Cybersecurity Regulatory Requirements by Region: A Compliance Map for Global Businesses
Over 70 countries have enacted or updated cybersecurity regulations since 2023. The regulatory landscape is evolving faster than most companies can track. What was voluntary guidance two years ago is now enforceable law with significant penalties. This guide maps the cybersecurity regulatory requirements across major regions, helping global businesses understand their obligations and prioritize compliance.
Key Takeaways
- NIS2 (EU) expanded cybersecurity obligations to 160,000+ organizations, with personal liability for management
- SEC cybersecurity disclosure rules require US public companies to report material incidents within 4 business days
- APAC regulations vary widely: Singapore and Australia lead, while others are still developing frameworks
- A unified security framework (ISO 27001 or NIST CSF) satisfies 60-80% of regional requirements globally
Regional Regulatory Map
European Union
| Regulation | Effective | Scope | Key Requirements | Penalties |
|---|---|---|---|---|
| NIS2 Directive | October 2024 | Essential and important entities (18 sectors) | Risk management, incident reporting (24hr/72hr), supply chain security, management accountability | EUR 10M or 2% revenue (essential), EUR 7M or 1.4% (important) |
| DORA | January 2025 | Financial sector (banks, insurance, investment, ICT providers) | ICT risk management, incident classification/reporting, resilience testing, third-party risk | Proportionate to entity size |
| Cyber Resilience Act | 2027 (phased) | Products with digital elements | Secure by design, vulnerability handling, SBOM, CE marking | EUR 15M or 2.5% revenue |
| GDPR (security aspects) | 2018 | Any organization processing EU personal data | "Appropriate technical and organizational measures" | EUR 20M or 4% revenue |
NIS2 key changes from NIS1:
- Expanded from ~10,000 to ~160,000 organizations
- Management bodies personally liable for compliance
- Mandatory 24-hour "early warning" for significant incidents
- Supply chain security requirements
- Minimum EUR 10M penalties for essential entities
United States
| Regulation | Effective | Scope | Key Requirements | Penalties |
|---|---|---|---|---|
| SEC Cybersecurity Rules | December 2023 | US public companies | Material incident disclosure (4 business days), annual risk governance reporting | SEC enforcement actions |
| CISA Reporting (CIRCIA) | 2026 (proposed) | Critical infrastructure (16 sectors) | 72-hour incident reporting, 24-hour ransomware payment reporting | Civil penalties |
| FTC Act (Section 5) | Ongoing | Companies engaged in commerce | "Reasonable" security practices, enforcement for "unfair" practices | Varies (consent orders, fines) |
| State privacy laws (CA, CO, CT, VA, etc.) | Various | Companies meeting state thresholds | Security practices, breach notification (varies by state) | State AG enforcement |
| HIPAA Security Rule | 2005 (updated) | Healthcare entities and business associates | Administrative, physical, technical safeguards for PHI | Up to $1.9M per violation category per year |
| GLBA Safeguards Rule | Updated 2023 | Financial institutions | Risk assessment, access controls, MFA, encryption, incident response | Federal agency enforcement |
United Kingdom
| Regulation | Effective | Scope | Key Requirements | Penalties |
|---|---|---|---|---|
| UK NIS Regulations | 2018 (updated) | Essential services, digital services | Risk management, incident reporting, supply chain | GBP 17M |
| UK GDPR | 2021 | Organizations processing UK resident data | Security measures, breach notification (72hr) | GBP 17.5M or 4% revenue |
| FCA Requirements | Ongoing | Financial services firms | Operational resilience, incident reporting, third-party risk | FCA enforcement |
| Proposed Cyber Security and Resilience Bill | 2025-2026 | Expanded from current NIS scope | Enhanced incident reporting, supply chain requirements | TBD |
Asia-Pacific
| Country | Regulation | Key Requirements | Penalties |
|---|---|---|---|
| Singapore | Cybersecurity Act 2018 | CII operators: incident reporting, audits, risk assessments | SGD 100K |
| Australia | SOCI Act 2022 (amended) | Critical infrastructure: risk management, incident reporting (12-72hr) | Civil penalties |
| Japan | Economic Security Act 2022 | Critical infrastructure: supply chain screening | Administrative orders |
| South Korea | Network Act + PIPA | Data breach notification, security measures | KRW 50M + 3% revenue |
| India | CERT-In Directions 2022 | 6-hour incident reporting, log retention (180 days) | Imprisonment + fines |
| China | CSL + DSL + PIPL | Critical infrastructure: localization, security reviews, incident reporting | Up to 5% revenue |
Middle East and Africa
| Country | Regulation | Key Requirements | Penalties |
|---|---|---|---|
| UAE | NESA Standards + PDPL | Critical infrastructure: security controls, incident reporting | Fines + license revocation |
| Saudi Arabia | NCA ECC Framework | Government/critical: compliance assessments, monitoring | Regulatory enforcement |
| South Africa | POPIA + ECTA | Security safeguards, breach notification | ZAR 10M or imprisonment |
| Kenya | Data Protection Act 2019 | Security measures, breach notification | KSh 5M or 1% revenue |
Building a Universal Compliance Framework
Map Controls to Regulations
Instead of implementing separate controls for each regulation, build a unified framework:
| Control Domain | NIS2 | SEC | DORA | UK NIS | Singapore CSA |
|---|---|---|---|---|---|
| Risk assessment | Required | Required | Required | Required | Required |
| Incident response plan | Required | Disclosed | Required | Required | Required |
| Incident reporting | 24hr/72hr | 4 bus. days | Classification-based | 72hr | Required |
| Supply chain security | Required | Disclosed | Required | Required | Recommended |
| MFA / access control | Required | Recommended | Required | Required | Required |
| Encryption | Required | Recommended | Required | Required | Required |
| Penetration testing | Required | Recommended | Required annually | Required | Required |
| Board oversight | Required (personal liability) | Required (disclosure) | Required | Recommended | Recommended |
| Security awareness training | Required | Recommended | Required | Required | Required |
| Business continuity | Required | Disclosed | Required (resilience testing) | Required | Required |
Recommended Base Framework
Start with NIST Cybersecurity Framework 2.0 or ISO 27001:2022 as your foundation:
- NIST CSF 2.0: Free, flexible, widely recognized in US and internationally
- ISO 27001: Certifiable, preferred in EU and by enterprise customers
Both frameworks cover the core control domains required by most regulations. Add regulatory-specific requirements (reporting timelines, documentation formats) on top.
Incident Reporting Comparison
| Jurisdiction | Reporting Deadline | Report To | Content Required |
|---|---|---|---|
| EU (NIS2) | 24hr early warning, 72hr full | National CSIRT/authority | Impact, indicators, cross-border impact |
| EU (GDPR) | 72hr (to authority), "without undue delay" (to individuals if high risk) | Supervisory authority | Nature, categories, approximate records, consequences, measures |
| EU (DORA) | Depends on classification (1hr to 1 month) | Financial supervisory authority | Classification-based detail |
| US (SEC) | 4 business days (material incidents) | SEC filing (8-K) | Nature, scope, timing, material impact |
| US (CISA) | 72hr incidents, 24hr ransomware | CISA | Incident details, impact, indicators |
| UK (NIS) | 72hr | NCSC/relevant authority | Impact assessment, measures taken |
| India (CERT-In) | 6 hours | CERT-In | Incident type, affected systems, impact |
| Australia (SOCI) | 12hr (critical), 72hr (significant) | ACSC | Impact, response actions, indicators |
| Singapore (CSA) | Prescribed timeframe | CSA | Incident details, impact, response |
Compliance Prioritization
For Companies Operating in Multiple Regions
- Implement ISO 27001 or NIST CSF as the foundation (satisfies 60-80% of all requirements)
- Map regulatory gaps for each jurisdiction where you operate
- Prioritize by penalty severity: EU (NIS2/GDPR) and SEC rules carry the highest penalties
- Harmonize reporting: Build one incident reporting process that meets the strictest deadline (6 hours for India) and adapt outputs for each authority
- Document everything: Most regulations require demonstrable compliance, not just security
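One way to operationalize the "meet the strictest deadline" recommendation is a small scheduler that takes a single reference time and the jurisdictions in scope and returns the notification deadlines earliest-first. This is an added example, not ECOSIRE's code; it encodes the fixed deadlines from the Incident Reporting Comparison table above, treats the reference time as the clock start for every authority (an assumption; in practice the trigger differs, e.g. a materiality determination for the SEC), and ignores public holidays when counting business days. Classification-based regimes (DORA) and "prescribed timeframe" regimes (Singapore) are deliberately left out because the page gives no fixed number for them.

```python
from datetime import datetime, timedelta, timezone

# Fixed deadlines from the comparison table. Values are hours after the
# reference time, except the SEC entry, which is counted in business days.
DEADLINES = {
    "India (CERT-In)": ("hours", 6),
    "Australia (SOCI, critical)": ("hours", 12),
    "EU (NIS2 early warning)": ("hours", 24),
    "EU (NIS2 full)": ("hours", 72),
    "EU (GDPR, to authority)": ("hours", 72),
    "US (CISA incident)": ("hours", 72),
    "UK (NIS)": ("hours", 72),
    "US (SEC 8-K, material)": ("business_days", 4),
}

# Constructed sample: an incident confirmed on a Friday morning (UTC).
SAMPLE_DETECTED_AT = datetime(2025, 3, 14, 10, 0, tzinfo=timezone.utc)


def add_business_days(start, days):
    """Advance by whole Mon-Fri business days; holidays ignored (assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            days -= 1
    return current


def reporting_schedule(detected_at, jurisdictions):
    """Return (deadline, jurisdiction) pairs for the given scope, earliest first."""
    schedule = []
    for name in jurisdictions:
        unit, amount = DEADLINES[name]
        if unit == "hours":
            deadline = detected_at + timedelta(hours=amount)
        else:
            deadline = add_business_days(detected_at, amount)
        schedule.append((deadline, name))
    schedule.sort()
    return schedule


def strictest_deadline(detected_at, jurisdictions):
    """The single deadline the unified reporting process must be built around."""
    return reporting_schedule(detected_at, jurisdictions)[0]


if __name__ == "__main__":
    scope = ["US (SEC 8-K, material)", "EU (NIS2 early warning)", "India (CERT-In)"]
    for deadline, name in reporting_schedule(SAMPLE_DETECTED_AT, scope):
        print(f"{deadline.isoformat()}  {name}")
```

Because the schedule is sorted, the first entry is the deadline that the shared process must hit; each later authority then receives an adapted output from the same incident record.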
Frequently Asked Questions
Does NIS2 apply to our company?
NIS2 applies if you operate in the EU and fall within one of 18 sectors (energy, transport, banking, healthcare, digital infrastructure, public administration, space, postal, waste, food, manufacturing, chemicals, research, and ICT services). Essential entities are large enterprises in critical sectors. Important entities are medium enterprises in those sectors. The expanded scope captures far more companies than NIS1. Even if you are not directly in scope, your clients may require NIS2 compliance from their supply chain.
How do we comply with cybersecurity regulations in multiple countries?
Build a unified security framework (ISO 27001 or NIST CSF) that covers the common requirements. Create a regulatory mapping document that shows which framework controls satisfy which regulations. For requirements unique to specific jurisdictions (reporting timelines, documentation formats), create addendums to your base framework. This is far more efficient than building separate compliance programs.
Are there cybersecurity requirements for ERP systems specifically?
Not specific to ERP, but ERP systems typically fall under multiple regulatory scopes because they process financial data (SOX, DORA), personal data (GDPR, NIS2), and are often considered critical business systems. Ensure your ERP has: role-based access control, audit logging, encryption, regular patching, and incident response procedures. ECOSIRE provides Odoo security hardening that addresses these requirements.
What Comes Next
Cybersecurity regulatory compliance is one dimension of your governance program. Combine it with data governance for data-specific regulations, employee data privacy for workforce data, and cookie consent implementation for web properties.
Contact ECOSIRE for cybersecurity compliance consulting across multiple jurisdictions.
Published by ECOSIRE -- helping businesses navigate the global regulatory landscape.
Written by the ECOSIRE Team (Technical Writing)