Compliance Requirements by Industry

A quick reference guide to key compliance and regulatory requirements by industry sector.


Purpose

Different industries face different regulatory requirements for cybersecurity, data protection, and privacy. This guide provides an overview of key compliance frameworks and regulations by sector to help organisations quickly identify applicable requirements.


Healthcare

United Kingdom

NHS Data Security and Protection Toolkit (DSPT)

Applicability: All NHS organisations and third parties with access to NHS patient data

Purpose: Annual self-assessment demonstrating compliance with data security standards

Key Requirements:

  • Data security training for all staff
  • Role-based access control
  • Encryption of data in transit and at rest
  • Incident management and reporting
  • Business continuity planning

Submission: Annual (by June 30th)

Link: NHS DSPT


UK GDPR (Healthcare Context)

Applicability: All organisations processing health data of UK residents

Key Requirements (Healthcare-Specific):

  • Special category data (health) requires explicit consent or legal basis
  • Data Processing Impact Assessment (DPIA) for high-risk processing
  • Data subject rights (access, rectification, erasure)
  • Breach notification within 72 hours to ICO

Link: ICO


Care Quality Commission (CQC) - Digital Standards

Applicability: Registered health and social care providers (England)

Key Areas:

  • Safe and secure use of digital systems
  • Record keeping and data quality
  • Staff competence with digital tools

Link: CQC


United States

HIPAA (Health Insurance Portability and Accountability Act)

Applicability: Covered entities (healthcare providers, health plans, clearinghouses) and business associates

Key Components:

Privacy Rule (164.500):

  • Minimum necessary standard
  • Patient rights (access, amendment, accounting of disclosures)
  • Notice of Privacy Practices

Security Rule (164.300):

  • Administrative safeguards (risk analysis, workforce training, BA agreements)
  • Physical safeguards (facility access, workstation security)
  • Technical safeguards (access control, audit controls, encryption)

Breach Notification Rule:

  • Notify HHS within 60 days (500+ individuals)
  • Individual notification within 60 days
  • Media notification if 500+ affected in same state

Enforcement: HHS Office for Civil Rights (OCR)

Penalties: Up to $1.5M per violation category per year

Link: HHS HIPAA


HITRUST CSF (Health Information Trust Alliance Common Security Framework)

Applicability: Voluntary certification for healthcare organisations

Purpose: Combines HIPAA, NIST, ISO 27001, and other frameworks into single certifiable framework

Benefits:

  • Demonstrates security posture to business partners
  • Reduces audit burden (accepted by many organisations in lieu of audits)
  • Risk-based approach

Link: HITRUST


Financial Services

United Kingdom

FCA Handbook (Financial Conduct Authority)

Applicability: FCA-regulated firms (banks, insurers, investment firms)

Key Sections:

SYSC 4 (Management and Control):

  • Senior management responsibility for operational resilience
  • Third-party management

Operational Resilience Requirements (2022):

  • Identify important business services
  • Set impact tolerances
  • Map resources and dependencies (including third parties)
  • Test resilience scenarios

Link: FCA Handbook


PRA Requirements (Prudential Regulation Authority)

Applicability: Banks, building societies, insurers

Key Areas:

  • Operational resilience (similar to FCA)
  • Outsourcing and third-party risk management
  • Supervisory Statement SS2/21: Outsourcing and third party risk management

Link: PRA


PCI DSS (Payment Card Industry Data Security Standard)

Applicability: Any organisation that stores, processes, or transmits payment card data

Current Version: PCI DSS v4.0 (March 2024)

12 Requirements:

  1. Install and maintain network security controls
  2. Apply secure configurations
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission
  5. Protect systems from malware
  6. Develop and maintain secure systems and software
  7. Restrict access to cardholder data
  8. Identify users and authenticate access
  9. Restrict physical access to cardholder data
  10. Log and monitor all access
  11. Test security systems and processes regularly
  12. Support information security with organisational policies

Compliance Levels:

  • Level 1: 6M+ transactions/year (annual onsite audit by QSA)
  • Level 2: 1M-6M transactions (annual SAQ)
  • Level 3-4: <1M transactions (annual SAQ)

Link: PCI Security Standards


United States

SOX (Sarbanes-Oxley Act)

Applicability: Publicly traded companies in US

Key IT Requirements (Section 404):

  • Internal controls over financial reporting (ICFR)
  • IT general controls (ITGC): access controls, change management, backups
  • Annual attestation by management and external auditors

Link: SEC SOX


GLBA (Gramm-Leach-Bliley Act)

Applicability: Financial institutions (banks, insurers, securities firms)

Key Requirements:

  • Financial Privacy Rule (consumer privacy notice)
  • Safeguards Rule (security programme for customer information)
  • Pretexting provisions (protect against social engineering)

FTC Safeguards Rule (Updated 2023):

  • Risk assessment
  • Access controls and authentication
  • Encryption of customer information
  • Incident response plan
  • Annual penetration testing

Link: FTC GLBA


SEC Cybersecurity Rules (2023)

Applicability: Public companies (US)

Key Requirements:

  • Disclose material cybersecurity incidents on Form 8-K (within 4 business days)
  • Annual disclosure of cybersecurity risk management and governance (Form 10-K)
  • Board oversight of cybersecurity risk

Link: SEC Cybersecurity


European Union

DORA (Digital Operational Resilience Act)

Applicability: EU financial entities (banks, insurers, investment firms, crypto-asset providers)

Effective: January 2025

Key Requirements:

  • ICT risk management framework
  • Incident reporting (major incidents to regulators)
  • Digital operational resilience testing (including threat-led penetration testing - TLPT)
  • Third-party ICT risk management
  • Information sharing on cyber threats

Link: EU DORA


Markets in Crypto-Assets Regulation (MiCA)

Applicability: Crypto-asset service providers in EU

Effective: 2024

Key Areas: Authorisation, operational resilience, customer protection


Government & Public Sector

United Kingdom

Cyber Essentials & Cyber Essentials Plus

Applicability: Mandatory for central government suppliers bidding on contracts involving sensitive information

Purpose: Basic cyber hygiene certification

5 Controls:

  1. Firewalls and internet gateways
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Patch management

Levels:

  • Cyber Essentials: Self-assessment questionnaire
  • Cyber Essentials Plus: Technical verification by certification body

Link: NCSC Cyber Essentials


Government Security Classifications

Applicability: All government departments and contractors

Classifications:

  • OFFICIAL: Routine public sector business (majority of data)
  • OFFICIAL-SENSITIVE: Damaging consequences if compromised
  • SECRET: Serious damage to national security
  • TOP SECRET: Exceptionally grave damage

Handling Requirements: Access controls, encryption, clearance levels vary by classification

Link: UK Government Security Classifications


Baseline Personnel Security Standard (BPSS)

Applicability: All government employees and contractors with access to government assets

Checks:

  • Identity verification
  • Right to work
  • Employment history (3 years)
  • Criminal record check (Basic DBS)

Higher Clearances: Counter-Terrorist Check (CTC), Security Check (SC), Developed Vetting (DV) for SECRET/TOP SECRET


United States

FISMA (Federal Information Security Management Act)

Applicability: Federal agencies and contractors

Purpose: Framework for securing federal information and systems

Key Requirements:

  • Categorise information systems (FIPS 199)
  • Select security controls (NIST SP 800-53)
  • Implement controls
  • Assess controls
  • Authorise systems (ATO - Authority to Operate)
  • Continuously monitor

Link: CISA FISMA


FedRAMP (Federal Risk and Authorization Management Program)

Applicability: Cloud service providers (CSPs) serving federal agencies

Purpose: Standardised approach to cloud security assessment and authorisation

Impact Levels:

  • Low: Limited harm
  • Moderate: Serious harm (most common)
  • High: Catastrophic harm

Authorization Types:

  • JAB P-ATO (Joint Authorization Board Provisional ATO)
  • Agency ATO
  • CSP Supplied Package

Link: FedRAMP


CMMC (Cybersecurity Maturity Model Certification)

Applicability: Department of Defense (DoD) contractors

Current Version: CMMC 2.0

Levels:

  • Level 1: Foundational (self-assessment) - safeguard Federal Contract Information (FCI)
  • Level 2: Advanced (C3PAO assessment) - safeguard Controlled Unclassified Information (CUI) per NIST SP 800-171
  • Level 3: Expert (government assessment) - protect CUI from Advanced Persistent Threats (APTs)

Effective: Phased rollout (2024-2026)

Link: CMMC


Critical Infrastructure & Energy

United Kingdom

NIS Regulations (Network and Information Systems Regulations 2018)

Applicability: Operators of Essential Services (OES) in UK - energy, transport, health, water, digital infrastructure

Key Requirements:

  • Implement appropriate security measures
  • Incident reporting to relevant authority within 72 hours (if significant impact)
  • Supply chain security

Enforcing Authorities: Sector-specific regulators (Ofgem, ICO, etc.)

Link: NCSC NIS


European Union

NIS2 Directive

Applicability: Essential and Important entities across EU (energy, transport, banking, health, digital, etc.)

Effective: October 2024

Enhanced Requirements vs NIS:

  • Broader scope (medium and large organisations)
  • Supply chain risk management
  • Vulnerability disclosure
  • Incident reporting (24 hours early warning, 72 hours full report)
  • Personal liability for management

Link: EU NIS2


United States

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)

Applicability: Bulk electric system operators (utilities)

Standards: CIP-002 through CIP-014

Key Areas:

  • Asset identification and categorisation
  • Personnel and training
  • Electronic security perimeters
  • Physical security
  • Incident reporting

Enforcement: Mandatory and enforceable, significant penalties for non-compliance

Link: NERC CIP


General Data Protection & Privacy

United Kingdom

UK GDPR & Data Protection Act 2018

Applicability: All organisations processing personal data of UK residents

Key Principles:

  1. Lawfulness, fairness, transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Key Requirements:

  • Lawful basis for processing
  • Data Protection Impact Assessment (DPIA) for high-risk processing
  • Data Protection Officer (DPO) if public authority or large-scale special category data
  • Data subject rights (access, rectification, erasure, portability, objection)
  • Breach notification (72 hours to ICO if risk to individuals)

Penalties: Up to £17.5M or 4% of global annual turnover (whichever is higher)

Link: ICO GDPR


European Union

EU GDPR (General Data Protection Regulation)

Applicability: Organisations processing personal data of EU residents (extraterritorial)

Same as UK GDPR with minor differences

Penalties: Up to €20M or 4% of global annual turnover

Link: EU GDPR


United States

CCPA & CPRA (California Consumer Privacy Act & California Privacy Rights Act)

Applicability: Businesses operating in California meeting thresholds (revenue, data volume)

Effective: CCPA 2020, CPRA 2023

Key Rights:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale/sharing
  • Right to correct inaccurate information (CPRA)
  • Right to limit use of sensitive personal information (CPRA)

Enforcement: California Privacy Protection Agency (CPPA)

Link: California Privacy Protection Agency


State Privacy Laws (Expanding)

Other US States with Privacy Laws:

  • Virginia (VCDPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Utah (UCPA)
  • And growing...

Trend: Similar rights to CCPA, state-specific variations


Technology & SaaS

SOC 2 (System and Organization Controls)

Applicability: Service providers (SaaS, cloud, hosting) - voluntary

Purpose: Demonstrates security controls to customers

Trust Service Criteria:

  • Security (required)
  • Availability (optional)
  • Processing Integrity (optional)
  • Confidentiality (optional)
  • Privacy (optional)

Types:

  • SOC 2 Type I: Design of controls at point in time
  • SOC 2 Type II: Operating effectiveness over period (6-12 months)

Audit: Performed by licensed CPA firm

Link: AICPA SOC 2


ISO/IEC 27001:2022

Applicability: Any organisation (voluntary certification)

Purpose: International standard for Information Security Management System (ISMS)

Annex A: 93 controls across 4 themes (Organizational, People, Physical, Technological)

Certification: External audit by accredited certification body

Link: ISO 27001


Telecommunications

United Kingdom

Telecommunications Security Act 2021

Applicability: UK telecoms providers

Key Requirements:

  • Security duties for network resilience
  • Supply chain security (restrictions on high-risk vendors)
  • Ofcom enforcement


Retail & E-Commerce

PCI DSS

See the Financial Services section above; PCI DSS applies to any merchant that accepts payment cards.


Manufacturing & Industrial

IEC 62443

Applicability: Industrial Automation and Control Systems (IACS)

Purpose: Security standards for operational technology (OT) environments

Components: System security requirements, component requirements, security levels

Link: IEC 62443


Quick Selection Guide by Industry

| Industry | Key Regulations (UK) | Key Regulations (US) | Key Regulations (EU/International) |
|---|---|---|---|
| Healthcare | GDPR, DSPT, CQC | HIPAA, HITECH | GDPR, ISO 27001 |
| Financial Services | FCA, PRA, PCI DSS, GDPR | SOX, GLBA, PCI DSS, SEC Rules | GDPR, DORA, PCI DSS, MiCA |
| Government | Cyber Essentials, BPSS, Security Classifications | FISMA, FedRAMP, CMMC | NIS2, GDPR |
| Energy/Utilities | NIS Regulations, GDPR | NERC CIP | NIS2, GDPR |
| Technology/SaaS | GDPR, ISO 27001 | SOC 2, ISO 27001, state privacy laws | GDPR, ISO 27001 |
| Retail/E-commerce | GDPR, PCI DSS | PCI DSS, CCPA/state laws | GDPR, PCI DSS |
| Telecoms | Telecommunications Security Act, GDPR | FCC regulations | GDPR, NIS2 |
| Manufacturing/OT | NIS Regulations (if critical), GDPR | NIST, IEC 62443 | NIS2, IEC 62443, GDPR |

Compliance Timeline Summary

| Regulation | Reporting Requirement | Timeline |
|---|---|---|
| UK GDPR / EU GDPR | Data breach to authority | 72 hours |
| HIPAA | Breach to HHS | 60 days (500+ individuals) |
| PCI DSS | Breach to card brands | Immediately |
| SEC (US) | Material cyber incident | 4 business days |
| NIS Regulations | Significant incident | 72 hours |
| NIS2 Directive | Early warning / Full report | 24 hours / 72 hours |
| DORA | Major ICT incident | Per regulatory technical standards |