Laws and regulations on information security and business continuity by country

As part of ISO 27001 or ISO 22301 implementation, you’ll need to list all applicable laws and regulations on information security (or business continuity). We collected this information with the help of voluntary contributions from our readers, and we invite anyone else to contribute as well – please let us know if there is some legislation that is not listed here.

Argentina

  • Personal Data Protection Act of 2000 (aka Habeas Data)
  • Data Protection infringements and penalties. Provision 1/2003
  • Security measures for the treatment and maintenance of personal data contained in files, records, databanks or databases. Provision 11/2006
  • BANCO CENTRAL DE LA REPÚBLICA ARGENTINA – COMUNICACIÓN “A” 4609 (12/2006)
  • Ley de Delitos Informáticos (2008) – Ley 26.388

Austria

  • Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999 (Datenschutzgesetz 2000 or DSG 2000)

Australia

  • Privacy Act of 1988
  • Protective Security Framework – June 2010 (Australian Government – Attorney General’s Department (AGD))
  • Prudential Standard CPS232 Business Continuity Management (Australian Prudential Regulation Authority (APRA))
  • Prudential Standard SPS232 Business Continuity Management
  • Prudential Standard APS 222 Associations with Related Entities (APRA)
  • Prudential Standard CPS 231 Outsourcing (APRA)
  • Prudential Practice Guide PPG 231 Outsourcing (APRA)
  • Prudential Practice Guide SPG 231 Outsourcing (APRA)
  • Prudential Practice Guide CPG 233 Pandemic Planning (APRA)
  • Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology (APRA)
  • Prudential Practice Guide LPG 232 Business Continuity Management (APRA)
  • Prudential Practice Guide SPG 232 Business Continuity Management (APRA)

Victorian Legislation

  • Crimes Act 1958 (Vic.)
  • Essential Services Act 1958 (Vic)
  • Evidence Act 2008 (Vic)
  • Freedom of Information Act 1982 (Vic)
  • Surveillance Devices Act 1999 (Vic)
  • Audit Act 1994 (Vic)
  • Employment Law Act 2009
  • Public Records Act 1973 (Vic)
  • Australian Security Intelligence Organisation Act 1979 (Cth)

Commonwealth

  • Crimes Act 1914 (Cth)
  • Criminal Code Act 1995 (Cth)
  • Cybercrime Act 2001 (Cth)
  • Electronic Transactions Act 1999 (Cth)
  • Intelligence Services Act 2001 (Cth)
  • National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth)
  • Privacy Act 1988 (Cth)
  • Spam Act 2003 (Cth)
  • Telecommunications Act 1997 (Cth)
  • Telecommunications (Interception and Access) Act 1979 (Cth)
  • Do Not Call Register Act 2006

Standards

  • Telemarketing and Research Industry Standard 2007
  • Fax Marketing Industry Standard 2011
  • Data deletion standards
  • Victorian Electronic Records Strategy (VERS)
  • Victorian Recordkeeping Standards


Bahamas

  • Disaster Preparedness and Response Act 2006; Emergency Relief Guarantee Fund Act 1999 (National Emergency Management Agency (NEMA))
  • PU19-0406 – Supervisory and Regulatory Guidelines – Business Continuity 1st May 2007 (The Central Bank of the Bahamas)

Barbados

  • Operational Risk Guidelines, June 2007 (The Central Bank of Barbados)

Belgium

  • Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog
  • The National Bank of Belgium (NBB)
  • The Financial Services and Markets Authority (FSMA)

Bolivia

  • N/A

Bosnia and Herzegovina

  • Personal Data Protection Act / Zakon o zaštiti ličnih podataka (“Sl. glasnik BiH“ broj: 49/06)
  • Pravilnik o načinu vođenja i obrascu evidencije o zbirkama ličnih podataka (“Sl. glasnik BiH“ broj: 52/09)
  • Pravilnik o načinu čuvanja i posebnim mjerama tehničke zaštite ličnih podataka (“Sl. glasnik BiH“ broj: 67/09)
  • Pravilnik o inspekcijskom nadzoru u oblasti zaštite ličnih podataka (“Sl. glasnik BiH“ broj: 51/09)
  • Pravilnik o postupku po prigovoru nosioca podataka u Agenciji za zaštitu ličnih podataka u Bosni i Hercegovini (“Sl. glasnik BiH“ broj: 51/09)
  • Instrukcija o načinu provjere obrade ličnih podataka prije uspostavljanja zbirke ličnih podataka (“Sl. glasnik BiH“ broj: 76/09)

Brazil

  • Constituição Federal, arts. 5, 23, 37 e 216
  • Código Civil, arts. 927 e 932
  • Consolidação das Leis do Trabalho – CLT, art. 482
  • Código de Conduta da Alta Administração, arts. 5 e 14
  • Decreto nº 1.171/94 (Código de Ética do Servidor Público), Seções I e II.
  • Código de Defesa do Consumidor, arts. 43 e 44
  • Código Penal, arts. 151-154, 184, 266, 297, 298, 305, 307, 311, 313, 314, 325
  • Código Processo Penal, arts. 20, 207, 745
  • Código Tributário Nacional, art. 198
  • Código de Processo Civil, arts. 347 e 406
  • Lei nº 12.965, de 23 abril de 2014. (Marco Civil da Internet)
  • Lei Geral de Proteção de Dados Pessoais, Lei nº 13.709/2018
  • Política Nacional de Segurança da Informação, DECRETO Nº 9.637, DE 26 DE DEZEMBRO DE 2018

Bulgaria

  • Law on classified information – ЗАКОН ЗА ЗАЩИТА НА КЛАСИФИЦИРАНАТА ИНФОРМАЦИЯ – ДВ. бр.109 от 20 Декември 2007г
  • Law on personal data protection – ЗАКОН ЗА ЗАЩИТА НА ЛИЧНИТЕ ДАННИ – ДВ. бр.57 от 13 Юли 2007г.
  • Law on free access to public information – ЗАКОН ЗА ДОСТЪП ДО ОБЩЕСТВЕНА ИНФОРМАЦИЯ – Доп. – ДВ, бр. 49 от 2007 г.
  • Telecommunications Act – Promulgated State Gazette No. 88/7.10.2003, effective 7.10.2003, amended and supplemented, SG No. 19/1.03.2005, SG No. 77/27.09.2005, SG No. 88/4.11.2005
  • E-Commerce Law – ЗАКОН ЗА ЕЛЕКТРОННАТА ТЪРГОВИЯ – ДВ. бр.41 от 22 Май 2007г.
  • Law for data in electronic form and electronic signature – ЗАКОН ЗА ЕЛЕКТРОННИЯ ДОКУМЕНТ И ЕЛЕКТРОННИЯ ПОДПИС – ДВ. бр.38 от 11 Май 2007г.
  • Law on Copyright and related rights – ЗАКОН ЗА АВТОРСКОТО ПРАВО И СРОДНИТЕ МУ ПРАВА – ДВ. бр.59 от 20 Юли 2007г.
  • Law on electronic data – ЗАКОН ЗА ЕЛЕКТРОННИТЕ СЪОБЩЕНИЯ – ДВ. бр.109 от 20 Декември 2007г.
  • Law on electronic management – ЗАКОН ЗА ЕЛЕКТРОННОТО УПРАВЛЕНИЕ – ДВ. бр.46 от 12 Юни 2007г.
  • Law on crises management – ЗАКОН ЗА УПРАВЛЕНИЕ ПРИ КРИЗИ – ДВ. бр.78 от 28 Септември 2007г.

Canada

  • The Privacy Act – July 1983
  • Personal Information Protection and Electronic Data Act (PIPEDA)
  • Emergency Management Act of 2007 (Canadian Government)
  • Emergency Management & Civil Protection Act – Ontario Regulation (Province of Ontario)
  • Ontario Regulation 380/04
  • IDA By-Law 17.19 – Business Continuity Plan Requirement (OSC (Ontario Securities Commission))
  • Letter to Federally Regulated Financial Institutions, Insurance Companies, CBA etc March 2006

Chile

  • Act on the Protection of Personal Data, August 1998

China (People’s Republic of China)

  • Guidelines on the Risk Management of Commercial Banks’ Information Technology
  • Information Security Technology – Guide of Personal Information Protection (Release on 30 Jan 2011, Draft and Under Consultation)
  • 商业银行信息科技风险管理指引
  • 银行、证券跨行业信息系统突发事件应急处置工作指引
  • 银行业重要信息系统突发事件应急管理规范(试行)
  • 银行业金融机构信息系统风险管理指引
  • 银行业金融机构外包风险管理指引
  • 银行业金融机构重要信息系统投产及变更管理办法
  • 商业银行业务连续性监管指引

Colombia

  • Two laws affecting data privacy – Law 1266 of 2008 and Law 1273 of 2009
  • Ley 599 de 2000, copyright: Article 270. Violation of the moral rights of authors.
  • Ley 599 de 2000: Enacts the Penal Code (Código Penal). It retained the structure of the offence of “unlawful violation of communications”, created copyright as a protected legal interest, and incorporated some conduct indirectly related to computer crime, such as offering, selling or buying an instrument capable of intercepting private communication between persons. It defined the offence of “Abusive access to a computer system” as follows: “Art. 195. Whoever abusively enters a computer system protected by a security measure, or remains in it against the will of whoever has the right to exclude them, shall incur a fine.”
  • Decreto 2649 of 1993, Article 134: Retention of financial information records
  • Resolución 0275 de 2001, corporate governance, Superintendencia de Valores: Establishes the requirements to be met by public and private legal entities that seek to receive investment of pension fund resources
  • Ley 527 de 1999, electronic commerce: Defines and regulates access to and use of data messages, electronic commerce and digital signatures, establishes certification entities, and sets out other provisions.
  • Habeas data: The purpose of this law is to develop the constitutional right of all persons to know, update and rectify the information collected about them in data banks, and the other constitutional rights, freedoms and guarantees related to the collection, processing and circulation of personal data referred to in Article 15 of the Political Constitution, as well as the right to information established in Article 20 of the Political Constitution, particularly in relation to financial, credit, commercial and services information and information originating from third countries.
  • Circular 052 de 2007 (Superintendencia Financiera de Colombia): Circular 052 of the Superintendencia Financiera is a set of good practices for the financial sector in Colombia that seeks to establish a fundamental reference for the development of information security in Colombia. Under this circular, banks and financial institutions must protect all their customer service channels against fraud and reputational risks. Some of the practices they must implement to achieve this are: registration, storage, video surveillance, firewalls and other IT protection systems, and contingency plans using high-availability data centers, among others.
  • Circular Externa No. 002 of 6 January 1998, issued by the Superintendencia Financiera: Security of financial transactions carried out using credit and debit cards through automated teller machines, points of service in commercial establishments, and offices of financial institutions
  • Ley 1221 de 2008: Regulates telework in Colombia (a form of work organization that consists of performing paid activities or providing services to third parties using information and communication technologies as support)
  • Ley 1480 de 2011, Estatuto del Consumidor (Consumer Statute): Its main objective is to protect, promote and guarantee the effectiveness and free exercise of consumers’ rights. It establishes protection rules for electronic commerce.
  • Proyecto de Ley Estatutaria 046 de 2010, which sets out general provisions for the protection of personal data
  • Ley No. 1273 de 2009, “Amending the Penal Code, creating a new protected legal interest called ‘Protection of information and data’, and comprehensively preserving systems that use information and communication technologies, among other provisions”.
  • Ley Estatutaria 1581 de 2012, which sets out general provisions for the protection of personal data. Article 1, Purpose: The purpose of this law is to develop the constitutional right of all persons to know, update and rectify the information collected about them in databases or files, and the other constitutional rights, freedoms and guarantees referred to in Article 15 of the Political Constitution, as well as the right to information enshrined in Article 20 thereof.
  • Decreto 1377 de 2013, partially regulating Ley 1581 de 2012, whose purpose is “to partially regulate Ley 1581 de 2012, which sets out general provisions for the protection of personal data.”

Costa Rica

  • Ley 9048, Ley de Delitos Informáticos.

Croatia (Hrvatska)

Laws and regulations applicable to all organizations:

  • Personal Data Protection Act (Official Gazette 103/03) and Act on Amendments and Addenda to the Personal Data Protection Act (Official Gazette 41/08) – Zakon o zaštiti osobnih podataka (NN 103/03) and Zakon o izmjenama i dopunama Zakona o zaštiti osobnih podataka (NN 41/08) – stipulate that all personal data must be adequately protected
  • Law on protection and rescue (Official Gazette 174/04) – Zakon o zaštiti i spašavanju (NN 174/04) – Article 18 stipulates that all legal entities de facto must prepare business continuity plans
  • Electronic Document Act (Official Gazette 150/2005) – Zakon o elektroničkoj ispravi (NN 150/05) – Article 20 prescribes which security measures an electronic archive must provide; Article 25 defines the certification of information and communication equipment for government bodies
  • Regulation on the procedure for storage and special measures relating to the technical protection of special categories of personal data (Official Gazette 139/04) – Uredba o načinu pohranjivanja i posebnim mjerama tehničke zaštite posebnih kategorija osobnih podataka (NN 139/04) – defines more precisely the protection measures for personal data collections that contain so-called special categories

Laws and regulations applicable to government bodies:

  • Information Security Act (Official Gazette 79/07) – Zakon o informacijskoj sigurnosti (NN 79/07) – prescribes the obligation to introduce information security in all government bodies
  • Regulation on Information Security Measures (Official Gazette 46/08) – Uredba o mjerama informacijske sigurnosti (NN 46/08) – prescribes how the Information Security Act is to be implemented
  • Data Secrecy Act (Official Gazette 79/07) – Zakon o tajnosti podataka (NN 79/07) – prescribes how data are classified according to secrecy, access to them, and their protection
  • Regulation on classified information marking, the content and form of security clearance and statement on classified information handling (Official Gazette 102/07) – Uredba o načinu označavanja klasificiranih podataka, sadržaju i izgledu uvjerenja o obavljenoj sigurnosnoj provjeri i Izjave o postupanju s klasificiranim podacima (NN 102/07)
  • Security Vetting Act (Official Gazette 85/08) – Zakon o sigurnosnim provjerama (NN 85/08) – a system for vetting persons who gain access to classified data
  • Regulation on the content, form, filling in and handling the Security Vetting Questionnaire (Official Gazette 114/08) – Uredba o sadržaju, izgledu, načinu ispunjavanja i postupanju s upitnikom za sigurnosnu provjeru (NN 114/08)
  • Ordinance on criteria for establishing information security advisor positions (Official Gazette 30/11) – Pravilnik o kriterijima za ustrojavanje radnih mjesta savjetnika za informacijsku sigurnost (NN 30/11)

Laws and regulations for banks and other credit institutions:

  • Decision on Adequate Information System Management (Official Gazette 80/07) – Odluka o primjerenom upravljanju informacijskim sustavom (NN 80/07) – precisely defines the responsibilities of banks for introducing information security, as well as deadlines
  • Guidelines for information system management for decreasing the operational risk (Croatian National Bank, March 2006) – Smjernice za upravljanje informacijskim sustavom u cilju smanjenja operativnog rizika (HNB, ožujak 2006.)
  • Decision on outsourcing (Official Gazette 01/09) – Odluka o eksternalizaciji (NN 01/09) – prescribes the obligation to assess supplier risk in the case of outsourcing, which includes assessing risk related to the protection of information
  • Decision on adequate outsourcing risk management (Croatian National Bank, October 2005) – Smjernice za adekvatno upravljanje rizikom eksternalizacije (HNB, listopad 2005.)
  • Guidelines for managing the information system risk in credit unions (Croatian National Bank, November 2007) – Smjernice za ovladavanje rizikom informacijskog sustava u kreditnim unijama (HNB, studeni 2007.)
  • Decision on risk management (Official Gazette 01/09) – Odluka o upravljanju rizicima (NN 01/09) – among other things, sets rules for managing operational risk and, within that risk, for managing the information system and information system risk

Laws and regulations for other financial institutions:

  • Ordinance on the detailed form and minimum scope and content of audit reviews and audit reports of insurance companies (Official Gazette 76/2006) – Pravilnik o detaljnom obliku i najmanjem opsegu te sadržaju revizorskog pregleda i revizorskog izvješća društava za osiguranje (NN 76/06) – obliges the auditor to check, among other things, how well information systems are protected
  • Ordinance on operating conditions for authorised companies (Official Gazette 14/2007) – Pravilnik o uvjetima za obavljanje poslova ovlaštenog društva (NN 14/07) – Articles 12 and 13 prescribe protection of the information system and of documentation for brokerage houses
  • Ordinance regulating business operations of investment fund management companies (Official Gazette 25/2007) – Pravilnik kojim se uređuje poslovanje društva za upravljanje investicijskim fondovima (NN 25/07) – Articles 11 and 12 prescribe protection of the information system and of documentation
  • Ordinance on organisational requirements for providing investment services and conducting investment activities and ancillary services (Official Gazette 5/2009) – Pravilnik o organizacijskim zahtjevima za pružanje investicijskih usluga i obavljanje investicijskih aktivnosti i pomoćnih usluga (NN 5/09) – Article 4 requires the company to establish and apply systems and procedures that ensure the security, integrity and confidentiality of data, as well as measures for business continuity; Article 13 prescribes how business documentation and data must be kept

Laws and regulations for telecom operators:

  • Ordinance on means and deadlines for implementation of safeguards and integrity of networks and services (Official Gazette 109/12) – Pravilnik o načinu i rokovima provedbe mjera zaštite sigurnosti i cjelovitosti mreža i usluga (NN 109/12) – Annex 1 (Minimum security measures) directly requires implementation of particular elements of ISO 27001, ISO 27002, ISO 27005 and ISO 22301

Czech Republic

  • Act on Protection of Personal Data (April 2000) No. 101

Denmark

  • EU General Data Protection Regulation 2016/679 (supplemented by the amendment to Act No. 429, Act No. 502 of 23/05/2018)

Ecuador

  • Resolution JB-2012-2148: information security on electronic channels (applies to all financial institutions)
  • Resolution JB-2014-3066: Information Security Management System based on ISO 27001 and Business Continuity Management System based on ISO 22301 (applies to all financial institutions)
  • Ministerial Agreement No. 166: Implementation of Government Scheme of Information Security based on local NTE ISO 27001 (local ISO based on ISO 27001:2005)
  • Operational Risk Management Resolution: new resolution that is an improvement of Resolution JB-2012-2148 and Resolution JB-2014-3066, and requires all financial institutions to define and implement an ISMS with a limited scope, information security on projects, and third-party information security management.

Estonia

  • Personal Data Protection Act of 2003. June 1996, Consolidated July 2002.
  • Electronic Identification and Trust Services for Electronic Transactions Act (E-identimise ja e-tehingute usaldusteenuste seadus)
  • Public Information Act (Avaliku teabe seadus)
  • Cybersecurity Act (Küberturvalisuse seadus)
  • Electronic Communications Act (Elektroonilise side seadus)
  • Information Society Services Act (Infoühiskonna teenuse seadus)
  • Copyright Act (Autoriõiguse seadus)
  • Identity Documents Act (Isikut tõendavate dokumentide seadus)

European Union

  • European Union Data Protection Directive of 1998
  • EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)
  • Data Protection Act, 1998.
  • The Electronic Commerce (EC Directive) Regulations 2002.
  • Regulation of Investigatory Powers Act 2000.
  • Basel II: BASEL capital accord (April 2003) (Basel Committee on Banking Supervision)
  • Regulation (EU) 2016/679 (EU General Data Protection Regulation (EU GDPR)), applicable as of 25 May, 2018

Finland (Suomi)

  • Act on the Amendment of the Personal Data Act (986) 2000

France

  • Data Protection Act of 1978 (revised in 2004)

Germany (Deutschland)

  • Grundgesetz für die Bundesrepublik Deutschland (GG) Art 10
  • Bundesdatenschutzgesetz (BDSG)
  • Gesetz zum Schutz personenbezogener Daten (Landesdatenschutzgesetz – LDSG) – Baden-Württemberg
  • Bayerisches Datenschutzgesetz (BayDSG) – Bayern
  • Gesetz zum Schutz personenbezogener Daten in der Berliner Verwaltung (Berliner Datenschutzgesetz – BlnDSG) – Berlin
  • Gesetz zum Schutz personenbezogener Daten im Land Brandenburg (Brandenburgisches Datenschutzgesetz – BbgDSG) – Brandenburg
  • Bremisches Datenschutzgesetz (BremDSG) – Bremen
  • Hamburgisches Datenschutzgesetz (HmbDSG) – Hamburg
  • Hessisches Datenschutzgesetz (HDSG) – Hessen
  • Gesetz zum Schutz des Bürgers bei der Verarbeitung seiner Daten (Landesdatenschutzgesetz – DSG M-V) – Mecklenburg-Vorpommern
  • Niedersächsisches Datenschutzgesetz (NDSG) – Niedersachsen
  • Gesetz zum Schutz personenbezogener Daten (Datenschutzgesetz Nordrhein-Westfalen – DSG NRW -) – Nordrhein-Westfalen
  • Landesdatenschutzgesetz (LDSG) – Rheinland-Pfalz
  • Saarländisches Gesetz zum Schutz personenbezogener Daten (Saarländisches Datenschutzgesetz – SDSG –) – Saarland
  • Gesetz zum Schutz der informationellen Selbstbestimmung im Freistaat Sachsen (Sächsisches Datenschutzgesetz – SächsDSG) – Sachsen
  • Gesetz zum Schutz personenbezogener Daten der Bürger (DSG-LSA) – Sachsen-Anhalt
  • Schleswig-Holsteinisches Gesetz zum Schutz personenbezogener Informationen (Landesdatenschutzgesetz – LDSG -) – Schleswig-Holstein
  • Thüringer Datenschutzgesetz (ThürDSG) – Thüringen
  • Telekommunikationsgesetz (TKG)
  • Gesetz über Urheberrecht und verwandte Schutzrechte (UrhG)
  • Gesetz über den Datenschutz bei Telediensten (TDDSG)
  • Telemediengesetz (TMG)
  • Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG)
  • Aktiengesetz (AktG) § 91 Abs. 2 und § 93 Abs. 2 AktG
  • GMBH Gesetz (GmbHG) § 43 Abs. 1 GmbHG
  • Handelsgesetzbuch (HGB) § 317 Abs. 4 und § 317 Abs. 2 HGB
  • Kreditwesengesetz (KWG)
  • Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen (GDPdU)
  • Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff (GoBD)
  • Abgabenordnung (AO) § 147 AO
  • MaRisk
  • Strafgesetzbuch (StGB) § 202 und § 203 StGB
  • Postgesetz (PostG)
  • Verordnung über den Datenschutz bei der geschäftsmäßigen Erbringung von Postdiensten (Postdienste-Datenschutzverordnung – PDSV)
  • Sozialgesetzbuch (SGB) SGB X
  • Gesetz über die Voraussetzungen und das Verfahren von Sicherheitsüberprüfungen des Bundes (SÜG)
  • Gesetz zur Stärkung der Sicherheit in der Informationstechnik des Bundes

Greece

  • Law 2472/1997 on Protection of Individuals with regard to the Processing of Personal Data
  • Law 3471/2006 on Protection of personal data and privacy in the electronic telecommunications
  • Law 3917/2011 on Retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, use of surveillance systems by taking or recording audio or video in public areas and related provisions
  • Regulation 26/2004 on Conditions for the lawful processing of personal data for purposes of direct marketing or advertising and credit assessment
  • Common Act of National Data Protection Authority and Authority for Telecommunications Security regarding the Security Requirements for systems processing personal data in order to respond to legal requests for data
  • Law 3614/2008 titled “Strengthening the institutional framework to safeguard the confidentiality of telephone communications and other provisions”
  • Regulation 1742/Β/15-7-2013 on Security and Availability of Networks and Electronic Communication Services
  • Regulation 384/Β/24-3-2005 on Secrecy Assurance for Postal Services
  • Regulation 165/2011 on telecommunications security
  • Presidential Decree 47/2004 for privacy waiver and lawful interception
  • Article 19 of Greek Constitution on confidentiality of correspondence and communication
  • Law 2225/94 on Protection and freedom of communications
  • Law 3917/11 on Retention of data that are intended for processing for legal purposes
  • Ν.4174/2013 Taxation procedures and relevant processes
  • Guideline 1/2005 of Greek Data Protection Authority for destroying personal data archives
  • Law 3758/2009 on Requirements For Collection Organizations and other issues

Guatemala

  • N/A

Guernsey

  • Data Protection (Bailiwick of Guernsey) Law of 2001

Honduras

  • Comisión Nacional de Bancos y Seguros NORMAS PARA REGULAR LA ADMINISTRACIÓN DE LAS TECNOLOGÍAS DE INFORMACIÓN Y COMUNICACIONES EN LAS INSTITUCIONES DEL SISTEMA FINANCIERO CIRCULAR CNBS No.119/2005

Hong Kong

  • Business continuity planning supervisory policy manual – TM-G-2 (The Hong Kong Monetary Authority)
  • Circular to licensed corporations – “Business continuity planning against serious communicable diseases” (Securities and Futures Commission of Hong Kong)
  • HKMA Supervisory Policy Manual, BCP TM-G-2 V1 02.12.02 (Hong Kong Monetary Authority)
  • HKMA Supervisory Policy Manual, General Principles for Technology Risk Management TM-G-1 V.1 24.06.03 (Hong Kong Monetary Authority)
  • HKMA, Supervisory Policy Manual, Supervision of E-Banking TM-E-1 V.1 17.02.04 (Hong Kong Monetary Authority)
  • IT Security Guidelines – G3 (Information Technology Services Dept – The Government of the Hong Kong Special Admin Region)
  • Management, Supervision and Internal Control Guidelines (“the Internal Control Guidelines”) (Securities and Futures Commission of Hong Kong)
  • Cap 486 Personal Data (Privacy) Ordinance (Office of the Privacy Commissioner for Personal Data – the Government of the Hong Kong Special Administrative Region)
  • Cap 514 Patents Ordinance – the Government of the Hong Kong Special Administrative Region
  • Cap 522 Registered Designs Ordinance – the Government of the Hong Kong Special Administrative Region
  • Cap 528 Copyright Ordinance – the Government of the Hong Kong Special Administrative Region
  • Cap 593 Unsolicited Electronic Messages Ordinance – the Government of the Hong Kong Special Administrative Region
  • Cap 57 Employment Ordinance – the Government of the Hong Kong Special Administrative Region
  • Cap 572 Fire Safety (Building) Ordinance – the Government of the Hong Kong Special Administrative Region
  • Cap 603 Product Eco-responsibility Ordinance – the Government of the Hong Kong Special Administrative Region
  • Cap 354 Waste Disposal Ordinance – the Government of the Hong Kong Special Administrative Region

Hungary

  • Act No. CVIII of 2001. on certain issues of electronic commerce services and information society services
  • Act No. XXXV. of 2001. on Electronic Signatures
  • Act No. C. of 2003. on Electronic Communications
  • Act No. CXL. of 2004. on the General Rules of Administrative Proceedings and Services
  • Act No. CLV. of 2009. Protection of classified information
  • Act No. CLVII. of 2010. Protection of the national data assets
  • Act No. CXII. of 2011. on Informational self-determination and Freedom of information (instead of Act No. LXIII. of 1992.)
  • Act No. CLXVI. of 2012. on the identification, designation and protection of critical infrastructures
  • Act No. L of 2013. on Electronic Information Safety of the Governmental and Municipal Organisations

Iceland

  • Act of Protection of Individual; Processing Personal Data (Jan 2000)

Ireland

  • Data Protection Act 1988 and Amendment Act 2003
  • The Electronic Privacy Regulations 2011 (S.I. 336 of 2011) giving effect to the EU ePrivacy Directive 2002/58/EC
  • The Criminal Damage Act 1991, Sections 2, 3, 4, 5
  • The Criminal Justice (Theft and Fraud Offences) Act 2001, Section 9
  • Child Trafficking and Pornography Act 1998
  • British-Irish Agreement Act, 1999, Section 51 – Data protection in cross-border bodies
  • Companies Acts 1963-2013
  • Electronic Commerce Act 2000
  • Copyright and Related Rights Act 2000
  • Defamation Act 2009
  • Consumer Protection Act 2007
  • EC (Protection of Consumers in respect of contracts made by means of distance communication) Regulations 2001
  • Employment (Information) Act 1994
  • Employment Equality Acts 1998 and 2004
  • Unfair Dismissal Acts, 1997 to 2001
  • European Convention of Human Rights Act 2003

Others which may be worth reviewing:

  • Communications (Retention of Data) Act 2011 – for Internet and Telephone Service Providers
  • Freedom of Information Acts 1997 and 2003 – for public sector bodies
  • The Official Languages Act 2003 – for public sector bodies
  • Offences Against the State Act – Section 30
  • The Convention on Cybercrime – is signed but not yet ratified by Ireland as of 1/5/2013

India

  • Information Technology Act as amended by Act of 2008
  • The Information Technology (Amendment) Bill, 2006
  • .IN Domain Name Registration Policy
  • Semiconductor Integrated Circuits Layout-Design Rules, 2001
  • Semiconductor Integrated Circuits Layout Design Act 2000
  • Rules for Information Technology Act 2000
  • .IN Domain Name Dispute Resolution Policy
  • Gujarat Information technology Rules, 2004
  • Karnataka Cyber Cafe Regulations
  • Information Technology Act, 2000
  • India BCP (1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE))
  • Companies Act, 1956
  • Income Tax Act, 1961
  • Employees Provident Fund Act, 1952

Indonesia

  • Information and Electronic Transaction / Undang-Undang Informasi dan Transaksi Elektronik (UU No.11 2008)
  • Regulation No 9/15/PBI/2007 (Bank Indonesia)
  • Regulation no. 6/8/PBI/2004 (Bank Indonesia)
  • Indonesia BCP (Bank Indonesia (Central Bank))

Israel

  • N/A

Iran

  • سند راهبردی امنیت فضای تبادل اطلاعات کشور – افتا

Italy

  • Unique Text on Privacy – Decreto Legislativo n° 196 del 30 giugno 2003 “Testo unico sulla Privacy”
  • Protection of persons and other subjects related to the processing of personal data – Legge L. 675/1996 del 31 dicembre 1996 “Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali” (Superseded by D.Lgs 196/2003)
  • Guidelines for implementation, management and maintenance of Business Continuity in the Banking Sector (ABI – Association of Italian Banks)
  • Guidelines for Crisis Management in the Banking Sector (ABI – Association of Italian Banks)

Japan

  • Personal Information Protection Law (Act)
  • Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988.
  • Business Continuity at Bank of Japan (BOJ (Bank of Japan))
  • Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA (FISC (The Centre for Financial Industry Information System))

Jordan

  • E-Transactions Law, 2001
  • Freedom of Information Act, 2007
  • Cyber Crime Law, 2010
  • Protection of Nation Secrets and Documentation, 1971

Kazakhstan

  • Government Regulation as of 30 Sept 2005. Instruction #359. (Financial Control Agency of Kazakhstan (local name – АФН))

Kenya

  • Central Bank (CBK) Prudential Guidelines on BCM for Institutions Licenced under Banking Act. (The Central Bank of Kenya)

Korea

  • Personal Information Protection Act
  • Act on Promotion of Information and Communication Network Utilization and Information Protection
  • Act on Prevention of Divulgence and Protection of Industrial Technology
  • Unfair Competition Prevention and Trade Secret Protection Act

Kosovo (Kosovë)

  • N/A

Kuwait

  • N/A

Latvia

IT security policies and regulations:

  • Information technology security law
  • Information technology security measures for critical infrastructure planning and implementation arrangements (February 2011)
  • Regulations on electronic communications companies information to be included in the Action Plan, the follow-up plan and the procedure for end users (April 2011)
  • Procedures for ensuring information and communication technology systems in compliance with the minimum safety requirements (July 2015)
  • The Electronic Communications Law
  • State Information Systems Law
  • State Information System General safety requirements (October 2005)
  • National Security Concept
  • Information systems security test guidelines
  • Information security management system implementation guidance

Other:

  • BCM provision for Payment and Securities Settlement Systems in Latvia (Latvijas Banka (Bank of Latvia))

Lithuania

  • Law on Legal Protection of Personal Data (June 1996)

Luxembourg

  • Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data

Macedonia

  • Law on classified information – Закон за класифицирани информации – 9/2004 (last change 113/2007)
  • Law on personal data protection – Закон за заштита на лични податоци – 7/2005
  • Law on free access to public information – Слободен пристап до информации од јавен карактер – 13/2006
  • Law on electronic communications – Закон за електронските комуникации – 13/2005 (last change 55/2007)
  • Law on communications monitoring – Закон за следење на комуникациите – 121/2006
  • Law on electronic governance – Закон за електронско управување
  • E-Commerce Law – Закон за електронска трговија – 133/2007
  • Law for data in electronic form and electronic signature – Закон за податоците во електронски облик и електронски потпис – 34/2001 (last change 06/2002)
  • Law on Copyright and related rights – Закон за авторското право и сродните права – 47/1996 (last change 131/2007)
  • Law on industrial property – Закон за индустриската сопственост – 47/2002 (last change 79/2007)
  • Criminal code – Кривичен закон – 37/1996 (last change 7/08)

Malaysia

  • Common Law principle of confidentiality
  • Personal Data Protection Bill
  • Banking and Financial Institutions Act of 1989 privacy provisions
  • BNM/RH/GL013-3 Guidelines on BCM for Banking Institutions – July 2008 (Bank Negara Malaysia (BNM) – Central Bank of Malaysia)
  • Guidelines on Management of IT Environment (Bank Negara Malaysia (BNM) – Central Bank of Malaysia)
  • Cyberlaws in Malaysia (Digital Signature Act 1997; Computer Crime Act 1997; Telemedicine Act 1997; The Copyright (Amendment) Act 1997; The Communications and Multimedia Act 1998; The Electronic Government Activities Act 2007)

Malta

  • Data Protection Act (Act XXVI of 2001), Amended March 22, 2002, November 15, 2002 and July 15, 2003
  • Guidelines on Business Continuity and Contingency Procedures (The Central Bank of Malta)

Mexico

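  • Federal Law on Transparency and Access to Public Government Information (last amended 2006) – Ley Federal de Transparencia y Acceso a la Información Pública Gubernamental. Applicable to the Federal Government.
  • Administrative Manual of General Application on Information and Communications Technologies (2010) – Manual Administrativo de Aplicación General en Materia de Tecnologías de Información y Comunicaciones. Applicable to the Federal Government.
  • Federal Law on Protection of Personal Data Held by Private Parties (2010) – Ley Federal de Protección de Datos Personales en Posesión de Particulares. Applicable to natural and legal persons.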

Montenegro (Црна Гора/Crna Gora)

  • N/A

Morocco

  • Data Protection Act

Netherlands

  • Personal Data Protection Act 2000
  • Data Breach Notification Requirement Act 2016

New Zealand

  • Privacy Act, May 1993; Privacy Amendment Act, 1993; Privacy Amendment Act, 1994
  • The Civil Defence & Emergency Management Act (2002)
  • Official Information Act, 1982
  • Public Records Act, 2005
  • Privacy Act 2020, June 2020
  • New Zealand Cyber Security Strategy, June 2011

Nigeria

  • Data Protection Act 1998
  • Computer Security and Critical Information Infrastructure Protection Bill 2005

Norway

  • Personal Data Act (April 2000) – Act of 14 April 2000 No. 31 Relating to the Processing of Personal Data (Personal Data Act)

Panama

  • N/A

Pakistan

  • Risk Management – Guidelines for Commercial Banks and DFIs (State Bank of Pakistan (SBP))

Paraguay

  • N/A

Peru

  • Law No. 29733, Personal Data Protection Law – Ley Nº 29733, Ley de protección de datos personales

Philippines

  • 542 (Philippines Central Bank)
  • 269 (Philippines Central Bank)
  • 268 (Philippines Central Bank)
  • Manila Bank BCP (Bank of Central Philippines (local central bank))

Poland

List of basic laws on information security in Poland:

  • Act of 5 July 2018 on the national cybersecurity system (Journal of Laws 2018, item 1560, with changes)
  • Act of 5 August 2010 on the protection of classified information (Journal of Laws, 2010, no. 182, item 1228, with changes)
  • Act of 16 July 1993 on combating unfair competition (Journal of Laws, 1993, no. 47, item 211, with changes)

List of basic laws on business continuity in Poland:

  • Act of 5 July 2018 on the national cybersecurity system (Journal of Laws 2018, item 1560, with changes)
  • Act of 26 April 2007 on crisis management (Journal of Laws, 2007, no. 89, item 590, with changes)

Portugal

  • Act on the Protection of Personal Data (Law 67/98 of 26 October)
  • Act on Attacks Against Information Systems (Law 109/2009 of 15 September)

Qatar

  • Cyber crime law (law no. 14 of 2014)
  • National Information Assurance Policy

Romania

  • Law No. 677/2001 on Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data
  • Law No. 506/2004 on Personal data processing and privacy in the electronic communications sector
  • Law No. 8/1996 on copyright and related rights

Russia

  • Personal Data (Law #152 of 26 January 2006)
  • STO BR IBBS-1.0-2010 (Central Bank of the Russian Federation (STO BR IBBS-1.0-2006))
  • 242-P (Central Bank of the Russian Federation)

Saudi Arabia

  • Telecommunications Act & Bylaws – Royal Decree No. M/12
  • Anti-Cyber Crime Law – Royal Decree No. M/17
  • Electronic Transactions Regulation – Royal Decree No. M/18
  • Law for Publishing and Disclosing Confidentials and Information – Royal Decree No. M/35

Senegal

  • Law No.2008-08 on Electronic Transactions
  • Law No.2008-09 on Copyright and Related Rights
  • Law No.2008-10 on Orientation Law on the Information Society
  • Law No.2008-11 on Cybercrime
  • Law No.2008-12 on Protection of Personal Data

Serbia

  • N/A

Singapore

  • The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce.
  • MAS Business Continuity Management Guidelines (June 2003) (MAS (Monetary Authority of Singapore))
  • SGX Member Rules Effective 22 January 2009 (SGX (Singapore Exchange Limited))
  • Computer Misuse and Cybersecurity Act (1998, renamed in 2013)
  • Personal Data Protection Act 2012 (January 2013)
  • MAS Technology Risk Management (TRM) Notice and Guidelines June 2013 (Monetary Authority of Singapore)

Slovak Republic

  • Act No. 428 of 3 July 2002 on Personal Data Protection.

Slovenia

  • Personal Data Protection Act, RS No. 55/99.

South Africa

  • Ministry for Provincial & Local Government Disaster Management Act, 2002
  • Major Hazard Installation Regulations, 1993 (Occupational Health & Safety)
  • SAMOS and CLS Business Continuity Procedures – SA Reserve Bank (South African Reserve Bank National Payment System Department)

South Korea

  • The Act on Promotion of Information and Communications Network Utilization and Data Protection of 2000
  • Act on Assistance to the Autonomous Activities of Enterprises for Disaster Mitigation (National Emergency Management Agency (NEMA))
  • Korea BCP (Financial Supervisory Commission)
  • Supervisory Guidelines for BCP (New Basel Accord Office, Financial Supervisory Service (FSS))

Spain (España)

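  • Royal Legislative Decree 1/1996 of 12 April, approving the Consolidated Text of the Intellectual Property Law – Real Decreto-Legislativo 1/1996, de 12 de abril, por el que se aprueba el Texto Refundido de la ley de propiedad intelectual.
  • Organic Law 15/1999 of 13 December on the protection of personal data – Ley Orgánica 15/1999, de 13 de diciembre, de protección de los datos de carácter personal.
  • Royal Decree 1720/2007 of 21 December, approving the Regulation implementing Organic Law 15/1999 of 13 December on the protection of personal data – Real Decreto 1720/2007, de 21 de diciembre, por el que se aprueba el Reglamento de desarrollo de la Ley Orgánica 15/1999, de 13 de diciembre, de protección de datos de carácter personal.
  • Law 59/2003 of 19 December on electronic signatures – Ley 59/2003, de 19 de diciembre, de firma electrónica.
  • Law 56/2007, or Law for the Promotion of the Information Society – Ley 56/2007 o Ley para el Impulso de la Sociedad de la Información.
  • Law 11/2007 of 22 June on citizens’ electronic access to public services – Ley 11/2007, de 22 de junio, de acceso electrónico de los ciudadanos a los Servicios Públicos
  • Royal Decree 1671/2009 of 6 November, partially implementing Law 11/2007 of 22 June on citizens’ electronic access to public services – Real Decreto 1671/2009, de 6 de noviembre, por el que se desarrolla parcialmente la Ley 11/2007, de 22 de junio, de acceso electrónico de los ciudadanos a los servicios públicos.
  • Royal Decree 3/2010 of 8 January (BOE of 29 January), regulating the National Security Framework in the field of electronic administration – Real Decreto 3/2010, de 8 de enero (BOE de 29 de enero), por el que se regula el Esquema Nacional de Seguridad en el ámbito de la administración electrónica.
  • Royal Decree 4/2010 of 8 January, regulating the National Interoperability Framework in the field of electronic administration – Real Decreto 4/2010, de 8 de enero, por el que se regula el Esquema Nacional de Interoperabilidad en el ámbito de la Administración Electrónica.
  • Royal Decree 704/2011 of 20 May, approving the Regulation on the protection of critical infrastructures – Real Decreto 704/2011, de 20 de mayo, por el que se aprueba el Reglamento de protección de las infraestructuras críticas.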

Other documents issued by public bodies (non-law status):

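  • Magerit, version 2: Methodology for Information Systems Risk Analysis and Management – Magerit – versión 2. Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información
  • CCN-STIC Guides for the security of Public Administration systems – Guías CCN-STIC para la seguridad de los sistemas de la Administración Pública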

Sri Lanka

  • Guidelines on Business Continuity Planning (Insurance Board of Sri Lanka)

Sudan

  • N/A

Switzerland

  • The Federal Law on Data Protection of 1992
  • FINMA Recommendations for BCM: Nov 2007 (Swiss Financial Market Supervisory Authority)
  • SFBC 06/6 (Swiss Federal Banking Commission (SFBC))
  • SFBC 06/3 (SFBC)
  • SBA Self Regulation (Swiss Bankers Association)

Sweden

  • Personal Data Protection Act (1998:204), October 24, 1998
  • Regulations and General Guidelines regarding information security, IT operations and deposit systems (Finansinspektionen’s (FSA) Regulatory Code FFFS 2014:5)

Taiwan

  • Computer Processed Personal Data Protection Law – applies only to public institutions.

Thailand

  • Official Information Act (1997) for state agencies
  • 118/2550 – Policy on BCM and BCP for Financial Institutions (Bank of Thailand)

Turkey

Laws:

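  • Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publications – 5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi Ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun
  • Electronic Communications Law No. 5809 – 5809 sayılı Elektronik Haberleşme Kanunu
  • Electronic Signature Law No. 5070 – 5070 sayılı Elektronik İmza Kanunu
  • Turkish Commercial Code (TTK) No. 6102, Art. 18.3: Registered electronic mail – 6102 sayılı Türk Ticaret Kanunu (TTK), md.18.3: Kayıtlı elektronik posta
  • Turkish Commercial Code (TTK) No. 6102, Art. 57: Unfair competition – 6102 sayılı Türk Ticaret Kanunu (TTK), Md.57: Haksız Rekabet
  • Turkish Commercial Code (TTK) No. 6102, Art. 64: Unfair competition – 6102 sayılı Türk Ticaret Kanunu (TTK), Md.64: Haksız Rekabet
  • Turkish Commercial Code (TTK) No. 6102, Art. 65: Unfair competition – 6102 sayılı Türk Ticaret Kanunu (TTK), Md.65: Haksız Rekabet
  • Turkish Commercial Code (TTK) No. 6102, Art. 1524: Electronic transactions and information society services – 6102 sayılı Türk Ticaret Kanunu (TTK), Md.1524: Elektronik işlemler ve bilgi toplumu hizmetleri
  • Personal Data Protection Law No. 6698 (KVKK) – 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK)
  • Law No. 6563 on Regulation of Electronic Commerce – 6563 sayılı Elektronik Ticaretin Düzenlenmesi Hakkında Kanun
  • Turkish Penal Code No. 5237, Art. 239 – 5237 sayılı Türk Ceza Kanunu md.239
  • Turkish Penal Code No. 5237, Art. 244 – 5237 sayılı Türk Ceza Kanunu md.244
  • Criminal Procedure Code No. 5271, Art. 134: Search, copying and seizure in computers, computer programs and records – 5271 sayılı Ceza Muhakemesi Kanunu m.134 Bilgisayarlarda, bilgisayar programlarında ve kütüklerinde arama, kopyalama ve elkoyma
  • Law No. 5846 on Intellectual and Artistic Works (FSEK) – 5846 sayılı Fikir Ve Sanat Eserleri Kanunu (FSEK)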

Regulations:

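  • Regulation on Games of Chance Played in the Virtual Environment (Official Gazette No. 26108, dated 38790) – ‘Sanal Ortamda Oynatılan Talih Oyunları Hakkında Yönetmelik’
  • Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector (Official Gazette No. 28363, dated 41114) – ‘Elektronik Haberleşme Sektöründe Kişisel Verilerin İşlenmesi Ve Gizliliğinin Korunması Hakkında Yönetmelik’
  • Regulation on Distance Contracts (Official Gazette No. 27866, dated 40608) – ‘Mesafeli Sözleşmelere Dair Yönetmelik’
  • Regulation on Procedures and Principles Regarding the Registered Electronic Mail System (Official Gazette No. 28036, dated 40783) – ‘Kayıtlı Elektronik Posta Sistemine İlişkin Usul Ve Esaslar Hakkında Yönetmelik’
  • General Communiqué on Electronic Ledgers (Official Gazette No. 28141, dated 40890) – ‘Elektronik Defter Genel Tebliği’
  • Regulation on Facilitation of Customs Procedures (Official Gazette No. 28524, dated 41284) – ‘Gümrük İşlemlerinin Kolaylaştırılması Yönetmeliği’
  • Regulation on Procedures and Principles Regarding Regulation of Publications on the Internet (Official Gazette No. 26716, dated 39416) – ‘İnternet Ortamında Yapılan Yayınların Düzenlenmesine Dair Usul Ve Esaslar Hakkında Yönetmelik’
  • Regulation on Procedures and Principles for Implementation of the Electronic Signature Law (Official Gazette No. 25692, dated 38358) – ‘Elektronik İmza Kanununun Uygulanmasına İlişkin Usul Ve Esaslar Hakkında Yönetmelik’
  • Regulation on Procedures and Principles for Detection, Interception, Evaluation of Signal Information and Recording of Communications Made via Telecommunications, and on the Establishment, Duties and Powers of the Telecommunications Communication Presidency (Official Gazette No. 25989, dated 38666) – ‘Telekomünikasyon Yoluyla Yapılan İletişimin Tespiti, Dinlenmesi, Sinyal Bilgilerinin Değerlendirilmesi Ve Kayda Alınmasına Dair Usul Ve Esaslar İle Telekomünikasyon İletişim Başkanlığının Kuruluş, Görev Ve Yetkileri Hakkında Yönetmelik’
  • Regulation on Implementation of Measures for Supervision of Communications Made via Telecommunications, Undercover Investigators and Surveillance by Technical Means (Official Gazette No. 26434, dated 39127) – ‘Telekomünikasyon Yoluyla Yapılan İletişimin Denetlenmesi, Gizli Soruşturmacı ve Teknik Araçlarla İzleme Tedbirlerinin Uygulanmasına İlişkin Yönetmelik’
  • Internet Domain Names Regulation (Official Gazette No. 27752, dated 40489) – ‘İnternet Alan Adları Yönetmeliği’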

Uganda

  • Computer Misuse Act (2011)
  • Electronic Transactions Act (2011)
  • Electronic Signatures Act (2011)

Ukraine

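  • Law of Ukraine on Personal Data Protection – ЗАКОН УКРАЇНИ: Про захист персональних даних
  • Law of Ukraine on Protection of Information in Information and Telecommunication Systems – ЗАКОН УКРАЇНИ: Про захист інформації в інформаційно-телекомунікаційних системах
  • Law of Ukraine on Information – ЗАКОН УКРАЇНИ: Про інформацію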

United Kingdom

  • UK Data Protection Act 1998
  • UK Electronic Communications Act 2000
  • The Consumer Protection Regulations 2000
  • Freedom of Information Act 2000
  • The Telecommunications (Lawful Business Practice and Interception of Communications) Regulations 2000
  • Computer Misuse Act 1990
  • The Electronic Signatures Regulations 2002
  • The Telecommunications (Data Protection & Privacy, Direct Marketing) Regulations 1999
  • The Consumer Protection (Distance Selling) Regulations 2003
  • Regulation of Investigatory Powers Act 2000 (RIPA)
  • Civil Contingencies Act (2004 & 2005) (UK Government)
  • Business Continuity Practice Guide: 2006 (UK Tripartite Authorities: Financial Services Authority (FSA), HM Treasury, Bank of England)
  • Copyright, Designs and Patents Act 1988 (CDPA)
  • Companies Act 2006 contains a number of provisions concerning records and communications
  • The Human Rights Act 1998 (HRA)
  • The Privacy and Electronic Communications Regulations 2003

United States

  • 6 CFR Part 29 Procedures for Handling Critical Infrastructure Information – Department of Homeland Security
  • ACH Rules Book of 2001 (National Automated Clearing House Association – NACHA)
  • Adam Walsh Child Protection and Safety Act of 2006
  • Cable Communications Policy Act (Cable Act) of 1984
  • California Consumer Privacy Act (CCPA) of 2018
  • California SB 1386 Security of Non-encrypted Customer Information of 2003 (State of California) and progeny
  • The California Online Privacy Protection Act of 2004
  • Children’s Internet Protection Act (CIPA) of 2001
  • Children’s Online Privacy Protection Act (COPPA) of 1998
  • Communications Assistance for Law Enforcement Act (CALEA) of 1994
  • Computer Fraud and Abuse Act (CFAA) of 1986 (FTC – Federal Trade Commission)
  • Computer Security Act of 1987 (superseded by the Federal Information Security Management Act (FISMA))
  • Consumer Credit Protection Act (CCPA) of 1992 Section 2001 Title IX – Electronic Funds Transfer
  • Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
  • Defense Federal Acquisition Regulation Supplement (DFARS) (aka NIST 800-171)
  • Deleting Online Predators Act of 2006
  • The Digital Millennium Copyright Act of 1998
  • DoD Information Assurance Risk Management Framework (DIARMF)
  • Driver’s Privacy Protection Act of 1994
  • Electronic Communications Privacy Act (ECPA) of 1986
  • Electronic Freedom of Information Act (E-FOIA) of 1996
  • Electronic Fund Transfer Act (EFTA) (OCC)
  • Fair and Accurate Credit Transactions Act (FACTA) – including “Red Flags” rule
  • Family Education Rights and Privacy Act (FERPA; also known as the Buckley Amendment) of 1974
  • Federal Acquisition Regulation (FAR): Electronic Funds Transfer Final Rule (Securities and Exchange Commission)
  • Federal Information Security Management Act (FISMA) of 2002 (FTC)
  • Federal Risk and Authorization Management Program (FedRAMP)
  • Federal Trade Commission Act (FTCA) of 1999
  • FERC COOP 2007: FERC RM01-12-00 (FERC – Federal Energy Regulatory Commission)
  • FFIEC FIL 67-97/82-96 (FFIEC – Federal Financial Institutions Examination Council)
  • FFIEC Policy SP-5 (FFIEC – Federal Financial Institutions Examination Council)
  • FIPA – Florida Information Protection Act of 2014
  • Foreign Corrupt Practices Act 1977 (P.L 95-213)
  • Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999
  • Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule #7. Contingency Plan 164.308 (a)(7)(i) / HITECH Act
  • Inter-Agency Policy of 1997 from Federal Financial Institutions Examination Council (FFIEC)
  • Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System of 2003 – Federal Reserve System; OCC (Office of the Comptroller of the Currency); SEC (Securities and Exchange Commission)
  • Internet Gambling Prohibition and Enforcement Act
  • IRS Procedure 91-59 (superseded IRS Procedure 86-19) (IRS – Internal Revenue Service)
  • Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of 2010
  • Minnesota Plastic Card Security Act (PCSA) of 2007
  • NASD Rule 108 (Sept 9, 02) and SR-NASD 2002-112 (March 10 2003) (Release No. 34-48503: File No. SR-NASD-2002-108) (NASD (North American Securities Dealers Association) / SEC)
  • NASD Rule 3500: Emergency Preparedness Part 3510: Business Continuity Plans (NASD)
  • NASD Rule 3500: Emergency Preparedness Parts 3520: Emergency Contact information (NASD)
  • National Industrial Security Program Operating Manual (NISPOM)
  • NERC (North American Electric Reliability Corporation) (CIP) Critical Infrastructure Protection – Cyber Security
  • Nevada Security of Personal Information Law of 2005
  • New York Department of Financial Services 23 NYCRR 500
  • NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan (CFTC – Commodity Futures Trading Commission)
  • NYSE Rule 446: Business Continuity and Contingency Planning (NYSE – New York Stock Exchange)
  • OCC 2001-47. Third Party Relationships of 2001 (OCC – Office of the Comptroller of the Currency)
  • Oregon ORS 646A.622
  • Privacy Act of 1974 (5 USC 552a)
  • Privacy Protection Act (PPA) of 1980
  • Public Law 110-53 Title IX (PS Prep)
  • Right to Financial Privacy Act (RFPA) of 1978
  • Sarbanes-Oxley Act of 2002 (PL 107-204 2002 HR 3763) – Section 404 (PCAOB (Public Company Accounting Oversight Board))
  • Sarbanes-Oxley Act of 2002: Section 409 (PCAOB)
  • Securities and Exchange Act, Sections 32(a) and (b) (SEC)
  • Telecommunications Act of 1996
  • Telephone Consumer Protection Act (TCPA) of 1991
  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) of 2001
  • Video Privacy Protection Act of 1988 discussion and overview
  • Washington State HB 1149: Protecting consumers from breaches of security of 2009

Uruguay

  • N/A

Venezuela

  • Special Law Against Cybercrime Official Gazette No. 37,313 of the Bolivarian Republic of Venezuela dated 30 October 2001
  • Law on data messages and electronic signatures, Official Gazette No. 37,148 dated February 28, 2001
  • Policy on Information Technology, Dematerialized Financial Services, and Electronic, Virtual and Online Banking for Bodies Subject to the Control, Regulation and Supervision of Banks and Other Financial Institutions, Caracas, March 2007.
  • Law on credit cards, debit cards, prepaid cards and other financing or electronic payment cards, dated September 4, 2008.
  • Rules governing the use of electronic banking services Official Gazette No. 39597 dated January 19, 2011

Vietnam

  • The Law on Electronic Transactions 2008

Author
Dejan Kosutic