Fact-based overviews of EU and international cybersecurity regulations. Official sources, article references, and enforcement timelines.
19 regulations tracked · 10 jurisdictions · 100% officially sourced
EU 2022/2557 (Entities comply May 2027): Physical and operational resilience for critical entities across 11 sectors — complements NIS2 with business continuity and supply chain obligations.
EU 2024/2847 (Reporting Sep 2026, Full Dec 2027): Cybersecurity requirements for products with digital elements — mandatory CE marking, vulnerability handling, and incident reporting.
EU 2022/2555 → Cbw (Expected Q2 2026): Expanded scope to 18 sectors, personal liability for management, 24-hour incident reporting, and supply chain security obligations.
COM(2026) 11 (Proposed Jan 2026): Expands the Cybersecurity Act with ICT supply chain security, high-risk supplier restrictions, expanded EUCS certification, and enhanced ENISA powers.
EU 2022/2065 (Enforced Feb 2024): Harmonised rules for digital intermediaries — content moderation transparency, algorithmic audits, systemic risk assessments for VLOPs, and enhanced user protection.
EU 2023/2854 (Design rules Sep 2026, Full Sep 2027): Data access rights for connected products, FRAND B2B sharing terms, cloud switching with 2-month max, and B2G emergency data access.
EU 2025/327 (In force, applies Mar 2027): European Health Data Space — patient access rights, EHR interoperability, secondary use data permits, and MyHealth@EU cross-border infrastructure.
EU 2024/1689 (High-risk Aug 2026, Full Aug 2027): Risk-based AI classification with prohibitions, conformity assessments for high-risk systems, transparency obligations, and GPAI model requirements.
Proposed (Nov 2025) (Adoption expected Q3 2026): Amends GDPR, AI Act, NIS2, ePrivacy, Data Act, and Cybersecurity Act. Standardised breach notification, AI training basis, SME exemptions.
EU 2022/2554 (Enforced Jan 2025): ICT risk management framework for financial entities — applies to banks, insurers, investment firms, and their critical ICT providers.
EU 2023/1114 (Enforced Dec 2024): Comprehensive framework for crypto-asset service providers, ART/EMT issuers — authorisation, white paper disclosures, reserve requirements, and consumer protection.
EU 2024/1366 (Enforced Jun 2024): First sector-specific EU cybersecurity code for electricity — mandatory risk assessments, incident reporting, and supply chain security for TSOs and DSOs.
UK 2022 c.46 (Enforced Apr 2024): Baseline cybersecurity for consumer IoT — bans default passwords, mandates vulnerability disclosure, and requires security update transparency.
SEC 33-11216 (Enforced Dec 2023): Material incident disclosure within 4 business days on Form 8-K. Annual cybersecurity governance disclosure on Form 10-K for all US-listed companies.
Royal Decree M/19 (Enforced Sep 2024): Comprehensive data protection for all sectors — consent-based processing, 72-hour breach notification, cross-border transfer restrictions, and DPO requirements.
Brazil Law 13.709/2018 (Enforced Aug 2021): Brazil's GDPR-equivalent — consent-based processing, data subject rights, DPIAs, breach notification, and extraterritorial reach to all organisations targeting Brazilian residents.
Cap. 224 / Act 40 of 2020 (Enhanced Oct 2022): 10 data protection obligations for all private sector organisations — mandatory breach notification, enhanced penalties, data portability, and private right of action.
India 2023 No. 22 (Full compliance May 2027): Consent-based data protection with extraterritorial reach. 72-hour breach notification, mandatory encryption, and penalties up to INR 250 crore (~EUR 28M).
Act 2024A00128 (Cth) (In effect Dec 2024, phased to Dec 2026): Landmark reform — statutory tort for privacy invasions, tiered civil penalties, automated decision-making disclosures, and anti-doxxing criminal offences.
Whether you're mapping your obligations or preparing for audit, our team helps you turn regulatory requirements into actionable security programmes.