on activities related to electronic discovery (eDiscovery) — the process of identifying, preserving, collecting, processing, reviewing, and producing electronically stored information (ESI) in litigation, investigations, and regulatory matters. Part 1 covers overview, Part 2 governance and management, Part 3 code of practice, and Part 4 technical readiness. Aligns with the EDRM (Electronic Discovery Reference Model).
ISO/IEC 27400 provides guidelines for security and privacy in IoT (Internet of Things) solutions. It addresses security and privacy risks throughout the IoT device lifecycle and provides controls for IoT service providers, IoT device developers, and IoT users. Covers device security, data protection, communication security, and trustworthiness of IoT ecosystems.
ISO/IEC 27557:2022 provides guidance on the application of ISO 31000:2018 to the management of privacy risks related to the processing of personally identifiable information (PII). It extends ISO 31000 risk management principles to specifically address privacy risks from the perspective of the organisation. Covers privacy risk identification, analysis, evaluation, and treatment. Complements ISO/IEC 27701 (PIMS) and supports GDPR, CCPA, and other privacy regulation compliance.
Information technology - Security techniques - Privacy framework. Establishes a comprehensive privacy framework including privacy principles, terminology, and concepts for the protection of personally identifiable information (PII). Applicable to organizations involved in specifying, procuring, designing, developing, or operating ICT systems that process PII. Second edition, substantially updated from 2011.
ISO/IEC 29115:2023 specifies a framework for entity authentication assurance in ICT systems. Defines four levels of authentication assurance (LoA 1-4) based on confidence in the identity claim during authentication. LoA 1 provides minimal confidence, LoA 4 provides very high confidence with hardware-based authenticators. The standard covers: authentication threats, assurance levels, credential types, authentication mechanisms, and lifecycle management. Widely referenced by eIDAS, national digital identity schemes, and financial regulators. Applicable to both human and machine (IoT) entity authentication. Complemented by ISO/IEC 29003 (identity proofing) and ISO/IEC 24760 (identity management framework).
Information technology - Security techniques - Guidelines for privacy impact assessment. Provides guidance on a process for conducting privacy impact assessments (PIAs) and on the structure and content of a PIA report. Supports GDPR Article 35 Data Protection Impact Assessment (DPIA) requirements. Second edition, published May 2023.
ISO/IEC 29147 provides guidelines for the disclosure of potential vulnerabilities in products and online services. It addresses how vendors should receive vulnerability reports, process them, and publish advisories. Complements ISO/IEC 30111 which covers internal vulnerability handling processes.
ISO/IEC 30111 provides guidelines for the internal handling of reported potential vulnerabilities in products and online services. It covers the processes a vendor should follow from receiving a vulnerability report through remediation and advisory publication. Complements ISO/IEC 29147 (vulnerability disclosure).
ISO/IEC 38500:2024 provides guiding principles for the governance of information technology by the governing body of any organization. It establishes a framework for effective governance of IT to ensure alignment with organizational objectives, delivery of value, management of risks, and responsible resource use. Updated in 2024 with enhanced coverage of emerging technologies, cybersecurity governance, and sustainability.
GAMP 5 (Good Automated Manufacturing Practice, 2nd Edition 2022) is an industry guideline published by ISPE (International Society for Pharmaceutical Engineering). It provides a risk-based approach to the validation and management of computerised systems in the regulated life sciences industry. GAMP 5 is the de facto standard for computerised system validation (CSV) globally. The 2022 revision introduces Critical Thinking and simplifies approaches for modern systems including cloud, SaaS, and AI/ML. Covers the complete system lifecycle and applies to GMP, GLP, GCP, and pharmacovigilance.
International Sustainability Standards Board reporting standards
The International Traffic in Arms Regulations (ITAR, 22 CFR Parts 120-130) control the export and import of defence-related articles, services, and technical data on the United States Munitions List (USML). Administered by the State Department's Directorate of Defense Trade Controls (DDTC). ITAR requires registration, licensing, and compliance with end-use restrictions. Violations can result in criminal penalties up to $1 million and 20 years imprisonment.
IT Infrastructure Library for IT service management best practices
The International Telecommunication Union (ITU) Radio Regulations (RR) are the international treaty governing the global use of the radio-frequency spectrum and satellite orbits. Revised at World Radiocommunication Conferences (WRC), most recently WRC-23. For space operations, the ITU regulates satellite frequency coordination, orbital slot allocation, interference protection, and space operations spectrum. ITU-T X.1205 provides cybersecurity guidelines. ITU-R SA series covers space applications spectrum. The Radio Regulations are binding on all 193 ITU member states and form the basis for national spectrum management.
ITU-T Recommendation X.805 (2003, still actively referenced) defines a security architecture for systems providing end-to-end communications. It uses a layered approach across three security layers (infrastructure, services, applications), three security planes (management, control, end-user), and eight security dimensions (access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability, privacy). Widely used as a telecom security reference architecture.
Iceland's Act on Data Protection and the Processing of Personal Data (Act No. 90/2018) implements the EU GDPR into Icelandic law via the EEA Agreement. The Icelandic Data Protection Authority (Persónuvernd) oversees enforcement. The Act includes national provisions for processing of national identification numbers (kennitala), processing for journalistic purposes, research and statistics, the age of digital consent (13 years), and health data processing. Iceland applies the GDPR framework fully as an EEA member state.
The Illinois Biometric Information Privacy Act (740 ILCS 14) is the most comprehensive US state biometric privacy law. Enacted in 2008, it regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and biometric information. Notable for its private right of action allowing individuals to sue for violations, with statutory damages of $1,000-$5,000 per violation.
The Reserve Bank of India (RBI) Account Aggregator (AA) framework enables consent-based sharing of financial data between Financial Information Providers (FIPs) and Financial Information Users (FIUs) through licensed Account Aggregators. Operationalised through the RBI Master Direction on NBFC-Account Aggregator (2016, updated 2021). Uses the Data Empowerment and Protection Architecture (DEPA) for consent management. Covers banking, insurance, securities, pension, and tax data.
The Indian Computer Emergency Response Team (CERT-In) Directions of April 2022 mandate cybersecurity practices for service providers, intermediaries, data centres, and government organizations in India. Key requirements include 6-hour incident reporting, 180-day log retention, KYC for VPN/cloud providers, and synchronized system clocks. Applies to all entities covered by the Information Technology Act 2000.
Indiana Consumer Data Protection Act
Iowa Consumer Data Protection Act
Israel's Protection of Privacy Law (5741-1981, amended through 2024) provides the legal framework for data protection, administered by the Privacy Protection Authority (PPA) under the Ministry of Justice. Israel holds EU adequacy recognition (since 2011). The 2024 amendments (Amendment 13) significantly strengthen the framework with expanded PPA enforcement powers, mandatory breach notification, increased penalties, and enhanced data subject rights.
Italy's Personal Data Protection Code (Codice in materia di protezione dei dati personali, Legislative Decree No. 196/2003) was substantially amended by Legislative Decree No. 101/2018 to align with the GDPR. The Garante per la protezione dei dati personali (Italian Data Protection Authority) oversees enforcement. The Code retains significant national provisions alongside the GDPR, including rules on health data, employment data, journalistic processing, video surveillance, and marketing. The Garante is one of the most experienced DPAs in Europe, established in 1997.
Jamaica's Data Protection Act 2020 (effective December 1, 2023) establishes a comprehensive data protection framework. The Office of the Information Commissioner (OIC) serves as the supervisory authority. The Act establishes eight data protection principles, individual rights, registration requirements, and provisions for cross-border transfers. Applies to the processing of personal data by controllers established in Jamaica.
Japan's Act on Specified Commercial Transactions (ASCT, Act No. 57 of 1976, substantially amended 2021-2023) regulates commercial transactions including online digital services, subscription services, and in-app purchases. The 2021 amendments specifically addressed dark patterns in digital commerce, requiring clear pricing disclosure, prohibition on misleading final confirmation screens, and cooling-off rights for digital subscriptions. Enforced by the Consumer Affairs Agency (CAA). Particularly relevant for gaming microtransactions and digital subscriptions.
The Japan Financial Services Agency (JFSA) Cybersecurity Guidelines provide a comprehensive framework for managing cybersecurity risks in financial institutions. Updated periodically, the guidelines cover governance, risk assessment, preventive controls, detection, response, and recovery. Aligned with the NIST Cybersecurity Framework. Apply to banks, securities firms, insurance companies, and other regulated financial institutions in Japan.
Jordan has been developing comprehensive personal data protection legislation. The Draft Personal Data Protection Law (2022 version under consideration) proposes GDPR-aligned data protection requirements. Currently, data protection is addressed through the Jordanian Constitution (privacy rights), the Cybercrime Law (No. 17/2023), the Telecommunications Law, and sector-specific regulations. The Electronic Transactions Law (No. 15/2015) addresses electronic data security. The Jordan Telecommunications Regulatory Commission (TRC) oversees telecommunications data privacy.
Kazakhstan's Law on Personal Data and Their Protection (No. 94-V, 2013, significantly amended 2023) establishes the data protection framework. The Committee on Information Security of the Ministry of Digital Development oversees enforcement. Key provisions include consent requirements, data subject rights, data localisation for certain categories, cross-border transfer restrictions, and data protection officer requirements. Amendments in 2023 strengthened rights and introduced breach notification obligations.
Kentucky Consumer Data Protection Act
The Kenya Data Protection Act No. 24 of 2019 establishes Kenya's comprehensive data protection framework. It creates the Office of the Data Protection Commissioner (ODPC) as the supervisory authority. The Act establishes data processing principles, data subject rights, registration requirements for controllers and processors, and provisions for cross-border data transfers. Applies to processing of personal data by controllers and processors within and outside Kenya where data subjects are in Kenya.
The Kids Online Safety Act (KOSA) establishes a duty of care for covered online platforms to prevent and mitigate harms to minors. It requires platforms to provide safeguards for minors by default, give minors and parents tools to protect against harmful content, and requires the FTC to establish best practices. Enacted as part of broader children's online safety legislation.
David Kolb's experiential learning theory proposing that learning is a process whereby knowledge is created through the transformation of experience. Published in 'Experiential Learning: Experience as the Source of Learning and Development' (1984). The cycle has four stages and maps to four distinct learning styles.
John Kotter's eight-step process for leading organizational change, first published in 'Leading Change' (1996) and updated in 'Accelerate' (2014). The model organizes change leadership into three phases: creating a climate for change, engaging and enabling the organization, and implementing and sustaining change.
Kuwait's data privacy landscape is primarily governed by the Constitution (Article 39, communication privacy), the Cyber Crimes Law (No. 63/2015), and the Capital Markets Authority (CMA) Data Privacy Protection Regulation (2021). The CMA regulation specifically addresses data protection for entities regulated by the CMA. Kuwait does not yet have comprehensive standalone data protection legislation, but a draft Personal Data Protection Law has been under consideration. The Cyber Crimes Law criminalises unlawful access, data theft, and privacy violations in electronic communications.
Kuwait's National Cybersecurity Framework, established by the Communication and Information Technology Regulatory Authority (CITRA) and the National Cyber Security Center (NCSC), provides mandatory cybersecurity requirements for government entities and critical national infrastructure in Kuwait. Covers governance, technical controls, and compliance monitoring.
The LEADS in a Caring Environment framework describes the leadership capabilities needed to lead effectively in health systems. Developed in Canada by Dr. Graham Dickson and colleagues, it comprises five domains — Lead Self, Engage Others, Achieve Results, Develop Coalitions, and Systems Transformation — with four capabilities each. LEADS is used internationally for health leadership development, assessment, and organisational capacity building.
LEED (Leadership in Energy and Environmental Design) v4.1 is the most widely used green building rating system globally, developed by the US Green Building Council (USGBC). Over 110,000 LEED-certified projects in 185 countries. LEED v4.1 includes credits for smart building technologies, energy monitoring, indoor environmental quality monitoring, and sustainable data centre design. LEED covers: Building Design and Construction (BD+C), Interior Design and Construction (ID+C), Building Operations and Maintenance (O+M), Neighbourhood Development (ND), and Cities and Communities. Certification levels: Certified, Silver, Gold, Platinum.
Lei Geral de Proteção de Dados - Brazil's General Data Protection Law
Laos' Law on Prevention and Combating Cybercrime (2015) establishes the legal framework for addressing cybercrime and includes provisions for data protection and cybersecurity. It criminalises unauthorised access, data interference, system interference, and misuse of devices. Includes provisions on electronic evidence, international cooperation, and service provider obligations. The Ministry of Post, Telecommunications and Communication oversees implementation.
Latvia's Personal Data Processing Law (Fizisko personu datu apstrādes likums) of 2018 supplements the EU GDPR with national provisions. The Data State Inspectorate (Datu valsts inspekcija) oversees enforcement. The law includes provisions for processing of national identification numbers (personas kods), processing for journalistic purposes, employment data processing, video surveillance, and the age of digital consent (13 years). Specific provisions for processing by law enforcement and national security services.
Lebanon's Law No. 81/2018 on Electronic Transactions and Personal Data Protection establishes the legal framework for electronic commerce and data protection. The law covers electronic transactions, electronic signatures, data protection principles, consent requirements, data subject rights, and the establishment of a Personal Data Protection Commission. It is one of the more comprehensive data protection laws in the MENA region. The law applies to processing of personal data by public and private entities in Lebanon. The Personal Data Protection Commission has enforcement powers.
Lithuania's Law on the Legal Protection of Personal Data (No. I-1374, as restated in 2018) supplements the EU GDPR with national provisions. The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) oversees enforcement. The law includes provisions for processing of national identification codes (asmens kodas), video surveillance, processing for journalistic purposes, direct marketing, the age of digital consent (14 years), and specific derogations for research and statistics.
Lloyd's of London Minimum Standards establish baseline requirements that all managing agents in the Lloyd's market must meet. The Cyber Security minimum standards, part of the broader Operational Risk framework, require managing agents to implement appropriate cybersecurity controls, conduct risk assessments, and report incidents. Lloyd's also sets standards for underwriting, claims, reserving, and other operational areas. Enforced through Lloyd's supervisory framework.
Lloyd's of London has established requirements and guidance for managing syndicates' cyber insurance exposure. Key requirements include: mandatory systemic cyber risk exclusions (from March 2023), war and state-backed cyber attack exclusions, cyber insurance risk management standards, and exposure management. Lloyd's Market Bulletin Y5381 (2022) requires all standalone cyber policies to exclude state-backed cyber attacks with clear attribution clauses. Managing agents must demonstrate cyber risk management capability. Lloyd's Realistic Disaster Scenarios (RDS) for cyber include cloud outage, mass ransomware, and data exfiltration scenarios.
Luxembourg's Law of 1 August 2018 organises the National Commission for Data Protection (CNPD) and supplements the GDPR with national provisions. The Commission Nationale pour la Protection des Données (CNPD) oversees enforcement. Luxembourg is significant as the EU establishment of many major tech companies (Amazon, PayPal, Skype). The law includes provisions for the age of digital consent (16 years), processing by the public sector, research derogations, and employee data. CNPD has jurisdiction over major data controllers established in Luxembourg.
Minimum Acceptable Risk Standards for Exchanges (Healthcare marketplace)
The Minimum Acceptable Risk Standards for Exchanges (MARS-E) Version 2.2 establishes security and privacy requirements for state and federal Health Insurance Exchanges (Marketplaces) created under the Affordable Care Act. Based on NIST SP 800-53 with exchange-specific overlays, it provides a risk-based framework for protecting personally identifiable information (PII) and Federal Tax Information (FTI) in the health insurance marketplace ecosystem.
Monetary Authority of Singapore Technology Risk Management Guidelines
Manufacturer Disclosure Statement for Medical Device Security
MITRE ATT&CK knowledge base of adversary tactics and techniques
MITRE D3FEND knowledge graph of cybersecurity countermeasures
Multi-Tier Cloud Security Standard by IMDA Singapore
The Multi-Tier Cloud Security (MTCS) Standard (SS 584) is Singapore's national cloud security standard developed by the Infocomm Media Development Authority (IMDA). Based on ISO 27001, it provides a three-tier framework (Level 1-3) for cloud security certification with increasing requirements. Level 1 covers basic security, Level 2 adds governance and risk management, and Level 3 addresses the most stringent requirements for highly regulated data. Mandatory for Singapore government cloud procurement.
Malta's Data Protection Act (Chapter 586 of the Laws of Malta, 2018) supplements the EU GDPR with national provisions. The Information and Data Protection Commissioner (IDPC) oversees enforcement. The Act includes provisions for the age of digital consent (13 years), processing by competent authorities for criminal law purposes (LED transposition), genetic and biometric data, research derogations, and administrative penalties. Malta's small size and EU membership make it a significant jurisdiction for online gaming, fintech, and blockchain companies.
Maryland Online Data Privacy Act
Christina Maslach's model for understanding, measuring, and preventing occupational burnout with three dimensions measured by the Maslach Burnout Inventory (MBI) and six areas of worklife (AWS) identifying organizational factors driving burnout or engagement. Core insight: burnout is a problem of organizational context, not individual weakness.
The Mauritius Data Protection Act 2017 (replacing the 2004 Act) provides a comprehensive data protection framework aligned with international standards. The Data Protection Office under the Data Protection Commissioner supervises compliance. The Act establishes processing principles, individual rights, registration requirements, and provisions for cross-border data transfers. Mauritius holds EU adequacy recognition for certain sectors.
Mexican Federal Law on Protection of Personal Data in Possession of Private Parties
The Markets in Financial Instruments Directive II (2014/65/EU) and Markets in Financial Instruments Regulation (EU No 600/2014) form the EU's comprehensive framework for financial markets. MiFID II/MiFIR establishes rules for investment firms, trading venues, market transparency, investor protection, and reporting. Replaced MiFID I from January 3, 2018. Applies to investment firms, credit institutions providing investment services, and trading venues operating in the EU.
Minnesota Consumer Data Privacy Act
The Modern Slavery Act 2018 (Cth) requires Australian entities with consolidated revenue of A$100 million or more to report annually on modern slavery risks in their operations and supply chains, and the actions taken to address those risks. Reports are published on the Modern Slavery Register.
Montana Consumer Data Privacy Act
Montenegro's Law on Personal Data Protection (Official Gazette No. 44/2023), effective August 2023, replaces the 2008 law and is fully aligned with the EU GDPR. The Agency for Personal Data Protection and Free Access to Information oversees enforcement. The new law incorporates GDPR principles, data subject rights, DPO requirements, DPIA, breach notification, and GDPR-level administrative fines. Enacted as part of Montenegro's advanced EU accession negotiations (Chapter 23 — Judiciary and Fundamental Rights).
Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data establishes Morocco's data protection framework. Administered by the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP), it aligns with European data protection standards and provides comprehensive rights for individuals and obligations for data processors.
Myanmar's Cybersecurity Law (2023) establishes a cybersecurity and data protection framework. The law covers cybersecurity obligations for digital platform service providers, critical information infrastructure protection, personal data processing requirements, and cybersecurity incident reporting. Administered by the Ministry of Transport and Communications. The law has been criticised for its surveillance provisions and broad scope.
NABERS (National Australian Built Environment Rating System) is an Australian Government initiative that measures the environmental performance of buildings, tenancies, and homes. Ratings cover energy, water, waste, and indoor environment on a 1-6 star scale. NABERS Energy ratings are mandatory for commercial office buildings over 1,000 m² in Australia under the Commercial Building Disclosure (CBD) programme. Over 80% of Australian office space is NABERS rated. Managed by the NSW Department of Climate Change, Energy, the Environment and Water.
The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (Model 668) establishes data security standards for the insurance industry. Adopted by NAIC in 2017, it has been enacted by over 20 US states. It requires insurers and other licensed entities to develop comprehensive information security programs, conduct risk assessments, and notify regulators of cybersecurity events.
NATO Allied Quality Assurance Publication AQAP 2110 (Edition E, 2016) establishes quality assurance requirements for NATO defence procurement. AQAP 2110 covers design, development, and production and is referenced in NATO contracts. It supplements ISO 9001 with additional defence-specific requirements including configuration management, first article inspection, and government quality assurance. Used by NATO member nations (31 countries) for procurement from defence industry. Complementary publications include AQAP 2210 (software quality), AQAP 2310 (inspection), and AQAP 2131 (production only).
NATO's cyber defence framework includes the NATO Cyber Defence Policy (2014, updated 2021), the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Tallinn Manual, and the NATO Computer Incident Response Capability (NCIRC). Key documents include: NATO Communications and Information Agency (NCIA) security standards, AC/322 Information Assurance series, Cyber Defence Pledge (2016), and the 2021 Comprehensive Cyber Defence Policy recognising cyberspace as an operational domain. NATO nations committed to the Cyber Defence Pledge at the 2016 Warsaw Summit, with enhanced commitments at the 2023 Vilnius Summit including the Virtual Cyber Incident Support Capability (VCISC).
NATO STANAG 4774 defines the confidentiality metadata label syntax for NATO information sharing, while STANAG 4778 specifies the metadata binding mechanism for associating security labels with data objects. Together they enable automated security policy enforcement, access control, and information sharing across NATO nations and mission partners. Labels encode classification, caveats, releasability, and handling instructions in a machine-readable format. Essential for cross-domain solutions and secure information exchange.
North American Electric Reliability Corporation Critical Infrastructure Protection
NFPA 1600 (2024 edition), published by the National Fire Protection Association, establishes a common set of criteria for disaster/emergency management and business continuity programmes. It serves as the US national preparedness standard referenced by the Department of Homeland Security. Covers programme management, planning, implementation, training, exercises, and programme improvement. Applicable to public, private, and nonprofit organisations. Required for Emergency Management Accreditation Program (EMAP) accreditation.
Evidence-based framework by the NHS Leadership Academy describing observable leadership behaviours applicable to all levels of healthcare organisations. Nine dimensions with four maturity levels (Essential, Proficient, Strong, Exemplary). Developed through strategic interviews, focus groups, and extensive research with the Open University and Korn Ferry.
Network and Information Security Directive 2 for essential and important entities in the EU
The NIS2 Directive (EU 2022/2555) Implementing Acts specify detailed cybersecurity risk management measures and significant incident reporting criteria for essential and important entities. The implementing regulation (adopted October 2024) defines technical and methodological requirements for network and information security measures, expanding on the NIS2 Directive's Article 21 risk management obligations. Applicable from October 18, 2024.
NIST Artificial Intelligence 600-1: Generative AI Profile. A companion resource to the NIST AI Risk Management Framework (AI RMF 1.0) providing guidance for managing risks of generative AI systems. Identifies 12 unique risks of GAI and maps suggested actions to the AI RMF Govern, Map, Measure, and Manage functions. Published July 2024.
The NIST AI Risk Management Framework (AI RMF 1.0), published January 2023, provides a voluntary framework for managing risks associated with AI systems throughout their lifecycle. It is organized around four core functions: Govern, Map, Measure, and Manage. Applicable to all organizations designing, developing, deploying, or using AI systems. Includes the AI RMF Playbook with suggested actions and resources.
Voluntary framework for managing and reducing cybersecurity risk, organized around six core functions
NIST's Post-Quantum Cryptography (PQC) standardisation effort culminated in August 2024 with the publication of three Federal Information Processing Standards: FIPS 203 (ML-KEM, based on CRYSTALS-Kyber for key encapsulation), FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium for digital signatures), and FIPS 205 (SLH-DSA, based on SPHINCS+ for hash-based digital signatures). These standards are designed to resist attacks from both classical and quantum computers. NIST recommends that organisations begin transitioning to PQC algorithms immediately. A fourth standard (FN-DSA, based on FALCON) is expected in 2025.
The NIST Privacy Framework (Version 1.0, 2020) is a voluntary tool for improving privacy through enterprise risk management. Designed to complement the NIST Cybersecurity Framework. Five core functions: Identify-P (develop understanding of privacy risks), Govern-P (develop governance structure), Control-P (manage data processing), Communicate-P (promote understanding of data processing), and Protect-P (develop safeguards for data processing). Applicable to all organisations regardless of size or sector. Provides a common vocabulary for privacy risk management across legal, business, and technical domains.
The NIST Privacy Framework Version 1.0 (January 2020) is a voluntary tool for improving privacy through enterprise risk management. Structured similarly to the NIST Cybersecurity Framework with Core, Profiles, and Implementation Tiers. The Core consists of five functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. Designed to complement the NIST CSF — together they address the intersection of privacy and cybersecurity risk. Used by organisations of all sizes across sectors.
Securing Distributed Energy Resources for energy sector
Technical Guide to Information Security Testing
NIST Special Publication 800-124 Revision 2 provides guidelines for managing and securing mobile devices in enterprise environments. Covers mobile device management (MDM), mobile threat defense, app vetting, BYOD policies, and enterprise mobility management. Addresses smartphones, tablets, and other mobile devices used to process, store, or transmit organizational data.
Guide for Security-Focused Configuration Management
Guidelines on Security and Privacy in Public Cloud Computing
Cybersecurity Supply Chain Risk Management Practices
Protecting Controlled Unclassified Information in Nonfederal Systems
NIST Special Publication 800-171A Revision 3 (2024) provides assessment procedures for the security requirements in NIST SP 800-171 Rev 3. It defines assessment objectives and methods (examine, interview, test) for each of the 110 security requirements protecting Controlled Unclassified Information (CUI) in nonfederal systems. Used by CMMC assessors, DoD contractors, and federal agencies to verify CUI protection compliance.
NIST Special Publication 800-171A provides assessment procedures and methodology for determining the effectiveness of security requirements described in NIST SP 800-171. Used by federal agencies, contractors, and assessors (including CMMC assessors) to evaluate whether CUI protections are implemented correctly, operating as intended, and producing the desired outcome.
Enhanced Security Requirements for Protecting CUI
NIST Special Publication 800-34 Revision 1 provides instructions, recommendations, and considerations for federal information system contingency planning. It covers the entire contingency planning lifecycle from business impact analysis through plan testing and maintenance. Applicable to all federal systems including general support systems, client/server, and cloud environments.
Risk Management Framework for Information Systems and Organizations
Security and privacy controls for information systems and organizations
Implementing the HIPAA Security Rule - A Cybersecurity Resource Guide
NIST Special Publication 800-82 Revision 3 provides guidance for securing Operational Technology (OT) systems including industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC), and building automation systems. Addresses unique OT security considerations while maintaining performance, reliability, and safety.
Title 10 Code of Federal Regulations Section 73.54 establishes cybersecurity requirements for nuclear power reactors. It requires licensees to provide high assurance that digital computer and communication systems and networks associated with safety, security, and emergency preparedness functions are protected against cyber attacks. Administered by the US Nuclear Regulatory Commission (NRC).
The National Retail Federation (NRF) provides cybersecurity and data privacy guidance for the US retail industry. NRF represents the world's largest retail market. Key initiatives include: NRF Cybersecurity and Privacy Council, retail-specific threat intelligence sharing via RH-ISAC (Retail and Hospitality ISAC), and advocacy for federal data privacy legislation. NRF's cybersecurity guidance covers: point-of-sale (POS) security, e-commerce platform protection, customer data privacy, supply chain cybersecurity, payment card security (complementing PCI DSS), and workforce cyber training. NRF collaborated with NIST on the Cybersecurity Framework retail profile.
The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), announced September 2022, establishes the quantum-resistant cryptographic algorithms required for National Security Systems (NSS). CNSA 2.0 replaces CNSA 1.0 and mandates transition to post-quantum algorithms. The published dates are "support and prefer" milestones, with exclusive use required later: software/firmware signing (prefer by 2025, exclusive by 2030), web browsers/servers and cloud services (prefer by 2025, exclusive by 2033), traditional networking equipment (prefer by 2026, exclusive by 2030), operating systems (prefer by 2027, exclusive by 2033), niche equipment (prefer by 2030, exclusive by 2033), and custom applications and legacy equipment updated or replaced by 2033. Key algorithms: CRYSTALS-Kyber (ML-KEM), CRYSTALS-Dilithium (ML-DSA), XMSS/LMS (stateful hash-based signatures, for software and firmware signing), SHA-384/512, and AES-256.
The NSA has published multiple guidance documents for quantum-resistant cryptography migration beyond CNSA 2.0: 'Announcing the Commercial National Security Algorithm Suite 2.0' (2022), 'Quantum Computing and Post-Quantum Cryptography FAQ', and cybersecurity advisories on PQC transition. The guidance addresses: cryptographic agility (ability to quickly switch algorithms), risk assessment for quantum threats, prioritisation of migration activities, testing and validation of PQC implementations, supply chain considerations for PQC hardware, and coordination with allies through Five Eyes partnerships. NSA works with NIST, CISA, and international partners on PQC transition coordination.
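The cryptographic agility the guidance calls for is a design property rather than a product, so the following added example (not NSA or NIST material) shows the pattern in Python: messages carry an algorithm identifier, verifiers dispatch through a registry, and a policy object separates what producers emit from what verifiers still accept during a transition. HMAC-SHA-256 and HMAC-SHA-384 are assumed stand-ins for a legacy and a CNSA 2.0-aligned primitive, since no post-quantum signature scheme ships in the standard library; the phase dates in `policy_for_year` are a hypothetical schedule patterned on the software-signing milestones. The identifier is bound into the authenticated input, which is what stops an attacker from rewriting the `alg` field to steer the verifier into a weaker algorithm.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Algorithm registry keyed by identifier. Adding a new primitive means adding
# one entry here; the envelope format and verifier logic do not change.
# Assumption: HMAC-SHA-256 stands in for a legacy algorithm and HMAC-SHA-384
# for a CNSA 2.0-approved one (real deployments would register ML-DSA or LMS).
ALGORITHMS = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha384": lambda key, data: hmac.new(key, data, hashlib.sha384).digest(),
}


@dataclass(frozen=True)
class Policy:
    """What a producer emits and what a verifier still tolerates."""
    preferred: str
    accepted: frozenset


def policy_for_year(year: int) -> Policy:
    """Hypothetical phase-out schedule patterned on the CNSA 2.0
    software-signing milestones (prefer the new algorithm by 2025,
    use it exclusively by 2030)."""
    if year < 2025:
        return Policy("hmac-sha256", frozenset({"hmac-sha256", "hmac-sha384"}))
    if year < 2030:
        return Policy("hmac-sha384", frozenset({"hmac-sha256", "hmac-sha384"}))
    return Policy("hmac-sha384", frozenset({"hmac-sha384"}))


def _authenticated_input(alg: str, payload: bytes) -> bytes:
    # The algorithm identifier is part of the MAC input, so rewriting the
    # "alg" field after the fact invalidates the tag instead of changing
    # which primitive the verifier runs (the classic downgrade trick).
    return alg.encode() + b"\x00" + payload


def protect(key: bytes, payload: bytes, policy: Policy) -> dict:
    alg = policy.preferred
    tag = ALGORITHMS[alg](key, _authenticated_input(alg, payload))
    return {"alg": alg, "payload": payload.hex(), "tag": tag.hex()}


def verify(key: bytes, envelope: dict, policy: Policy) -> tuple:
    alg = envelope.get("alg")
    if alg not in ALGORITHMS:
        return False, "unknown algorithm"
    if alg not in policy.accepted:
        return False, "algorithm retired by policy"
    payload = bytes.fromhex(envelope["payload"])
    expected = ALGORITHMS[alg](key, _authenticated_input(alg, payload))
    # compare_digest is constant-time and returns False on length mismatch
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        return False, "tag mismatch"
    return True, "ok"


def demo() -> dict:
    key = b"constructed-demo-key-not-for-real-use"  # constructed sample key
    payload = b"firmware-image-v1"                  # constructed sample data
    legacy = protect(key, payload, policy_for_year(2024))
    modern = protect(key, payload, policy_for_year(2026))
    downgraded = dict(modern, alg="hmac-sha256")    # attacker edits alg only
    return {
        "legacy_alg": legacy["alg"],
        "modern_alg": modern["alg"],
        "legacy_in_transition": verify(key, legacy, policy_for_year(2026)),
        "legacy_after_cutoff": verify(key, legacy, policy_for_year(2031)),
        "modern_after_cutoff": verify(key, modern, policy_for_year(2031)),
        "downgrade_attempt": verify(key, downgraded, policy_for_year(2026)),
    }


if __name__ == "__main__":
    print(json.dumps({k: list(v) if isinstance(v, tuple) else v
                      for k, v in demo().items()}, indent=2))
```

The policy split matters in practice: producers move to the preferred algorithm as soon as it is available, while verifiers keep accepting the old one only until the cut-off, so a fleet can be migrated without a flag day and without leaving the old algorithm accepted forever.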
New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies. 23 NYCRR Part 500 requires DFS-regulated entities to establish and maintain a cybersecurity program, implement and maintain a cybersecurity policy, and designate a CISO. Second Amendment (November 2023) introduced Class A company requirements, enhanced governance, and expanded incident reporting.
The Netherlands' GDPR Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG) of 2018 supplements the EU GDPR with national provisions. The Autoriteit Persoonsgegevens (AP — Dutch Data Protection Authority) oversees enforcement. The UAVG includes provisions for the age of digital consent (16 years), processing of national identification numbers (BSN), health data in research, journalistic exemptions, and administrative penalties. The Netherlands has a strong data protection tradition dating to the 1988 WBP.
The Nevada Gaming Control Board (GCB) cybersecurity requirements establish mandatory information security standards for licensed gaming operators in Nevada. Technical Standards and Regulations Division requirements cover system security, data protection, incident response, and vendor management for casino and online gaming operations.
New Hampshire Privacy Act
New Jersey Data Privacy Act
The New Zealand Information Security Manual (NZISM) provides information security guidance for New Zealand Government agencies. Maintained by the Government Communications Security Bureau (GCSB) via the National Cyber Security Centre (NCSC). The NZISM specifies mandatory and recommended security controls covering governance, physical security, personnel, ICT equipment, software, networking, cryptography, and cloud computing. Applicable to all NZ government agencies processing RESTRICTED, CONFIDENTIAL, SECRET, and TOP SECRET information.
The Nigeria Data Protection Act 2023 (NDPA) supersedes the Nigeria Data Protection Regulation (NDPR) 2019. It establishes the Nigeria Data Protection Commission (NDPC) as an independent regulatory body. The NDPA applies to processing of personal data by controllers and processors operating in Nigeria and those processing data of Nigerian residents. Introduces data protection compliance organizations (DPCOs) for audit and compliance support.
The Central Bank of Nigeria (CBN) Open Banking Regulatory Framework (2023) establishes guidelines for the sharing of customer data and services through APIs across Nigerian financial institutions. The framework addresses data sharing, API security, consumer protection, and governance for open banking participants. It categorises data and APIs into tiers by sensitivity, with consent and security requirements rising with each tier. Applicable to banks, fintechs, payment service providers, and other regulated financial institutions in Nigeria. Aligns with Nigeria's broader fintech and digital economy strategy.
North Macedonia's Law on Personal Data Protection (Official Gazette No. 42/2020), effective February 2020, replaces the 2005 law and is fully aligned with the EU GDPR. The Personal Data Protection Agency (Directorate) oversees enforcement. The law incorporates GDPR principles, rights, DPO requirements, DPIA obligations, breach notification, and administrative fines. Enacted as part of North Macedonia's EU accession process and reflects the country's commitment to EU data protection standards.
Part IIIC of the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) scheme in force since February 2018, requires APP entities to notify the OAIC and affected individuals when a data breach is likely to result in serious harm.
The O-RAN Alliance Working Group 11 (Security) develops security specifications for Open Radio Access Networks. O-RAN disaggregates traditional RAN into components (O-RU, O-DU, O-CU, Near-RT RIC, Non-RT RIC, SMO) with open interfaces, creating new security considerations. Key specifications include: O-RAN Security Requirements and Architecture (WG11), O-RAN Threat Model, security for open fronthaul (M-plane, C/U-plane), RIC security, and supply chain security. As O-RAN deployment grows globally (driven by operators including Deutsche Telekom, NTT DOCOMO, Vodafone, and Rakuten), these security requirements become critical for network integrity.
The OCC Heightened Standards establish minimum standards for the design and implementation of a risk governance framework for large insured national banks, federal savings associations, and insured federal branches ($50 billion+ in consolidated assets). The standards address the obligation of the board of directors, front-line units, independent risk management, and internal audit. Effective 2014.
The OECD Principles on Artificial Intelligence, originally adopted in May 2019 as the first intergovernmental AI standard, were updated in May 2024 to address generative AI and foundation models. The five values-based principles cover: inclusive growth and sustainable development; human-centred values and fairness; transparency and explainability; robustness, security, and safety; and accountability. Complemented by five policy recommendations for governments. Adopted by 46 countries. Basis for the G20 AI Principles.
The OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (updated 2023) are the most comprehensive international standard on responsible business conduct endorsed by governments. Adhered to by 51 governments. The 2023 update strengthened provisions on environment, climate change, technology, supply chain due diligence, and animal welfare. National Contact Points (NCPs) in each adhering country handle complaints (specific instances). Due diligence recommendations aligned with UNGPs. Covers human rights, employment, environment, anti-corruption, consumer interests, science and technology, competition, and taxation.
The OECD/G20 Principles of Corporate Governance provide an internationally recognized benchmark for corporate governance. First issued in 1999, revised in 2004 and 2015, with latest revision in 2023. Cover the governance framework, rights of shareholders, institutional investors, stakeholder role, disclosure, and board responsibilities.
Canadian OSFI Technology and Cyber Risk Management guideline
The OWASP API Security Top 10 is a standard awareness document focused specifically on API security risks. The 2023 edition identifies the ten most critical API security risks based on exploitability, prevalence, detectability, and technical impact. It complements the OWASP Top 10 for web applications with API-specific risks.
The OWASP DevSecOps Maturity Model provides a framework for integrating security into DevOps practices across 6 dimensions and 5 maturity levels. It helps organizations assess their current security posture in software development and operations, identify gaps, and plan improvement roadmaps for embedding security throughout the software development lifecycle.
OWASP Mobile Application Security Verification Standard
OWASP Top 10 security risks specific to Large Language Model (LLM) applications. Identifies the most critical vulnerabilities in AI/LLM systems including prompt injection, data poisoning, and excessive agency. Published by the OWASP GenAI Security Project.
The OWASP Top 10 is the standard awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. The 2025 edition includes two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10), with significant reorganization from the 2021 edition.
Oman's National Cybersecurity Framework, issued by the Information Technology Authority (ITA) and Oman National CERT, provides cybersecurity requirements for government entities and critical infrastructure operators in the Sultanate of Oman. Based on international standards, it establishes mandatory security controls across governance, protection, detection, response, and recovery functions.
Oman's Personal Data Protection Law (Royal Decree 6/2022), effective February 2023, establishes a comprehensive data protection framework. The Ministry of Transport, Communications, and Information Technology (MTCIT) oversees enforcement. The law covers processing principles, consent requirements, data subject rights, cross-border transfers, breach notification, and data protection officer requirements. Applies to processing of personal data by controllers and processors in Oman. Data localisation requirements for certain categories of data. One of the most comprehensive data protection laws in the Gulf region.
The Online Safety Act 2021 establishes a regulatory framework for online safety in Australia, administered by the eSafety Commissioner. It covers cyberbullying, image-based abuse, online content regulation, and industry codes/standards for online safety. Commenced 23 January 2022.
The Accessibility for Ontarians with Disabilities Act (AODA, 2005) and its Integrated Accessibility Standards Regulation (IASR, O. Reg. 191/11) establish accessibility requirements for organisations in Ontario, Canada. The IASR Information and Communications Standard requires WCAG 2.0 Level AA conformance for websites and web content. Applies to Ontario government, public sector, and private/non-profit organisations with 50+ employees. The AODA aims to make Ontario fully accessible by 2025. Enforced by the Accessibility Directorate of Ontario.
Open Banking Implementation Entity security profile
Open Source Security Foundation Scorecard for open source projects
Oregon Consumer Privacy Act
The NAIC Risk Management and Own Risk and Solvency Assessment Model Act (Model #505) requires US insurance companies to maintain a risk management framework and conduct an Own Risk and Solvency Assessment (ORSA). Adopted by most US states, ORSA requires insurers to assess the adequacy of their risk management and current/future solvency position. The ORSA Summary Report is filed confidentially with regulators. Applies to insurers and insurance groups above specified thresholds.
PAS 1192-5:2015 (now superseded by ISO 19650-5:2020 but still widely referenced) specifies a security-minded approach to Building Information Modelling (BIM), digitally built environments, and smart asset management. Developed by BSI in partnership with the UK Centre for the Protection of National Infrastructure (CPNI, now the National Protective Security Authority, NPSA). Addresses the security risks of sharing sensitive building data digitally, particularly for critical national infrastructure and government buildings. Covers security triage, information classification, and breach management.
PCAOB Auditing Standard No. 2201 (AS 2201, originally AS 5) establishes requirements for auditing internal control over financial reporting (ICFR) that is integrated with the audit of financial statements of SEC-registered companies. Required by Sarbanes-Oxley Act Section 404(b) for accelerated filers. Covers top-down risk-based approach, evaluating entity-level controls, selecting controls to test, testing design and operating effectiveness, and forming an opinion on ICFR effectiveness.
Payment Card Industry Data Security Standard for protecting cardholder data
PCI PIN Transaction Security for payment terminals
PEGI (Pan European Game Information) is the age rating system for video games in Europe, established in 2003. Managed by the Interactive Software Federation of Europe (ISFE) and administered by NICAM. PEGI provides age ratings (3, 7, 12, 16, 18) and content descriptors (violence, language, fear, drugs, sex, discrimination, gambling, in-game purchases). Adopted as the official age rating system in 39 countries. Legal enforcement in some jurisdictions. Self-regulatory in others.
The Pharmaceutical Inspection Co-operation Scheme (PIC/S) Guide to Good Manufacturing Practice (GMP) provides internationally harmonised GMP guidelines for medicinal product manufacturing. PIC/S has 54 participating authorities worldwide. The guide covers quality management, personnel, premises, equipment, documentation, production, quality control, outsourced activities, complaints, self-inspection, and computerised systems. The PIC/S GMP guide is largely harmonised with the EU GMP guide and WHO GMP guidelines. Annexes cover specific product types and activities.
Payment Services Directive 2 Strong Customer Authentication requirements
The Pakistan Personal Data Protection Bill 2023 establishes a framework for personal data protection in Pakistan. It creates the National Commission for Personal Data Protection as the regulatory authority. The Bill covers data processing principles, individual rights, cross-border transfers, and penalties. While still progressing through legislative process, it signals Pakistan's move toward comprehensive data protection aligned with international standards.
Panama's Law No. 81 of 2019 on Personal Data Protection establishes the country's data protection framework. The National Authority for Transparency and Access to Information (ANTAI) oversees compliance. The law covers processing principles, consent requirements, data subject rights, cross-border transfer provisions, and breach notification. Applies to processing of personal data by public and private entities. Implementing regulations provide detailed compliance guidance.
Papua New Guinea's Cybercrime Code Act 2016 criminalises cybercrimes and establishes data protection provisions. The National Cybersecurity Policy (2021) provides a framework for cybersecurity governance. The Cybercrime Act covers illegal access, data interference, system interference, misuse of devices, and computer-related fraud. Data protection provisions address unauthorized access to personal data. The National Information and Communications Technology Authority (NICTA) oversees telecommunications and cybersecurity.
Paraguay's Law No. 6534/2020 on the Protection of Credit-Related Personal Data and the draft comprehensive data protection bill (under consideration) establish data protection provisions. Law 6534 specifically addresses credit and financial personal data protection. Paraguay is working toward a comprehensive GDPR-aligned data protection law. The Ministry of Information and Communication Technologies (MITIC) has been proposed as the supervisory authority for the broader framework.
Peru's Personal Data Protection Law (Ley No. 29733 of 2011, regulations DS 003-2013-JUS, amended 2024) establishes a comprehensive data protection framework. The National Authority for Personal Data Protection (ANPDP) under the Ministry of Justice administers the law. Requires registration of data banks, consent for processing, and restricts cross-border transfers. The 2024 amendments strengthen enforcement and align with international standards.
The Philippines Cybercrime Prevention Act of 2012 (Republic Act No. 10175) defines and penalizes cybercrimes, establishes the Cybercrime Investigation and Coordinating Center (CICC), and provides for law enforcement powers in the digital domain. It criminalizes offenses against computer systems (illegal access, interception, data interference), computer-related offenses (fraud, forgery, identity theft), and content-related offenses. Implemented alongside the Data Privacy Act (RA 10173).
The Data Privacy Act of 2012 (Republic Act No. 10173) is the Philippines' comprehensive data protection law. It protects individual personal information in information and communications systems in the government and private sector. Administered by the National Privacy Commission (NPC), it establishes rights of data subjects, obligations of personal information controllers and processors, and penalties for violations.
Poland's Act on Personal Data Protection of 2018 supplements the EU GDPR with national provisions. The President of the Personal Data Protection Office (UODO — Urząd Ochrony Danych Osobowych) oversees enforcement. The Act includes provisions on the age of digital consent (16 years — the maximum GDPR permits), certification bodies, accreditation, administrative fines for public bodies, and procedural rules for UODO. Poland also has sector-specific data protection provisions in telecommunications, banking, and healthcare legislation.
Portugal's Law No. 58/2019 supplements the EU GDPR with national provisions. The Comissão Nacional de Protecção de Dados (CNPD — National Data Protection Commission) oversees enforcement. The law includes provisions for the age of digital consent (13 years), processing by the public sector, employee data, video surveillance, deceased persons' data, and research derogations. Portugal was one of the later EU Member States to adopt its GDPR supplementary legislation.
Australian Privacy Act including the Australian Privacy Principles
The Privacy and Other Legislation Amendment Act 2024 (Cth) amends the Privacy Act 1988 (Cth) and Criminal Code Act 1995 (Cth). Royal Assent 10 December 2024. Introduces a statutory tort for serious invasion of privacy, criminal doxxing offences, a Children's Online Privacy Code, automated decision-making transparency, and enhanced OAIC enforcement powers.
Privacy by Design (PbD) is a framework developed by Dr. Ann Cavoukian (former Ontario Information and Privacy Commissioner) establishing seven foundational principles for embedding privacy into the design of IT systems, business practices, and networked infrastructure. PbD is reflected in GDPR Article 25 (Data Protection by Design and by Default), referenced in the California Privacy Rights Act, and adopted by data protection authorities worldwide. The seven principles guide organisations to proactively embed privacy throughout the entire data lifecycle rather than treating it as an afterthought. The International Conference of Data Protection and Privacy Commissioners unanimously adopted PbD as an international standard in 2010.
PropTech (Property Technology) security standards address cybersecurity for smart buildings, building automation systems (BAS), and connected property management platforms. Key frameworks include: NIST SP 800-82 applied to building automation, UL 2900-2-3 (software cybersecurity requirements for security and life safety signalling systems), IEC 62443 for building industrial systems, BACnet Secure Connect (BACnet/SC, an addendum to ASHRAE Standard 135), and the Smart Building Cybersecurity Consortium guidance. Smart buildings contain thousands of IoT devices (HVAC, lighting, access control, fire systems, elevators) creating significant attack surfaces. PropTech platforms process sensitive tenant data, financial transactions, and operational data.
The Australian Government Protective Security Policy Framework sets out government protective security policy across six security domains. It applies to all non-corporate Commonwealth entities and is a key framework for safeguarding government people, information and assets. Release 2024 introduces requirements addressing supply chain security, third-party risk management, foreign interference, and security of operational or emerging technology.
Qatar's Personal Data Privacy Protection Law (Law No. 13 of 2016) establishes the data protection framework, with the Compliance and Data Protection Department under the Ministry of Transport and Communications overseeing enforcement. The law covers processing principles, consent requirements, data subject rights, cross-border transfers, and data security obligations. Applies to processing of personal data in Qatar. Separate provisions exist under the Qatar Financial Centre (QFC) Data Protection Regulations 2021, which are closely aligned with GDPR and applicable to QFC-registered entities.
The Reserve Bank of India (RBI) Cybersecurity Framework (2016, updated through subsequent circulars) provides mandatory cybersecurity requirements for banks operating in India. It establishes requirements for a dedicated cybersecurity policy, SOC establishment, CISO appointment, cyber crisis management, and incident reporting. Extended through subsequent guidance to include digital lending, payment systems, and urban cooperative banks.
RFC 2350 (BCP 21, 1998) describes the expectations of the Internet community regarding Computer Security Incident Response Teams (CSIRTs). It defines what a CSIRT should communicate about itself: mission, constituency, authority, policies, services, reporting procedures, and operating procedures. The RFC established the standard template for CSIRT descriptions still used today by incident response teams worldwide. Complemented by RFC 7970 (IODEF — Incident Object Description Exchange Format), RFC 8134 (Management Incident Lightweight Exchange implementation report), and RFC 9424 (Indicators of Compromise).
The Royal Institution of Chartered Surveyors (RICS) professional standards cover data management, technology, and cybersecurity considerations for the property and construction sector. RICS serves 134,000 professionals in 146 countries. Key standards include: RICS Data Standards for Property, RICS Guidance on PropTech and Data Ethics, Building Information Modelling (BIM) professional standards, and International Property Measurement Standards (IPMS). RICS members must comply with ethical standards for data handling, client confidentiality, and technology use in valuations, surveying, and property management.
The Regional Comprehensive Economic Partnership (RCEP), effective January 2022, includes a dedicated E-Commerce Chapter (Chapter 12) establishing digital trade rules among 15 Asia-Pacific countries (ASEAN-10, China, Japan, South Korea, Australia, New Zealand). RCEP covers the world's largest trading bloc by GDP (30% of global GDP). The E-Commerce Chapter addresses: electronic transactions legal framework, consumer protection online, personal data protection, cross-border data flows (with significant exceptions), paperless trading, and electronic authentication. Notable for balancing digital trade liberalisation with data sovereignty provisions.
The Responsible Minerals Initiative (RMI), managed by the Responsible Business Alliance (RBA), provides tools and resources for companies to address responsible mineral sourcing in their supply chains. The RMI's Responsible Minerals Assurance Process (RMAP) is the most widely adopted smelter/refiner audit programme for conflict minerals (tin, tantalum, tungsten, gold — 3TG) and cobalt. Over 400 smelters and refiners assessed. RMAP uses independent third-party audits against the RMAP assessment standard. Supports compliance with Dodd-Frank Section 1502, EU Conflict Minerals Regulation (2017/821), and OECD Due Diligence Guidance.
The Rhode Island Data Transparency and Privacy Protection Act (H 6096), signed into law in June 2024 and effective January 1, 2026, establishes consumer data privacy rights for Rhode Island residents. It applies to controllers conducting business in Rhode Island that process personal data of 35,000+ consumers, or 10,000+ consumers while deriving 20%+ revenue from data sales. Follows the Connecticut/Virginia model with universal opt-out mechanism requirements.
The right to disconnect provisions, inserted into the Fair Work Act 2009 by the Fair Work Legislation Amendment (Closing Loopholes No. 2) Act 2024, give employees a workplace right to refuse to monitor, read or respond to contact from their employer (or third parties) outside of their working hours, unless the refusal is unreasonable. Commenced 26 August 2024 for non-small business employers.
Romania's Law No. 190/2018 on measures for implementing EU Regulation 2016/679 (GDPR) supplements the GDPR with national provisions. The National Supervisory Authority for Personal Data Processing (ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) oversees enforcement. The law includes provisions for the age of digital consent (16 years), processing of national identification numbers (CNP), genetic and biometric data, research derogations, and sector-specific rules for health and employment data.
Russia's Federal Law No. 152-FZ on Personal Data (2006, as amended through 2023) regulates the processing of personal data in the Russian Federation. Roskomnadzor (Federal Service for Supervision of Communications) oversees compliance. Key requirements include data localisation (personal data of Russian citizens must be stored on servers in Russia), consent management, and breach notification. Significant amendments in 2022-2023 strengthened enforcement and increased penalties.
Rwanda's Law No. 058/2021 Relating to the Protection of Personal Data and Privacy establishes a comprehensive data protection framework. The National Cyber Security Authority (NCSA) serves as the data protection authority. The law establishes processing principles, data subject rights, controller and processor obligations, and provisions for cross-border transfers. Effective from October 2021.
SA8000:2014, developed by Social Accountability International (SAI), is a certifiable social accountability standard based on international human rights norms including ILO conventions, UN Declaration of Human Rights, and UN Convention on the Rights of the Child. It covers eight performance areas: child labour, forced labour, health and safety, freedom of association, discrimination, disciplinary practices, working hours, and remuneration. Plus a management system requirement. Over 4,500 certified facilities in 58 countries.
The SANS Institute Incident Handler's Handbook establishes the widely adopted PICERL incident response methodology: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. SANS provides widely recognised incident response training and certifications: GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Analyst (GCFA), and GIAC Certified Forensic Examiner (GCFE). The SANS methodology is taught in SEC504 (Hacker Tools, Techniques, and Incident Handling). SANS also maintains the Internet Storm Center (ISC) and SANS Technology Institute.
The Sustainability Accounting Standards Board (SASB) Standards identify the subset of environmental, social, and governance issues most relevant to financial performance for 77 industries. Now maintained by the IFRS Foundation (ISSB). Organized across five sustainability dimensions with 26 general issue categories. Each industry standard defines specific disclosure topics and accounting metrics.
The Sustainability Accounting Standards Board (SASB) Standards identify the subset of environmental, social, and governance issues most relevant to financial performance in 77 industries. Now maintained by the IFRS Foundation as part of ISSB standards, SASB Standards provide industry-specific disclosure topics and metrics. Referenced by ISSB S1/S2 and used by investors globally for ESG performance assessment. Covers 26 general issue categories across five sustainability dimensions.
SEC Final Rule: The Enhancement and Standardization of Climate-Related Disclosures for Investors. Adopted March 6, 2024 (Release Nos. 33-11275; 34-99678). Requires registrants to disclose climate-related risks, governance, strategy, risk management, metrics, and GHG emissions in registration statements and annual reports. Phased compliance was to begin in 2025. Note: the SEC voluntarily stayed the rules in April 2024 pending judicial review of the consolidated challenges in the Eighth Circuit.
SEC final rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (17 CFR 229, 249). Requires public companies (registrants) to disclose material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining materiality, and to describe cybersecurity risk management, strategy, and governance in annual reports on Form 10-K (Regulation S-K Item 106). Adopted July 26, 2023 and effective September 5, 2023; Form 8-K incident disclosure compliance began December 18, 2023 (June 15, 2024 for smaller reporting companies).
Standardized Information Gathering questionnaire for third-party risk
Trust Service Criteria for service organizations covering security, availability, processing integrity, confidentiality, and privacy
SOC for Cybersecurity, introduced by the AICPA in 2017, provides a framework for reporting on an organisation's cybersecurity risk management programme. Unlike SOC 2 (which focuses on service organisations), SOC for Cybersecurity is designed for any organisation to communicate about its cybersecurity efforts. The examination uses the AICPA Description Criteria for Management's Description and the AICPA Trust Services Criteria or other suitable criteria. General-use report suitable for boards, investors, and business partners.
The SQF (Safe Quality Food) Code Edition 9 (2020) is a GFSI-benchmarked food safety and quality management certification programme. Managed by the SQF Institute (a division of FMI — the Food Industry Association). Covers primary production, manufacturing, storage, distribution, and retail. Three certification levels: SQF Fundamentals (Level 1), SQF Food Safety (Level 2), and SQF Food Safety and Quality (Level 3). Applicable to all food industry sectors. Over 10,000 certified sites globally.
SOC 1 reports, issued under SSAE 18 (AT-C Section 320) by the AICPA, provide assurance on controls at a service organisation relevant to user entities' internal control over financial reporting (ICFR). The US equivalent of ISAE 3402. Type I reports assess control design at a point in time. Type II reports assess design and operating effectiveness over a period. Essential for service organisations whose services affect clients' financial statements (payroll processors, loan servicers, data centres).
Statement on Standards for Attestation Engagements No. 18 (SSAE 18) provides the framework for SOC (System and Organization Controls) reporting engagements. It governs SOC 1 (internal controls over financial reporting), SOC 2 (Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy), and SOC 3 reports. Published by the AICPA, it is the standard used by auditors worldwide for service organization control assessments.
SWIFT Customer Security Programme for financial messaging
The SWIFT Customer Security Programme (CSP) establishes mandatory and advisory security controls for all SWIFT users. The Customer Security Controls Framework (CSCF) defines baseline security requirements to protect the local SWIFT infrastructure. All SWIFT users must attest annual compliance. The framework is updated annually with increasing requirements. Applies to all organizations connected to the SWIFT network.
Samoa's Telecommunications Act 2005, administered by the Office of the Regulator, includes provisions for privacy and confidentiality of telecommunications. The Act protects customer data held by telecommunications providers, requires consent for disclosure, and establishes obligations for service providers regarding data security. Samoa does not yet have standalone data protection legislation, but the Telecommunications Act provides the primary privacy protections for electronic communications and customer data.
Saudi National Cybersecurity Authority Essential Cybersecurity Controls
The Science Based Targets initiative (SBTi) provides a framework for companies to set greenhouse gas emission reduction targets consistent with climate science. Over 7,000 companies have committed to or set science-based targets. The SBTi Net-Zero Standard (2021) requires: near-term targets (50-58% reduction by 2030), long-term targets (90-95% reduction by 2050), and neutralisation of residual emissions. Sector-specific guidance available for: financial institutions, power sector, buildings, cement, chemicals, steel, forest/land/agriculture, aviation, and maritime. SBTi validates targets against 1.5°C pathways. Recognised by CSRD, ISSB, and major ESG rating agencies.
The Science Based Targets initiative (SBTi) Corporate Standard provides methods and criteria for companies to set greenhouse gas emission reduction targets consistent with limiting global warming to 1.5°C. Companies commit to setting near-term targets (5-10 years) and long-term targets (by 2050). Validated by SBTi. Over 9,000 companies committed worldwide. Targets cover Scope 1, 2, and 3 emissions. Sector-specific pathways available for power, transport, steel, and other sectors.
Section 508 of the Rehabilitation Act (as revised in 2017 incorporating WCAG 2.0 Level AA) requires federal agencies to make their information and communications technology (ICT) accessible to people with disabilities. The revised standards (36 CFR Part 1194) incorporate WCAG 2.0 Level AA success criteria for web, software, and electronic documents, and provide functional performance criteria for hardware. Applies to all federal ICT including websites, software, hardware, and electronic documents.
Australian legislation mandating security obligations for owners and operators of critical infrastructure assets across 11 sectors, including cyber incident reporting, risk management programs, and enhanced cyber security obligations for systems of national significance.
Senegal's Law No. 2008-12 on the Protection of Personal Data (2008) establishes a comprehensive data protection framework, making Senegal one of the first West African countries with dedicated data protection legislation. The Commission de Protection des Données Personnelles (CDP) oversees compliance. The law establishes processing principles, consent requirements, registration obligations, and individual rights. Aligned with the ECOWAS framework.
Peter Senge's framework for building learning organizations as published in 'The Fifth Discipline: The Art and Practice of the Learning Organization' (1990, revised 2006). The core premise is that an organization's competitive advantage comes from its capacity to learn faster than competitors. Introduces five interrelated disciplines and eleven laws of systems thinking.
Serbia's Law on Personal Data Protection (Official Gazette No. 87/2018), effective August 2019, is closely aligned with the EU GDPR as part of Serbia's EU accession process. The Commissioner for Information of Public Importance and Personal Data Protection oversees enforcement. The law covers processing principles, lawful bases (including consent and legitimate interest), data subject rights (access, rectification, erasure, portability), DPO requirements, breach notification, and cross-border transfers. Applies to all personal data processing in Serbia.
Sigstore is a set of open-source tools for signing, verifying, and protecting software artifacts. Created by Google, Red Hat, and Purdue University, now under the OpenSSF. Components: Cosign (container and artifact signing), Fulcio (certificate authority for ephemeral certificates), Rekor (transparency log), and Gitsign (git commit signing). Sigstore enables keyless signing using OIDC identity (GitHub, Google, Microsoft accounts). Used by npm, PyPI, Kubernetes, Homebrew, and major package ecosystems. Over 20 million signatures in the public Rekor transparency log. Adopted by Kubernetes as the standard for supply chain security.
Singapore Model AI Governance Framework
The Singapore Cybersecurity Act 2018 establishes a legal framework for the oversight and maintenance of national cybersecurity. It designates Critical Information Infrastructure (CII) sectors, establishes the Cyber Security Agency of Singapore (CSA) as the regulatory authority, and provides for incident reporting, cybersecurity audits, and penetration testing. The 2024 amendments expand coverage to encompass entities of special cybersecurity interest and foundational digital infrastructure.
Singapore's Instruction Manual on ICT and Smart Systems Management (IM8), managed by the Government Technology Agency (GovTech), establishes ICT security policies and standards for Singapore Government agencies. IM8 covers data security classification, cloud security, application security, network security, endpoint security, and security operations. Mandatory for all government ICT systems. Complemented by the Government Commercial Cloud (GCC) framework for cloud adoption.
Singapore's Model AI Governance Framework (2nd Edition, 2020), published by the Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission (PDPC), provides detailed guidance for organisations deploying AI responsibly. It translates ethical AI principles into implementable practices across four areas: internal governance, determining AI decision-making model, operations management, and stakeholder interaction. Accompanied by the AI Verify testing framework for verifying AI governance claims.
Singapore's Payment Services Act (PSA, 2019, amended 2024) establishes a comprehensive licensing framework for payment services including digital payment token (DPT) services. Administered by the Monetary Authority of Singapore (MAS). Key requirements include: Major Payment Institution (MPI) licence for large-scale DPT services, Standard Payment Institution (SPI) licence for smaller operations, user protection requirements, AML/CFT compliance, technology risk management (MAS TRM Guidelines), and cyber hygiene. MAS has also issued PS-N02 (Notice on Prevention of Money Laundering and Countering the Financing of Terrorism for DPT Services) and Guidelines on Provision of Digital Payment Token Services to the Public.
The Singapore Payment Services Act 2019 (PSA), administered by the Monetary Authority of Singapore (MAS), provides a modular licensing framework for payment service providers including digital payment token (DPT) services. DPT provisions cover exchanges, custodians, and transfer service providers. Anti-money laundering and consumer protection requirements. MAS has issued comprehensive DPT licensing guidelines including technology risk management, cybersecurity, and customer protection measures.
Singapore's Protection from Online Falsehoods and Manipulation Act (POFMA, Act 18 of 2019) provides a framework for combating online falsehoods that threaten public interest. POFMA empowers Ministers to issue correction directions (requiring corrections to be published alongside false statements) and stop communication directions. The Act also addresses internet intermediaries and digital advertising. Administered by the POFMA Office under the Ministry of Communications and Information. Notable for its government-directed correction model rather than platform self-regulation.
Directive 2009/138/EC of the European Parliament and Council on the taking-up and pursuit of the business of Insurance and Reinsurance. Establishes a risk-based regulatory framework for EU insurance and reinsurance companies built on three pillars: quantitative requirements (capital, valuation), governance and risk management, and reporting and disclosure. In force since 1 January 2016; regulated by EIOPA.
The Promotion of Access to Information Act 2 of 2000 (PAIA) gives effect to the constitutional right of access to information held by the state and private bodies. It establishes voluntary and mandatory grounds for disclosure, sets out procedures for requesting information, and defines exemptions. Administered by the South African Human Rights Commission (SAHRC) and the Information Regulator.
The South Korea Cloud Security Assurance Program (CSAP), operated by the Korea Internet & Security Agency (KISA) under the Cloud Computing Act, is a mandatory certification for cloud service providers serving government agencies and public institutions. It evaluates cloud services against security requirements across 14 control areas. Three certification levels: standard, enhanced, and SaaS simplified. Annual renewal required.
The South Korea Credit Information Use and Protection Act (as amended 2020, effective 2021) regulates the collection, use, and protection of credit information (financial and personal credit data). The 2020 MyData amendments enable individuals to request their financial data be transferred to authorized third-party service providers. Financial Services Commission (FSC) and Financial Supervisory Service (FSS) oversee compliance. Covers credit bureaus, financial institutions, and MyData operators.
ISMS-P (Information Security Management System - Personal information) is South Korea's integrated certification framework combining information security management (ISMS) and personal information protection (PIMS). Administered by KISA (Korea Internet & Security Agency), it is mandatory for telecommunications operators, ISPs, and large online service providers. Covers 80 control items across management system, protection measures, and personal information processing stages.
The Korea Internet Self-Governance Organisation (KISO) Code of Ethics, established in 2009, is a self-regulatory framework for major South Korean internet platforms. Members include Naver, Kakao, and other leading Korean internet companies. KISO reviews content moderation decisions, provides policy recommendations, and establishes industry standards for online content governance. The Code covers search result fairness, content moderation transparency, user privacy, and platform responsibility. KISO operates alongside statutory regulation by the Korea Communications Standards Commission (KCSC) under the Information and Communications Network Act.
Personal Information Protection Act of South Korea
The South Korea Personal Information Protection Act (PIPA, as amended 2023) is the country's comprehensive data protection law. Administered by the Personal Information Protection Commission (PIPC), it establishes data processing principles, individual rights, controller obligations, and cross-border transfer provisions. The 2023 amendments align PIPA more closely with the GDPR, including provisions for automated decision-making, data portability, and mandatory DPOs for large processors.
The Space Information Sharing and Analysis Center (Space ISAC), launched in 2019 and operational from 2020, provides threat intelligence, vulnerability coordination, and incident response support for the global space industry. Housed at the National Cybersecurity Center in Colorado Springs. Members include satellite operators, launch providers, ground system operators, and space-related government agencies. The Space ISAC threat framework categorises space-specific cyber and physical threats, provides indicators of compromise (IOCs), and coordinates vulnerability disclosure for space systems. Key focus areas include: ground segment cyber threats, space segment RF/cyber attacks, supply chain integrity, and space weather impacts.
Spanish National Security Framework (Esquema Nacional de Seguridad)
Spain's Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) supplements the EU GDPR with national provisions and establishes a catalogue of digital rights. The Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos) oversees enforcement. Notable features include digital rights (right to disconnect, digital education, rectification on the internet), age of digital consent (14 years), deceased persons' data rights, and internal whistleblower provisions. AEPD is one of the most active DPAs in Europe.
The Sri Lanka Personal Data Protection Act No. 9 of 2022 establishes a comprehensive data protection framework for Sri Lanka. It creates the Data Protection Authority of Sri Lanka, establishes data processing principles, individual rights, and obligations for controllers and processors. Applies to processing of personal data of individuals in Sri Lanka. Implementation phased over 18 months from commencement.
The Student Privacy Pledge 2020, managed by the Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA), is a voluntary industry commitment by education technology companies to safeguard student privacy. Signatories commit to responsible data handling practices aligned with FERPA, COPPA, and state student privacy laws. Over 400 companies have signed the pledge.
Sweden's Data Protection Act (Dataskyddslag, 2018:218) supplements the EU GDPR with national provisions. Sweden's Integritetsskyddsmyndigheten (IMY, Swedish Authority for Privacy Protection) oversees enforcement. The Act includes provisions for processing of national identification numbers (personnummer), processing for journalistic purposes (with strong free speech protections), processing by authorities, the age of digital consent (13 years), and sanctions. Sweden has a strong tradition of transparency through its Freedom of the Press Act and public access principle (offentlighetsprincipen).
Switzerland's revised Federal Act on Data Protection (nFADP/nDSG, Datenschutzgesetz, in force September 1, 2023) modernises Swiss data protection law to align with the EU GDPR and maintain the EU adequacy decision. The Federal Data Protection and Information Commissioner (FDPIC/EDÖB) oversees enforcement. Key changes from the former law: privacy by design and default, DPIA requirements, breach notification, enhanced data subject rights (including portability), profiling provisions, and increased penalties. Switzerland is not an EU member but maintains EU adequacy status.
Task Force on Climate-related Financial Disclosures
The Trusted Exchange Framework and Common Agreement (TEFCA), developed by the Office of the National Coordinator for Health IT (ONC) under the 21st Century Cures Act, establishes a universal governance framework for nationwide health information exchange. TEFCA enables interoperable exchange of electronic health information among Qualified Health Information Networks (QHINs). Version 2.0 effective 2024 with operational exchanges beginning.
TISAX (Trusted Information Security Assessment Exchange) is an information security assessment and exchange mechanism for the European automotive industry. Managed by the ENX Association on behalf of the German Association of the Automotive Industry (VDA). Based on VDA Information Security Assessment (ISA) catalogue, which builds on ISO/IEC 27001 with automotive-specific requirements. Covers information security, prototype protection, and data protection. Assessment results shared via the TISAX portal between participants.
Recommendations of the Taskforce on Nature-related Financial Disclosures (TNFD) v1.0, published September 2023. Provides a risk management and disclosure framework for organizations to report and act on evolving nature-related dependencies, impacts, risks, and opportunities. Consists of 14 recommended disclosures (11 recast from TCFD for nature plus 3 nature-specific additions) across 4 pillars, plus the LEAP assessment approach and 6 general requirements.
The Transportation Security Administration (TSA) Pipeline Cybersecurity Directives (Security Directive Pipeline-2021-01 and -02, revised 2023) establish mandatory cybersecurity requirements for owners and operators of hazardous liquid and natural gas pipelines designated as critical. Issued following the Colonial Pipeline incident, the directives require cybersecurity implementation plans, incident reporting, and specific cybersecurity measures.
Tanzania's Personal Data Protection legislation establishes a framework for the protection of personal data, regulating the collection, processing, storage, and transfer of personal data. It establishes individual rights, data processor obligations, and enforcement mechanisms. Builds on the Electronic and Postal Communications Act (EPOCA) and the Cybercrimes Act.
The Telecommunications Sector Security Reforms, enacted through Part 14 of the Telecommunications Act 1997, require carriers and carriage service providers to protect Australian telecommunications networks from national security risks. Commenced September 2018. Administered by the Department of Home Affairs.
The Tennessee Information Protection Act (HB 1181, effective July 1, 2025) provides comprehensive consumer privacy rights. Applies to entities conducting business in Tennessee that control or process personal data of 175,000+ consumers, or 25,000+ consumers while deriving over 50% of gross revenue from data sales. Notable for affirmative defence for controllers maintaining privacy programs conforming to NIST Privacy Framework.
Texas Data Privacy and Security Act
The Five Practices of Exemplary Leadership framework developed by James M. Kouzes and Barry Z. Posner, based on 40+ years of research analyzing personal-best leadership case studies. Identifies five practices leaders exhibit at their best, supported by Ten Commitments and measured by the Leadership Practices Inventory (LPI). 7th edition (2023), over 3 million copies sold, translated into 20+ languages.
Tonga's Communications Act 2015, administered by the Tonga Communications Commission, includes provisions for privacy and confidentiality of communications. The Act addresses telecommunications service provider obligations for customer data protection, interception safeguards, and consumer protection. Tonga does not have standalone data protection legislation; the Communications Act provides the primary regulatory framework for privacy of electronic communications and customer information.
The Trinidad and Tobago Data Protection Act 2011 (proclaimed in stages, substantially operative) establishes a data protection framework. The Office of the Information Commissioner oversees compliance. The Act establishes data protection principles based on the EU Data Protection Directive model, individual rights, and provisions for cross-border transfers. Applies to the processing of personal data in Trinidad and Tobago.
Tunisia's Organic Law No. 2004-63 on the Protection of Personal Data (2004) was the first comprehensive data protection law in Africa and the Arab world. The National Authority for the Protection of Personal Data (INPDP) oversees compliance. The law establishes processing principles, individual rights, registration requirements, and cross-border transfer restrictions. A reform aligning with GDPR has been under consideration.
Turkey's Personal Data Protection Law (KVKK, Law No. 6698 of 2016) establishes comprehensive data protection rules modelled on the EU Data Protection Directive (95/46/EC). The Personal Data Protection Authority (KVKK Board) oversees compliance. Amended in 2024 to strengthen cross-border transfer provisions with an EU GDPR-aligned approach. Applies to all natural and legal persons processing personal data in Turkey.
The Dubai Virtual Asset Regulatory Authority (VARA), established by Law No. 4 of 2022, is the world's first independent regulator dedicated to virtual assets. VARA regulates virtual asset service providers (VASPs) operating in or from Dubai (excluding DIFC). Comprehensive rulebooks cover: company, compliance and risk management, market conduct, technology and information, issuance, exchange, broker-dealer, lending/borrowing, custody, management/investment, and transfer/settlement services.
UK pro-innovation approach to AI regulation
The UK Age Appropriate Design Code (Children's Code), issued by the ICO under the Data Protection Act 2018, establishes 15 standards that online services likely to be accessed by children must comply with. Effective September 2, 2021, it sets expectations for how children's data should be handled by default. Applies to information society services likely to be accessed by children under 18 in the UK.
The UK Bribery Act 2010 is considered one of the strictest anti-bribery laws globally. It creates four offences: bribing another person (Section 1), being bribed (Section 2), bribing foreign public officials (Section 6), and failure of a commercial organisation to prevent bribery (Section 7). The Section 7 corporate offence has strict liability — the only defence is demonstrating 'adequate procedures' to prevent bribery. The Serious Fraud Office (SFO) prosecutes. Applies to UK companies and any company carrying on business in the UK. No facilitation payment exception.
The UK Building Safety Act 2022, enacted in response to the Grenfell Tower fire (2017), establishes a new regulatory framework for building safety in England. It creates the Building Safety Regulator (within HSE), introduces a new regulatory regime for higher-risk buildings (over 18m/7+ storeys), requires a Building Safety Case and golden thread of building information, and establishes duty holder responsibilities. Key provisions include gateway points for design and construction, mandatory occurrence reporting, resident engagement, and a new homes ombudsman. The Act represents the most significant reform of UK building safety regulation in a generation.
The UK Concordat on Open Research Data, endorsed by UK Research and Innovation (UKRI) signatories, establishes expectations and responsibilities for the management and sharing of research data. It sets out ten principles covering data management planning, access, curation, and governance. Signatories include major UK research funders, universities, and learned societies. The Concordat complements GDPR requirements and the UK Data Protection Act 2018 provisions for research. It promotes open data while safeguarding privacy and confidentiality.
The Construction (Design and Management) Regulations 2015 (CDM 2015) are the UK's primary regulations for managing health, safety, and welfare in construction projects. They implement the EU Temporary or Mobile Construction Sites Directive (92/57/EEC). CDM 2015 applies to all construction projects regardless of size. Key duty holders: clients, principal designers, principal contractors, designers, and contractors. Requirements include pre-construction information, construction phase plans, health and safety files, worker consultation, and welfare facilities. Enforced by the Health and Safety Executive (HSE).
The UK Data Protection Act 2018 supplements the UK GDPR (retained EU law) and implements the Law Enforcement Directive provisions. It sets out the framework for data protection in the UK including the role and powers of the Information Commissioner's Office (ICO), processing conditions for law enforcement and intelligence services, and UK-specific derogations. Applies alongside the UK GDPR to all processing of personal data.
UK Defence Standard 05-138 establishes cyber security requirements for organisations in the UK defence supply chain. Mandated by the Ministry of Defence (MOD) for contracts handling MOD information and systems. Issue 3 (2024) aligns with NCSC Cyber Essentials Plus and the MOD Cyber Security Model. Requirements cover: organisational security, asset management, access control, cryptography, physical security, operations security, communications security, supply chain security, incident management, and business continuity. Suppliers must achieve Cyber Essentials Plus certification as a minimum, with enhanced requirements for higher-sensitivity contracts.
The UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) operational resilience framework (effective March 2022, full compliance by March 2025) requires financial institutions to identify important business services, set impact tolerances, and ensure they can remain within those tolerances during severe but plausible disruptions. Applies to banks, building societies, PRA-designated investment firms, insurers, and recognised payment system operators.
The UK GDPR is the retained EU law version of the General Data Protection Regulation as it forms part of UK domestic law after Brexit (via the European Union (Withdrawal) Act 2018). It applies alongside the Data Protection Act 2018. Substantively similar to EU GDPR but with UK-specific modifications including the ICO as supervisory authority, UK adequacy decisions for international transfers, and UK representatives for non-UK controllers.
The UK Gambling Commission's cyber resilience requirements, set out in the Licence Conditions and Codes of Practice (LCCP), mandate that all licensed gambling operators implement appropriate cybersecurity measures. Key requirements include protection of player data, system integrity for fair gaming, financial transaction security, and incident reporting. The Commission's Remote Technical Standards set specific technical security requirements for online gambling systems. Operators must meet these as a condition of their licence.
The UK Modern Slavery Act 2015 is landmark legislation addressing slavery, servitude, forced labour, and human trafficking. Part 6, Section 54 (Transparency in Supply Chains) requires commercial organisations with annual turnover of GBP 36 million or more to publish an annual modern slavery statement describing steps taken to ensure slavery and trafficking are not occurring in their business or supply chains. The Home Office maintains a Modern Slavery Statement Registry. The Act also established the Independent Anti-Slavery Commissioner.
The UK Office for Nuclear Regulation (ONR) establishes cyber security requirements for UK civil nuclear facilities through its Security Assessment Principles (SyAPs) and Technical Assessment Guides (TAGs). ONR's CSIA expectations require nuclear licensees to implement comprehensive cyber security programmes protecting systems important to nuclear safety, security, and safeguards. Based on the graded approach proportionate to nuclear safety significance. ONR assesses cyber security as part of site licence conditions (particularly LC17 — Management Systems and LC27 — Safety Mechanisms). Aligns with NCSC guidance and IAEA NSS.
The UK Online Safety Act 2023 establishes a comprehensive regulatory framework for online safety, placing duties on user-to-user services and search services to protect users from illegal content and, for larger platforms, content harmful to children. Ofcom is the regulator. Category 1 services (largest platforms with highest risk) face additional duties regarding content harmful to adults, user empowerment, and transparency. The Act covers illegal content duties, child safety duties, fraudulent advertising, and platform transparency. Significant penalties including up to 10% of global revenue.
The UK Open Banking Standard, established by the Competition and Markets Authority (CMA) Open Banking Order 2017, requires the nine largest UK banks (CMA9) to share customer data securely with authorised third-party providers (TPPs) via standardised APIs. Managed by the Open Banking Implementation Entity (OBIE), it enables Account Information Services (AIS) and Payment Initiation Services (PIS). Transitioning to a long-term framework under the Joint Regulatory Oversight Committee (JROC).
UK Product Security and Telecommunications Infrastructure Act
The UK Product Security and Telecommunications Infrastructure Act 2022 (PSTI), with regulations effective April 29, 2024, establishes minimum security requirements for consumer connectable products sold in the UK. It is the first national legislation implementing the ETSI EN 303 645 baseline requirements. Applies to manufacturers, importers, and distributors of internet-connected consumer products.
The UK Security and Emergency Measures Direction (SEMD, 2022) issued by Defra (Department for Environment, Food and Rural Affairs) under the Water Industry Act 1991 establishes security requirements for water and sewerage companies in England and Wales. SEMD requires water companies to protect their infrastructure against threats including cyber attacks, physical security threats, and contamination. Water companies must conduct risk assessments, implement security measures, and maintain emergency plans. The Drinking Water Inspectorate (DWI) oversees drinking water quality security. Cyber resilience requirements align with NIS Regulations 2018 (and NIS2 transposition) as water is designated a critical national infrastructure sector.
The UK Telecommunications (Security) Act 2021 amends the Communications Act 2003 to strengthen the security of the UK's telecommunications networks and services. It gives the Secretary of State power to issue security codes of practice and Ofcom powers to enforce compliance. The associated Electronic Communications (Security Measures) Regulations 2022 specify detailed security requirements. Applies to all public telecoms providers in the UK.
The United Nations Guiding Principles on Business and Human Rights (UNGPs), unanimously endorsed by the UN Human Rights Council in 2011, establish the authoritative global standard for preventing and addressing human rights impacts linked to business activity. The UNGPs rest on three pillars: the State duty to protect human rights, the corporate responsibility to respect human rights, and access to remedy. The corporate responsibility pillar requires human rights due diligence — a process to identify, prevent, mitigate, and account for adverse human rights impacts. The UNGPs inform mandatory human rights due diligence legislation globally (EU CSDDD, German LkSG, French Loi de Vigilance).
The UNCITRAL Model Law on Electronic Commerce (1996) is the foundational international framework for electronic commerce legislation. Developed by the United Nations Commission on International Trade Law. Adopted or used as a basis for legislation in over 80 countries. Establishes principles of non-discrimination (electronic records not denied legal effect solely because they are electronic), functional equivalence (electronic equivalents of paper-based requirements), and technology neutrality. The 2005 United Nations Convention on the Use of Electronic Communications in International Contracts builds on the Model Law.
UN Regulation on Software Updates for vehicles
The first global normative instrument on the ethics of artificial intelligence, adopted by all 193 UNESCO Member States in November 2021. Establishes a comprehensive framework of values, principles, and policy action areas to guide the ethical development and deployment of AI systems worldwide.
UNICEF's Policy Guidance on AI for Children (2021), developed with the Government of Finland, provides nine requirements for child-centred AI systems. The guidance addresses: AI systems used by children, AI systems used about children (affecting children's lives), and AI systems developed by or with children. Nine requirements: support children's development and wellbeing, ensure inclusion of and for children, prioritise fairness and non-discrimination, protect children's data and privacy, ensure safety for children, provide transparency and accountability, empower governments and businesses with AI knowledge for children, prepare children for AI developments, and create an enabling environment. Endorsed by 40+ countries and referenced by OECD and IEEE.
Title III of the Americans with Disabilities Act (ADA, 42 U.S.C. § 12181) prohibits discrimination on the basis of disability in places of public accommodation. Through DOJ guidance (2024) and extensive federal court precedent, Title III has been applied to websites, mobile applications, and digital services of private entities that constitute places of public accommodation. The DOJ published a final rule in April 2024 establishing WCAG 2.1 Level AA as the technical standard for web and mobile application accessibility under Title III. Compliance deadlines: large entities by April 2026, smaller entities by April 2027.
The US Automated Commercial Environment (ACE) is the primary system through which the trade community reports imports and exports and the US government determines admissibility. Managed by US Customs and Border Protection (CBP). ACE serves as the Single Window for international trade data. The International Trade Data System (ITDS) integrates 49 participating government agencies through ACE. Key requirements include advance cargo information (10+2 rule for ocean, ACAS for air), entry filing, export declarations, and Partner Government Agency (PGA) data requirements. All import/export transactions must be filed electronically through ACE.
The Children's Online Privacy Protection Act (COPPA, 1998) and FTC COPPA Rule (16 CFR Part 312) regulate the online collection, use, and disclosure of personal information from children under 13. FTC proposed updates in 2024 (commonly called 'COPPA 2.0') include: expanded definition of personal information (biometric data, device identifiers), stronger data security requirements, data retention limits, enhanced protections against targeted advertising to children, and EdTech provider obligations. The Kids Online Safety and Privacy Act (KOSPA, proposed) would extend COPPA-like protections to 13-16 year olds. FTC enforces COPPA with civil penalties up to $51,744 per violation.
The US Consumer Product Safety Commission (CPSC) is the federal agency responsible for protecting consumers from unreasonable risks of injury or death from consumer products. CPSC has expanded focus to include connected (IoT) consumer products. Key activities include: IoT consumer product hazard identification, CPSC's Connected Consumer Products initiative, product recall authority for cybersecurity-related safety hazards, coordination with NIST and CISA on IoT security, and CPSIA (Consumer Product Safety Improvement Act) reporting requirements. CPSC maintains a public product safety database (SaferProducts.gov) and can issue mandatory safety standards.
The US Environmental Protection Agency (EPA) enforces cybersecurity requirements for public water systems under the Safe Drinking Water Act (SDWA). Key requirements include: America's Water Infrastructure Act (AWIA, 2018) Section 2013 mandating risk and resilience assessments including cyber risks, EPA enforcement actions for cybersecurity failures (using SDWA Section 1433), and EPA's 2023 memorandum requiring states to include cybersecurity in public water system sanitary surveys. EPA works with CISA to provide technical assistance. Applies to approximately 151,000 public water systems in the United States.
Executive Order 14028 (May 2021) is a landmark US federal cybersecurity directive mandating improvements to federal cybersecurity including zero trust architecture, software supply chain security, incident detection and response, and federal security standardization. It directed NIST to develop secure software development guidelines and SBOM requirements, and required agencies to implement zero trust architecture by FY2024.
The Foreign Corrupt Practices Act (FCPA, 1977, amended 1988/1998) is a US federal law that prohibits the bribery of foreign government officials and requires publicly traded companies to maintain accurate books and records and adequate internal accounting controls. Enforced jointly by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC). The FCPA has broad extraterritorial jurisdiction covering US persons, issuers, and any person acting within US territory. DOJ Evaluation of Corporate Compliance Programs (2023 update) provides enforcement guidance.
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 CFR Part 314), as amended by the FTC in 2021, applies to higher education institutions that engage in financial activities such as student lending, financial aid processing, and payment plans. The updated rule requires institutions to develop, implement, and maintain a comprehensive information security program. Key requirements include risk assessment, access controls, encryption, multi-factor authentication, incident response, and appointment of a qualified individual. Compliance deadline was June 2023.
The International Traffic in Arms Regulations (ITAR, 22 CFR Parts 120-130) and Export Administration Regulations (EAR, 15 CFR Parts 730-774) are US export control regimes with significant cybersecurity and data protection implications. ITAR covers defence articles and technical data on the US Munitions List (USML), administered by the State Department Directorate of Defense Trade Controls (DDTC). EAR covers dual-use items on the Commerce Control List (CCL), administered by the Bureau of Industry and Security (BIS). Both require: access controls for controlled data, encryption of technical data, deemed export controls for foreign nationals, cloud computing restrictions, and cybersecurity incident reporting. Violations carry criminal penalties up to $1M and 20 years imprisonment.
The US Maritime Transportation Security Act (MTSA, 2002) and subsequent US Coast Guard (USCG) regulations establish security requirements for US maritime facilities and vessels. USCG Navigation and Vessel Inspection Circular (NVIC) 01-20 provides guidance on addressing cyber risks in Facility Security Assessments (FSA) and Facility Security Plans (FSP) per 33 CFR Part 105. NVIC 05-17 addresses cyber risks in Area Maritime Security Plans. The 2024 USCG cyber incident reporting rule establishes mandatory cyber incident reporting for MTSA-regulated facilities. Applies to port facilities, OCS (outer continental shelf) facilities, and vessels operating in US waters.
US Nuclear Regulatory Commission (NRC) regulation 10 CFR 73.54 establishes requirements for nuclear power plant licensees to protect digital computer and communication systems and networks associated with safety, security, and emergency preparedness functions from cyber attacks. Implemented through NEI 08-09 (Cyber Security Plan for Nuclear Power Reactors), endorsed by NRC Regulatory Guide 5.71. Requires a cyber security programme, assessment of digital assets, defensive architecture, and ongoing monitoring. All US operating nuclear power plants must have NRC-approved cyber security plans.
The US Office of Foreign Assets Control (OFAC), within the Treasury Department, administers and enforces economic and trade sanctions programmes. OFAC published its Framework for Compliance Commitments (2019) outlining the five essential components of an effective sanctions compliance programme. Sanctions programmes include the Specially Designated Nationals (SDN) List, sectoral sanctions, and comprehensive country embargoes. OFAC sanctions have significant extraterritorial reach through secondary sanctions. Violations can result in civil penalties up to $330,000+ per violation or criminal penalties up to $20M and 30 years imprisonment.
The US Securities and Exchange Commission (SEC) regulatory framework for digital assets determines when crypto-assets are securities subject to federal securities laws. Key developments include: SEC v. Ripple and SEC v. Coinbase precedents, application of the Howey test to digital assets, registration requirements for exchanges and broker-dealers handling digital asset securities, custody requirements (SAB 121, partially rescinded), and the SEC's approach to Bitcoin and Ethereum ETFs. The SEC requires registration of crypto exchanges as national securities exchanges or alternative trading systems (ATS), broker-dealer registration for platforms facilitating digital asset securities, and compliance with Regulation ATS, Regulation SHO, and Regulation NMS where applicable.
Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as revised in January 2017 by the US Access Board, requires that all federal government ICT (information and communications technology) be accessible to people with disabilities. The revised standards incorporate WCAG 2.0 Level AA for web and electronic content. Applies to federal agencies developing, procuring, maintaining, or using ICT. The Revised 508 Standards align with EN 301 549 for international harmonisation. Enforced through complaint mechanisms, Section 508 coordinators, and OMB reporting.
Chapter 19 (Digital Trade) of the United States-Mexico-Canada Agreement (USMCA, effective July 2020) establishes digital trade rules between the US, Mexico, and Canada. It is the most comprehensive digital trade chapter in any trade agreement. Key provisions include prohibition on customs duties on digital products, free cross-border data flows, prohibition on data localisation, source code protection, liability protections for online platforms (Section 230-equivalent), and consumer protection. The chapter sets the gold standard for digital trade provisions in FTAs.
The Uganda Data Protection and Privacy Act, 2019 regulates the collection, processing, and storage of personal data in Uganda. It establishes the Personal Data Protection Office, defines data subject rights, sets obligations for data controllers and processors, and provides for cross-border data transfer restrictions. Applies to all persons who collect, process, hold, or use personal data within Uganda.
Ukraine's Law on Personal Data Protection (Law No. 2297-VI of 2010) establishes the framework for personal data processing. The Ukrainian Parliament Commissioner for Human Rights oversees data protection. Ukraine committed to aligning its data protection framework with EU GDPR as part of its EU accession process. A new draft law aligning with GDPR was under development. The current law establishes basic processing principles, consent requirements, and data subject rights.
Uruguay's Personal Data Protection Act (Law No. 18.331 of 2008) establishes a comprehensive data protection framework. The Regulatory and Control Unit for Personal Data (URCDP) oversees compliance. Uruguay holds EU adequacy recognition (since 2012), making it one of only two Latin American countries with this status. The law establishes processing principles, data subject rights, database registration, and cross-border transfer provisions.
Uzbekistan's Law on Personal Data (No. ZRU-547, 2019) establishes the personal data protection framework. The State Inspectorate for Supervision of Informatisation and Telecommunications oversees compliance. The law covers processing principles, consent requirements, data subject rights, cross-border transfer provisions, and data security obligations. Applies to processing of personal data by state bodies, legal entities, and individuals in Uzbekistan.
Conceptual framework characterizing four dimensions of the modern strategic environment: Volatility, Uncertainty, Complexity, and Ambiguity. Originated with Bennis & Nanus (1985) and the US Army War College (1987). Includes Bob Johansen's VUCA Prime response model (2007) mapping each challenge to a leadership response: Vision, Understanding, Clarity, Agility.
Vermont's Artificial Intelligence and Consumer Data Act (H.121, vetoed June 2024 but reflecting legislative intent) would have established comprehensive consumer data privacy protections and AI governance requirements. The bill included consumer privacy rights, data minimisation, AI system transparency, algorithmic impact assessments, and a private right of action. Vermont continues to consider similar legislation. This entry captures the proposed framework as a reference.
Vietnam's Law on Cybersecurity (No. 24/2018/QH14), effective January 1, 2019, and its implementing Decree 13/2023/ND-CP, establish cybersecurity requirements for information systems in Vietnam. Key provisions include data localization for certain data categories, mandatory local office requirements for specified service providers, content moderation obligations, and cybersecurity incident reporting. Applies to foreign and domestic service providers operating in Vietnam.
The Virginia Consumer Data Protection Act (effective January 1, 2023) is a comprehensive consumer privacy law establishing rights for Virginia residents and obligations for businesses. It applies to persons conducting business in Virginia or producing products/services targeted to Virginia residents that control or process personal data of at least 100,000 consumers annually, or 25,000 consumers while deriving over 50% of gross revenue from sale of personal data.
The Voluntary Principles on Security and Human Rights (VPs), established in 2000, guide extractive sector companies in maintaining the safety and security of their operations within a framework that respects human rights. The VPs are a multi-stakeholder initiative involving governments (13), companies (39), and NGOs (13). Three pillars: risk assessment, interactions with public security, and interactions with private security. Companies report annually on VP implementation. The VP Initiative is administered from The Hague. Particularly relevant for operations in conflict-affected and high-risk areas.
The W3C Verifiable Credentials Data Model 2.0 (2024) provides a standard for expressing credentials on the web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. Verifiable Credentials (VCs) are issued by issuers, held by holders, and presented to verifiers. Key features: selective disclosure (reveal only needed attributes), zero-knowledge proofs, decentralised identifiers (DIDs), JSON-LD representation, and multiple proof formats (Data Integrity, JWT, SD-JWT). Use cases include: digital diplomas, government ID, professional licences, health credentials, and age verification. Foundational technology for EU Digital Identity Wallet (eIDAS 2.0), mDL (mobile driver's licence), and numerous national digital identity programmes.
Web Content Accessibility Guidelines (WCAG) 2.2 is the W3C Recommendation (05 October 2023) that defines how to make web content more accessible to people with disabilities. WCAG 2.2 contains 87 success criteria organized under 4 principles (Perceivable, Operable, Understandable, Robust) and 13 guidelines, at three conformance levels (A, AA, AAA). Nine new criteria were added in 2.2; 4.1.1 Parsing was removed.
The World Customs Organization (WCO) SAFE Framework of Standards establishes the Authorised Economic Operator (AEO) programme, providing mutual recognition of trusted traders in international supply chains. AEO-certified operators demonstrate compliance with supply chain security standards and customs requirements in exchange for facilitated customs processing. Implemented by 100+ countries with mutual recognition agreements enabling global trade facilitation.
The World Customs Organization (WCO) SAFE Framework of Standards (originally adopted 2005, updated 2021) establishes standards for supply chain security and facilitation of international trade. Three pillars: Customs-to-Customs (C2C), Customs-to-Business (C2B), and Customs-to-Other Government Agencies (C2OGA). Implemented by 177 WCO member countries. Key elements include advance electronic cargo information, risk management, non-intrusive inspection, Authorised Economic Operator (AEO) programmes, and mutual recognition arrangements.
The WELL Building Standard v2, administered by the International WELL Building Institute (IWBI), is the leading standard for buildings focused on human health and wellbeing. Over 46,000 WELL-registered and certified projects in 104 countries. WELL v2 covers 10 concepts: Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community. The standard includes requirements for smart building monitoring systems, data-driven indoor air quality management, and technology-enabled wellness programmes. WELL is often pursued alongside LEED for comprehensive green and healthy building certification.
The World Health Organization's Enhanced Global Competency Model describes the core, management, and leadership competencies expected of all WHO staff. Designed to ensure WHO has a capable, motivated, and productive workforce that delivers on its mission to promote health, keep the world safe, and serve the vulnerable.
The WHO Global Strategy on Digital Health 2020-2025 provides a framework for member states to develop, implement, and strengthen digital health initiatives. It establishes strategic objectives for digital health governance, investment, interoperability, and data protection. Endorsed by the World Health Assembly in 2020, it guides national digital health strategies and the development of digital health ecosystems aligned with Universal Health Coverage goals.
The Washington My Health My Data Act (SB 5693, effective March 31, 2024 for regulated entities; June 30, 2024 for small businesses) protects consumer health data not covered by HIPAA. It applies to regulated entities conducting business in Washington or targeting Washington consumers that collect, share, or sell consumer health data. Notable for its broad definition of health data, private right of action, and geofencing prohibition near healthcare facilities.
The Wisconsin Data Privacy Act (SB 670), introduced in 2024, proposes consumer data privacy protections for Wisconsin residents. Modelled after the Virginia CDPA, it would apply to controllers that process data of 100,000+ consumers or 25,000+ consumers while deriving 50%+ revenue from data sales. Includes standard consumer rights, sensitive data protections, and AG enforcement. Wisconsin continues legislative efforts toward comprehensive privacy legislation.
The Zambia Data Protection Act No. 3 of 2021 establishes a comprehensive legal framework for data protection in Zambia. It creates the Office of the Data Protection Commissioner, establishes data processing principles, provides data subject rights, and regulates cross-border data transfers. Applies to processing of personal data by data controllers and processors within Zambia or processing data of persons in Zambia.
The Zimbabwe Data Protection Act (Chapter 11:22) establishes a comprehensive data protection framework for Zimbabwe. It creates the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the data protection authority, establishes data processing principles, and provides for individual rights and enforcement mechanisms.
The eIDAS 2.0 Regulation (amending Regulation (EU) No 910/2014) establishes the European Digital Identity framework including the EU Digital Identity Wallet. Adopted in 2024, it requires member states to offer at least one EU Digital Identity Wallet by 2026. The wallet enables citizens to identify themselves electronically, store and share identity attributes, and sign documents. Establishes trust framework for electronic attestations of attributes.