
Regulations, Standards & Frameworks 101: A Beginner’s Survival Kit

  • Writer: Varpu Huhtinen
  • 5 days ago
  • 5 min read

In a fast-moving world full of risks, regulation transforms best practices into must-do actions. It steps in when innovation races ahead of oversight, serving as an unspoken agreement: if you want to be part of the game, you need to follow the rules.

Regulations aren’t just guidelines — they are obligations, often coming into focus when crises like data breaches or system failures make the news. Different regions — whether the EU, USA, or Asia — are shaping their own regulations based on their perspectives and needs. The EU has been rapidly regulating digital governance to improve cybersecurity. Over the past few years, it has introduced comprehensive laws like the NIS Directive and the Cyber Resilience Act (CRA), among others. Moving forward, the EU is expected to continue driving stricter regulations to ensure resilience against evolving cybersecurity threats in order to maintain a secure digital landscape.


Essential regulatory terminology


A directive outlines the desired goal but allows each Member State to decide how to achieve it, necessitating adaptation to their national laws. However, if a directive isn't implemented on time, the Member State may face legal consequences from the European Commission.

In contrast, a regulation or an act in the EU is a binding legislative source that applies directly and uniformly to all Member States without needing to be transposed into national law. This means that once a regulation is passed, it has immediate legal force across all EU countries. This distinction is crucial, especially in areas like cybersecurity, privacy, and digital resilience, where any delays or deviations can create vulnerabilities.

A standard acts like a strict rulebook, where every requirement must be followed, while a framework offers more flexibility, allowing you to select the components that suit your needs best. A framework is a broader set of guidelines aimed at improving a company’s overall security posture. Companies can be formally certified against a standard, but not against a framework. However, using a framework can help you meet a standard.


Regulations


The General Data Protection Regulation (GDPR) serves as the foundation of data privacy in the EU, holding businesses responsible for protecting personal data and ensuring transparency to the individuals whose data they process. Failure to comply can lead to substantial fines and significant damage to a company’s reputation, making compliance essential. Keep in mind that personal data refers to any information that can be linked to an identifiable individual, whether directly or indirectly, in some cases even including IP addresses. It covers all actions involving personal data — such as collection, storage, use, sharing, or deletion — throughout the entire lifecycle.


The Cyber Resilience Act (CRA) is the first regulation specifically focused on ensuring digital products, such as Internet of Things (IoT) devices, are secure from the outset. Manufacturers are now required to address vulnerabilities before products are made available to consumers, helping to prevent security risks in everyday technology. In certain cases, even software may need to have a CE marking to demonstrate compliance with this new regulation, signaling that it meets necessary cybersecurity standards.


The Digital Operational Resilience Act (DORA) is definitely one of the lengthiest ones, targeting financial institutions and ensuring they maintain resilience against disruptions, including cyber incidents. It requires financial organizations to manage third-party risks and meet stringent cybersecurity standards across their entire operational chain.


The Health Insurance Portability and Accountability Act (HIPAA) is primarily a privacy law for USA residents, not specifically a cybersecurity regulation, though it does include crucial cybersecurity components. It serves as the backbone of patient data protection, establishing standards to safeguard health information from unauthorized disclosure. HIPAA enforces stringent requirements for healthcare providers, insurers, and their business associates, including specific cybersecurity measures to protect sensitive data, such as encryption, secure access controls, and regular audits, ensuring the security and confidentiality of patient information.


Directives


The Network and Information Systems Directive (NIS2 Directive) takes the original NIS Directive further by expanding cybersecurity requirements to additional sectors. It brings stricter rules for reporting and security, helping to reduce weaknesses in key services and making them more resilient to cyberattacks. For instance, industries like healthcare and energy now have to step up their security measures to protect against cyber threats that could cause major disruptions. Additionally, they need to report incidents more quickly, so issues can be rapidly addressed.



Standards


In InfoSec, we like to add a little “salt and pepper” to passwords to enhance their security, just as we mix in standards and frameworks alongside regulations to make things more robust. These serve as valuable tools for achieving compliance and emphasizing the importance of security. The choice depends on the company, but even when they are not required, these industry best practices are always worth a shot.


The ISO27000 series is the go-to standard for companies in sectors like finance, healthcare, energy, the public sector, telecoms, critical infrastructure, or those handling sensitive data – comprising a total of 46 standards. You might wonder which one to crack open; however, it sounds more complex than it is. Start with 27001 as your big-picture guide and use ISO27002 as your trusty handbook, providing guidance on each information security topic. Then there are other standards in the ISO27000 series that get into the nitty-gritty, like ISO27301, providing you with detailed requirements for business continuity. Basically, the ISO27000 series is a buffet of standards – something for everyone, no matter what your appetite is, while also providing a strong foundation for meeting the previously mentioned NIS2 requirements.


The Payment Card Industry Data Security Standard (PCI DSS) is non-negotiable if you’re working in a company that stores, transmits, accepts or processes cardholder data – you have no option, and you are obligated to enforce the security controls outlined by PCI DSS. Harsh? Maybe. Necessary? Yes, if we want to keep our money as safe as possible.


Frameworks


The NIST Cyber Security Framework – a collection of frameworks – differs from ISO27002 by offering more detailed and technically specific controls. This time your trusty handbook is called NIST 800-53. However, you can supplement this handbook with other NIST guides, such as NIST SP 800-61 for incident handling. As you might recall, these are recommendations, not requirements. Implementing the practices outlined by NIST CSF is nevertheless highly recommended, simply because the framework can fit any type and size of organization when it comes to improving security practices and preventing cybersecurity incidents.


In today’s fast-evolving digital landscape, directives, regulations, standards, and frameworks are essential for managing risk and ensuring compliance. It’s crucial to understand which ones matter most to your industry and how your operations align with them. Hopefully this article serves as 101 guidance to all who need a basic understanding of these topics.




Guest writers:


Kersti Toomeoja, Associate Cyber & Digital Risk, Advisense

Nina Niinivirta, Associate Cyber & Digital Risk, Advisense



