Find out which cybersecurity compliances apply to your business
Answer five questions about your business — location, states, industry, data types, and key characteristics. We'll show you exactly which frameworks apply, why they apply to you, and what they require.
What does it mean to be compliance ready?
Compliance readiness means your business has the security controls, policies, evidence, and processes in place to meet the regulatory and industry requirements that apply to you. It's not just about passing an audit once. It's about being able to prove at any point that you're protecting data, managing risk, and following the rules.
For most small businesses, compliance readiness comes down to four things: having the right security tools deployed (endpoint protection, access controls, encryption), having documented policies (data handling, incident response, acceptable use), collecting ongoing evidence (logs, training records, scan results), and being able to produce audit-ready reports when someone asks.
The challenge for small businesses is that compliance frameworks were designed with large organizations in mind. The requirements are real, but the way most vendors and consultants deliver them assumes you have a dedicated compliance team. You probably don't. That's the gap SecurityPulse fills.
How SecurityPulse makes your business compliance ready.
Builds your compliance foundation
RunWay deploys the security controls that compliance frameworks require — no manual setup.
- Endpoint protection & malware monitoring
- Auto-generated security policies tailored to your business
- Employee training with phishing simulations
- Password management & enforced strong credentials
- Vulnerability scanning & patch evidence
- Log collection for a complete audit trail
- Google Workspace & Microsoft 365 integration
Everything RunWay does creates documentation that maps directly to framework requirements.
Keeps you continuously compliant
Compliance isn't a one-time event. Autopilot handles ongoing monitoring and evidence automatically.
- 24/7 monitoring proves continuous security operations
- Automated alert triage & threat response
- On-demand compliance reports (PDPA, CSA CE, GDPR…)
- Gap analysis: see exactly what's missing
- Risk scoring across devices, users & integrations
When an auditor asks "show me your evidence for the last 90 days," you click one button.
Compliance frameworks explained.
PDPA (Singapore)
Applies to: Any organization collecting, using, or disclosing personal data in Singapore.
Requirements: Obtain consent before collecting personal data. Implement reasonable security arrangements. Notify PDPC of data breaches within 3 calendar days of assessment. Appoint a Data Protection Officer. Retention limitation: don't keep data longer than necessary.
How SecurityPulse helps: RunWay generates data protection policies and collects evidence of security arrangements. Autopilot monitors for potential data breaches and generates PDPA-aligned compliance reports.
CSA Cyber Essentials 2025 (Singapore)
Applies to: All organizations in Singapore, especially SMEs. Required for government tenders and enterprise contracts. Published as Singapore Standard SS 712.
Requirements: Five categories: Assets, Secure/Protect (endpoint security, access controls), Update (patching), Backup, and Respond (incident response).
How SecurityPulse helps: RunWay covers all five categories. Autopilot provides continuous monitoring and generates evidence mapped to the self-assessment template.
CMMC 2.0 (US Defense Contractors)
Applies to: All contractors in the DoD supply chain that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Phase 2 mandatory from November 10, 2026 — the most time-sensitive US compliance addition on this list.
Requirements: Level 1 (17 practices, annual self-assessment). Level 2 (110 NIST SP 800-171 practices, third-party assessment every 3 years). Level 3 (134 practices + NIST SP 800-172, government-led assessment).
How SecurityPulse helps: RunWay deploys and documents the technical controls required for Level 1 and Level 2 self-assessment. Autopilot provides the continuous monitoring evidence required for sustained compliance.
NIST SP 800-171 (Federal Contractors)
Applies to: Any non-federal organization handling Controlled Unclassified Information (CUI) under a federal contract, even non-DoD. Underlies CMMC Level 2.
Requirements: 110 security requirements across 14 families including Access Control, Audit and Accountability, Incident Response, Risk Assessment, and System and Communications Protection.
How SecurityPulse helps: RunWay maps directly to NIST 800-171 control families. Autopilot generates the continuous monitoring evidence required to demonstrate sustained compliance with all 110 requirements.
NIST CSF 2.0 (US Baseline)
Applies to: Voluntary — but the de facto US cybersecurity baseline referenced by regulators, cyber insurers, and enterprise buyers across every sector. Version 2.0 added a Govern function and strengthened supply chain focus.
Requirements: Six functions: Govern, Identify, Protect, Detect, Respond, Recover. Implementation tiers from Partial (Tier 1) to Adaptive (Tier 4).
How SecurityPulse helps: RunWay and Autopilot together cover all six NIST CSF 2.0 functions. Autopilot provides the Detect, Respond, and Govern evidence that most tools miss.
FTC Safeguards Rule / GLBA (US Financial Services)
Applies to: Financial institutions broadly — including mortgage brokers, auto dealers, tax preparers, CPAs, insurance agents, investment advisors (non-SEC registered), and finders. Small-business exemption applies only if you hold fewer than 5,000 customer records. 30-day breach notification to the FTC has been in effect since January 2024.
Requirements: Written information security program, risk assessment, designated security coordinator, MFA for system access, encryption, annual penetration testing, twice-yearly vulnerability assessments, incident response plan, 30-day FTC breach notification.
How SecurityPulse helps: RunWay deploys the required technical controls. Autopilot handles continuous monitoring and generates the written program documentation and breach detection evidence required by the rule.
HIPAA Security Rule (US Healthcare)
Applies to: Healthcare providers, health plans, healthcare clearinghouses, and their business associates handling ePHI.
Requirements: Administrative safeguards (risk analysis, workforce training, access management). Physical safeguards (facility access, workstation security). Technical safeguards (access controls, audit controls, encryption, integrity controls). Breach notification to HHS and affected individuals.
How SecurityPulse helps: RunWay deploys endpoint protection, access controls, and encryption. Autopilot provides audit trail logging and generates evidence for HIPAA compliance reviews and OCR investigations.
CCPA / CPRA (California)
Applies to: Businesses meeting any one threshold: $25M+ annual revenue, OR processing data of 100,000+ California consumers/households, OR deriving 50%+ of revenue from selling California consumer data. As of January 2026, adds mandatory cybersecurity audits and ADMT risk assessments.
Requirements: Consumer rights (access, deletion, correction, opt-out of sale/sharing), privacy notices, data minimization, purpose limitation, annual cybersecurity audit (2026 forward), data protection risk assessments for sensitive processing.
How SecurityPulse helps: RunWay implements the technical security controls needed to pass CCPA cybersecurity audits. Autopilot produces the continuous monitoring evidence that supports annual audit submissions.
NY DFS 23 NYCRR 500 (New York Financial Services)
Applies to: Entities licensed under New York Banking Law, Insurance Law, or Financial Services Law — banks, insurance companies, mortgage brokers, money transmitters licensed in New York. 2023 amendments fully phased in by late 2025.
Requirements: Risk assessments, CISO appointment with board reporting, 72-hour incident notification, annual penetration testing, twice-yearly vulnerability assessments, MFA, encryption, third-party service provider oversight, governance documentation.
How SecurityPulse helps: RunWay deploys MFA, encryption, and access controls. Autopilot provides continuous monitoring, generates the board-level compliance reports required, and creates the audit trail for DFS examinations.
SEC Cybersecurity Disclosure Rules (Public Companies)
Applies to: All SEC-reporting companies, including smaller reporting companies (included June 2024), foreign private issuers reporting on Form 6-K/20-F, and SPACs.
Requirements: Disclose material cybersecurity incidents within 4 business days on Form 8-K (Item 1.05). Annual disclosure of cybersecurity risk management strategy on Form 10-K. Board-level oversight description. Management cybersecurity expertise disclosure.
How SecurityPulse helps: Autopilot provides real-time incident detection and response documentation. RunWay ensures the underlying controls are in place to demonstrate a mature risk management program in annual disclosures.
Multi-State Privacy Laws (US)
Applies to: Businesses handling consumer data in any of the 20 states that now have comprehensive consumer privacy laws. Indiana, Kentucky, and Rhode Island went live January 1, 2026. Key active states: California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Nebraska, Iowa, Tennessee, Florida, Utah.
Requirements: Consumer rights (access, deletion, correction, portability, opt-out of targeted advertising and sale of data). Privacy notices. Data protection assessments for high-risk processing. No processing of sensitive data without consent.
How SecurityPulse helps: RunWay implements the technical safeguards required. Autopilot provides continuous monitoring evidence and helps detect data incidents within the breach notification windows required by each state law.
FedRAMP (Federal Cloud Service Providers)
Applies to: Cloud service providers (SaaS, IaaS, PaaS) selling to US federal agencies. Moderate baseline is the most common tier.
Requirements: 325 security controls at Moderate baseline. Continuous monitoring program with monthly deliverables. Annual reassessment of one-third of controls. FedRAMP-authorized Third-Party Assessment Organization (3PAO) assessment.
How SecurityPulse helps: Autopilot provides the continuous monitoring layer required by the FedRAMP ConMon program. RunWay deploys the underlying controls that map to NIST 800-53 Moderate baseline.
GDPR (EU/UK)
Applies to: Any business that processes personal data of EU or UK residents, regardless of where the business is located.
Requirements: Lawful basis for data processing. Data subject rights (access, rectification, erasure, portability). Data breach notification within 72 hours. Data protection impact assessments for high-risk processing. DPO appointment in certain cases.
How SecurityPulse helps: RunWay implements security measures required under Article 32. Autopilot monitors for breaches and helps meet the 72-hour notification window. Compliance reports map evidence to GDPR obligations.
SOC 2 Type II (Global)
Applies to: Service organizations, SaaS companies, and any business where enterprise customers require evidence of security controls over a 6–12 month observation period.
Requirements: Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. Documented policies, access controls, monitoring, incident response, risk assessment, vendor management — all evidenced continuously throughout the observation window.
How SecurityPulse helps: RunWay establishes the baseline controls. Autopilot generates continuous monitoring evidence, incident triage records, and compliance reports that support SOC 2 audit preparation.
PCI DSS 4.0 (Global)
Applies to: Any business that stores, processes, or transmits credit card data. Continuous monitoring now explicitly mandatory as of March 2025.
Requirements: 12 core requirements covering network security, data protection, vulnerability management, access controls, monitoring, penetration testing, and information security policies.
How SecurityPulse helps: RunWay covers endpoint protection, vulnerability scanning, access controls, and log collection. Autopilot provides continuous monitoring and audit evidence for requirements around logging and incident detection.
ISO 27001:2022 (Global)
Applies to: Any organization seeking to demonstrate a mature information security management system. Often required by enterprise customers and partners globally.
Requirements: Risk-based ISMS. 93 Annex A controls across four domains. Documented policies and procedures. Internal audits. Management reviews. Continuous improvement cycle.
How SecurityPulse helps: RunWay generates foundational policies and implements security controls. Autopilot provides ongoing risk assessment, monitoring evidence, and gap analysis. Note: SecurityPulse supports ISO 27001 readiness; formal certification requires a third-party audit.
NIS2 Directive (EU)
Applies to: Essential and important entities in the EU across 18 sectors including energy, transport, health, banking, digital infrastructure, and ICT service management. In force since October 2024.
Requirements: Risk management measures, incident reporting within 24 hours (early warning) and 72 hours (notification), supply chain security, business continuity, encryption, MFA, management board accountability.
How SecurityPulse helps: RunWay deploys the required technical controls. Autopilot provides continuous monitoring and the 24/72-hour incident detection and reporting capability required by the directive.
Want a side-by-side comparison of all 17 frameworks — with real audit costs, timelines, and penalty data? Read our Cybersecurity Compliance: The Complete 2026 Practitioner's Guide. For the monitoring architecture — see our Continuous Compliance Monitoring guide.
What happens when you're not compliant.
Financial penalties
PDPA fines up to S$1 million or 10% of turnover. GDPR penalties up to 20 million euros or 4% of global revenue. HIPAA fines up to $1.5 million per year. These aren't theoretical. Enforcement is increasing year over year.
Lost business
Enterprise buyers increasingly require SOC 2, ISO 27001, or CSA certification from their vendors. Government tenders in Singapore now reference CSA Cyber Essentials. Without compliance, you lose deals before the conversation starts.
Breach costs
The average data breach costs a small business over $100,000. That includes investigation, notification, legal fees, and lost customers. Compliance doesn't guarantee you won't be breached, but it dramatically reduces the risk and the cost.
Questions about compliance readiness.
How do I know which compliance frameworks apply to my business?
Use the compliance finder tool at the top of this page. Select your location, industry, and data types, and it will show you which frameworks are relevant. If you're still unsure, book a free consultation and we'll walk through it with you.
What's the difference between compliance and security?
Security is the set of tools and practices that protect your business. Compliance is proving to regulators, customers, and partners that you have those tools and practices in place. You need both. SecurityPulse handles both.
Can SecurityPulse help us get CSA Cyber Essentials certified?
Yes. RunWay deploys the controls required across all five CSA Cyber Essentials categories, and Autopilot generates the evidence you need for the self-assessment. We guide you through the process.
We operate in multiple countries. Can SecurityPulse handle that?
Yes. SecurityPulse supports multiple compliance frameworks simultaneously. If you operate in Singapore and the EU, for example, we cover both PDPA and GDPR in one platform.
How long does it take to become compliance ready?
Most businesses are deployment-ready within a day. Building a full compliance evidence trail typically takes 30 to 90 days of continuous operation, depending on the framework. The earlier you start, the less you scramble when audit time comes.
Do we still need a consultant or auditor?
For some frameworks like ISO 27001 or SOC 2 Type II, you need a third-party auditor for formal certification. SecurityPulse prepares all the evidence and documentation so the audit process is fast and smooth. For frameworks like CSA Cyber Essentials, the self-assessment can be done directly through SecurityPulse.
What if we fail a compliance assessment?
SecurityPulse's gap analysis tells you exactly what's missing before you submit for any assessment. You can fix gaps proactively instead of finding out during an audit.
Is compliance a one-time thing?
No. Most frameworks require ongoing evidence of security operations, regular assessments, and updated documentation. Autopilot handles this continuously so you don't fall out of compliance between audit cycles.