Blog > Data Security > Top Regulatory Compliance Frameworks for 2021

Top Regulatory Compliance Frameworks for 2021

Authors Photo Christopher Tozzi | November 16, 2022

GDPR. DSS. NIST. These are just some of the acronymous names of major regulatory compliance frameworks that organizations need to know today. With so many arcane acronyms with which to contend, it can be hard to keep track of which regulatory frameworks apply to what.

If you’re struggling to keep your compliance rules straight, this article is for you. Keep reading for a list of the most important regulatory compliance frameworks to know for 2021.


The General Data Protection Regulation (GDPR), which went into effect in May 2018, is a European Union regulation. However, because its requirements apply broadly to include, in general, any organization that does business in the European Union in some way or interacts with European Union citizens, the GDPR matters to many companies outside of the European Union.

The GDPR requirements are too lengthy to detail here, but you can check out some of our other coverage of the GDPR to learn more — including what GDPR means for mainframes and expert GDPR analysis from Paige Bartley.


The California Consumer Privacy Act (CCPA) is currently America’s most far-reaching consumer privacy and security law. CCPA grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect.


Credit card information is a pretty sensitive type of data, for reasons that are obvious. The Payment Card Industry Data Security Standard, or PCI DSS, is a regulatory standard developed by credit card companies to help protect cardholder data. It was introduced in 2004.

If you process, store, or transmit credit card data, PCI DSS applies to you.

B2B Data Enrichment for Beginners - regulatory compliance


The National Institute of Standards and Technology, or NIST, has developed what is known as the NIST Cybersecurity Framework, or just NIST for short.

Technically, NIST is not a regulatory framework, but rather a policy framework. In other words, it represents a set of best practices for keeping data secure.

So while you may not be legally required to comply with NIST (unless you are subject to contractual obligations or oversight by a particular government agency that is based on NIST standards), following the NIST guidelines is a good way to ensure that you are doing your best in a general sense to keep data and systems secure.


The Health Insurance Portability and Accountability Act, or HIPAA, is one of the best known regulatory compliance frameworks among consumers in the United States. Introduced in 1996, it sets various standards and requirements regarding health data, among other things.

HIPAA is relatively high-level and was introduced at a time when technology platforms looked very different than they do today (although it has been updated a bit since then). As such, HIPAA does not include much in the way of specific technical requirements for the way health data is secured, and the HIPAA rules are subject to a fair amount of interpretation when it comes to how they should be implemented from a technological perspective.

Still, if you deal with health data in one way or another on any of your IT infrastructures, it’s a good idea to consult with HIPAA technology experts to ensure that you are adhering to best practices for securing and processing that data in ways the authorities would deem HIPAA-compliant.

Read our eBook

Managing Risk & Compliance in the Age of Data Democratization

Organizations are increasingly concerned with how data gets used, which works against the idea of democratizing the data. This eBook describes a new approach to achieve the goal of making data accessible within the organization while ensuring that proper governance is in place.


The 2002 Sarbanes-Oxley Act, or SOX, was introduced in the United States in an effort to combat corporate fraud. The law primarily focuses on regulating the accounting and transparency in processes of companies, and does not have any specific technological requirements. However, because the ways in which data is stored and processed are important for ensuring transparency and auditability, any organization that stores data electronically should keep SOX in mind as it designs its data processes.


As you might have guessed from its name, FedRAMP, which is short for Federal Risk and Authorization Management Program, is a regulatory compliance framework that applies to United States federal agencies. It is designed to keep the cloud services and data that those agencies use secure.

This means that, if you work with federal government agencies or help to process their data, you should take FedRAMP requirements into consideration.

Read our eBook Managing Risk & Compliance in the Age of Data Democratization to learn how you can achieve the goal of making the data accessible within the organization while ensuring that proper governance is in place.