Standards & Regulations#
Reference of the international, regional, and US standards operators encounter daily, across security, privacy, infrastructure, communication, and industry compliance.
For sanctions, see Sanctions Lists. For protocols, see Network Protocols. For specific tools / frameworks, see the topical references.
Cybersecurity / privacy frameworks#
Standard |
Notes |
|---|---|
NIST CSF |
Cybersecurity Framework v2.0 (2024); Govern / Identify / Protect / Detect / Respond / Recover. |
NIST SP 800-53 |
security + privacy controls catalog (Rev 5). |
NIST SP 800-171 |
CUI controls for non-fed orgs. |
NIST SP 800-37 |
Risk Management Framework (RMF). |
NIST SP 800-86 |
forensics / IR. |
NIST SP 800-115 |
pen-test technical guide. |
NIST SP 800-207 |
Zero Trust Architecture. |
NIST 800-218 |
Secure Software Development Framework (SSDF). |
ISO/IEC 27001 |
ISMS certification standard. |
ISO/IEC 27002 |
controls. |
ISO/IEC 27017/27018 |
cloud-specific. |
ISO/IEC 27701 |
privacy (PIMS) extension to 27001. |
ISO/IEC 22301 |
Business Continuity (BCMS). |
SOC 1 / 2 / 3 |
AICPA service-organization audits. |
SOC 2 Trust Crit. |
Security, Availability, Processing Integrity, Confidentiality, Privacy. |
PCI DSS |
v4.0 (2024); payment-card data. |
HIPAA |
US healthcare (HHS). |
HITRUST |
healthcare-aligned framework. |
FedRAMP |
US fed cloud authorization; Low / Mod / High / IL5. |
DoD CMMC |
v2; defense supplier maturity (Levels 1-3). |
StateRAMP |
US state-level FedRAMP equivalent. |
IRAP |
Australian gov. |
IL2-IL6 |
DoD impact levels. |
CIS Controls v8 |
Center for Internet Security; 18 controls. |
CSA CCM |
Cloud Security Alliance Cloud Controls Matrix. |
COBIT 2019 |
ISACA governance. |
ITIL 4 |
service management. |
ISO/IEC 31000 |
risk management. |
Privacy / data protection#
Regulation |
Notes |
|---|---|
GDPR |
EU; 2018; €20M / 4% global turnover max fine. |
EU AI Act |
2024; risk-tiered AI regulation; Aug 2026 / Aug 2027 compliance dates. |
EU NIS2 |
cyber resilience directive (2024). |
EU DORA |
Digital Operational Resilience Act (financial); 2025. |
EU CER Directive |
critical entities resilience. |
EU CRA |
Cyber Resilience Act for products with digital elements. |
EU eIDAS 2 |
electronic identification + digital wallet. |
UK GDPR |
post-Brexit version. |
UK DSIT / Online Safety Act |
Online Safety Act 2023. |
PIPL (China) |
Personal Information Protection Law (2021). |
DSL / CSL (China) |
Data Security Law / Cybersecurity Law. |
APPI (Japan) |
Act on Protection of Personal Info. |
PDPA (Singapore) |
Personal Data Protection Act. |
LGPD (Brazil) |
Lei Geral de Proteção de Dados. |
PIPEDA (Canada) |
Personal Information Protection and Electronic Doc Act. |
POPIA (S. Africa) |
Protection of Personal Info Act. |
CCPA / CPRA |
California Consumer Privacy Act + Privacy Rights Act. |
HIPAA (US) |
health info. |
GLBA (US) |
financial. |
COPPA (US) |
children’s online privacy. |
FERPA (US) |
education records. |
NYDFS Part 500 |
NY DFS cyber regulation. |
SEC 17a-4 / SCI |
broker-dealer recordkeeping + system controls. |
Financial / banking#
Standard |
Notes |
|---|---|
SWIFT CSP |
Customer Security Programme; mandatory controls. |
ISO 20022 |
modern financial-messaging standard; replacing SWIFT MT. |
PCI DSS |
see above. |
PSD2 / PSD3 |
EU Payment Services Directive; SCA + open banking. |
SOX |
Sarbanes-Oxley; US public-company financial-control. |
Basel III/IV |
international banking capital + risk. |
MIFID II / MIFIR |
EU markets in financial instruments. |
EMIR / Dodd-Frank |
derivatives transparency. |
FATCA (US) / CRS (OECD) |
cross-border tax reporting. |
SEPA / TARGET2 |
EU payments rails. |
FedNow / RTP / UK F |
PS real-time payments. |
ISDA Master Agree. |
derivatives contract. |
Telecom / wireless#
Standard |
Notes |
|---|---|
3GPP |
4G / 5G / 6G specifications. |
GSMA |
global mobile-operator association. |
ETSI |
European Telecommunications Standards Institute; many IoT / M2M. |
ITU-T |
telecom + UN treaty body. |
ITU-R |
radio regulations. |
IEEE 802.11 |
Wi-Fi (a / b / g / n / ac / ax / be); 7th gen 2024. |
IEEE 802.15.4 |
Zigbee / 6LoWPAN / Thread. |
IEEE 802.3 |
Ethernet. |
LoRaWAN |
LPWAN. |
ONVIF |
IP video surveillance. |
DOCSIS |
cable internet. |
Web / internet#
Standard |
Notes |
|---|---|
RFC (IETF) |
Request for Comments; the standard internet standards series. |
W3C |
World Wide Web Consortium; HTML / CSS / WCAG. |
WHATWG |
“living standard” HTML / DOM / Fetch. |
ECMAScript / TC39 |
JavaScript language standard. |
IANA |
Internet Assigned Numbers Authority (port / IP / TLD registries). |
ICANN |
domain governance. |
IDN, IRI |
internationalised domain / IRI. |
WCAG 2.2 / 3.0 |
accessibility guidelines (W3C). |
ARIA |
accessible web roles. |
Crypto algorithms#
Standard |
Notes |
|---|---|
NIST FIPS 140-3 |
crypto-module validation. |
NIST SP 800-131A |
transition guidance. |
NIST PQC standards |
ML-KEM (Kyber, FIPS 203), ML-DSA (Dilithium, FIPS 204), SLH-DSA (SPHINCS+, FIPS 205); selected 2022, codified 2024. |
TLS 1.3 |
RFC 8446. |
PKIX / X.509 |
RFCs 5280 + family. |
ASN.1 |
OID-based encoding. |
JOSE / JWT / JWS / |
JWE RFCs 7515-7519. |
COSE |
CBOR Object Signing and Encryption. |
PKCS |
Public-Key Crypto Standards (1, 7, 8, 11, 12). |
Industry#
Industry |
Standards |
|---|---|
Aviation |
DO-178C, DO-254, DO-326A; ICAO Annex 17 (security). |
Maritime |
IMO MSC.428(98) (cyber); ISM Code; SOLAS. |
Automotive |
ISO 26262 (functional safety); ISO/SAE 21434 (cyber); UNECE WP.29 R155 / R156. |
Medical |
ISO 13485 (QMS); IEC 62304 (software); FDA Premarket Guidance for Cybersecurity 2023. |
Pharma |
21 CFR Part 11; GxP (GMP/GLP/GCP). |
Energy / utilities |
NERC CIP (US bulk power); NIS2 (EU). |
Industrial control |
IEC 62443 series. |
Building auto |
ISO 27001 + IEC 62443. |
Rail |
EN 50126 / 50128 / 50129 (RAMS). |
Space |
ECSS standards; CCSDS protocols. |
Defense |
DoDI 8500.01, DoDI 8510.01 (RMF); NIST 800-171; CMMC. |
Quality / management#
Standard |
Notes |
|---|---|
ISO 9001 |
QMS. |
ISO 14001 |
EMS (environmental). |
ISO 45001 |
OH&S. |
ISO 50001 |
energy management. |
ISO 19011 |
audit guidelines. |
References#
Security, where these controls land in practice.