| Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) | US | Requires critical infrastructure entities to report significant cyber incidents and ransomware payments to the US Cybersecurity and Infrastructure Security Agency (CISA) | All private and public entities in critical infrastructure sectors as defined by Presidential Policy Directive 21 (PPD-21), which include entities operating in the energy, healthcare, financial services, transportation, and communications sectors | Fines established through civil actions, alongside possible public disclosure orders |
| Cyber Resilience Act (CRA) | EU | Sets security standards and mandatory requirements for designing digital products, requiring manufacturers to manage vulnerabilities throughout the product lifecycle | Manufacturers that design, develop, or market products with digital elements (PDEs) under their name; importers that place non-EU PDEs on the EU market; and distributors that supply PDEs without modifying them | At least €15 million or a minimum of 2.5% of the total annual worldwide turnover (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of license |
| Cybersecurity and Infrastructure Security Agency (CISA) Act | US | Establishes CISA in the Department of Homeland Security and strengthens federal protection of critical infrastructure from cyber threats | Federal agencies, state, local, tribal, and territorial governments, and all critical infrastructure operators | Penalties for non-compliance do not exist unless mandated by other legislative acts |
| Cybersecurity Law | China | Regulates network security, personal data protection, and critical information infrastructure | All network and critical information infrastructure operators, network product providers and 3rd-party contractors, entities that deal with personal and cross-border data (if data is collected in China), and entities operating in China | A fine of ¥1 million, alongside possible product recalls or bans, suspension of operations, and loss of licenses |
| Digital Operational Resilience Act (DORA) | EU | Mandates ICT risk management frameworks for the financial sector and requires oversight of critical third-party ICT service providers | Most financial entities, such as banks, investment firms, payment institutions, asset and fund managers, insurers, and crypto platforms, and 3rd-party ICT service providers offering services to financial entities, such as cloud and data service providers, software vendors, and ICT outsourcing firms | Fines are set by EU Member States, while operational penalties include public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses |
| Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity | US | Requires federal agencies to implement security measures and software bills of materials (SBOMs) to ensure the integrity of the software supply chain | All federal agencies and critical infrastructure operators, as well as ICT and OT service providers, cloud service providers, vendors of software classified as critical, and hardware vendors, where these are under contract with federal agencies or critical infrastructure operators | No fines, but organizations could face operational penalties such as public disclosure orders, suspension of operations, and disqualification from federal contracts |
| EU Cybersecurity Act | EU | Regulates the European Union Agency for Cybersecurity (ENISA) and establishes a European cybersecurity certification framework for ICT products, services, and processes | ENISA and providers of ICT products, services, and processes only if they choose to certify their products or are mandated to do so by EU or national regulations | Fines are set by EU Member States, while operational penalties include product recalls or bans and suspension of operations |
| IoT Cybersecurity Improvement Act | US | Mandates the development of minimum security standards for IoT devices purchased or used by federal agencies | All federal agencies that procure or manage IoT devices, IoT device manufacturers or vendors that supply IoT devices to US federal agencies, and IoT service providers for US federal agencies | No fines, but organizations could face operational penalties such as product recalls or bans, suspension of operations, loss of licenses, and disqualification from federal contracts |
| National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 | US | Guides organizations in managing cybersecurity risks through 6 core functions: govern, identify, protect, detect, respond, and recover | All US federal agencies, when mandated by other EOs and regulations, and critical infrastructure service providers, when mandated by EOs and legislation | Penalties for non-compliance do not exist unless mandated by other legislative acts |
| National Security and Investment (NSI) Act | UK | Regulates acquisitions and investments that can pose national security risks and allows the government to impose conditions on acquisitions in 17 sensitive sectors | UK-based companies acquiring another UK company or a foreign company with UK operations, or foreign companies acquiring control over UK businesses, assets, or intellectual property | At least £10 million or 5% of revenue (whichever is higher), alongside possible transaction voiding |
| Network and Information Systems Regulations | UK | Establishes measures to improve the cybersecurity and resilience of critical services and implements reporting obligations | All operators of essential services, such as energy, health, and digital infrastructure companies, as well as online marketplaces, online search engines, and cloud service providers | A fine of £17 million, alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses |
| Network Data Security Management Regulation | China | Secures network data in China and establishes risk assessments and strict controls on data sharing and cross-border transfers | All entities involved in network data processing within China, including data collection, storage, use, transfer, and deletion, specifically network data processors, critical information infrastructure operators, large platforms, and 3rd-party service providers | A fine of ¥10 million, alongside possible product recalls or bans, suspension of operations, and loss of licenses |
| Network and Information Systems Directive 2 (NIS2) | EU | Establishes security risk management measures, management accountability requirements, and incident reporting procedures; repeals and replaces the original 2016 NIS Directive to address its shortcomings | Public and private sector entities of all sizes (small, medium, and large), whether headquartered inside or outside the EU, that operate within the EU jurisdiction | Fines of at least €10 million or a minimum of 2% of the total annual worldwide turnover (whichever is higher), alongside operational restrictions and public disclosure orders |
| Product Security and Telecommunications Infrastructure Act (PSTIA) | UK | Imposes cybersecurity requirements on manufacturers, importers, and distributors of UK consumer smart products | Any manufacturer of a UK consumer smart product, entity that markets a product manufactured by another entity under that entity’s name or trademark, importer of UK consumer smart products, and distributor of UK consumer smart products | A fine of at least £10 million or 4% of revenue (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses |
| Regulation 2023/2841: Regulation on Cybersecurity Measures for EU Institutions | EU | Establishes common cybersecurity measures across EU institutions | EU institutions, offices, and agencies | No fines, but institutions could face suspension of operations, warnings, and recommendations |
| Regulation 2024/482: Commission Implementing Regulation on European Common Criteria-based Cybersecurity Certification Scheme | EU | Establishes rules and obligations for manufacturers and certification bodies under the European Common Criteria-based certification scheme (EUCC), which builds on the framework introduced by the EU Cybersecurity Act | Manufacturers, importers, and distributors of ICT products subject to or pursuing EUCC certification, whether required by EU law or chosen voluntarily | Fines are set by EU Member States, while operational penalties include public disclosure orders, product recalls or bans, and suspension of operations |
| Telecommunications (Security) Act (TSA) | UK | Enforces legal obligations on telecom providers in the UK to safeguard their networks | Public electronic communication network providers, public electronic communications service providers, suppliers of telecommunication equipment, and managed service providers for telecommunication networks | A fine of at least £10 million or 10% of revenue (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, loss of licenses, and enforcement notices |