Common Cybersecurity Laws

Cybersecurity laws create binding legal obligations regardless of whether an organization chooses to comply. This page provides a concise reference for the most impactful cybersecurity and data protection laws globally — their scope, who they apply to, penalties, and how the SCF CCF™ maps to each.

Common Controls Framework™

The SCF is the exclusive, trademarked Common Controls Framework™ (CCF™) — every law on this page is mapped to specific SCF controls via the STRM methodology. Organizations implementing the SCF CCF™ satisfy the security and privacy requirements of all applicable laws through a single unified control set.

All laws on this page create MCR (Minimum Compliance Requirement) obligations. Download the SCF to see the exact control-to-law mappings for each.

US Federal & State Laws

Key US Cybersecurity & Privacy Laws

The United States has a fragmented, sector-based approach to cybersecurity law — different industries face different mandatory regimes, and state privacy laws add additional layers of obligation.

HIPAA / HITECH
Health Insurance Portability & Accountability Act
Jurisdiction: US Federal | Sector: Healthcare
Applies to: Covered entities (health plans, providers, clearinghouses) and their business associates handling PHI
Key requirements: Annual risk assessment; security policies; breach notification; BAAs with all PHI processors; minimum necessary standard
Penalties: Up to $1.9M per violation category per year; criminal prosecution for willful neglect
SCF domains: PRI, DCH, CRY, IAC, IRO, TPM, GOV

GLBA
Gramm-Leach-Bliley Act — Safeguards Rule
Jurisdiction: US Federal | Sector: Financial Services
Applies to: Financial institutions — banks, mortgage lenders, insurance companies, financial advisors, tax preparers
Key requirements: Written Information Security Program (WISP); annual penetration testing; MFA; encryption; incident response; vendor oversight
Penalties: Up to $100,000 per violation; officers liable up to $10,000; criminal prosecution possible
SCF domains: GOV, RA, IAC, CRY, TPM, IRO, MON

SOX
Sarbanes-Oxley Act — IT Controls
Jurisdiction: US Federal | Sector: Public Companies
Applies to: Publicly traded companies and their auditors; IT general controls (ITGC) that support financial reporting
Key requirements: IT General Controls (change management, access controls, operations); annual management assessment; external auditor attestation
Penalties: Up to $5M fines and 20 years imprisonment for executives who certify false reports
SCF domains: GOV, IAC, CHG, CFG, MON, BCD

CCPA / CPRA
California Consumer Privacy Act / Privacy Rights Act
Jurisdiction: US — California | Sector: Privacy
Applies to: For-profit businesses serving CA residents that meet any one threshold: $25M revenue, 100K+ consumer records, or 50%+ of revenue from selling data
Key requirements: Privacy notice; opt-out rights; DSAR fulfillment within 45 days; data security; annual cybersecurity audit (high-risk processing)
Penalties: Up to $7,500 per intentional violation; $750 per consumer per incident for data breaches
SCF domains: PRI, DCH, TPM, IRO

FedRAMP
Federal Risk and Authorization Management Program
Jurisdiction: US Federal | Sector: Cloud / Federal IT
Applies to: Any cloud service provider (CSP) seeking to provide cloud services to federal agencies
Key requirements: Full NIST SP 800-53 control implementation; third-party assessment; Authority to Operate (ATO); continuous monitoring
Penalties: Loss of ATO; removal from the FedRAMP Marketplace; contract termination; loss of federal revenue
SCF domains: All 33 SCF domains

TX SB 2610
Texas Cybersecurity Act — Business Obligations
Jurisdiction: US — Texas | Sector: All Businesses
Applies to: Businesses operating in Texas that collect, process, or store personal information of Texas residents
Key requirements: Reasonable cybersecurity measures; incident reporting; vendor management; data disposal requirements
Penalties: Civil penalties; attorney general enforcement; private right of action for data breach victims
SCF domains: GOV, RA, IRO, TPM, DCH

International Laws

Key International Cybersecurity & Privacy Laws

International laws apply to organizations outside their originating jurisdiction — GDPR applies to any organization processing EU resident data regardless of where the organization is located. Cross-border compliance is a global operational reality.

GDPR
General Data Protection Regulation
Jurisdiction: EU / EEA (extraterritorial) | Sector: Privacy
Applies to: Any organization worldwide that processes personal data of EU/EEA residents — extraterritorial by design
Key requirements: Lawful basis; privacy notice; ROPA; individual rights; DPIA for high-risk processing; DPAs; 72-hour breach notification; DPO (in some cases)
Penalties: Up to €20M or 4% of global annual turnover — whichever is higher
SCF domains: PRI, DCH, CRY, TPM, IRO, GOV

NIS2 Directive
Network and Information Security Directive 2
Jurisdiction: EU | Sector: Critical Infrastructure
Applies to: Medium and large organizations in critical sectors (energy, transport, health, digital, water, finance) operating in EU member states
Key requirements: Risk management measures; supply chain security; incident reporting (24 hrs initial / 72 hrs detailed); board accountability; cybersecurity governance
Penalties: Up to €10M or 2% of global turnover for essential entities; executive personal liability
SCF domains: GOV, RA, IRO, TPM, NET, BCD

DORA
Digital Operational Resilience Act
Jurisdiction: EU | Sector: Financial Services
Applies to: EU financial entities — banks, investment firms, insurance companies, payment processors, crypto-asset service providers, and their critical ICT providers
Key requirements: ICT risk management framework; incident classification and reporting; digital operational resilience testing (TLPT); ICT third-party risk management
Penalties: Up to 1% of average daily global turnover per day of violation; executive personal liability
SCF domains: GOV, RA, IRO, BCD, TPM, MON

Penalty Reference

Cybersecurity Law Penalty Comparison

Maximum statutory penalties vary dramatically across laws. This reference table covers the headline maximums — actual penalties depend on severity, willfulness, harm caused, and remediation efforts.

| Law            | Jurisdiction | Max Civil Penalty                   | Criminal Exposure?           | Private Right of Action?       |
|----------------|--------------|-------------------------------------|------------------------------|--------------------------------|
| GDPR           | EU / Global  | €20M or 4% global turnover          | Member state discretion      | Yes — GDPR Article 82          |
| HIPAA / HITECH | US Federal   | $1.9M per violation category/year   | Yes — up to 10 years         | Limited; via state AG          |
| CCPA / CPRA    | California   | $7,500 per intentional violation    | No                           | Yes — $100–$750 per consumer   |
| NIS2           | EU           | €10M or 2% global turnover          | Executive personal liability | No                             |
| DORA           | EU           | 1% daily global turnover (per day)  | Executive personal liability | No                             |
| GLBA           | US Federal   | $100,000 per violation              | Yes — officers up to 10 years| No                             |
| SOX            | US Federal   | $5M per false certification         | Yes — up to 20 years         | Limited                        |
| FedRAMP        | US Federal   | Loss of ATO / contract              | No (regulatory)              | No                             |
| TX SB 2610     | Texas        | Civil penalties; AG discretion      | No                           | Yes — breach victims           |

Maximum penalties shown. Actual penalties vary based on severity, cooperation, and remediation. This is not legal advice.

Get started

See Every Law Mapped in the SCF

Every law on this page — and 80+ more — is mapped to specific SCF controls in the free SCF download. One unified control set. Every applicable law satisfied.