Global Cybersecurity Law and Regulatory Landscape
Business · Intermediate · 2h 20m · 10 modules

This course surveys the major cybersecurity and privacy laws shaping practice today across the U.S., EU, APAC, and Latin America. You will compare core legal standards such as reasonable security, security-by-design, and accountability, and learn practical methods to track, interpret, and operationalize emerging regulations and guidance.

by Skarp_officialen

Course Content

10 modules · 2h 20m total

Module 1: Mapping the Global Cybersecurity Law Landscape

Introduce the main regions, legal sources, and regulatory actors that shape today’s cybersecurity and privacy environment, and build a mental map for the rest of the course.

15 min

Module 2: Core Legal Standards – Security-by-Design, Reasonable Security, and Accountability

Define and compare the foundational standards that recur across jurisdictions and understand how they translate into practical security expectations.

15 min

Module 3: U.S. Federal Cybersecurity and Privacy Authorities

Survey the key U.S. federal authorities that impact cybersecurity and data protection, with emphasis on the FTC Act, sectoral laws, and recent federal initiatives.

15 min

Module 4: U.S. State Privacy and Data Security Laws

Examine the expanding patchwork of U.S. state privacy and security laws, focusing on common patterns, unique features, and implications for multi-state compliance.

15 min

Module 5: GDPR Security, Accountability, and Enforcement

Dive into GDPR’s security and accountability obligations, including risk-based security measures, documentation, and enforcement trends relevant to cybersecurity practice.

15 min

Module 6: The EU NIS2 Directive – Sectoral Cybersecurity and Incident Reporting

Explore NIS2’s expanded scope, risk management requirements, incident reporting regime, and the role of management and national authorities.

15 min

Module 7: APAC Cybersecurity and Data Protection Frameworks

Survey notable APAC cybersecurity and privacy regimes and highlight how they implement security, incident response, and accountability requirements.

15 min

Module 8: Latin American Data Protection and Cybersecurity Regimes

Introduce major Latin American data protection and cybersecurity laws and their security, governance, and enforcement approaches.

15 min

Module 9: Cross-Border Data Transfers, Jurisdiction, and Extraterritorial Reach

Examine how major laws assert extraterritorial reach and regulate cross-border data flows, and what this means for cybersecurity compliance strategies.

10 min

Module 10: Tracking Emerging Regulations, Guidance, and Enforcement Trends

Develop practical techniques to monitor and interpret new cybersecurity and privacy rules, guidance, and enforcement actions across jurisdictions.

15 min

Read the Textbook

Cybersecurity and privacy have moved from niche IT issues to core regulatory priorities worldwide, especially over the last decade.

Key drivers:

Massive data breaches and cyber incidents

Example: Large-scale breaches at major retailers, credit bureaus, and tech companies exposed hundreds of millions of records. Ransomware has hit hospitals, city governments, and critical infrastructure.

Digital transformation of everything

Cloud computing, mobile apps, AI, and IoT mean personal and business data are constantly collected, processed, and shared. More data + more connectivity = larger attack surface.

Economic and national security concerns

Cyberattacks can disrupt energy grids, financial markets, and supply chains. States now treat cybersecurity as part of national security and economic competitiveness.

Public pressure and trust

People expect control over their personal data and transparency on how it is used. High-profile scandals (e.g., misuse of data for political profiling) triggered strong public and political reactions.

Global competition in digital regulation

The EU positions itself as a global standard-setter (GDPR, NIS2, AI Act, DORA, Cyber Resilience Act). The U.S., China, and others respond with their own frameworks, creating a complex, multi-polar regulatory landscape.

By early 2026, almost every major economy has some combin

Study Flashcards

Key concepts from this course as flashcard pairs.

Module 1: Mapping the Global Cybersecurity Law Landscape

Primary Legislation

A core law (statute, act) passed by a legislature that establishes main rights, obligations, and enforcement powers (e.g., GDPR, LGPD, PIPL).

Regulation (EU context)

A binding legislative act that applies directly and uniformly in all EU Member States without needing national transposition (e.g., GDPR, DORA, Cyber Resilience Act).

Directive (EU context)

An EU legislative act that sets goals for Member States, which must be achieved by transposing the directive into national law (e.g., NIS2 Directive).

Soft Law / Guidance

Non-binding instruments like guidelines, recommendations, and frameworks that shape how binding laws are interpreted and implemented (e.g., EDPB guidelines, NIST CSF).

Data Protection Authority (DPA)

An independent public authority that supervises the application of data protection law, handles complaints, and can issue fines (e.g., CNIL in France, ANPD in Brazil).

FTC (U.S.)

The Federal Trade Commission, a key U.S. regulator that enforces against unfair or deceptive practices, including many privacy and data security violations.

Module 2: Core Legal Standards – Security-by-Design, Reasonable Security, and Accountability

Security-by-design

An approach where security considerations are integrated from the earliest stages of system and product design through deployment and maintenance, rather than added as an afterthought.

Privacy-by-design

A principle (explicitly in GDPR Art. 25) requiring controllers to embed data protection and privacy safeguards into the design of processing activities and systems, including privacy-friendly defaults.

Reasonable security

A flexible legal standard requiring security measures that are appropriate and proportionate to the risks, considering state of the art, costs, context, and potential impact on individuals and operations.

Risk-based approach

A method of designing security by identifying assets and threats, assessing likelihood and impact, and selecting controls proportionate to the level of risk.

Accountability (GDPR Art. 5(2))

The obligation of controllers to comply with data protection principles and to be able to demonstrate that compliance, typically through governance structures and documentation.

Technical and organizational measures (TOMs)

A broad category of security and governance measures—both technical (e.g., encryption, access control) and organizational (e.g., policies, training)—used to protect data and systems.

Module 3: U.S. Federal Cybersecurity and Privacy Authorities

FTC Act Section 5 – Unfair Practices

Prohibits acts or practices that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable and not outweighed by benefits. Used to enforce **reasonable security** expectations.

FTC Act Section 5 – Deceptive Practices

Prohibits materially misleading statements or omissions. In privacy/security, covers **false or misleading privacy policies, consent claims, and security promises**.

GLBA Safeguards Rule

FTC rule under the Gramm–Leach–Bliley Act requiring many financial institutions to implement a **comprehensive information security program** with administrative, technical, and physical safeguards.

HIPAA Covered Entity

A health plan, most healthcare providers, or a healthcare clearinghouse that transmits health information electronically in connection with certain transactions. Must comply with HIPAA Privacy, Security, and Breach Notification Rules.

COPPA Scope

Applies to operators of websites or online services **directed to children under 13** or that **know** they collect personal data from children under 13. Requires parental consent and reasonable security.

FCRA – Core Purpose

Regulates the **collection, accuracy, and use of consumer report information** for credit, employment, insurance, and similar purposes. Ensures fairness, accuracy, and privacy in credit reporting.

Module 4: U.S. State Privacy and Data Security Laws

Comprehensive state privacy law

A broad, generally applicable law that governs the processing of personal data about state residents, grants consumer rights (e.g., access, deletion, opt-out), and imposes duties on controllers/processors. Examples include California’s CCPA/CPRA, Colorado, Connecticut, Utah, Virginia, Oregon, Texas, and others.

Reasonable security (state law context)

A flexible standard in many state laws requiring organizations to implement security measures appropriate to the sensitivity, volume, and risks associated with the personal information they hold. Often aligned with industry standards and the concepts discussed in Module 2.

Data breach notification law

A state statute that requires organizations to notify affected individuals (and sometimes regulators or credit bureaus) when certain defined personal information is accessed or acquired by an unauthorized party in a way that compromises its security or is likely to cause harm.

Sensitive data (state privacy laws)

Categories of personal data that receive extra protection, such as precise geolocation, health information, racial/ethnic origin, religious beliefs, sexual orientation, biometric identifiers, and children’s data. Many state laws require opt-in consent or strict limits on processing this data.

Data broker (California context)

A business that knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship. In California, data brokers must register and, under the Delete Act, honor centralized deletion requests.

California Delete Act

A California law (SB 362, enacted 2023) that strengthens regulation of data brokers and creates a centralized, one-stop mechanism through which California residents can request deletion of their personal data held by registered data brokers, with ongoing compliance and security implications.

Module 5: GDPR Security, Accountability, and Enforcement

Accountability (GDPR Article 5(2))

The principle that the controller is responsible for, and must be able to demonstrate, compliance with GDPR principles, including security and breach obligations.

Technical and Organizational Measures (TOMs)

The combination of technical controls (e.g., encryption, access control) and organizational practices (e.g., policies, training, governance) implemented to ensure an appropriate level of security under Article 32.

Data Protection by Design and by Default (Article 25)

A requirement to integrate data protection and security into systems and processes from the outset and to ensure that, by default, only data necessary for each specific purpose is processed.

Data Protection Impact Assessment (DPIA – Article 35)

A structured risk assessment required when processing is likely to result in a high risk to individuals’ rights and freedoms, documenting processing, risks, and mitigating measures.

Personal Data Breach (Article 4(12))

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Breach Notification to Supervisory Authority (Article 33)

Controllers must notify the competent DPA without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.

Module 6: The EU NIS2 Directive – Sectoral Cybersecurity and Incident Reporting

NIS2 Directive (Directive (EU) 2022/2555)

The EU’s updated cybersecurity law for essential and important entities in critical sectors, setting requirements for risk management, incident reporting, and supervision. It replaced and expanded the original NIS Directive (2016).

Essential Entity (EE)

An entity in a highly critical sector (often Annex I) or of high importance whose disruption would significantly affect society or the economy. Subject to stricter, often proactive supervision and higher maximum fines under NIS2.

Important Entity (IE)

An entity in other critical sectors (often Annex II) or of significant size/impact, but generally supervised ex post (after incidents or evidence of non‑compliance). Still must meet NIS2 risk management and reporting obligations.

Incident Reporting Stages under NIS2

1) Early warning within 24 hours of awareness, 2) Detailed incident notification within 72 hours, 3) Final report within 1 month, all to the competent authority or CSIRT for significant incidents.

Supply Chain Security (in NIS2)

The requirement to assess and manage cybersecurity risks arising from suppliers and service providers, including contractual security clauses, vendor assessments, and monitoring of third‑party vulnerabilities.

Management Body (NIS2)

The top governing body of an entity (e.g., board of directors) that must approve and oversee cybersecurity risk management measures, receive training, and may be held personally liable for serious non‑compliance under national law.

Module 7: APAC Cybersecurity and Data Protection Frameworks

PDPA (Singapore)

Personal Data Protection Act – Singapore’s main data protection law, imposing protection obligations, accountability (including a DPO), and mandatory breach notification to the PDPC and, in some cases, to individuals.

Cybersecurity Act (Singapore)

A 2018 law focusing on the protection and oversight of Critical Information Infrastructure (CII), including mandatory cybersecurity measures, incident reporting, and powers for the Cyber Security Agency.

Notifiable Data Breaches (Australia)

A scheme under Australia’s Privacy Act requiring organizations to notify the OAIC and affected individuals when a data breach is likely to result in serious harm.

SOCI (Australia)

Security of Critical Infrastructure framework – legislation that imposes risk management and mandatory cyber incident reporting obligations on operators of critical infrastructure assets.

APPI (Japan)

Act on the Protection of Personal Information – Japan’s main privacy law, with risk-based security obligations, breach notification requirements, and PPC guidance on detailed controls.

PIPA (South Korea)

Personal Information Protection Act – a strict privacy law requiring technical, administrative, and physical security measures, with strong enforcement and detailed implementing rules.

Module 8: Latin American Data Protection and Cybersecurity Regimes

LGPD

Brazil’s Lei Geral de Proteção de Dados (Federal Law No. 13,709/2018), a comprehensive data protection law in force since 2020, enforced by the ANPD.

ANPD

Autoridade Nacional de Proteção de Dados – Brazil’s national data protection authority responsible for LGPD enforcement and guidance.

LFPDPPP (Mexico)

Federal Law on Protection of Personal Data Held by Private Parties, in force since 2010, enforced by INAI.

AAIP (Argentina)

Agency for Access to Public Information – Argentina’s data protection authority enforcing Law 25,326.

Adequacy (EU context)

A decision by the European Commission that a non‑EU country ensures an essentially equivalent level of data protection, allowing easier data transfers (e.g., Argentina, Uruguay).

Comprehensive data protection law

A single, cross‑sector law covering most personal data processing, often inspired by EU GDPR‑style principles.

Module 9: Cross-Border Data Transfers, Jurisdiction, and Extraterritorial Reach

Extraterritorial scope

When a law applies to organizations or processing activities **outside** the territory of the law-making country/region, typically based on targeting or affecting individuals in that territory.

Cross-border data transfer

Any movement or remote access of personal data from one country/region to another, including cloud access from abroad, not just physical copying.

Adequacy decision (GDPR)

A formal decision by the European Commission that a non-EU/EEA country ensures a level of data protection essentially equivalent to the EU, allowing transfers without additional mechanisms.

Standard Contractual Clauses (SCCs)

Pre-approved contractual clauses issued by the European Commission that, when properly implemented, provide safeguards for transfers of personal data to non-adequate countries.

Transfer Impact Assessment (TIA)

A structured assessment of whether, in light of the destination country’s laws and practices (especially government access), chosen transfer tools like SCCs can effectively protect personal data.

Binding Corporate Rules (BCRs)

Internal, legally binding data protection rules approved by EU authorities that allow multinational groups to transfer personal data within the group across borders.

Module 10: Tracking Emerging Regulations, Guidance, and Enforcement Trends

Regulatory Monitoring

An ongoing process of tracking new and emerging laws, regulations, guidance, and enforcement actions that may affect an organization’s obligations and risk posture.

Trusted Sources

Authoritative and reliable channels for regulatory information, such as official regulators, reputable law firms, standards bodies, and established industry organizations.

Guidance vs. Regulation

Regulations (or laws) are binding legal rules. Guidance (e.g., guidelines, FAQs, opinions) is usually non‑binding but shows how regulators interpret and apply those rules in practice.

Enforcement Trend

A pattern in regulatory investigations, decisions, or fines that reveals what types of violations and controls regulators are currently prioritizing.

Scan → Filter → Deep‑Read

A workflow for handling information overload: quickly scan sources, filter for relevance and impact, then deep‑read only the most important items with structured note‑taking.

Translating Law into Controls

The process of converting legal and regulatory requirements into concrete policies, technical measures, procedures, and training that engineers and staff can implement.