🇺🇸 HIPAA
Healthcare Privacy · 1996
Awareness
Federal US law protecting Protected Health Information (PHI). Applies to Covered Entities (healthcare providers, health plans, clearinghouses) and their Business Associates (any vendor that creates, receives, maintains, or transmits PHI on their behalf).
6 common violations documented
🇪🇺 EU AI Act
AI Governance · 2024
Awareness
World's first comprehensive AI law. Classifies AI systems by risk level and applies tiered requirements. Applies to providers and deployers of AI systems in the EU, including companies outside the EU whose AI systems are used in the EU.
5 common violations documented
🇺🇸 SOC 2
Security Certification · 2011
Awareness
AICPA security certification demonstrating that a service organization's controls meet the Trust Services Criteria. Not legally required but commercially essential: most enterprise buyers require it before signing contracts. Type I covers design; Type II covers operating effectiveness over 6–12 months.
6 common violations documented
🌐 ISO 27001
Security Certification · 2022
Awareness
International standard for Information Security Management Systems (ISMS). Provides a framework of 93 controls across 4 themes (organizational, people, physical, technological). Required for many government contracts worldwide and increasingly expected by enterprise buyers in the EU and APAC.
4 common violations documented
🌐 PCI DSS
Payment Security · 2004
Awareness
Security standard required by Visa, Mastercard, American Express, Discover, and JCB for any organization that stores, processes, or transmits cardholder data. Non-compliance can result in fines and loss of the ability to accept card payments, effectively shutting down an e-commerce business.
5 common violations documented
🇺🇸 SOX
Financial Controls · 2002
Awareness
US federal law requiring publicly traded companies to maintain strict financial controls and reporting. Section 302: CEO/CFO must personally certify financial statements. Section 404: annual assessment of internal controls over financial reporting. Criminal penalties for knowing violations.
4 common violations documented
🌐 ISO 42001
AI Governance · 2023
Awareness
Published December 2023. The first international standard for AI Management Systems (AIMS). Often called 'the SOC 2 for AI'; increasingly required by enterprise customers before purchasing AI products. Aligns closely with the EU AI Act's requirements for high-risk AI systems.
4 common violations documented
🇺🇸 FERPA
Education Privacy · 1974
Awareness
Federal US law protecting the privacy of student education records. Applies to all educational institutions receiving federal funding (virtually all schools and universities). Gives parents and eligible students rights to access, review, and request corrections to education records.
4 common violations documented
🇪🇺 DORA
Financial Resilience · 2025
Awareness
EU regulation effective January 17, 2025, requiring financial entities to manage ICT risks and ensure operational resilience. Applies to banks, insurers, investment firms, crypto asset service providers, and their critical ICT third-party providers. Significant new obligations for cloud providers and SaaS companies serving EU financial institutions.
4 common violations documented