Compliance Frameworks

Every cybersecurity compliance framework, explained.

Plain-English guides to every major framework — what it requires, who needs it, real penalty data, audit timelines, and how to actually get there. Not sure which apply to you? Use our 5-step framework finder →

Pick a framework to get started.

⚖️ Mandatory by Law

PDPA

🇸🇬 Singapore

Any business handling Singapore personal data

Max fine / risk S$1M or 10% of annual Singapore turnover, whichever is higher
Time to comply 4–8 weeks
Read the guide →
⚖️ Mandatory by Law

HIPAA Security Rule

🇺🇸 United States

Healthcare providers, plans, business associates

Max fine / risk Up to $1.9M/yr per violation category (cap is inflation-adjusted annually)
Time to comply 3–6 months
Read the guide →
🤝 Contractually Required

SOC 2 Type II

🌍 Global

SaaS & service organizations selling to enterprise

Max fine / risk Lost enterprise deals
Time to comply 6–12 months
Read the guide →
🤝 Contractually Required

ISO 27001:2022

🌍 Global

Any organization seeking global ISMS certification

Max fine / risk Lost global contracts
Time to comply 9–18 months
Read the guide →
⚖️ Mandatory by Law

GDPR

🇪🇺 EU / UK

Any business processing EU/UK resident data

Max fine / risk €20M or 4% of global annual turnover, whichever is higher (UK GDPR: £17.5M or 4%)
Time to comply 3–6 months
Read the guide →
🤝 Contractually Required · Guide coming soon

CSA Cyber Essentials

🇸🇬 Singapore

Singapore SMEs & government tender bidders

Max fine / risk Lost tenders & contracts
Time to comply 6–10 weeks
🤝 Contractually Required · Guide coming soon

CSA Cyber Trust Mark

🇸🇬 Singapore

Singapore organizations with mature operations

Max fine / risk Lost regulated contracts
Time to comply 4–6 months
⚖️ Mandatory by Law · Guide coming soon

CMMC 2.0

🇺🇸 United States

All DoD contractors handling FCI / CUI

Max fine / risk Loss of all DoD contracts
Time to comply 3–12 months
⚖️ Mandatory by Law · Guide coming soon

NIST SP 800-171

🇺🇸 United States

Federal contractors handling CUI

Max fine / risk Contract termination
Time to comply 3–6 months
✅ Recommended Baseline

NIST CSF 2.0

🌍 Global

Any organization seeking a single cybersecurity posture framework

Max fine / risk Weaker insurance & deals
Time to comply 3–6 months
Read the guide →
⚖️ Mandatory by Law · Guide coming soon

PCI DSS 4.0

🌍 Global

Any business storing/processing card data

Max fine / risk $5K–$100K/month (card-brand fines levied via the acquiring bank)
Time to comply 3–6 months
⚖️ Mandatory by Law · Guide coming soon

FTC Safeguards Rule

🇺🇸 United States

Non-bank financial institutions under GLBA (auto dealers, mortgage brokers, tax preparers)

Max fine / risk Civil penalties + consent orders
Time to comply 4–8 weeks
⚖️ Mandatory by Law · Guide coming soon

CCPA / CPRA

🇺🇸 California

Businesses with California consumers (above thresholds)

Max fine / risk Up to $7,500 per intentional violation ($2,500 otherwise)
Time to comply 2–3 months
⚖️ Mandatory by Law · Guide coming soon

Multi-State Privacy Laws

🇺🇸 20 states

Businesses with consumers in multiple US states

Max fine / risk $7,500–$10K per violation
Time to comply 1–3 months
⚖️ Mandatory by Law · Guide coming soon

NY DFS 23 NYCRR 500

🇺🇸 New York

NY-licensed financial services firms

Max fine / risk $100M+ in DFS penalties issued to date
Time to comply 3–6 months
⚖️ Mandatory by Law · Guide coming soon

FedRAMP

🇺🇸 United States

Cloud providers selling to federal agencies

Max fine / risk Barred from federal sales
Time to comply 12–24 months
⚖️ Mandatory by Law · Guide coming soon

SEC Cybersecurity Rules

🇺🇸 United States

All public companies (Form 8-K Item 1.05)

Max fine / risk SEC actions + securities liability
Time to comply 2–4 weeks
⚖️ Mandatory by Law · Guide coming soon

NIS2 Directive

🇪🇺 European Union

Essential & important entities in 18 EU sectors

Max fine / risk €10M or 2% of global turnover (essential entities); €7M or 1.4% (important entities)
Time to comply 6–12 months

Don't know which frameworks apply to you?