Regulatory compliance definition
Regulatory compliance is the process of adhering to the laws, regulations, guidelines, and specifications relevant to a business's operations.
It involves making sure a business is operating within the bounds of the law and taking steps to ensure that the business is meeting all relevant regulatory requirements.
Compliance is necessary for businesses to maintain their licenses and remain in good standing with regulators.
Why is regulatory compliance important?
Regulatory compliance is essential for protecting customers, employees, and assets by ensuring adherence to applicable laws, regulations, and industry standards.
It also helps organizations avoid the costly penalties, fines and reputational damage that occur when an organization fails to comply with the law.
Regulatory compliance boosts customer and investor confidence by ensuring organizations operate safely and responsibly.
Common compliance requirements
In today’s complex regulatory environment, regulatory compliance requires that organizations:
- Grapple with the complexities, costs, and overlaps of governance requirements
- Comply with a wide range of information-related regulations (the most common are listed in the table below)
- Deal with an increasing exposure to rapidly mutating, sophisticated threats to information and information assets, which exploit a diversity of technical vulnerabilities in IT systems as well as loopholes in procedures and employee behavior
Common regulations
The table below lists the most common regulations that organizations have to comply with, the security areas they cover, and their requirements:
| Regulations | Who needs to comply | Security areas covered | Compliance requirements |
| --- | --- | --- | --- |
| HIPAA | US healthcare organizations and partners | Creating, storing and transmitting electronic protected health information | All major best-practice areas |
| SOX (Sarbanes–Oxley Act) and accounting standards, COSO, COBIT®, SAS | US public companies | Defined to secure the public against corporate fraud and misrepresentation | All major best-practice security areas |
| PCI DSS (Payment Card Industry Data Security Standard) | Merchants that take credit cards, and service providers that facilitate card payments | Privacy of customer financial data | Varies by size of merchant; requires best practices plus third-party assessments |
| GLBA – Public Law 106–102, FDIC/FFIEC guidelines, FACT Act, Patriot Act (2001) | US financial institutions | Privacy of personal information, safety of Internet-based products and services, fair and accurate credit transactions, anti-terrorism | Best-practice security, 2FA (two-factor authentication), ensuring accuracy and safety, identity verification |
| Breach laws in all US states | Any company storing, accessing, or sharing personal information | Consumer privacy | All major best-practice security areas |
| EU GDPR (General Data Protection Regulation) | Any organization processing personal data of EU residents | Personal data | All major best-practice security areas |
| FISMA (Federal Information Security Management Act) | US federal agencies | Information and IT systems | NIST has developed its six-step RMF (Risk Management Framework) to enable agencies to achieve compliance |
| CCPA (California Consumer Privacy Act) | Organizations processing information on California residents or doing business in California | Personal data | All major best-practice areas |
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that was enacted in 1996. It aims to make it easier for people to keep their health insurance when they change jobs, to protect the confidentiality and security of health care information, and to help the health care industry control its administrative costs.
The Sarbanes Oxley Act (SOX)
Since 2002, SOX (the Sarbanes-Oxley Act) has required US organizations to demonstrate corporate governance compliance. SOX requires management to certify the company's financial reports, and both management and an independent accountant are required to certify the organization's internal controls. Because those controls run on the organization's IT infrastructure and IT systems, compliance depends heavily on them.
The Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS (Payment Card Industry Data Security Standard) was devised to increase the security of card transactions. The Standard is recognized worldwide, and compliance is mandatory for card-accepting organizations. It requires merchants to maintain a secure IT network that protects cardholder data, run a vulnerability management program, implement access control measures, and regularly test their networks.
US breach laws by State
Personal information in the US is protected by federal and state laws with varying rules and authority. Our Data Breach Notification Laws by State page provides more information on individual state obligations.
The EU General Data Protection Regulation (GDPR)
The GDPR replaces existing national data protection laws in the EU, creating one unified law for organizations to follow. The GDPR is applicable to any organization, regardless of location, that processes and stores personal data of EU residents.
Federal Information Security Management Act of 2002 (FISMA)
FISMA is a federal law established in 2002 as part of the E-Government Act of 2002. It requires federal agencies to implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors.
The California Consumer Privacy Act (CCPA)
The CCPA is a data privacy law that took effect in California on January 1, 2020. It applies to businesses that collect California residents’ personal information, and its privacy requirements are similar to those of the EU’s GDPR.