Skip to content
    Home / Publication Type / Law / Regulation

    Law / Regulation

    Laws and regulations form the binding legal foundation that organizations must comply with, establishing mandatory security, risk management, and incident reporting obligations, often backed by supervisory oversight and sanctions. Laws are typically adopted by a legislative body and set high-level legal principles and rights (such as data protection, critical infrastructure security, or cybercrime offenses), while regulations provide more detailed, enforceable rules and technical requirements to operationalize those principles. For example, the General Data Protection Regulation imposes strict obligations on personal data security and breach notification, and the NIS2 Directive strengthens cybersecurity risk management and incident reporting duties for essential and important entities across the EU. Unlike standards or frameworks, compliance with these instruments is not voluntary: failure to meet their requirements can result in fines, liability, or other legal consequences.

    Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Final Rule; Release No. 33-11216)

    This regulation requires public companies to enhance and standardize their disclosures regarding cybersecurity to provide investors with more consistent and decision-useful information. It mandates two primary types of reporting: the… Read More »Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Final Rule; Release No. 33-11216)

    California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA)

    The CCPA/CPRA represents the most comprehensive data privacy framework in the United States, granting California residents extensive rights over their personal information, including the right to know, delete, correct, and… Read More »California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA)