Home / Publication Type / Law / RegulationLaw / Regulation
Laws and regulations form the binding legal foundation that organizations must comply with, establishing mandatory security, risk management, and incident reporting obligations, often backed by supervisory oversight and sanctions. Laws are typically adopted by a legislative body and set high-level legal principles and rights (such as data protection, critical infrastructure security, or cybercrime offenses), while regulations provide more detailed, enforceable rules and technical requirements to operationalize those principles. For example, the General Data Protection Regulation imposes strict obligations on personal data security and breach notification, and the NIS2 Directive strengthens cybersecurity risk management and incident reporting duties for essential and important entities across the EU. Unlike standards or frameworks, compliance with these instruments is not voluntary: failure to meet their requirements can result in fines, liability, or other legal consequences.