Standards & Regulations#

Reference of the international, regional, and US standards operators encounter daily, across security, privacy, infrastructure, communication, and industry compliance.

For sanctions, see Sanctions Lists. For protocols, see Network Protocols. For specific tools / frameworks, see the topical references.

Cybersecurity / privacy frameworks#

Standard

Notes

NIST CSF

Cybersecurity Framework v2.0 (2024); Govern / Identify / Protect / Detect / Respond / Recover.

NIST SP 800-53

security + privacy controls catalog (Rev 5).

NIST SP 800-171

CUI controls for non-fed orgs.

NIST SP 800-37

Risk Management Framework (RMF).

NIST SP 800-86

forensics / IR.

NIST SP 800-115

pen-test technical guide.

NIST SP 800-207

Zero Trust Architecture.

NIST 800-218

Secure Software Development Framework (SSDF).

ISO/IEC 27001

ISMS certification standard.

ISO/IEC 27002

controls.

ISO/IEC 27017/27018

cloud-specific.

ISO/IEC 27701

privacy (PIMS) extension to 27001.

ISO/IEC 22301

Business Continuity (BCMS).

SOC 1 / 2 / 3

AICPA service-organization audits.

SOC 2 Trust Crit.

Security, Availability, Processing Integrity, Confidentiality, Privacy.

PCI DSS

v4.0 (2024); payment-card data.

HIPAA

US healthcare (HHS).

HITRUST

healthcare-aligned framework.

FedRAMP

US fed cloud authorization; Low / Mod / High / IL5.

DoD CMMC

v2; defense supplier maturity (Levels 1-3).

StateRAMP

US state-level FedRAMP equivalent.

IRAP

Australian gov.

IL2-IL6

DoD impact levels.

CIS Controls v8

Center for Internet Security; 18 controls.

CSA CCM

Cloud Security Alliance Cloud Controls Matrix.

COBIT 2019

ISACA governance.

ITIL 4

service management.

ISO/IEC 31000

risk management.

Privacy / data protection#

Regulation

Notes

GDPR

EU; 2018; €20M / 4% global turnover max fine.

EU AI Act

2024; risk-tiered AI regulation; Aug 2026 / Aug 2027 compliance dates.

EU NIS2

cyber resilience directive (2024).

EU DORA

Digital Operational Resilience Act (financial); 2025.

EU CER Directive

critical entities resilience.

EU CRA

Cyber Resilience Act for products with digital elements.

EU eIDAS 2

electronic identification + digital wallet.

UK GDPR

post-Brexit version.

UK DSIT / Online Safety Act

Online Safety Act 2023.

PIPL (China)

Personal Information Protection Law (2021).

DSL / CSL (China)

Data Security Law / Cybersecurity Law.

APPI (Japan)

Act on Protection of Personal Info.

PDPA (Singapore)

Personal Data Protection Act.

LGPD (Brazil)

Lei Geral de Proteção de Dados.

PIPEDA (Canada)

Personal Information Protection and Electronic Doc Act.

POPIA (S. Africa)

Protection of Personal Info Act.

CCPA / CPRA

California Consumer Privacy Act + Privacy Rights Act.

HIPAA (US)

health info.

GLBA (US)

financial.

COPPA (US)

children’s online privacy.

FERPA (US)

education records.

NYDFS Part 500

NY DFS cyber regulation.

SEC 17a-4 / SCI

broker-dealer recordkeeping + system controls.

Financial / banking#

Standard

Notes

SWIFT CSP

Customer Security Programme; mandatory controls.

ISO 20022

modern financial-messaging standard; replacing SWIFT MT.

PCI DSS

see above.

PSD2 / PSD3

EU Payment Services Directive; SCA + open banking.

SOX

Sarbanes-Oxley; US public-company financial-control.

Basel III/IV

international banking capital + risk.

MIFID II / MIFIR

EU markets in financial instruments.

EMIR / Dodd-Frank

derivatives transparency.

FATCA (US) / CRS (OECD)

cross-border tax reporting.

SEPA / TARGET2

EU payments rails.

FedNow / RTP / UK F

PS real-time payments.

ISDA Master Agree.

derivatives contract.

Telecom / wireless#

Standard

Notes

3GPP

4G / 5G / 6G specifications.

GSMA

global mobile-operator association.

ETSI

European Telecommunications Standards Institute; many IoT / M2M.

ITU-T

telecom + UN treaty body.

ITU-R

radio regulations.

IEEE 802.11

Wi-Fi (a / b / g / n / ac / ax / be); 7th gen 2024.

IEEE 802.15.4

Zigbee / 6LoWPAN / Thread.

IEEE 802.3

Ethernet.

LoRaWAN

LPWAN.

ONVIF

IP video surveillance.

DOCSIS

cable internet.

Web / internet#

Standard

Notes

RFC (IETF)

Request for Comments; the standard internet standards series.

W3C

World Wide Web Consortium; HTML / CSS / WCAG.

WHATWG

“living standard” HTML / DOM / Fetch.

ECMAScript / TC39

JavaScript language standard.

IANA

Internet Assigned Numbers Authority (port / IP / TLD registries).

ICANN

domain governance.

IDN, IRI

internationalised domain / IRI.

WCAG 2.2 / 3.0

accessibility guidelines (W3C).

ARIA

accessible web roles.

Crypto algorithms#

Standard

Notes

NIST FIPS 140-3

crypto-module validation.

NIST SP 800-131A

transition guidance.

NIST PQC standards

ML-KEM (Kyber, FIPS 203), ML-DSA (Dilithium, FIPS 204), SLH-DSA (SPHINCS+, FIPS 205); selected 2022, codified 2024.

TLS 1.3

RFC 8446.

PKIX / X.509

RFCs 5280 + family.

ASN.1

OID-based encoding.

JOSE / JWT / JWS /

JWE RFCs 7515-7519.

COSE

CBOR Object Signing and Encryption.

PKCS

Public-Key Crypto Standards (1, 7, 8, 11, 12).

Industry#

Industry

Standards

Aviation

DO-178C, DO-254, DO-326A; ICAO Annex 17 (security).

Maritime

IMO MSC.428(98) (cyber); ISM Code; SOLAS.

Automotive

ISO 26262 (functional safety); ISO/SAE 21434 (cyber); UNECE WP.29 R155 / R156.

Medical

ISO 13485 (QMS); IEC 62304 (software); FDA Premarket Guidance for Cybersecurity 2023.

Pharma

21 CFR Part 11; GxP (GMP/GLP/GCP).

Energy / utilities

NERC CIP (US bulk power); NIS2 (EU).

Industrial control

IEC 62443 series.

Building auto

ISO 27001 + IEC 62443.

Rail

EN 50126 / 50128 / 50129 (RAMS).

Space

ECSS standards; CCSDS protocols.

Defense

DoDI 8500.01, DoDI 8510.01 (RMF); NIST 800-171; CMMC.

Quality / management#

Standard

Notes

ISO 9001

QMS.

ISO 14001

EMS (environmental).

ISO 45001

OH&S.

ISO 50001

energy management.

ISO 19011

audit guidelines.

References#