Regulatory compliance is essential for any business and can actually be financially rewarding by avoiding fines and finding vulnerable areas in your company.

What is regulatory compliance? Regulatory compliance are laws and regulations a company must follow to remain in good standing with specific agencies, governments, and customers. These compliance standards are specific to industries and location and can result in large penalties if not followed correctly.

How Does Regulatory Compliance Work?

In any industry, there are regulations, and organizations operating in those industries must comply with these regulations. Compliance can cover a variety of different practices, processes, and operations within an organization. An organization will likely have more than one area of compliance.

Regulatory Compliance

Some of the different kinds of compliance include the following: 

  • Financial Compliance: Organizations must maintain fair, transparent financial records and refrain from unethical or illegal financial practices that harm stakeholders or consumers.

    Examples of such regulations are the Federal Deposit Insurance Corporation (FDIC) rules for consumer protection and the Sarbanes-Oxley Act (SOX) that requires financial reporting and transparency for corporations to mitigate fraud.

    Additionally, Service Organization Control 2 (SOC 2) compliance is an attestation to investors and insurers regarding the security of systems holding customer data. It is administered by the American Institute of Certified Public Accountants.

  • Regulatory Compliance: This unique form of compliance emphasizes the legal obligations an organization faces as part of its operation. Regulations are a legal form of governance that is predicated on legislation and oversight, typically from a governmental or adjacent regulatory body.

    This form of regulation can often overlap with the others. Compliance usually includes financial, IT, reporting, and audit logging requirements in many cases.

Because there are significant overlaps between different types of regulations, it is essential to understand where such laws come from. For example, HIPAA is a regulatory requirement for all healthcare providers, insurance companies, and associated vendors instituted and administered by federal and local governments. HIPAA, however, contains several provisions for cybersecurity and financial protection.

Conversely, SOC 2, while containing several provisions governing data management, security, and privacy, is not a regulatory requirement. It is not governed by law and is not required as part of any industry standards.

What Are Some Regulatory Compliance Regulations?

Different industries will typically include unique regulations. Some regulations will transcend industry and apply to a wide swath of common organizational types.

Some of the common regulations include:


Organizations Applies To

Organization Governed By

Areas of Coverage


Health Insurance Portability and Accountability Act (HIPAA)

Covered entities (hospitals, doctors, insurance companies) and their business associates

Department of Health and Human Services (HHS)

Protecting Private Health Information (PHI) from unauthorized disclosure

Cybersecurity controls; physical and administrative privacy controls

Sarbanes-Oxley Act (SOX)

Publicly traded corporations

U.S. Securities and Exchange Commission (SEC)

Requiring transparency in corporate financial reporting

Corporations must implement security, transparency, and accountability into financial reporting to stakeholders and the government

General Data Protection Regulation (GDPR)

All businesses collecting consumer data in the European Union

The EU Information Commissioner’s Office (ICO)

Protecting consumer information in EU jurisdictions

Businesses must implement privacy, security, and consent controls to protect consumer data from disclosure or abuse

California Consumer Privacy Act (CCPA)*

Midsize and large businesses in California

California Privacy Protection Agency (CPPA)

Protecting consumer information in California jurisdictions

Businesses must implement privacy, security, and consent controls to protect consumer data from disclosure or abuse

Federal Risk and Authorization Management Program (FedRAMP)

Cloud service providers working with federal agencies

The Joint Authorization Board (JAB) and Program Management Office (PMO)

Securing cloud systems used by federal agencies through third-party vendors

CSPs must implement NIST 800-53 and other controls to meet minimum standards

Cybersecurity Maturity Model Certification (CMMC)

Digital contractors working with Department of Defense agencies

The Department of Defense

Securing defense-related IT systems in the DoD supply chain

Contractors must implement NIST 900-171 and NIST 800-172 controls to work in the supply chain

*As of January 1, 2022, the CCPA will be amended into the California Privacy Rights Act (CPRA) with expanded regulations and controls.

Additionally, several standards are not required or governed by law but apply specifically to either industry practices or optional adoption by a company:


Organizations Applies To

Organization Governed By

Areas of Coverage


Service Organization Control (SOC) 2

Any who adopt the standard

American Institute of Certified Public Accountants (AICPA)

Data security, privacy, confidentiality, and integrity

Organizations must meet minimum security and privacy standards and undergo regular audits

International Organization for Standardization (ISO) 27000 Series

Any who adopt the standard

International Organization for Standardization (ISO)

Data and IT infrastructure security

Organizations design, develop, implement, and maintain Information Security Management Systems (ISMS)

Payment Card Industry Data Security Standard (PCI DSS)

Retailers and merchants accepting credit card payments

Payment Card Industry (including credit card companies like Visa, Mastercard, American Express, etc.)

Credit card and payment information

Payment processors and merchants must implement security practices to secure payment information from theft

What Is Governance, Risk, and Compliance?

Regulations often fall under a larger umbrella of strategies and practices that businesses follow, generally known as governance, risk, and compliance.

GRC includes the following practices:

  • Governance: Integrated strategies and capabilities around governing business practices, data management, and security. Governance includes high-level planning and execution of business processes and objectives.
  • Risk: Risk assessment and management are the practice of measuring financial risks, security vulnerabilities, or other potential hazards and using that information to make decisions around cybersecurity, IT infrastructure, administration, and other business decisions.
  • Compliance: Governance and risk practices must be used to fuel compliance now and into the future.

What Are Some of the Penalties for Noncompliance?

Compliance, often governed by law, can carry significant penalties. Even frameworks governed in the private sector can affect how a company does business.

Some potential penalties include the following: 

  • Financial Penalties: Financial penalties range from smaller fees to crippling fines. HIPAA compliance requirements, for example, scale financial penalties based on the severity of the breach. GDPR, on the other hand, only allows for two different tiers of penalties, each containing significant financial obligations on the part of the noncompliant organization.
  • Loss of Licensing or Authorization: Some frameworks, like FedRAMP or CMMC, come with a baseline loss of certification for severe noncompliance. Here, organizations can no longer only operate in their industry.
  • Legal Liability: If noncompliance leads to severe harm to an organization or individuals, organizations may find themselves legally liable. HIPAA contains several tiers of legal penalties, including jail time, for severe breaches or in cases of fraud.
  • Impact on Business Operations: Some non-government regulations, like PCI DSS, work because the governing body can control how companies function in a business market.

    For example, if a merchant fails to comply with PCI DSS, there is not a default legal repercussion. Instead, the PCI (made up of all the major credit card providers like Visa, Discover, American Express, Mastercard, etc.) can levy fines for continued use of the credit card payment networks.

    Continuing noncompliance can force the PCI to label merchants with a negative rating, including higher fees and limited payment processing capabilities.

    Finally, the PCI can simply close a merchant’s account and make processing payments impossible.

Operationalize Regulatory Compliance

Regulatory compliance is a significant part of any business and must play a role in business strategy and IT infrastructure. Any company operating in regulated industries with standards must use technology to support regulations.

Sensitive content communications is involved in virtually every compliance regulation, and organizations must ensure they have the right policy controls and security processes in place. Learn how Kiteworks unifies, tracks, controls, and secures critical data as it moves into, within, and out of an organization for compliance across myriad regulations, such as HIPAA, PCI DSS, FedRAMP, and others, by scheduling a custom demo.


Back to Risk & Compliance Glossary


Get email updates with our latest blogs news