Compliance Manager regulations list

In this article: View the comprehensive list of regulations available to build assessments in Compliance Manager.

Important

The regulations that are available for your organization's use by default depend on your licensing agreement. Review licensing details.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Overview

Compliance Manager provides a comprehensive set of regulatory templates for creating assessments. These regulations, as they're referred to in Compliance Manager, can help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data. Regulations are added to Compliance Manager as new laws and regulations are enacted. Compliance Manager also updates its regulations when the underlying laws or regulations change. Learn more about how to review and accept updates.

List of regulations and where to find them

Below is the complete list of regulations in Compliance Manager. In Compliance Manager, go to the Regulations tab, and select a regulation's name to view its description, properties, controls, and associated improvement actions. Jump to a section below to view templates by area or industry:

Included regulations

Some regulations are included in Compliance Manager by default, depending on subscription level:

  • Customers at all subscription levels: The Microsoft Data Protection Baseline is included for all organizations as part of their subscription.
  • Customers at the A5/E5/G5 subscription levels: In addition to the Microsoft Data Protection baseline, you can choose any three premium regulations to use for free.
  • US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers: Cybersecurity Maturity Model Certification (CMMC), levels 1 through 5, is included in addition to the Microsoft Data Protection Baseline.

Premium regulations

The regulatory templates listed below may be purchased by your organization. Certain licensing agreements allow for the use of three premium regulations for free. Review licensing details.

Global

  • Guidelines and Functional Requirements for Electronic Records Management Systems (ICA Module 2)
  • ISO 15489-1:2016
  • ISO 16175-1:2020
  • ISO 19791 - Information technology — Security techniques — Security assessment of operational systems
  • ISO 22301:2019
  • ISO 23081-1:2017
  • ISO 27005:2018
  • ISO 27017:2015
  • ISO 27034-1 Information technology — Security techniques — Application security
  • ISO 27799: 2016, Health informatics — Information security management in health
  • ISO 28000 – Specifications for Security Management Systems for the Supply Chain
  • ISO 31000:2018
  • ISO 37301
  • ISO 55001 – Asset management -- Management systems--Requirements
  • ISO IEC 80001-1:2010
  • ISO/IEC 27001:2013
  • ISO/IEC 27001:2022
  • ISO/IEC 27018:2019
  • ISO/IEC 27033-1:2015
  • ISO/IEC 27701:2019
  • NIST 800-207 - Zero Trust Architecture
  • SIG 2022
  • System and Organization Controls (SOC) 1
  • System and Organization Controls (SOC) 2

Industry

US Government

  • Appendix III to OMB Circular No. A-130 - Security of Federal Automated Information Resources
  • CFR - Code of Federal Regulations Title 21, Part 11, Electronic Records, Electronic Signatures
  • Children's Online Privacy Protection Rule (COPPA)
  • CMMC Level 1, Level 2, Level 3, Level 4, Level 5
  • CMMC v2 Level 1
  • CMMC v2 Level 2
  • CMS Information Systems Security and Privacy Policy (IS2P2)
  • Computer Fraud and Abuse Act (CFAA)
  • Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
  • Criminal Justice Information Services (CJIS) Security Policy
  • Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software - FDA
  • Cybersecurity Maturity Model Certification (CMMC) Levels 1 through 5
  • DFARS
  • e-CFR - Identity Theft Rules
  • Electronic Code of Federal Regulations - Part 748.0 and Appendix A
  • FDIC Privacy Rules
  • Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet
  • FedRAMP Moderate
  • FedRAMP SSP High Baseline
  • Freedom of Information Act (FOIA)
  • FTC Privacy of Consumer Financial Information
  • Gramm-Leach-Bliley Act, Title V, Subtitle A, Financial Privacy
  • HIPAA/HITECH
  • HITRUST
  • Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection
  • IRS - Revenue Procedure 98-25 Automated Records
  • IRS-P1075
  • Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0
  • National Archives Universal Electronic Records Management (ERM) Requirements
  • NIST 800-37
  • NIST 800-53 rev.4
  • NIST 800-53 rev.5
  • NIST 800-63 Digital Identity Guidelines
  • NIST 800-78-4: Cryptographic Algorithms and Key Sizes for Personal Identity Verification
  • NIST 800-137A -- Assessing Information Security Continuous Monitoring (ISCM) Programs
  • NIST 800-171
  • NIST 800-184: Guide for Cybersecurity Event Recovery
  • NIST CSF
  • NIST Privacy Framework
  • NIST SP 1800-5 IT Asset Management
  • NIST Special Publication 1800-1 Securing Electronic Health Records on Mobile Devices
  • NIST Special Publication 800-128
  • NIST Special Publication 800-210: General Access Control Guidance for Cloud Systems
  • Sarbanes-Oxley Act
  • SEC 17-4(a)
  • United States of America Privacy Act
  • US - Clarifying Lawful Overseas Use of Data (CLOUD) Act
  • US - Commission Statement and Guidance on Public Company Cybersecurity Disclosures
  • US - Department of Energy (DOE) Assistance to Foreign Atomic Energy Activities
  • US - Family Educational Rights and Privacy Act (FERPA)
  • US - Federal Information Security Modernization Act of 2014 (FISMA)
  • US - Protecting and Securing Chemical Facilities From Terrorist Attacks Act

US States and Territories

  • Alabama - Policy 621: Data Breach Notification - DRAFT
  • Alaska - Chapter 48 - Personal Information Protection Act
  • Arizona - Notification of Breaches in Security Systems
  • Arkansas Code Title 4, Subtitle 7, Chapter 110, Personal Information Protection Act
  • California - Civil Code Section 1798
  • California - Database Breach Act (California SB 1386)
  • California - Education Code-EDC, Title 3, Division 14, Part 65, Chapter 2.5- Social Media Privacy
  • California - Privacy Rights Act (CPRA)
  • California - SB-327 Information Privacy: Connected Devices
  • California Consumer Credit Reporting Agencies Act
  • Colorado Privacy Act (CPA)
  • California Consumer Privacy Act (CCPA)
  • Colorado Protections for Consumer Data Privacy
  • Colorado Revised Statutes, Section 6-1-716, Notice of Security Breach
  • Connecticut - Display and Use of Social Security Numbers and Personal Information
  • Connecticut General Statutes - General Provisions for state contractors who receive confidential information
  • Connecticut Information Security Program to Safeguard Personal Information
  • Connecticut State Law - Breach of security re computerized data containing personal information
  • D.C. Law 16-237 - Consumer Personal Information Security Breach Notification Act
  • Delaware - Student Data Privacy Protection Act
  • Delaware Computer Security Breaches- Commerce and Trade Subtitle II - 12B-100 to 12B-104
  • Florida Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information
  • Georgia (US) Personal Identity Protection Act
  • Guam's Notification of Breaches of Personal Information
  • Hawaii - Security Breach of Personal Information Chapter 487N
  • Idaho Identity Theft
  • Illinois (740 ILCS 14/1) Biometric Information Privacy Act
  • Illinois Personal Information Protection Act
  • Indiana Disclosure of Security Breach
  • Iowa - Student Personal Information Protection Act
  • Iowa Code. Title XVI. Chapter 715C. Personal Information Security Breach Protection
  • Kansas Consumer Information, Security Breach Statute
  • Kentucky Data Breach Notification
  • Louisiana Database Security Breach Notification Law (Act No. 382)
  • Maine - Act to Protect the Privacy of Online Consumer Information
  • Maine - Notice of Risk to Personal Data
  • Code of Maryland State Government - Protection of Information by Government Agencies
  • Maryland Personal Information Protection Act - Security Breach Notification Requirements, HB 1154
  • Maryland's Student Data Privacy Act
  • Massachusetts - 201 CMR 17.00: Standards For The Protection Of Personal Information Of Residents Of The Commonwealth
  • Massachusetts Data Breach Notification Law 93H section 1-6
  • Michigan Identity Theft Protection Act
  • Mississippi Security Breach Notification
  • Montana - Impediment of Identity Theft
  • Nebraska's Data Protection and Consumer Notification of Data Security Breach Act
  • Nevada Chapter 603A - Security and Privacy of Personal Information
  • Nevada Senate Bill 220 Online Privacy Law
  • New Hampshire Right to Privacy Act
  • New Jersey Security Breach Disclosure
  • New Mexico Chapter 57 - Privacy Protection (Article 57-12B-1 through 4)
  • New Mexico Consumer Information Privacy Act
  • New Mexico's Data Breach Notification Act
  • New York - 23 NYCRR Part 500
  • New York City Administrative Code - Security Breach Notification
  • New York General Business Law - Data Security Breach Notification and Data Security Protections
  • New York Privacy Act
  • North Carolina - Identity Theft Protection Act
  • North Dakota Chapter 51-30 Notice of Security Breach for Personal Information
  • Ohio - Security Breach Notification
  • Ohio Data Protection Act 2018
  • Oklahoma Security Breach Notification Act
  • Oregon Consumer Identity Theft Information Protection Act
  • Pennsylvania Breach of Personal Information Notification Act
  • Puerto Rico - Citizen Information on Data Banks Security Act
  • Rhode Island - Identity Theft Protection Act
  • South Carolina - Breach Notification
  • South Dakota - Notice of Breach
  • Tennessee 47-18-2107 Release of Personal Consumer Information
  • Texas - Identity Theft Enforcement and Protection Act
  • Texas Privacy Policy to Protect Social Security Numbers
  • Utah Consumer Credit Protection Act
  • Utah Electronic Information or Data Privacy
  • Vermont - Act on Data Privacy and Consumer Protection
  • Virginia Breach of Personal Information Act
  • Virginia Consumer Data Privacy Act (CDPA)
  • Washington DC - Consumer Security Breach Notification Standard
  • West Virginia - Breach of Security of Consumer Information
  • Wisconsin Security Breach Notification

Regional

Asia-Pacific Countries/Regions

  • Asia Pacific Economic Cooperation (APEC) Privacy Framework
  • Australia - ASD Essential 8
  • Australia - ASD Essential 8 Maturity Level 1
  • Australia - ASD Essential 8 Maturity Level 2
  • Australia - ASD Essential 8 Maturity Level 3
  • Australia - National Archives Act
  • Australia - Public Records Office Victoria Recordkeeping Standards
  • Australia - Spam Act 2003
  • Australia Privacy (Credit Reporting) Code
  • Australia Privacy Act
  • Australia Public Record Act
  • Australian Energy Sector Cyber Security Framework (AESCSF)
  • Australian Information Security Registered Assessor Program (IRAP) with ISM Version 3.5 - Official
  • Australian Information Security Registered Assessor Program (IRAP) with ISM Version 3.5 - Protected
  • Australian Prudential Regulation Authority CPS
  • Victorian Protective Data Security Standards V2.0 (VPDSS 2.0)
  • Information Management Standard for Australian Government - National Archives of Australia (NAA)
  • China - Personal Information Security Specification
  • Cybersecurity Law of the People's Republic of China
  • Hong Kong - Code of Banking Practice and Payment Card
  • Hong Kong - Personal Data (Privacy) Ordinance
  • India Digital Personal Data Protection Act
  • India Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules
  • India - Information Technology Act
  • Reserve Bank of India Cyber Security Framework
  • Indonesia - Law 11/2008
  • Japan - Act on Prohibition of Unauthorized Computer Access
  • Japan - Common Model of Information Security Measures for Government Agencies and Related Agencies
  • Japan - Common Standards for Information Security Measures for Government Agencies and Related Agencies
  • Japan Privacy Mark - JIS Q 15001: 2017
  • Japanese Act on the Protection of Personal Information (Law No. 57 of 2003)
  • Korea - Credit Information Use And Protection Act
  • Korea - The Act on Promotion of Information and Communications Network Utilization and Data Protection
  • Korea Personal Information Protection Act
  • Malaysia - Personal Data Protection Act (PDPA)
  • Malaysia Risk Management in Technology (RMiT)
  • Myanmar - Law Protecting the Privacy and Security of Citizens
  • Nepal - Right to Information Act
  • New Zealand - Privacy Act / 2020
  • New Zealand - Public Records Act
  • New Zealand - Reserve Bank BS11 Outsourcing Policy
  • New Zealand - Telecommunications Information Privacy Code
  • New Zealand Health Data Retention Policy
  • New Zealand Health Information Privacy Code
  • New Zealand Health Information Security Framework (HISF)
  • New Zealand Information Security Manual (NZISM)
  • Pakistan - Electronic Data Protection Act - DRAFT
  • Philippines BSP Information Security Management Guidelines
  • Philippines Data Privacy Act of 2012
  • Singapore - ABS Guidelines on Control Objectives and Procedures for Outsourced Service Providers
  • Singapore - Banking Act (Cap.19)
  • Singapore - Cybersecurity 2018
  • Singapore - IMDA IoT Cyber Security Guide
  • Singapore - Monetary Authority of Singapore Technology Risk Management Framework
  • Singapore - Multi-Tier Cloud Security (MTCS) Standard
  • Singapore - Personal Data Protection Act / 2012
  • Singapore Spam Control Act
  • Taiwan - Implementation Rules for the Internal Audit and Internal Control System of Electronic Payment Institutions - 2015
  • Taiwan - Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking
  • Taiwan - Regulations Governing Approval and Administration of Financial Information Service Enterprises Engaging in Interbank Funds Transfer and Settlement
  • Taiwan - Regulations Governing the Standards for Information System and Security Management of Electronic Payment Institutions
  • Taiwan – Trade Secrets Act
  • Taiwan Personal Data Protection Act (PDPA)
  • Thailand PDPA
  • Taiwan – Trade Secrets Act
  • Uzbekistan - Law of The Republic of Uzbekistan on Personal Data
  • Vietnam - Consumer Rights Protection Law
  • Vietnam - Law of Cybersecurity
  • Vietnam - Law of Network Information Security
  • Vietnam - Law on Information Technology

Europe, Middle East, and Africa (EMEA)

  • Albania - The Law on the Protection of Personal Data No. 9887
  • Austrian Telecommunications Act 2003
  • Armenia - Law of the Republic of Armenia on the Protection of Personal Data
  • Belarus Law On Information, Informatization and Protection of information
  • Belgium - Act on the Protection of Natural Persons with Regard to the Processing of Personal Data
  • Belgium NBB Dec 2015
  • Bosnia and Herzegovina Law on the Protection of Personal Data
  • Botswana - Data Protection Act
  • Bulgaria Law for Protection of Personal Data 2002
  • Central Bank of Kuwait Cybersecurity Framework
  • Corporate Sustainability Reporting Directive (CSRD)
  • Cyprus The Processing of Personal Data Law
  • Czech - Act No. 110/2019 Coll. on Personal Data Processing - 2019
  • Czech - On Cyber Security and Change of Related Acts (Act on Cyber Security) - Act No. 181
  • Denmark - The Data Protection Act
  • Denmark - Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment
  • Directive 2013/40/EU Of The European Parliament And Of The Council
  • Dubai - Health Data Protection Regulation
  • Dubai Consumer Protection Regulations (Telecommunications Regulatory Authority)
  • Dubai ISR
  • Egypt - Data Protection Law
  • Estonia - Personal Data Protection Act
  • Estonia - The system of security measures for information systems
  • EU - Directive 2006/24/EC
  • EU - ePrivacy Directive 2002 58 EC
  • EU GDPR (General Data Protection Regulation)
  • EudraLex - The Rules Governing Medicinal Products in the European Union
  • European Network and Information Security Agency (ENISA) - Cloud Computing Information Assurance Framework
  • Finland - Data Protection Act
  • Finnish Criteria for Assessment of Information Security of Cloud Services
  • France - The Data Protection Act
  • Georgia Law on Personal Data Protection
  • Germany - Annotated text of the Minimum Requirements for Risk Management
  • Germany - Cloud Computing Compliance Controls Catalog (C5)
  • Germany - Federal Data Protection Act
  • Germany - Supervisory Requirements for IT in Financial Institutions (BAIT)
  • Ghana - Data Protection Act
  • Ireland Data Protection Act
  • Israel - Privacy Protection (Transfer of Data to Databases Abroad) Regulations
  • Israel Privacy Law
  • Jordan Cloud Platforms & Services Policy
  • Kenya Data Protection Act
  • Luxembourg Act
  • Malta - Data Protection Act
  • Mauritius Data Protection Act 2004
  • Montenegro - Law on Personal Data Protection
  • NATO Directive AC/322-D(2021)0032
  • Nigeria Data Protection Regulation
  • NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council
  • Oman - Electronic Transactions Law
  • Qatar Cloud Security Policy
  • Qatar National Information Assurance (NIA)
  • Republic of Moldova Law on Personal Data Protection
  • Romania - Data Protection Law 190/2018
  • Russia - Federal Law 149-FZ On Information, Information Technology and Information Security
  • Russian Federation Federal Law Regarding Personal Data
  • Saudi Arabia - Saudi Arabia Monetary Authority (SAMA)
  • Saudi Arabia - National Cybersecurity Authority (NCA)
  • South Africa Consumer Protection ACT 68 2008
  • South Africa Electronic Communications and Transactions Act, 2002
  • South Africa - Promotion of Access to Information Act
  • South African POPIA
  • Slovakia Act on the Protection of Personal Data
  • Spain - Nation Security Framework
  • Switzerland - Federal Act on Data Protection (FADP)
  • Turkey - Information and Communication Security Guide
  • Turkey - KVKK Protection of Personal Data 6698
  • UAE - Federal Decree Law on Combating Cyber Crimes
  • UAE - Federal Law Concerning Electronic Transactions and Commerce
  • UAE - Federal Law No 2 of 2019 On the Use of the Information and Communication Technology (ICT) in Health Fields
  • UAE - NESA Information Assurance Standards
  • UAE Data Privacy Law
  • UAE Regulatory Policy TRA - Internet of Things
  • UAE's Federal Decree Law Regulating the Telecommunications Sector
  • Uganda - The Data Protection and Privacy Act
  • UK - Cyber Security for Defence Suppliers Standard 05-138
  • UK - The Offshore Petroleum Activities Regulations / 2011
  • UK Cyber Essentials
  • UK Data Protection Act
  • UK Data Retention Act
  • UK Privacy and Electronic Communications
  • Ukraine - Protection of Personal Data Law
  • Yemen - Yemen Law of the Right of Access to Information

Latin America

  • Antigua and Barbuda - Data Protection Act /2013
  • Bahamas - Data Protection Act
  • Barbados - Data Protection Bill 2019
  • Barbados - Electronic Transactions Act
  • Bermuda - Electronic Transaction Act
  • Saint Lucia Data Protection Act
  • Trinidad and Tobago Data Protection (Act 13 of 2011)

North America

  • Canada - Breach of Security Safeguards Regulations
  • Canada - British Columbia - Information Privacy & Security - FOIPPA
  • Canada - Office of the Superintendent of Financial Institutions Cyber Security Self-Assessment Guide
  • Canada - Personal Health Information Protection Act (PHIPA) 2020
  • Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Canada - Protected B
  • Canada Cybersecure - Baseline Cyber Security Controls for Small and Medium Organizations
  • CAN-SPAM Act
  • Information Security Management Act - Province of British Columbia, CA
  • Mexico - Federal Consumer Protection Law
  • Mexico - Federal Law on Protection of Personal Data Held by Private Parties

South America

  • Argentina - Personal Data Protection Act 25.326
  • Brazil - Consumer Protection Code Law No. 8078 (Office 365)
  • Brazil - General Data Protection Law (LGPD)
  • Colombia - Decree No. 1377/2013
  • Colombia - External Circular Letter 007 of 2018
  • Colombia - Law 1266/2008- Habeas Data Act
  • Peruvian Legislation Law 29733 Law of Data Privacy Protection