Reference · Worldwide

Global Cybersecurity & Privacy Compliance Map

A single-page reference to the cybersecurity and privacy regimes Dephiant clients navigate worldwide. Use it to scope which obligations apply, where the teeth are, and how to sequence program work across jurisdictions.

European Union & United Kingdom

GDPR
EU General Data Protection Regulation
Scope
Personal data of individuals in the EU, regardless of where the controller or processor sits: applies to establishments in the EU and to non-EU organizations offering goods or services to, or monitoring, people in the EU (Art. 3).
Who it covers
Any organization processing EU personal data.
Teeth
Up to €20M or 4% of worldwide annual turnover, whichever is higher; 72-hour breach notice to the supervisory authority.
UK GDPR / DPA 2018
United Kingdom GDPR and Data Protection Act
Scope
Personal data of individuals in the UK, under the retained post-Brexit version of the GDPR read together with the DPA 2018.
Who it covers
Controllers and processors handling UK personal data.
Teeth
Up to £17.5M or 4% of worldwide annual turnover, whichever is higher; ICO enforcement.
NIS2
Network and Information Security Directive 2
Scope
Cybersecurity for essential and important entities across 18 sectors.
Who it covers
Medium/large entities in energy, transport, banking, health, digital infra, ICT, public admin, manufacturing of critical products.
Teeth
Essential entities: up to €10M or 2% of worldwide annual turnover, whichever is higher (important entities: €7M or 1.4%); personal liability for management bodies.
DORA
Digital Operational Resilience Act
Scope
ICT risk and third-party resilience for EU financial entities.
Who it covers
Banks, insurers, investment firms, crypto-asset providers, plus critical ICT third-party providers.
Teeth
For critical ICT third-party providers, periodic penalty payments up to 1% of average daily worldwide turnover for up to six months; financial entities face administrative penalties set by national competent authorities.

North America

HIPAA / HITECH
Health Insurance Portability and Accountability Act
Scope
Protected health information in the United States.
Who it covers
Covered entities (providers, plans, clearinghouses) and business associates.
Teeth
Tiered, inflation-adjusted civil penalties up to roughly $2.1M per violation category per calendar year; criminal penalties for knowing misuse of PHI.
CMMC 2.0
Cybersecurity Maturity Model Certification
Scope
Controlled Unclassified Information for the US Department of Defense supply chain.
Who it covers
Any contractor or sub handling FCI or CUI for the DoD.
Teeth
Loss of contract eligibility; False Claims Act exposure.
PIPEDA
Personal Information Protection and Electronic Documents Act
Scope
Personal information used in commercial activity in Canada.
Who it covers
Private-sector organizations in Canada, plus substantially similar provincial regimes (Quebec Law 25, Alberta PIPA, BC PIPA).
Teeth
Fines up to CA$100K per offence for knowingly failing to report or record breaches; mandatory reporting of breaches of security safeguards to the OPC and affected individuals.
State Privacy Laws
CCPA / CPRA, VCDPA, CPA, TDPSA, et al.
Scope
Personal information of residents in 19+ US states (and counting).
Who it covers
Businesses meeting revenue or volume thresholds in each state.
Teeth
Statutory damages per consumer per incident under the CCPA's data-breach private right of action; state AG enforcement; CPPA rule-making in California.

Asia-Pacific

Essential Eight
Australian Cyber Security Centre — Essential Eight Maturity Model
Scope
Baseline mitigations for cyber-threat resilience.
Who it covers
Mandatory for non-corporate Commonwealth entities; de-facto standard for AU enterprise.
Teeth
Audit findings, reputational and contractual consequences.
Privacy Act 1988
Australian Privacy Act and Notifiable Data Breach scheme
Scope
Personal information held by APP entities.
Who it covers
Most Australian government agencies and businesses > AU$3M turnover.
Teeth
Penalties uplifted in 2022 to the greater of AU$50M, three times the benefit obtained, or 30% of adjusted turnover for serious or repeated interferences with privacy.
PDPA
Personal Data Protection Act (Singapore)
Scope
Personal data collected, used, and disclosed in Singapore.
Who it covers
Private-sector organizations in Singapore.
Teeth
Fines up to 10% of annual Singapore turnover (for organizations with local turnover above SG$10M) or SG$1M, whichever is higher.
APPI
Act on the Protection of Personal Information (Japan)
Scope
Personal information of individuals in Japan, including cross-border transfers.
Who it covers
Domestic and foreign businesses handling Japanese personal data.
Teeth
Up to ¥100M for corporations that breach PPC orders or unlawfully provide personal-data databases; PPC enforcement and orders.

Latin America & Middle East

LGPD
Lei Geral de Proteção de Dados (Brazil)
Scope
Processing of personal data of individuals in Brazil.
Who it covers
Public and private organizations processing Brazilian personal data.
Teeth
Fines up to 2% of revenue in Brazil for the previous fiscal year, capped at R$50M per infraction; ANPD enforcement.
UAE PDPL
UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)
Scope
Processing of personal data within the UAE.
Who it covers
Controllers and processors operating in or targeting the UAE.
Teeth
Administrative fines per executive regulations; cross-border transfer controls.
KSA PDPL
Saudi Arabia Personal Data Protection Law
Scope
Personal data processing in the Kingdom.
Who it covers
Public and private entities processing Saudi personal data.
Teeth
Fines up to SAR 5M, doubled for repeat offences; imprisonment and fines for unlawful disclosure of sensitive data; SDAIA enforcement.

Africa

POPIA
Protection of Personal Information Act (South Africa)
Scope
Processing of personal information in South Africa.
Who it covers
Responsible parties processing personal information of South African residents.
Teeth
Fines up to R10M; criminal penalties including imprisonment of up to 10 years.
NDPR
Nigeria Data Protection Act 2023 (NDPA), successor to the Nigeria Data Protection Regulation (NDPR)
Scope
Processing of personal data of Nigerian residents and within Nigeria.
Who it covers
Data controllers and processors in Nigeria, and foreign entities processing Nigerian data.
Teeth
For controllers and processors of major importance, the greater of N10M or 2% of annual gross revenue (N2M or 2% for others); criminal liability for serious breaches.
Kenya DPA
Data Protection Act, 2019 (Kenya)
Scope
Processing of personal data in Kenya or of Kenyan data subjects.
Who it covers
Data controllers and processors operating in Kenya or offering goods/services to Kenyan residents.
Teeth
Administrative fines up to KES 5M or 1% of annual turnover, whichever is lower; imprisonment up to 3 years for serious violations.
Ghana DPA
Data Protection Act, 2012 (Act 843) — Ghana
Scope
Processing of personal data in Ghana or of Ghanaian data subjects.
Who it covers
Data controllers and processors established in Ghana or processing Ghanaian personal data.
Teeth
Fines up to GHS 250K; criminal sanctions for unlawful disclosure or processing.
Egypt PDPL
Egypt Personal Data Protection Law (Law No. 151 of 2020)
Scope
Processing of personal data by electronic or traditional means within Egypt.
Who it covers
Controllers and processors in Egypt, and foreign entities targeting Egyptian residents.
Teeth
Administrative fines up to EGP 2M; imprisonment for unauthorized cross-border transfers or disclosure.
Morocco PDPL
Law 09-08 on Personal Data Protection (Morocco)
Scope
Automated processing of personal data in Morocco.
Who it covers
Controllers processing personal data via automated means within Morocco.
Teeth
Fines and temporary or permanent suspension of data processing; CNDP enforcement.

Global Standards & Certifications

ISO/IEC 27001
Information Security Management System standard
Scope
Enterprise-wide ISMS with risk-based control selection from Annex A (93 controls in the 2022 edition).
Who it covers
Any organization seeking globally recognized ISMS certification.
Teeth
Loss of certification; commercial impact in RFPs and vendor reviews.
ISO/IEC 27701
Privacy Information Management extension to 27001
Scope
PIMS for controllers and processors mapped to GDPR.
Who it covers
Organizations certifying privacy alongside security.
Teeth
Certification withdrawal; vendor-due-diligence failures.
ISO/IEC 42001
AI Management System standard
Scope
Governance, risk, and lifecycle management of AI systems.
Who it covers
Organizations developing or deploying AI at scale.
Teeth
Emerging baseline for AI-related procurement and regulatory review.
SOC 2
AICPA Trust Services Criteria (Type I / Type II)
Scope
Security, availability, processing integrity, confidentiality, privacy.
Who it covers
SaaS and service providers attesting to customer-facing controls.
Teeth
Lost or stalled enterprise deals; renewal blockers.
PCI DSS 4.0
Payment Card Industry Data Security Standard
Scope
Storage, processing, and transmission of cardholder data.
Who it covers
Merchants and service providers handling cardholder data globally.
Teeth
Card-brand fines, increased per-transaction fees, loss of acquiring relationship.

This map is a starting reference, not legal advice. Specific applicability turns on data flows, sector, and contractual obligations — always validate with qualified counsel in each jurisdiction.

Operating across multiple jurisdictions?

Dephiant builds and operates unified compliance programs that satisfy obligations across EMEA, North America, APAC, Africa, and LATAM without duplicating control work.