This post features regulations related to IT security.
The post focuses on regulations that establish IT security controls. To read a more general post about compliance on general IT security regulations, visit this post.
If you want to know regulations that prosecute malicious behavior related to computers or IT and IT crime, please check this post.
IT Security Regulations by Country
Take into account that some regulations (like EU’s GDPR) apply as soon your organization handles information related to this area. In the GDPR example, it is not necessary that you are established within EU to need to abide by this regulation.
USA IT Security Compliance Regulations and Standards
Some of IT Security Compliance Regulations and Standards that are applicable in the USA:
- Data Privacy
- HIPAA (Health Insurance Portability and Accountability Act)
- CCPA (California Consumer Policy Act) – California, USA
- Electrical
- North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
- Other
- Federal Information Security Management Act (FISMA)
- Cybersecurity Enhancement Act
- National Security Protection Act
- Federal Risk and Authorization Management Program (FedRAMP)
- NIST 800.171 (DIB)
- International Traffic in Arms Regulations (ITAR)
- Internal Revenue Service (IRS) Publication 1075
- Department of Defense (DoD) Impact Level 2 (IL2)
- L4 & L5
- Criminal Justice Information Services (CJIS)
FISMA
Federal Information Security Management Act (FISMA) requires that USA federal agencies and their contractors implement an information security program.
FISMA implementation guidelines are developed by NIST.
FISMA was passed in 2002.
The Federal Information System Modernization Act (know as 2014 FISMA, sharing the same acronym) modified the 2002 FISMA.
Predecessor of FISMA was Government Information Security Reform Act (GISRA), that expired in November 2022.
Cybersecurity Enhancement Act of 2014
Cybersecurity Enhancement Act charged NIST with responsibility for coordinating nationwide work on voluntary cybersecurity standards.
It was passed in 2014.
The 2002 version was part of the Home Security (HSA), that was passed in 2002 together with the Critical Structure Information Act of 2002.
National Security Protection Act
National Security Protection Act charged the Department of Homeland Security with establishing a national cybersecurity and communication integration center. It serves as a communication nexus for public federal and private institutions regarding cybersecurity.
UK IT Security Compliance Regulations and Standards
IT Security Compliance Regulations and Standards that are applicable in the United Kingdom:
- Privacy
- Data Protection Act 2018
- UK General Data Protection Regulation (GDPR)
- Privacy and Electronic Communications (EC Directive) Regulations 2003
The Information Commissioner’s Office (ICO) is the organism within the UK government that legislate most of these regulations.
A Subject Access Request (SAR) is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR.
An Organisation Code (ODS) is required for all organizations that work for the NHS.
EU IT Security Compliance Regulations and Standards
IT Security Compliance Regulations and Standards that are applicable in the European Union:
- IT Security
- Data Privacy
- General Data Protection Regulation (GDPR) (post)
- Banking
- Revised Payment Service Directive (PSD2)
- Automotive
- UNECE/R155 (post)
EU agencies:
- European Banking Authority (EBA)
- European Insurance and Occupational Pensions Authority (EIOPA)
Germany IT Security Compliance Regulations and Standards
Regulatories agencies in Germany:
- Federal Office for Information Security (BSI, from the German Bundesamt für Sicherheit in der Informationstechnik)
France IT Security Compliance Regulations and Standards
Non-exhaustive list of IT Security Compliance Regulations and Standards that are applicable in France:
- Critical Infrastructures
- Loid de Programmation Militaire (LPM)
- Point-of-Sale (POS)
- Certification des Systèmes de Caisse
Regulatory agencies in France:
- ANSII
Spain IT Security Compliance Regulations and Standards
Non-exhaustive list of IT Security Compliance Regulations and Standards that are applicable in Spain:
- IT Security
- Esquema Nacional de Seguridad (ENS)
- Data Privacy
- LOPD-GDD (Ley Orgánica de Protección de Datos-Garantía de Derechos Digitales)
- Finance
- SCIIF / SCIINF (Sistema de Control Interno de la Información Financiera)
Regulatory agencies in Spain:
- Agencia Española de Protección de Datos (AEPD), Spanish Agency for Data Protection
- CNMV
- CNMC
- Banco de España (BdE), Bank of Spain
Colombia IT Security Compliance Regulations and Standards
Non-exhaustive list of IT Security Compliance Regulations and Standards that are applicable in Colombia:
- Data Privacy
- Ley 1581/2012 – Colombia
Countries featured on this post:
- EU
- Spain
- USA
EU IT Security Regulations
EU IT security regulations:
Germany IT Security Regulations
Germany IT security regulations featured on this post:
- Federal Office for Information Security (BSI, from the German Bundesamt für Sicherheit in der Informationstechnik)
Spain IT Security Regulations
Spain IT security regulations:
USA IT Security Regulations
USA IT security regulations:
- Federal Information Security Management Act (FISMA)
- Cybersecurity Enhancement Act
- National Security Protection Act
FISMA
Federal Information Security Management Act (FISMA) requires that USA federal agencies and their contractors implement an information security program.
FISMA implementation guidelines are developed by NIST.
FISMA was passed in 2002.
The Federal Information System Modernization Act (know as 2014 FISMA, sharing the same acronym) modified the 2002 FISMA.
Predecessor of FISMA was Government Information Security Reform Act (GISRA), that expired in November 2022.
Cybersecurity Enhancement Act of 2014
Cybersecurity Enhancement Act charged NIST with responsibility for coordinating nationwide work on voluntary cybersecurity standards.
It was passed in 2014.
The 2002 version was part of the Home Security (HSA), that was passed in 2002 together with the Critical Structure Information Act of 2002.
National Security Protection Act
National Security Protection Act charged the Department of Homeland Security with establishing a national cybersecurity and communication integration center. It serves as a communication nexus for public federal and private institutions regarding cybersecurity.