What is the difference between GDPR and SOC 2?

GDPR is a mandatory EU privacy regulation with fines up to €20M or 4% of global revenue, focusing on data subject rights and privacy. SOC 2 is a voluntary US trust services framework focused on security, availability, and confidentiality for service providers. GDPR is legally enforced; SOC 2 is market-driven (90% of enterprise buyers require it). Organizations processing EU data typically need both.

How much does SOC 2 certification cost?

SOC 2 Type II certification typically costs $20,000–$100,000 total, including $10K–$50K for audit fees (CPA firm) and $10K–$50K for preparation (policy development, tooling, remediation). The 12-month Type II observation period means the full process takes 15–18 months from start to report. Automated compliance platforms like EchelonGraph can reduce preparation costs by 40–60%.

What are the penalties for GDPR non-compliance?

GDPR penalties reach up to €20 million or 4% of global annual revenue, whichever is higher. Notable fines include Meta (€1.2 billion, 2023), Amazon (€746 million, 2021), and WhatsApp (€225 million, 2021). Lower-tier violations can result in fines up to €10 million or 2% of revenue. Additionally, data subjects can claim compensation for damages.

How long does ISO 27001 certification take?

ISO 27001 certification typically takes 6–12 months. The process involves: ISMS scope definition (2–4 weeks), risk assessment (4–8 weeks), control implementation (8–16 weeks), internal audit (2–4 weeks), and external certification audit in two stages — Stage 1 (documentation review, 1–2 days) and Stage 2 (implementation evaluation, 3–10 days). Certification is valid for 3 years with annual surveillance audits.

Which compliance framework should I start with?

Start with SOC 2 if you're a SaaS company selling to enterprises (90% of buyers require it). Start with ISO 27001 if you sell globally or into EU/APAC markets. Start with HIPAA if you handle health data. Start with PCI DSS if you process payments. For a risk-based approach, begin with NIST CSF 2.0 — its 6-function model maps to 80% of controls across all other frameworks.

What is the breach notification timeline for each compliance framework?

Breach notification timelines vary significantly: GDPR requires 72 hours to DPA. HIPAA requires 60 days to HHS and individuals. PCI DSS requires immediate notification to acquirer and card brands. DPDP Act (India) requires 72 hours to Data Protection Board. CCPA/CPRA requires notification 'without unreasonable delay.' NIST CSF/CIRCIA requires 72 hours for critical infrastructure. EU AI Act Article 73 requires serious-incident reporting within 15 days (or 2 days for widespread infringement, fatality, or critical-infrastructure disruption). India's CERT-In requires 6 hours (the world's strictest).

What is the EU AI Act and when does it take effect?

The EU AI Act is Regulation (EU) 2024/1689 — the world's first comprehensive AI law, adopted in 2024. It is enforced in phases: (1) prohibited-practice ban (Article 5) in force since 2 February 2025; (2) general-purpose AI model obligations from 2 August 2025; (3) high-risk AI system obligations under Articles 9–17 from 2 August 2026; (4) full enforcement from 2 August 2027. Penalties under Article 99 reach €35M or 7% of global annual revenue — more punitive than GDPR. The Act has extraterritorial reach: it applies to any provider, deployer, importer, or distributor whose AI output reaches the EU market, regardless of where they are headquartered.

How is NIST AI-RMF different from ISO/IEC 42001?

NIST AI-RMF 1.0 (January 2023) is a voluntary US guidance framework built on four functions — Govern, Map, Measure, Manage — that is cited by US Executive Order 14110 and OMB Memo M-24-10 for federal AI procurement. It is not certifiable; organisations self-assess against the playbook. ISO/IEC 42001:2023 is the first international certifiable management-system standard for AI, modelled on ISO 27001's structure (Clauses 4–10) with PDCA + continual improvement. ANAB-accredited certification bodies began offering ISO 42001 audits in 2024. Choose NIST AI-RMF for the function-based playbook and US federal alignment; choose ISO 42001 when you need third-party certification, international recognition, or harmonised-standard alignment under EU AI Act Article 40.

Do I need to comply with the EU AI Act if I'm based outside the EU?

Yes, in most cases. Under Article 2(1)(c), the EU AI Act applies to providers and deployers of AI systems located in a third country where the output produced by the AI system is used in the EU. This extraterritorial reach is similar to GDPR Article 3(2). Practical examples: a US-based SaaS company providing an AI-driven hiring tool used by a German employer is in scope (Annex III high-risk classification); a UK fintech offering AI credit-scoring to French consumers is in scope; an Indian foundation-model provider whose API is integrated into EU products is in scope as a general-purpose AI provider. Non-EU providers must designate an EU-based authorised representative under Article 25.

What is MITRE ATLAS and how does it relate to MITRE ATT\u0026CK?

MITRE ATLAS (Adversarial Threat Landscape for AI Systems) is MITRE's adversarial-ML tactic, technique, and case-study knowledge base — the AI counterpart to MITRE ATT\u0026CK. While ATT\u0026CK covers adversary behaviour against traditional IT systems (initial access, persistence, lateral movement), ATLAS covers attacks specific to ML pipelines: model reconnaissance (AML.T0001), training-data poisoning (AML.T0019), model evasion (AML.T0043), model inversion (AML.T0024), model extraction (AML.T0025), membership inference (AML.T0026), backdoors (AML.T0018), and AI-specific denial of service (AML.T0029). NIST AI-RMF, EU AI Act technical guidance, and OWASP LLM Top 10 all reference ATLAS as the canonical adversarial-ML taxonomy. Security teams should cite ATLAS technique IDs in AI incident reports the same way they cite ATT\u0026CK IDs today.

Which AI compliance framework should I start with?

Start with NIST AI-RMF 1.0 — it is free, voluntary, function-based (Govern, Map, Measure, Manage), and gives you a structured AI risk-management playbook within 3–6 months. Then layer ISO/IEC 42001 if you need certifiable third-party assurance or international recognition; many AIMS controls map cleanly from your existing ISO 27001 ISMS. If you ship AI into the EU, you must additionally comply with the EU AI Act — start by classifying every AI system against Article 6 + Annex III (prohibited / high-risk / limited-risk / minimal-risk). For technical threat-modelling, adopt MITRE ATLAS as your adversarial-ML taxonomy. For LLM-backed products, treat OWASP LLM Top 10 as the de-facto checklist (LLM01 prompt injection, LLM02 insecure output handling, LLM06 sensitive-info disclosure).

13 Frameworks • 13 Security Domains • 169+ Control Mappings

Framework Comparison Matrix

The one-stop compliance comparison. Map the overlap between 13 global standards — 8 traditional security & privacy frameworks (GDPR, SOC 2, ISO 27001, HIPAA, PCI DSS 4.0, NIST CSF 2.0, CCPA/CPRA, DPDP Act) plus 5 AI governance standards (NIST AI-RMF, EU AI Act, ISO/IEC 42001, MITRE ATLAS, OWASP LLM Top 10) — across 13 security control domains.

Every cell cites a specific article, clause, criterion, or technique ID from the framework's authoritative source — EUR-Lex, NIST publications, ISO catalogue, MITRE ATLAS, OWASP — so security teams can navigate from the matrix directly to the regulatory text.

472

Total controls across
all 13 frameworks

80%

NIST CSF 2.0 & ISO 27001
control objective overlap

€35M

Max EU AI Act penalty
(or 7% global revenue — Art 99)

2026-08-02

EU AI Act high-risk
obligations enforceable

AI Compliance Enforcement Timeline

When each AI compliance standard becomes enforceable. Sourced from the regulators' own publications (EUR-Lex, ISO catalogue, NIST press releases).

Frameworks:

GDPR

58%

4✓5◐1✗

42 controls

SOC 2

78%

9✓2◐2✗

64 controls

ISO 27001

80%

9✓2◐1✗

93 controls

HIPAA

71%

7✓3◐1✗

44 controls

PCI DSS

72%

8✓2◐2✗

78 controls

NIST CSF

80%

9✓2◐1✗

106 controls

CCPA

28%

1✓3◐5✗

20 controls

DPDP

34%

2✓3◐5✗

10 controls

AI-RMF

75%

6✓6◐0✗

18 controls

EU AI Act

82%

8✓4◐0✗

18 controls

ISO 42001

63%

3✓8◐0✗

15 controls

ATLAS

45%

2✓6◐4✗

12 controls

OWASP LLM

63%

3✓8◐0✗

12 controls

Security Domain	GDPR EU	SOC 2 US	ISO 27001 International	HIPAA US	PCI DSS Global	NIST CSF US	CCPA US (California)	DPDP India	AI-RMF US	EU AI Act EU	ISO 42001 International	ATLAS International	OWASP LLM International
🔐 Access Control & Authentication Identity management, MFA, role-based access, privileged access management	🟡	✅	✅	✅	✅	✅	⚠️	🟡	🟡	🟡	🟡	—	🟡
🛡️ Data Encryption & Protection Encryption at rest and in transit, key management, data classification, DLP	✅	✅	✅	✅	✅	✅	🟡	🟡	🟡	🟡	🟡	—	⚠️
🌐 Network Security & Segmentation Firewall rules, network segmentation, VPC isolation, zero-trust architecture	🟡	✅	✅	🟡	✅	✅	—	—	⚠️	⚠️	⚠️	—	⚠️
🔍 Vulnerability Management Vulnerability scanning, patching, CVE correlation, penetration testing	🟡	✅	✅	🟡	✅	✅	⚠️	⚠️	🟡	🟡	🟡	✅	✅
🚨 Incident Response & Detection SIEM integration, alerting, breach notification, forensic investigation	✅	✅	✅	✅	✅	✅	🟡	✅	✅	✅	🟡	🟡	🟡
📋 Audit Logging & Monitoring Audit trails, log retention, SIEM forwarding, tamper-proof logging	🟡	✅	✅	✅	✅	✅	⚠️	⚠️	✅	✅	🟡	—	🟡
👤 Data Privacy & Consent Data subject rights, consent management, data minimization, purpose limitation	✅	🟡	🟡	✅	🟡	🟡	✅	✅	🟡	✅	🟡	⚠️	🟡
📊 Risk Assessment & Governance Risk frameworks, security policies, board-level reporting, compliance scoring	✅	✅	✅	✅	✅	✅	🟡	🟡	✅	✅	✅	🟡	🟡
🖥️ Asset & Configuration Management Asset inventory, configuration baselines, change management, drift detection	⚠️	✅	✅	🟡	✅	✅	—	—	✅	✅	✅	🟡	🟡
🔄 Business Continuity & Resilience Disaster recovery, backup strategy, availability SLAs, redundancy, failover	🟡	✅	✅	✅	🟡	✅	—	⚠️	🟡	🟡	🟡	🟡	🟡
🤖 AI Workload Inventory & Classification Model cards, risk-class categorisation, AI system register, shadow-AI discovery	⚠️	🟡	🟡	⚠️	⚠️	🟡	—	—	✅	✅	✅	🟡	🟡
🛡️ Adversarial ML Resilience Evasion, poisoning, model-extraction, backdoor & membership-inference defences	—	—	⚠️	—	—	⚠️	—	—	✅	✅	🟡	✅	✅
💬 LLM Prompt & Output Security Prompt injection, output sanitisation, sensitive-info leakage, agentic-action review	⚠️	—	—	⚠️	—	—	⚠️	—	🟡	✅	⚠️	🟡	✅

✅Full Coverage🟡Partial⚠️Minimal—Not Addressed|Click any row to expand citations and implementation details

Penalty Comparison

Maximum penalties and real-world enforcement examples for each framework — the data security leaders need for board presentations and risk assessments.

Framework	Max Penalty	Notable Example	Mandatory	Breach Notification
EU AI Act	€35M or 7% global revenue (Art 99)	GPAI obligations from 2025-08-02; high-risk from 2026-08-02	Required	Serious incident: 15 days (Art 73)
GDPR	€20M or 4% global revenue	Meta €1.2B (2023)	Required	72 hours
DPDP Act	₹250 crore (~$30M)	Rules pending (2025)	Required	72 hours
HIPAA	$1.5M/yr/category + criminal	Anthem $16M (2018)	Required	60 days
PCI DSS	$5K–$100K/month	Target $292M (2013)	Required	Immediate
CCPA/CPRA	$7,500/violation (intentional)	Sephora $1.2M (2022)	Required	No fixed deadline
SOC 2	No statutory fine	Revenue loss: $100K–$10M+	Voluntary	Per policy
ISO 27001	No statutory fine	Certification/contract loss	Voluntary	Per ISMS
NIST CSF	Contract termination (federal)	DoD contract loss: $1M–$100M+	Voluntary	72 hrs (CIRCIA)
NIST AI-RMF	None (voluntary guidance)	Cited by EO 14110 + OMB M-24-10 for federal AI procurement	Voluntary	Per MANAGE 2.2 playbook
ISO/IEC 42001	Certification loss	Loss of EU AI Act conformity assumption (harmonised standard pathway Art 40)	Voluntary	Per Clause 10.1 nonconformity
MITRE ATLAS	N/A (reference taxonomy)	Used by NIST AI-RMF + EU AI Act guidance as adversarial-ML reference	Voluntary	Cite ATLAS technique IDs
OWASP LLM	N/A (guidance)	De-facto checklist for LLM-app secure-SDLC + red-team	Voluntary	Cite LLM01–LLM10 IDs

Penalty Magnitude at a Glance

Maximum statutory penalty as percentage of global annual revenue — the metric boards actually care about. EU AI Act exceeds GDPR.

Certification Cost & Timeline

How much does compliance actually cost? Realistic cost ranges and timelines based on industry benchmarks for mid-market companies (50–500 employees).

SOC 2 Type II

$20K–$100K

⏱️ 15–18 months

3–6 months prep, 12 months observation, CPA firm audit

ISO 27001

$20K–$120K

⏱️ 6–12 months

Stage 1 doc review + Stage 2 implementation audit, 3-year cert

HIPAA

$50K–$200K

⏱️ 6–18 months

Risk analysis, safeguard implementation, no formal certification

PCI DSS

$15K–$200K

⏱️ 3–12 months

Varies by merchant level (SAQ for L2–L4, QSA for L1)

ISO/IEC 42001

$15K–$50K

⏱️ 6–9 months

International AIMS certification (indicative). Stage 1 + Stage 2 audit with ANAB-accredited bodies (emerging since 2024). Maps to ISO 27001 ISMS structure — extend existing ISMS to AIMS.

* Costs reflect mid-market estimates (50–500 employees). Enterprise costs may be 2–5× higher. Automated platforms like EchelonGraph typically reduce preparation costs by 40–60%. NIST AI-RMF, EU AI Act, MITRE ATLAS, and OWASP LLM Top 10 are not certifiable — they are assessment / self-attestation / reference frameworks. EU AI Act conformity assessment for high-risk systems is performed by notified bodies (~€20K–€200K per system).

AI Compliance Topology

How the 5 AI compliance standards relate to each other and to the traditional frameworks they extend. Lines show structural or normative overlap.

🔮

Automated Gap Analysis

Our AI engine has mapped over 10,000 regulatory nodes globally. Let EchelonGraph automatically bridge your compliance gaps across all 13 frameworks simultaneously — including the 5 AI compliance standards (NIST AI-RMF, EU AI Act, ISO 42001, MITRE ATLAS, OWASP LLM Top 10) — showing exactly which controls you need to implement and in what priority order.

Get Full Mapping →View CVE Pulse →

How EchelonGraph Automates Compliance

🔄

Continuous Scoring

Compliance engine evaluates 472+ controls (incl. 75 AI controls across NIST AI-RMF, EU AI Act, ISO 42001, MITRE ATLAS, OWASP LLM Top 10) every 5 minutes per tenant, scoring Pass/Fail/Partial/N-A with 30/60/90-day trending.

🗺️

Cross-Framework Mapping

Implement one control, satisfy multiple frameworks. Our AI maps overlapping requirements — implement ISO 27001 A.5.15 and automatically satisfy SOC 2 CC6.1, HIPAA §164.312(a), and PCI DSS Req 7.

📋

Evidence Collection

Automated evidence harvesting from cloud APIs. Generate audit-ready PDF/CSV compliance reports with per-control evidence, remediation guidance, and executive summaries.

🚨

Drift Detection

Real-time compliance drift alerts via WebSocket, webhook, and email. When configurations change and a score drops, you know within seconds — not days.

🌍

Multi-Region Coverage

Support for GDPR (EU), CCPA/CPRA (California), DPDP Act (India), ISMS-P (Korea), NIS2 (EU), DORA (financial sector), and more. Automatically enforce data residency requirements per jurisdiction.

🔗

Infrastructure Integration

Connects to AWS, GCP, and Azure via read-only credentials. Scans compute, storage, network, IAM, databases, and certificates — mapping findings to compliance controls in real time.

Authoritative Sources

Every framework, citation, penalty figure, and enforcement date on this page traces to a primary publication. Verify any number by following the source.

EU AI Act ↗Regulation (EU) 2024/1689 — full text, articles, annexes, recitals NIST AI-RMF 1.0 ↗NIST AI 100-1 (Jan 2023) + Generative AI Profile (NIST AI 600-1)ISO/IEC 42001:2023 ↗AI Management System — Clauses 4–10 + Annex A controls MITRE ATLAS ↗Adversarial ML tactic + technique knowledge base (AML.T0xxx)OWASP LLM Top 10 ↗OWASP GenAI Project v1.1 — LLM01 to LLM10 + quarterly updates GDPR ↗Regulation (EU) 2016/679 — full text on EUR-Lex SOC 2 (Trust Services Criteria) ↗AICPA SOC 2 Trust Services Criteria 2017 (updated 2022)ISO/IEC 27001:2022 ↗Information security management systems — international standard HIPAA ↗45 CFR Parts 160 + 164 — Security, Privacy, Breach Notification Rules PCI DSS 4.0 ↗Payment Card Industry Data Security Standard v4.0 (March 2022)NIST CSF 2.0 ↗Cybersecurity Framework 2.0 (Feb 2024) — 6 functions, 22 categories CCPA / CPRA ↗California Consumer Privacy Act + California Privacy Rights Act DPDP Act 2023 (India) ↗Ministry of Electronics & IT — Digital Personal Data Protection Act 2023 Breach-cost benchmarks ↗IBM Cost of a Data Breach Report (annual)Threat intelligence ↗Verizon Data Breach Investigations Report (annual)

EchelonGraph publishes the underlying data behind every cell in this matrix so security and compliance teams can independently verify each figure. If you spot a citation that needs an update, email support@echelongraph.io.