# Regulatory Compliance Landscape
The cybersecurity regulatory compliance landscape is the set of laws, regulations, standards, and contractual requirements that govern how organizations protect data, systems, and operations. The landscape is complex, overlapping, and expanding: a mid-market healthcare SaaS company may simultaneously face HIPAA, SOC 2, state breach notification laws, state privacy laws, PCI DSS (if processing payments), and NIST CSF (if serving federal customers). Each framework has different requirements, different enforcement mechanisms, and different penalties.
Understanding the landscape is the prerequisite for building an efficient compliance program. Organizations that address each framework independently (separate projects, separate control sets, separate evidence collections) multiply their compliance burden unnecessarily. Organizations that map common controls across frameworks (multi-framework alignment) reduce the operational burden by 40% to 60% while satisfying all applicable requirements simultaneously.
This article provides the meta-view: which frameworks exist, which industries they apply to, how they overlap, and how CDA's Planetary Defense Model (PDM) and its Risk Governance and Assurance (RGA) methodology organize compliance operations across the full landscape.
Regulatory frameworks fall into five categories based on their source and applicability:
Federal regulations (U.S.). Laws enacted by Congress and regulations issued by federal agencies. Mandatory for entities within their scope. Non-compliance carries regulatory penalties enforced by federal agencies.

- HIPAA Security Rule: healthcare (covered entities and business associates). Enforced by HHS OCR. Penalties up to $1.5 million per violation category per year.
- GLBA Safeguards Rule: financial institutions. Enforced by the FTC and federal banking regulators. Updated in 2023 with specific technical requirements (MFA, encryption, incident response).
- FERPA: educational institutions that receive federal funding. Enforced by the Department of Education.
- FISMA/FedRAMP: federal agencies and cloud service providers serving federal agencies. Enforced through agency authorization processes.
- CMMC 2.0: defense contractors handling CUI. Enforced through DOD contract requirements. Three levels: Level 1 (self-assessment, 15 practices), Level 2 (third-party assessment, 110 NIST 800-171 practices), Level 3 (government assessment, 110+ enhanced practices).
- SEC cybersecurity disclosure rules: public companies. Material incident disclosure within 4 business days. Annual disclosure of cybersecurity governance, strategy, and risk management.
State regulations (U.S.). Laws enacted by individual states. Mandatory within the state's jurisdiction. Enforced by state attorneys general.

- Breach notification laws: all 50 states plus territories. Different definitions of personal information, different notification timelines, different exemptions.
- State privacy laws: California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and 10+ additional states with enacted legislation. Each has different consumer rights, business obligations, and enforcement mechanisms.
- New York DFS Cybersecurity Regulation (23 NYCRR 500): financial services companies regulated by the NY Department of Financial Services. One of the most prescriptive state cybersecurity regulations: specific requirements for CISO designation, risk assessment, MFA, encryption, penetration testing, and incident reporting.
International regulations. Laws enacted by foreign governments or international bodies. Mandatory for organizations operating in or serving customers in those jurisdictions.

- GDPR: organizations that process personal data of EU/EEA residents, regardless of where the organization is located. Fines up to 4% of global revenue. The most influential privacy regulation globally.
- NIS2 Directive: essential and important entities in the EU. Cybersecurity risk management, incident reporting, and supply chain security requirements. Enacted 2024, enforcement began 2025.
- UK Data Protection Act 2018 / UK GDPR: post-Brexit equivalent of GDPR for organizations processing UK residents' data.
- DORA (Digital Operational Resilience Act): financial entities in the EU. ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management. Effective January 2025.
Industry standards. Voluntary or contractually mandated standards developed by industry bodies. Not legally binding unless adopted by regulation or required by contract.

- PCI DSS 4.0: organizations that process, store, or transmit payment card data. Enforced through card brand (Visa, Mastercard) compliance programs and acquirer requirements. Not a law, but effectively mandatory for any organization accepting credit cards.
- SOC 2: service organizations providing services to other businesses. Not legally required, but commercially required by enterprise customers (included in procurement requirements, security questionnaires, and contract terms).
- ISO 27001: international certification of an information security management system (ISMS). Commercially required for organizations operating in Europe and increasingly required by global enterprise customers.
- CIS Controls v8: community-developed, prioritized security controls. Referenced by multiple frameworks and used as a practical implementation guide. CIS Controls map to Implementation Groups (IG1, IG2, IG3) based on organizational size and risk.
Contractual requirements. Security obligations embedded in customer contracts, partner agreements, and insurance policies. Not regulatory, but commercially binding.

- Enterprise customer security requirements (often referencing SOC 2, ISO 27001, or specific control requirements).
- Cyber insurance underwriting requirements (MFA, EDR, backups, IR plan).
- Business associate agreements (HIPAA BAAs).
- Data processing agreements (GDPR DPAs).
| Industry | Primary Frameworks |
|----------|-------------------|
| Healthcare | HIPAA, SOC 2, state breach/privacy laws, HITRUST |
| Financial services | GLBA, PCI DSS, SOC 2, NY DFS 23 NYCRR 500, DORA (if EU) |
| Defense/government | CMMC, NIST 800-171, FedRAMP, FISMA |
| Technology/SaaS | SOC 2, ISO 27001, state privacy laws, GDPR (if EU customers) |
| Retail/e-commerce | PCI DSS, state breach/privacy laws, CCPA/CPRA |
| Education | FERPA, state breach/privacy laws, COPPA (if under-13 data) |
| Critical infrastructure | NERC CIP (energy), TSA directives (transportation), CISA CPGs |
| General (all industries) | State breach notification laws, SEC rules (if public), cyber insurance requirements |
Most organizations face 3 to 7 overlapping frameworks. The number increases with geographic diversity (each country adds its own requirements), industry complexity (a healthcare company that also processes payments faces both HIPAA and PCI DSS), and customer base (enterprise customers may require SOC 2 or ISO 27001 regardless of the organization's industry).
The compliance burden becomes manageable when common controls are mapped across frameworks. An MFA control satisfies requirements in HIPAA, PCI DSS, NIST 800-171, SOC 2, ISO 27001, GLBA, and state privacy laws simultaneously. Implementing MFA once and mapping it to all seven frameworks is dramatically more efficient than implementing and documenting MFA seven times.
Common control mapping uses a cross-reference matrix: each control (MFA, encryption, vulnerability scanning, access reviews, incident response planning) maps to the specific requirements in each applicable framework. CDA's RGA-H01 mission (Multi-Framework Compliance Alignment, 24 hours) produces this matrix.
The mapping also identifies framework-specific requirements that do not overlap: CMMC requires specific handling procedures for CUI that HIPAA does not address. PCI DSS requires specific cardholder data environment segmentation that SOC 2 does not specify. GDPR requires data subject rights fulfillment processes that HIPAA does not require. Framework-specific requirements must be implemented in addition to the common control set.
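The cross-reference matrix and the framework-specific gap list described above can be kept as data and computed rather than maintained by hand. The following is an added example written for this article; it is not CDA's RGA-H01 deliverable or tooling. The framework names are the ones discussed here, but every requirement identifier and description (`HIPAA-AUTH`, `PCI-SEG`, and so on) is a constructed placeholder, not a verified citation of the framework text, and a real matrix would substitute the actual clause references.

```python
"""Common-control cross-reference matrix with framework-specific gap analysis.

Added example, not code from the original article or from CDA. Framework names
are the article's; requirement IDs and descriptions are constructed placeholders.
"""
from collections import defaultdict

# Requirement catalogue per framework (constructed sample data, not real clause numbers).
FRAMEWORK_REQUIREMENTS = {
    "HIPAA": {
        "HIPAA-AUTH": "person or entity authentication",
        "HIPAA-ENC": "encryption of ePHI",
        "HIPAA-IR": "security incident procedures",
        "HIPAA-BAA": "business associate agreements",
    },
    "PCI DSS": {
        "PCI-MFA": "MFA for access into the cardholder data environment",
        "PCI-ENC": "stored account data rendered unreadable",
        "PCI-VSCAN": "quarterly vulnerability scans",
        "PCI-IR": "incident response plan",
        "PCI-SEG": "cardholder data environment segmentation",
    },
    "SOC 2": {
        "SOC2-ACCESS": "logical access controls",
        "SOC2-ENC": "protection of data at rest",
        "SOC2-VULN": "vulnerability identification",
        "SOC2-IR": "incident response",
    },
    "NIST 800-171": {
        "NIST-MFA": "multifactor authentication",
        "NIST-ENC": "cryptographic protection of CUI",
        "NIST-VSCAN": "periodic vulnerability scanning",
        "NIST-IR": "incident handling capability",
        "NIST-CUI": "CUI marking and handling procedures",
    },
    "GDPR": {
        "GDPR-SEC": "security of processing",
        "GDPR-BREACH": "72-hour breach notification",
        "GDPR-DSR": "data subject rights fulfilment",
    },
}

# Each common control lists the requirements it satisfies (constructed sample data).
COMMON_CONTROLS = {
    "MFA": {"HIPAA": ["HIPAA-AUTH"], "PCI DSS": ["PCI-MFA"], "SOC 2": ["SOC2-ACCESS"],
            "NIST 800-171": ["NIST-MFA"], "GDPR": ["GDPR-SEC"]},
    "Encryption at rest": {"HIPAA": ["HIPAA-ENC"], "PCI DSS": ["PCI-ENC"], "SOC 2": ["SOC2-ENC"],
                           "NIST 800-171": ["NIST-ENC"], "GDPR": ["GDPR-SEC"]},
    "Vulnerability scanning": {"PCI DSS": ["PCI-VSCAN"], "SOC 2": ["SOC2-VULN"],
                               "NIST 800-171": ["NIST-VSCAN"]},
    "Incident response plan": {"HIPAA": ["HIPAA-IR"], "PCI DSS": ["PCI-IR"], "SOC 2": ["SOC2-IR"],
                               "NIST 800-171": ["NIST-IR"], "GDPR": ["GDPR-BREACH"]},
}


def validate_mappings(controls, frameworks):
    """Reject a mapping that cites an unknown framework or requirement ID: a typo
    here would silently claim coverage that no assessor will accept."""
    for control, refs in controls.items():
        for framework, req_ids in refs.items():
            if framework not in frameworks:
                raise ValueError(f"{control}: unknown framework {framework!r}")
            for req_id in req_ids:
                if req_id not in frameworks[framework]:
                    raise ValueError(f"{control}: unknown requirement {req_id!r} in {framework}")


def covered_requirements(controls):
    """Framework -> set of requirement IDs satisfied by at least one common control."""
    covered = defaultdict(set)
    for refs in controls.values():
        for framework, req_ids in refs.items():
            covered[framework].update(req_ids)
    return covered


def framework_specific_gaps(controls, frameworks):
    """Requirements no common control reaches; these are implemented on top of the shared set."""
    covered = covered_requirements(controls)
    return {fw: sorted(set(reqs) - covered[fw]) for fw, reqs in frameworks.items()}


def evidence_packages(controls):
    """(control-to-requirement mappings, controls): evidence collected once per
    framework requirement versus once per control and reused across frameworks."""
    mapped = sum(len(ids) for refs in controls.values() for ids in refs.values())
    return mapped, len(controls)


def render_matrix(controls, frameworks):
    """Render the cross-reference matrix as a markdown table; '-' marks no mapping."""
    names = list(frameworks)
    rows = ["| Control | " + " | ".join(names) + " |", "|" + "---|" * (len(names) + 1)]
    for control, refs in controls.items():
        cells = [", ".join(refs.get(fw, [])) or "-" for fw in names]
        rows.append(f"| {control} | " + " | ".join(cells) + " |")
    return "\n".join(rows)


if __name__ == "__main__":
    validate_mappings(COMMON_CONTROLS, FRAMEWORK_REQUIREMENTS)
    print(render_matrix(COMMON_CONTROLS, FRAMEWORK_REQUIREMENTS))
    for fw, gaps in framework_specific_gaps(COMMON_CONTROLS, FRAMEWORK_REQUIREMENTS).items():
        print(f"{fw}: framework-specific requirements not covered by common controls: {gaps or 'none'}")
    mapped, n = evidence_packages(COMMON_CONTROLS)
    print(f"{n} controls satisfy {mapped} requirement mappings; evidence collected {n} times, not {mapped}")
```

Adding a newly applicable framework means adding its catalogue and extending the control mappings; the gap report then shows exactly which of its requirements the existing control set does not reach (in the sample data: the HIPAA BAA, PCI DSS segmentation, CUI handling and GDPR data subject rights entries), which is the framework-specific work the paragraph above describes.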
The compliance landscape is not static. The trajectory over the last five years reveals clear patterns:
More prescriptive. Frameworks are shifting from principles-based ("implement appropriate controls") to prescriptive ("implement MFA using phishing-resistant methods within 90 days"). The HIPAA proposed update, the GLBA Safeguards Rule update, and CMMC Level 2 all specify controls that earlier versions left to organizational discretion.
Faster reporting. Breach notification timelines are compressing. GDPR: 72 hours. SEC: 4 business days. CIRCIA: 72 hours for incidents, 24 hours for ransom payments. NIS2: 24-hour early warning. The trend is toward near-real-time notification that requires pre-built communication plans and automated detection.
Broader scope. Regulations are expanding to cover more entities. HIPAA covers business associates. CMMC covers the entire defense supply chain. NIS2 expanded the scope of covered entities significantly beyond NIS1. GDPR applies to any organization processing EU resident data, regardless of location.
Supply chain focus. NIST CSF 2.0 elevated supply chain risk management to a full category. NIS2 requires supply chain security. CMMC flows requirements down the defense supply chain. Executive Order 14028 mandates SBOMs from software suppliers. The regulatory expectation is clear: organizations are accountable for their third parties' security.
Personal accountability. SEC enforcement against the SolarWinds CISO. Proposed SEC rules on cybersecurity expertise at the board level. State attorney general investigations targeting specific executives. The trend is toward personal accountability for cybersecurity leaders, not just organizational accountability.
Compliance certification (SOC 2, ISO 27001, HIPAA) is a market requirement, not a differentiator. Enterprise customers require it. Government contracts mandate it. Insurance carriers evaluate it. Organizations that cannot demonstrate compliance are excluded from opportunities regardless of their actual security posture. Compliance is the minimum. Security is the objective.
Regulatory penalties are increasing. GDPR fines exceed 4 billion euros in aggregate. HIPAA settlements reach tens of millions. PCI DSS non-compliance carries card brand fines, increased processing fees, and potential inability to accept payment cards. State privacy law penalties reach $7,500 per intentional violation per record. SEC enforcement for disclosure failures carries financial penalties and reputational damage. The cost of compliance is measurable and budgetable. The cost of non-compliance is unpredictable and potentially existential.
No organization can efficiently manage 5+ overlapping frameworks through ad hoc processes. The compliance landscape requires a structured program (see Compliance Program Design) with multi-framework alignment (see RGA-H01), automated evidence collection, and continuous monitoring. Organizations that treat each framework as an independent project will drown in duplicative work. Organizations that treat compliance as a unified program with common controls and mapped requirements will manage the complexity efficiently.
The regulatory compliance landscape is the operating environment for the RGA (Risk Governance and Assurance) domain of the Planetary Defense Model. RGA is the strategic envelope: it ensures the organization meets its external obligations while sustaining the five inner domains that provide operational security.
CDA's Perpetual Compliance Assurance (PCA) methodology addresses the landscape's complexity through three mechanisms:
RGA-R01 (Compliance Landscape Mapping, 16 hours) identifies which frameworks apply to the specific organization based on industry, geography, customer base, and data types processed. The mapping eliminates uncertainty: the organization knows exactly which frameworks it must comply with and which requirements apply.
RGA-H01 (Multi-Framework Compliance Alignment, 24 hours) maps common controls across all applicable frameworks, creating the cross-reference matrix that eliminates duplicative implementation and evidence collection.
RGA-B02 (Compliance Program Build, 60 hours) builds the unified compliance infrastructure: policies, controls, evidence collection, and internal audit that satisfy all applicable frameworks through a single operational program.
CDA approaches the compliance landscape with one principle: compliance is a byproduct of operational security, not a separate activity. An organization that operates effective DPS, VSD, SPH, IAT, and TID programs is already compliant with the majority of requirements across the majority of frameworks. The RGA layer documents, reports, and certifies that compliance. The operational controls are the substance. The compliance program is the evidence that the substance exists.
Written by Evan Morgan