The modern cyber-regulatory landscape has evolved into a dense lattice of overlapping statutes, sectoral rules, and voluntary-but-effectively-mandatory assurance frameworks. Whether an organisation is a multinational bank, a SaaS start-up, or an energy utility, a material data breach now triggers investigations by a half-dozen authorities at once, each empowered to levy its own fines and impose its own remediation timetable. The result is an enforcement environment in which a single control failure reverberates far beyond the direct costs of containment and forensics: regulatory penalties alone now routinely surpass eight figures, while non-monetary sanctions—ranging from certificate withdrawal to loss of market access—can constrain revenue for years after the incident is closed.
Against this backdrop, global “baseline” standards such as ISO/IEC 27001, PCI-DSS 4.0, and SOC 2 Type II have become table stakes for market entry. Although technically voluntary, they function as de facto licences to operate: failure to pass an ISO surveillance audit can disqualify a bidder from public tenders; an un-remediated PCI gap can see card-processing privileges revoked overnight; and a qualified SOC 2 opinion is enough to stall enterprise sales pipelines. Monetary exposure at this tier is comparatively modest (tens or hundreds of thousands of dollars for re-certification, fines, and forensic audits), but the collateral commercial damage is severe: higher cyber-insurance premiums, cancelled contracts, and lasting reputational scars.
In the United States the “soft” standards are overlaid by a patchwork of compulsory federal and state regimes whose penalties scale with industry criticality. A bank that flouts OCC safety-and-soundness expectations, GLBA safeguards, or New York’s DFS Part 500 can realistically expect US \$ 70–75 million in civil money penalties for a single incident, while broker-dealers and listed companies face SEC and SOX fines that add several million more. Non-bank financial institutions (fintech lenders, credit bureaus, asset managers) escape the OCC tariff only to confront FTC settlements that now average US \$ 7–8 million, plus CCPA/CPRA exposure of roughly US \$ 1 million and PCI brand assessments of about US \$ 25 000. For mainstream, non-financial companies the regulatory bill is smaller but still punishing: the typical breach today triggers an FTC “unfair practices” order (~US \$ 5 million), a multistate attorney-general settlement (~US \$ 10 million), and, if Californian data are involved, another US \$ 1.2 million under the CPRA, placing the blended regulatory hit for one incident in the US \$ 16–22 million range before class actions or incident-response costs.
Europe raises the stakes further through harmonised, turnover-based fines. The GDPR’s ceiling of 4 percent of global annual turnover (or €20 million, whichever is higher) has been well publicised, but newer instruments such as NIS 2 and DORA extend that model into cyber-resilience and financial-sector ICT risk. NIS 2’s 2 percent revenue penalty is paired with personal liability and temporary management bans, while DORA lets the Lead Overseer impose periodic penalty payments of up to 1 percent of average daily worldwide turnover on critical ICT third-party providers until deficiencies are fixed, with banks and insurers themselves answering to national competent authorities under penalties set in national law. In parallel, eIDAS and the EU Cyber-Security Act serve as market gatekeepers: losing qualified-trust-service status or failing to achieve a “High” assurance certificate can instantly shut a vendor out of pan-European public procurement.
Outside the trans-Atlantic corridor, jurisdictions are converging on the same enforcement philosophy: high headline fines plus stiff non-monetary remedies. Brazil’s LGPD allows penalties up to 2 percent of domestic revenue (capped at R\$ 50 million per infraction), China’s PIPL pairs 5 percent turnover fines with executive blacklisting, and Australia now threatens the greater of A\$ 50 million, three times the benefit obtained, or 30 percent of adjusted turnover over the breach period for serious violations. Even traditionally lighter-touch regimes are tightening: Canada’s Bill C-27 proposes C\$ 10 million (or 3 percent of global revenue) administrative fines to replace PIPEDA’s toothless regime, and India’s Digital Personal Data Protection Act sets a ₹250 crore (~US \$ 30 million) maximum per breach. Across the Middle East and Africa the pattern repeats: Saudi Arabia’s PDPL imposes SAR 5 million penalties and potential imprisonment, while South Africa’s POPIA layers criminal sanctions atop administrative fines.
Taken together, these trends signal a decisive shift from “check-box” compliance to continuous, evidence-driven assurance. Boards must allocate capital not only for technology controls but also for the audit machinery—control libraries, automated evidence capture, scenario testing—that lets a firm demonstrate compliance to ten regulators at once. Cyber-insurance and contractual indemnities may soften the first financial blow, yet they rarely address the strategic costs of losing a FedRAMP authorisation, an ISO certificate, or a place on the EU Trust List. The lesson for risk officers is clear: invest up-front in integrated governance that maps each control to every applicable statute, because when a breach arrives the bill will be measured not merely in dollars paid but in markets forfeited, licences withdrawn, and trust—once lost—painful to regain.
Regime & Key Scope | Governing Body | Monetary Penalties (typ.) | Non-Monetary Consequences |
---|---|---|---|
ISO/IEC 27001 – ISMS (baseline for information-security management) | ISO via accredited CBs (BSI, TÜV, UL) | Re-certification & audit costs ≈ US \$ 20 k–100 k; contract losses. | Certificate withdrawal; bid disqualification; higher cyber-insurance premiums. |
PCI-DSS 4.0 – Card-holder data | PCI-SSC; enforced by Visa/Mastercard acquirers | Fines up to US \$ 100 k / month; forensic-audit charges; higher interchange. | Processing privilege revocation; breach notification duty; brand damage. |
SOC 2 (Type II) – Trust-services attestation | AICPA via licensed CPA firms | Remediation & re-audit costs ≈ US \$ 50 k–250 k; lost enterprise deals. | Qualified opinion published; customer churn; reputational harm. |
ISO 22301 – BCMS | ISO-accredited CBs | Emergency audit & remediation spend; SLA penalties. | Certificate suspension; loss of regulator trust in critical services. |
IEC 62443 – ICS / OT security | IECEE & national safety regulators | Recall & retrofit costs; safety-law fines; multi-million downtime losses. | Safety-certification loss; site shutdowns; liability in incident probes. |
ISO/IEC 27031 – ICT continuity | ISO CBs; mandated in some telecom/finance regs | Re-certification & regulator fines (up to US \$ 1 M+ where referenced). | Audit failures; licence suspensions; reputational harm after outages. |
Regime & Key Scope | Governing Body | Monetary Penalties (typ.) | Non-Monetary Consequences |
---|---|---|---|
FISMA – Federal agencies & contractors | OMB & CISA | Budget withholdings; multi-million re-architect costs. | ATO revocation; IG scorecard downgrades; congressional scrutiny. |
DFARS 7012 / NIST SP 800-171 – DoD CUI | DoD / DCMA | False Claims Act treble damages; contract-termination costs (US \$ 100 k–1 M+). | Cure notices; exclusion from bids; negative past-performance ratings. |
CMMC 2.0 – DoD supply-chain certification | DoD CIO; Cyber AB-accredited C3PAOs | Assessment fees US \$ 3 k–100 k; lost defense revenue. | Bid ineligibility; supply-chain disruption; reputation loss. |
HIPAA – Health-data privacy/security | HHS OCR | Civil: up to US \$ 2 M/yr per violation category; criminal up to US \$ 250 k. | Corrective-action plans; public breach “wall of shame”. |
FTC GLBA Safeguards Rule – Non-bank financial institutions | Federal Trade Commission | Un-capped civil fines (recent cases > US \$ 100 M); monitor costs. | 20-yr consent decrees; board-level oversight orders. |
SOX §404 – Public-company IT controls | SEC & PCAOB | SEC fines > US \$ 10 M; shareholder litigation damages. | Executive criminal liability; NYSE/Nasdaq delisting risk. |
California CCPA / CPRA – Consumer privacy | CPPA & CA AG | US \$ 2 500 (unintentional) / US \$ 7 500 (intentional) per violation; US \$ 100–750 per consumer in private actions. | Injunctions; class actions; no mandatory cure period. |
NY DFS 23 NYCRR 500 – Financial-services cyber | NY Dept. of Financial Services | ~US \$ 1 000 per day; multi-million consent orders. | Licence conditions; public enforcement; exec attestations. |
NERC CIP – Bulk electric system | NERC (via FERC) | Up to US \$ 1 M per day per violation; remediation spend. | Mandatory mitigation plans; increased audit oversight. |
FBI CJIS Security Policy – Criminal-justice information | FBI CJIS Division | Revenue loss from terminated LE contracts; re-platform costs. | Immediate CJIS lockout; potential criminal charges. |
FedRAMP – Cloud sold to gov’t | FedRAMP PMO & FedRAMP Board (formerly JAB) | Assessment + monitoring US \$ 250 k–2 M; federal revenue loss if authorisation revoked. | Removal from marketplace; agency off-boarding; reputational hit. |
Regime & Key Scope | Governing Body | Monetary Penalties (typ.) | Non-Monetary Consequences |
---|---|---|---|
GDPR – Personal-data protection | EDPB & national DPAs | Up to €20 M / 4 % global turnover (whichever is higher). | Processing bans; DPIA mandates; civil suits. |
NIS 2 – Critical-sector cyber | National competent authorities & CSIRTs; ENISA (coordination) | Fines ≤ €10 M / 2 % global turnover (essential entities); ≤ €7 M / 1.4 % (important entities). | Binding orders; exec liability; director bans. |
DORA – Financial ICT resilience | ESAs (EBA, ESMA, EIOPA) & national competent authorities | Periodic penalty payments ≤ 1 % avg daily worldwide turnover for critical ICT third-party providers; national-law penalties for financial entities. | Forced supplier termination; public reprimands. |
eIDAS – Qualified trust services | National supervisory bodies | Fines up to €1 M+ (state-specific); redress costs. | Removal from EU Trust List; status withdrawal. |
EU Cyber-Security Act – Certification | ENISA & national cert. authorities | Market-access denial costs; redesign spend. | Sales bans in public procurement & critical sectors. |
Country / Regime & Scope | Governing Body | Monetary Penalties (typ.) | Non-Monetary Consequences |
---|---|---|---|
UK – UK GDPR & Data Protection Act 2018 | Information Commissioner’s Office (ICO) | Up to £17.5 M / 4 % global turnover. | Enforcement notices; stop-processing orders; audits. |
Canada – PIPEDA (Bill C-27 proposed) | Office of the Privacy Commissioner (OPC) | Up to C\$ 10 M / 3 % global revenue if Bill C-27’s CPPA is enacted. | Compliance agreements; court-ordered damages. |
Brazil – LGPD – Data protection | ANPD | ≤ 2 % Brazilian revenue; cap R\$ 50 M per infraction. | Daily fines; partial/total processing suspension. |
Mexico – LFPDPPP – Private-sector privacy | INAI | Up to ~US \$ 1 M equiv. | Processing bans; criminal charges for illicit transfers. |
Argentina – Law 25 326 – Data protection | AAIP | Fines up to ~US \$ 100 k. | Processing suspension; criminal prosecution (aggravated cases). |
China – PIPL + Cyber-Security Law | CAC & MIIT | ≤ ¥50 M / 5 % annual turnover. | Business shutdown; blacklisting; exec liability. |
Japan – APPI – Personal information | PPC | Corporate fines ≤ ¥100 M. | Corrective orders; public naming; criminal cases for resale. |
South Korea – PIPA – Data protection | PIPC & KISA | ≤ 3 % total revenue; separate criminal fines. | Export suspensions; imprisonment ≤ 5 yrs for severe offences. |
Singapore – PDPA + MAS TRM | PDPC & MAS | PDPC: greater of S\$ 1 M or 10 % of Singapore turnover (since Oct 2022); MAS civil fines. | Public directions; licence conditions; mandatory audits. |
India – Digital Personal Data Protection Act 2023 | Data Protection Board (TBA) | ≤ ₹250 crore (~US \$ 30 M) per violation. | Processing suspension; civil liability suits. |
Australia – Privacy Act 1988 (amended 2022) | OAIC | Greater of A\$ 50 M, 3× benefit obtained, or 30 % of adjusted turnover in the breach period. | Enforceable undertakings; public determinations; reputational harm. |
New Zealand – Privacy Act 2020 | Privacy Commissioner | ≤ NZ\$ 10 000 per offence (higher in sectoral laws). | Compliance notices; public access directions; reputational damage. |
South Africa – POPIA – Data protection | Information Regulator (SA) | Up to R10 M. | Civil damages; imprisonment ≤ 10 yrs. |
UAE – DIFC DP Law 2020 (DIFC entities) | DIFC Commissioner | ≤ US \$ 100 k. | Enforcement directions; impact on commercial licence. |
Qatar – PDPPL (Law No. 13 of 2016) | CRA | ≤ QAR 1 M (≤ QAR 5 M for the gravest breaches). | Processing suspension; corrective orders. |
Saudi Arabia – PDPL (in force Sept 2023; enforced from Sept 2024) | SDAIA | ≤ SAR 5 M (~US \$ 1.3 M) per offence. | Criminal liability for unlawful cross-border transfers; imprisonment. |
Switzerland – revFADP 2023 – Data protection | FDPIC | Criminal fines on individuals ≤ CHF 250 k. | Civil liability; cross-border transfer limits. |
In the United States, the regulatory stakes for cyber-security non-compliance differ sharply between financial entities and the broader commercial sector, yet both cohorts now face a multilayered gauntlet of federal and state authorities. For OCC-, Fed-, or FDIC-supervised banks, a single breach typically summons the banking agencies under safety-and-soundness powers as well as the Gramm-Leach-Bliley Act (GLBA) safeguards. Recent consent orders show civil money penalties clustering around US \$ 70 million per incident, with regulators simultaneously imposing comprehensive remediation plans, third-party monitors, and, increasingly, individual accountability for directors and senior executives. Broker-dealers, investment advisers, and listed companies carry additional exposure: SEC actions under Regulation S-P, the cyber-incident-disclosure rules adopted in 2023, and Sarbanes-Oxley §404(b) routinely add another US \$ 2–5 million in fines plus the threat of securities-fraud litigation if disclosures are deemed misleading. Layer on New York’s DFS Part 500 for any institution licensed in that state (≈US \$ 1 million per investigation) and PCI-DSS assessments for compromised card data, and a regulated bank can easily see its regulatory bill crest US \$ 75 million before counting class actions, customer restitution, or incident-response costs.
Non-bank financial institutions (fintech lenders, credit bureaus, mortgage servicers) escape the OCC tariff but land squarely in the FTC’s cross-hairs. The updated GLBA Safeguards Rule is the Commission’s main lever over this cohort, and recent FTC settlements (e.g., BetterHelp, 2023, brought under Section 5 of the FTC Act) place the “middle of the envelope” around US \$ 7–8 million per breach. These figures rise rapidly when the same incident triggers SEC penalties for public issuers, New York DFS fines, and California Privacy Rights Act (CPRA) penalties of roughly US \$ 1.2 million. On a blended basis, a medium-sized non-bank financial firm now budgets about US \$ 12 million in regulatory exposure for a material event, an amount that may double if the breach reveals wilful misstatements, repeat violations, or inadequate board oversight.
For companies outside the financial vertical, the enforcement constellation shifts but remains punitive. The Federal Trade Commission wields Section 5 of the FTC Act against “unfair or deceptive” security practices, averaging roughly US \$ 5 million per action since 2022 and frequently attaching 20-year consent decrees that mandate annual audits and board-level certification. Parallel multistate attorney-general settlements have emerged as the most expensive state-level sanction, with coordinated investigations settling for about US \$ 10 million, while the CPRA adds a California-specific fine and opens the door to statutory-damage class actions that can eclipse the public-law penalties. Public companies incur an extra SEC overlay (Regulation S-P and the Form 8-K Item 1.05 cyber-disclosure rule) adding roughly US \$ 2 million in civil penalties and exposing executives to securities-fraud liability if incident details are withheld or misstated.
Beyond the dollar figures lie non-monetary sanctions that frequently outlast the checks written to Washington or Sacramento. Federal agencies can revoke the Authority-to-Operate under which a contractor’s system holds government data, the FBI can terminate CJIS data access, and the FedRAMP Program Management Office can expel a cloud provider from the federal marketplace, actions that sever revenue streams overnight. At the state level, New York DFS now requires an annual compliance certification signed personally by the highest-ranking executive and the CISO under its amended Part 500, while the CPRA has removed the 30-day cure period the original CCPA offered and regulators are experimenting with algorithmic disgorgement remedies. Combined with rising cyber-insurance retentions and customers’ contractual indemnity clauses, the American compliance calculus now pairs eight-figure monetary fines with existential operational risks, making proactive, evidence-driven governance the cheapest option left on the table.
Regime (all compulsory) | “Average” Civil Penalty Seen 2022-25* | Illustrative Enforcement Example | How It Hits a Single Firm |
---|---|---|---|
OCC / Federal banking regulators – safety-&-soundness + GLBA §501(b) guidelines | ≈ US \$ 70 million | Citibank CMP \$ 75 M (Oct 2024) (occ.gov); City National Bank CMP \$ 65 M (Jan 2024) (occ.gov) | Applies if the company is a nationally-chartered or FDIC/Fed-supervised bank; penalty is imposed once per enforcement action arising from an incident. |
SEC Reg S-P / SOX 404(b) (cyber-controls & disclosure) | ≈ US \$ 2 million | R.R. Donnelley & Sons Co. – \$ 2.1 M (Jun 2024) (sec.gov) | Any public issuer, broker-dealer or investment adviser is exposed. |
NYDFS 23 NYCRR 500 (if licensed in NY) | ≈ US \$ 1 million | First American Title Ins. – \$ 1 M (Nov 2023) (dfs.ny.gov) | One penalty per investigation; larger breaches have reached US \$ 4–5 M. |
FTC GLBA Safeguards Rule (covers non-bank FIs) | ≈ US \$ 7.8 million | BetterHelp settlement \$ 7.8 M (Jul 2023) (ftc.gov); note that BetterHelp was charged under FTC Act §5, not the Safeguards Rule, so it is a proxy for FTC fine size rather than a Safeguards-Rule precedent | Mutually exclusive with OCC banking fines; applies to lenders, fintechs, credit bureaus, etc. |
PCI-DSS (card-brand assessments) | ≈ US \$ 25,000 | Typical brand assessment range US \$ 5 K-50 K (sprinto.com) | Levied by Visa/Mastercard per breach, billed via the acquiring bank. |
California CCPA/CPRA (if Calif. data affected) | ≈ US \$ 1.2 million | Sephora CCPA settlement \$ 1.2 M (Aug 2022) (oag.ca.gov) | Civil penalty from CA AG or CPPA; private-action damages add further exposure. |
Scenario | OCC / FTC | SEC | NYDFS | PCI | CCPA | Blended Total |
---|---|---|---|---|---|---|
Regulated bank or credit union (OCC-supervised) | 70 M | 2 M | 1 M | 0.025 M | 1.2 M | ≈ US \$ 74.2 million per incident |
Non-bank financial institution (FTC-regulated) | 7.8 M | 2 M | 1 M | 0.025 M | 1.2 M | ≈ US \$ 12.0 million per incident |
Single investigation, multiple dockets: Regulators usually coordinate, so each agency issues one penalty order covering every control breakdown revealed by the incident.
Civil only: Criminal exposure (e.g., willful SEC misstatements) and private class actions (CCPA statutory damages, securities litigation) sit on top of the figures above.
Escalators: Repeat offences, willful misconduct, consumer-impact scale, and refusal to remediate quickly can lift the OCC/SEC/NYDFS numbers well beyond the mid-range shown.
For budgeting and risk-transfer purposes, a U.S. financial-services firm should therefore assume baseline regulatory fines on the order of US \$ 12 million in the non-bank case and US \$ 75 million in the bank case (the blended mid-range totals above), before counting litigation, customer restitution, and incident-response costs.
Regulatory-fine “ballpark” for a single U.S. company outside the financial-services sector that suffers one material cyber incident
(Figures are mid-range consent-order amounts from 2022-Q1 2025—i.e., neither minimum statutory penalties nor headline-making outliers such as Equifax \$ 575 M. They exclude class-action settlements, incident-response costs, and lost business.)
Compulsory Regime (typical trigger) | Governing Authority | Avg. Civil Penalty per Incident | Enforcement Examples 2022-25 |
---|---|---|---|
FTC Act §5 – “unfair / deceptive” data-security practices | Federal Trade Commission | ≈ US \$ 5 million | BetterHelp \$ 7.8 M (2023), CafePress \$ 0.5 M (2022), Drizly \$ 0 (injunctive relief only, 2022) |
Multistate AG data-breach settlements (all 50 states + DC have breach-notification laws) | Coalition of State Attorneys-General (lead state negotiates) | ≈ US \$ 10 million | Home Depot \$ 17.5 M (2020), T-Mobile \$ 2.5 M/ state cap (2023) |
California CCPA / CPRA (if Californians affected) | California Privacy Protection Agency & CA Attorney-General | ≈ US \$ 1.2 million | Sephora \$ 1.2 M (2022), DoorDash draft notice \$ 0.375 M (2024) |
PCI-DSS brand assessments (if card data compromised) | Visa, Mastercard, Amex, Discover via acquiring banks | ≈ US \$ 25,000 | Breach assessments typically US \$ 5 k–50 k; separate card re-issuance fees can triple this |
SOX §404 / SEC cyber-disclosure rules (public issuers only) | U.S. Securities & Exchange Commission | ≈ US \$ 2 million | R.R. Donnelley \$ 2.1 M (2024), SolarWinds action pending but guidance range 1–3 M |
HIPAA Privacy & Security Rules (healthcare & business associates only) | HHS Office for Civil Rights | ≈ US \$ 4 million | Anthem MA \$ 8.7 M (2022 OCR split), Aveanna \$ 1 M (2023) |
Scenario | FTC §5 | State AGs | CCPA | PCI | SEC / SOX | HIPAA | Blended Total |
---|---|---|---|---|---|---|---|
Public, non-health-care company | 5 M | 10 M | 1.2 M | 0.025 M | 2 M | — | ≈ US \$ 18.225 million |
Private (non-public) company | 5 M | 10 M | 1.2 M | 0.025 M | — | — | ≈ US \$ 16.225 million |
Healthcare provider / HIPAA BA (public or private) | 5 M | 10 M | 1.2 M | 0.025 M | — / +2 M if public | 4 M | ≈ US \$ 20.2 million (private) – 22.2 million (public) |
One regulator, one check. Each agency generally issues one civil penalty order stemming from the incident, even if multiple rule clauses were violated.
Stackable fines. Nothing bars these penalties from accumulating; they come from different statutes and authorities.
Criminal and civil litigation sit on top. DOJ indictments (for willful deception) and consumer class actions (CCPA statutory damages, securities suits) can easily double or triple the total.
Escalators. Larger customer counts, children’s data, or evidence of concealment can push individual line-items to statutory maxima (e.g., FTC can seek US \$ 50 000 per COPPA-affected child; HIPAA tops at US \$ 2 M per category per year).
For enterprise risk planning, a mainstream U.S. company that is not a bank or broker-dealer should budget ≈ US \$ 15-25 million in regulatory exposure per significant breach, assuming “average” enforcement rather than record-setting cases.
ISO / IEC 27001 – Information-Security Management System (ISMS)
Scope: Global baseline for establishing, operating, and continually improving an ISMS.
Governing body: International Organization for Standardization (ISO) via accredited certification bodies (e.g., BSI, TÜV, UL).
Monetary: loss of multiyear contracts; re-certification costs ≈ US \$ 20 k–100 k; bid bonds forfeited when certification is a tender prerequisite.
Non-monetary: certificate withdrawal, public tender disqualification, increased cyber-insurance premiums.
PCI-DSS 4.0 – Card-holder-Data Security
Scope: Mandatory for any entity that stores, processes, or transmits payment-card data.
Governing body: PCI Security Standards Council; enforced by card brands through acquiring banks.
Monetary: up to US \$ 100 000 per month in fines, higher interchange fees, and forensic-audit recovery charges.
Non-monetary: card-processing privileges revoked, customer notification duty, brand damage.
SOC 2 Type II – Trust-Services Attestation
Scope: Provides independent assurance on security, availability, processing integrity, confidentiality, and privacy for service organisations.
Governing body: American Institute of Certified Public Accountants (AICPA) via licensed CPA firms.
Monetary: lost revenue from failed bids; remediation and re-audit costs ≈ US \$ 50 k–250 k.
Non-monetary: customer churn, reputational harm when the report is qualified or withheld.
ISO 22301 – Business-Continuity Management
Scope: Framework for ensuring operational resilience and disaster recovery.
Governing body: ISO-accredited certification bodies.
Monetary: contractual penalties for unmet SLAs; emergency audit costs.
Non-monetary: certificate suspension, loss of regulator confidence in critical-service sectors.
IEC 62443 – Industrial-Control-System (ICS) Cyber-Security
Scope: Prescribes product- and process-level security for OT / SCADA environments.
Governing body: IEC System of Conformity Assessment (IECEE) & national safety regulators.
Monetary: product-recall expenses; fines tied to safety legislation; multi-million-dollar plant-downtime losses.
Non-monetary: withdrawal of safety certification, site shutdowns, liability in accident investigations.
FISMA – Federal Information Security Modernization Act
Scope: Statutory cyber-risk framework for all federal agencies and their contractors.
Governing body: Office of Management & Budget (OMB) and Cybersecurity & Infrastructure Security Agency (CISA).
Monetary: budget re-programming, withholdings, and re-architecture costs often in the tens of millions.
Non-monetary: revocation of Authority-to-Operate (ATO), adverse Inspector-General scorecards, congressional scrutiny.
DFARS 252.204-7012 / NIST SP 800-171 – DoD Contractor Safeguards
Scope: Protects Controlled Unclassified Information (CUI) in the defense supply chain.
Governing body: U.S. Department of Defense; audits by the Defense Contract Management Agency (DCMA).
Monetary: contract-termination damages, False Claims Act treble damages, re-implementation costs ≈ US \$ 100 k–1 M+.
Non-monetary: cure notices, exclusion from future solicitations, negative past-performance ratings in the Contractor Performance Assessment Reporting System (CPARS, which absorbed PPIRS).
CMMC 2.0 – Cybersecurity Maturity Model Certification
Scope: Tiered certification (Levels 1–3) being phased into DoD contracts for primes and sub-contractors that handle FCI or CUI.
Governing body: DoD CIO; assessments by Certified Third-Party Assessment Organisations (C3PAOs) accredited by the Cyber AB (formerly the CMMC-AB).
Monetary: assessment fees (US \$ 3 k–100 k), bid losses valued in the millions if certification is absent.
Non-monetary: ineligibility to bid, supply-chain disruption, reputational loss in the defense market.
HIPAA – Health-Insurance Portability & Accountability Act Security / Privacy Rules
Scope: Safeguards electronic protected health information (ePHI).
Governing body: U.S. Dept. of Health & Human Services – Office for Civil Rights (OCR).
Monetary: civil penalties up to US \$ 2 million per violation category per calendar year; criminal fines up to US \$ 250 k.
Non-monetary: corrective-action plans, public breach listing, loss of patient trust.
FTC GLBA Safeguards Rule
Scope: Requires non-bank financial institutions to develop and maintain a written information-security program.
Governing body: Federal Trade Commission.
Monetary: civil penalties (uncapped); historically up to US \$ 100 million; mandated third-party monitoring costs.
Non-monetary: consent decrees imposing 20-year compliance reporting, and reputational harm.
Sarbanes-Oxley Act §404 IT Controls
Scope: Public companies must attest to internal controls over financial reporting, including IT.
Governing body: Securities & Exchange Commission; audits overseen by the PCAOB.
Monetary: restatements trigger shareholder suits and SEC fines (recent cases > US \$ 10 million).
Non-monetary: executive criminal liability, exchange delisting risk.
California CCPA / CPRA – Consumer Privacy
Scope: Broad privacy rights and breach-notification mandates for for-profit entities meeting revenue or data thresholds.
Governing body: California Privacy Protection Agency (CPPA) & CA Attorney-General.
Monetary: administrative fines up to US \$ 2 500 per unintentional and US \$ 7 500 per intentional violation; private-right statutory damages US \$ 100–750 per affected consumer per incident.
Non-monetary: no mandatory cure period since the CPRA took effect, class-action exposure, injunctions.
New York DFS 23 NYCRR 500 – Financial-Services Cyber-Security
Scope: Prescriptive controls and annual certification for NY-licensed banks, insurers, and virtual-currency firms.
Governing body: New York Dept. of Financial Services.
Monetary: penalties ~ US \$ 1 000 per day per violation; multimillion-dollar settlements common.
Non-monetary: public consent orders, licence restrictions, liability attached to the executive and CISO compliance certification.
NERC CIP – Bulk-Electric-System Security
Scope: Protection of North American power-grid critical infrastructure.
Governing body: North American Electric Reliability Corporation (delegated by FERC).
Monetary: civil fines up to US \$ 1 million per day per violation; remediation costs for utilities.
Non-monetary: mandatory mitigation plans, public enforcement actions, increased oversight audits.
FBI CJIS Security Policy
Scope: Security controls for access to Criminal Justice Information Services (CJIS) data.
Governing body: FBI CJIS Division.
Monetary: contract revenue loss from terminated law-enforcement agreements; re-platform costs.
Non-monetary: immediate suspension of CJIS access, potential criminal charges for misuse.
FedRAMP – Cloud Services for U.S. Government
Scope: Baseline security authorisation for SaaS, PaaS, and IaaS offerings sold to federal agencies.
Governing body: FedRAMP PMO & the FedRAMP Board (which replaced the Joint Authorisation Board of DoD, DHS, and GSA in 2024).
Monetary: assessment & continuous-monitoring costs (US \$ 250 k–2 M); loss of federal revenue if the authorisation is revoked.
Non-monetary: removal from the FedRAMP marketplace, agency off-boarding, reputational impact in the public sector.
GDPR – General Data Protection Regulation
Scope: Comprehensive privacy regime covering all processing of EU residents’ personal data.
Governing body: European Data Protection Board + national Supervisory Authorities.
Monetary: fines up to €20 million or 4 % of global annual turnover, whichever is higher.
Non-monetary: processing bans, mandatory DPIAs, civil suits by data subjects.
NIS 2 Directive – Cyber-Resilience for Essential & Important Entities
Scope: Cyber-security requirements and incident reporting for critical sectors (energy, health, cloud, etc.).
Governing body: National competent authorities and CSIRTs; EU Agency for Cybersecurity (ENISA) coordinates but does not fine.
Monetary: fines up to €10 million or 2 % of worldwide turnover for essential entities (€7 million or 1.4 % for important entities).
Non-monetary: binding remediation orders, personal liability for executives, temporary management bans.
DORA – Digital Operational Resilience Act (Financial Sector)
Scope: Harmonised ICT-risk rules for banks, insurers, and critical ICT third parties.
Governing body: European Supervisory Authorities (EBA, ESMA, EIOPA) as Lead Overseers of critical ICT providers; national competent authorities for financial entities.
Monetary: periodic penalty payments up to 1 % of average daily worldwide turnover, imposed on critical ICT third-party providers until compliance; financial entities face penalties set by national law.
Non-monetary: forced service termination, public reprimands, third-party contract voidance.
eIDAS – Qualified Trust-Service Provider Rules
Scope: Sets security, audit, and liability rules for qualified electronic signatures, seals, and timestamps.
Governing body: National supervisory bodies.
Monetary: administrative fines (varies by state, up to €1 million+), cost of consumer redress.
Non-monetary: withdrawal of qualified status, removal from the EU Trust List.
EU Cyber-Security Act – Union-wide Certification Schemes
Scope: Creates “Basic”, “Substantial”, and “High” assurance certificates for ICT products and services.
Governing body: ENISA with Member-State certification authorities.
Monetary: market-access denial costs; re-engineering expenses to reach “High” assurance.
Non-monetary: product sales bans in EU public procurement and critical sectors.
UK GDPR & Data Protection Act 2018
Scope: UK’s post-Brexit privacy regime mirroring core GDPR obligations.
Governing body: Information Commissioner’s Office (ICO).
Monetary: fines up to £17.5 million or 4 % of global turnover.
Non-monetary: enforcement notices, stop-processing orders, mandatory audits.
PIPEDA – Personal Information Protection & Electronic Documents Act
Scope: Federal privacy law for private-sector organisations.
Governing body: Office of the Privacy Commissioner of Canada (OPC).
Monetary: PIPEDA itself carries no administrative fines; the proposed Bill C-27 (Consumer Privacy Protection Act) would add penalties up to C\$ 10 million or 3 % of global revenue.
Non-monetary: compliance agreements, Federal Court orders for damages and injunctions.
LGPD – Lei Geral de Proteção de Dados
Scope: Brazil’s omnibus data-protection law.
Governing body: Autoridade Nacional de Proteção de Dados (ANPD).
Monetary: fines up to 2 % of Brazilian revenue, capped at R\$ 50 million per violation.
Non-monetary: daily penalties, partial or total data-processing suspension.
LFPDPPP – Federal Law on Protection of Personal Data Held by Private Parties
Scope: Comprehensive privacy statute for private-sector data controllers.
Governing body: National Institute for Transparency, Access to Information & Personal Data Protection (INAI).
Monetary: fines up to ~US \$ 1 million equivalent.
Non-monetary: temporary processing bans, criminal penalties for unlawful transfers.
Law 25 326 – Personal Data Protection
Scope: Sets rules for collection and treatment of personal data.
Governing body: Agency of Access to Public Information (AAIP).
Monetary: fines scaled by severity (currently up to ~US \$ 100 k).
Non-monetary: data-processing suspension, criminal prosecution in aggravated cases.
PIPL & Cyber-Security Law
Scope: Governs personal-data processing, cross-border transfers, and critical-information infrastructure.
Governing body: Cyberspace Administration of China (CAC) & Ministry of Industry and Information Technology (MIIT).
Monetary: fines up to ¥50 million or 5 % of the previous year’s turnover.
Non-monetary: business shutdowns, blacklisting, personal executive liability.
APPI – Act on the Protection of Personal Information
Scope: National privacy law, amended in 2020 and 2022 to strengthen breach notification.
Governing body: Personal Information Protection Commission (PPC).
Monetary: corporate fines up to ¥100 million.
Non-monetary: corrective orders, public naming, criminal charges for illicit sales.
PIPA – Personal Information Protection Act
[1] Strict consent-centric privacy regime with extraterritorial reach.
[2] Personal Information Protection Commission (PIPC) plus KISA for technical enforcement.
[3] Fines up to 3 % of revenue, separate criminal fines.
[4] Export-suspension orders, imprisonment up to 5 years for severe offences.
PDPA + MAS Technology Risk Management
[1] Data-protection law plus stringent cyber controls for financial institutions.
[2] Personal Data Protection Commission (PDPC) & Monetary Authority of Singapore (MAS).
[3] PDPC fines up to S\$ 1 million (moving to 10 % of turnover); MAS imposes additional civil penalties.
[4] Public directions, licence conditions, mandatory third-party audits.
Digital Personal Data Protection Act 2023
[1] India’s first comprehensive data-protection statute.
[2] Data Protection Board of India (to be established).
[3] Penalties up to ₹250 crore (~US \$ 30 million) per violation.
[4] Suspension of processing, civil liability suits.
Privacy Act 1988 (amended 2023)
[1] Overarching federal privacy law and mandatory data-breach notification scheme.
[2] Office of the Australian Information Commissioner (OAIC).
[3] Fines up to A\$ 50 million, 30 % of turnover benefit, or 3× benefit obtained.
[4] Enforceable undertakings, public determinations, reputational harm.
Privacy Act 2020
[1] Modernised privacy law with mandatory breach reporting.
[2] Office of the Privacy Commissioner.
[3] Fines up to NZ\$ 10 000 per offence; higher penalties under sectoral laws.
[4] Compliance notices, public access directions, reputational damage.
POPIA – Protection of Personal Information Act
[1] Comprehensive data-protection law aligned with GDPR principles.
[2] Information Regulator (South Africa).
[3] Administrative fines up to R10 million.
[4] Civil damages, imprisonment up to 10 years for serious offences.
Country | Regime | Key Points |
---|---|---|
UAE | DIFC Data Protection Law 2020 • [1] Applies to entities in Dubai International Financial Centre. • [2] DIFC Commissioner of Data Protection. • [3] Fines up to US \$ 100 000. • [4] Enforcement directions affecting commercial licence. | |
Qatar | Personal Data Privacy Law 2024 • [1] Nation-wide privacy statute replacing 2016 rules. • [2] Communications Regulatory Authority (CRA). • [3] Monetary penalties up to QAR 1 million. • [4] Suspension of processing permissions, corrective orders. | |
Saudi Arabia | Personal Data Protection Law (PDPL) • [1] Extraterritorial privacy law; grace period ends Sept 2025. • [2] Saudi Data & AI Authority (SDAIA). • [3] Fines up to SAR 5 million (~US \$ 1.3 million) per offence. • [4] Criminal liability for cross-border transfers, possible imprisonment. |
Revised Federal Act on Data Protection (revFADP 2023)
[1] Updates Swiss privacy law to align with GDPR adequacy.
[2] Federal Data Protection & Information Commissioner (FDPIC).
[3] Criminal fines on individuals up to CHF 250 000.
[4] Civil liability, cross-border-transfer restrictions.
Purpose & Enforcement
[1] Guidance for ICT-readiness in business-continuity management.
[2] ISO certification bodies; required in telecom and financial-sector regulations in several countries.
[3] Loss of certification fees; regulator-imposed financial penalties where referenced (e.g., telecom fines up to US \$ 1 million+).
[4] Service-continuity audit failures, licence suspensions, reputational harm during outages.