Compliance Framework Directory
Explore every compliance framework EchelonGraph automates. Click any framework for details — learn what's required, why it matters, and how to get compliant.
Why Compliance Matters
Legal Obligation
Many frameworks like GDPR, HIPAA, and PCI-DSS carry severe penalties for non-compliance — from fines of up to €20M to criminal charges.
Customer Trust
Enterprise buyers require SOC 2, ISO 27001, or HIPAA compliance before signing contracts. Compliance opens doors to larger deals.
Risk Reduction
Compliance frameworks codify security best practices. Following them systematically reduces your attack surface and incident response time.
Automate Your Compliance
EchelonGraph continuously monitors 17+ frameworks. Get real-time compliance scores, automated evidence collection, and audit-ready reports.
Compliance framework questions, answered
Direct answers to the 8 most-searched questions about modern compliance frameworks.
What's the difference between SOC 2 and ISO 27001?
SOC 2 is a US-originated attestation focused on Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) — audited annually by a CPA firm and most common in SaaS sales cycles. ISO 27001 is an international certification covering an Information Security Management System (ISMS) with 93 controls across 4 themes; recognized in 170+ countries and increasingly required in EU and APAC enterprise procurement. Many companies pursue both — they share ~60% control overlap, so the marginal cost of adding the second is lower than the first.
How long does SOC 2 Type II certification take?
The typical timeline is 6–12 months end-to-end. The first 3–6 months are spent designing and implementing controls (policies, access management, monitoring). Then a continuous 6-month observation window is required for Type II evidence collection. After the observation window, the audit itself runs 2–4 weeks. Companies using automated evidence collection (EchelonGraph, Vanta, Drata) typically cut the prep time by 30–50% versus manual approaches.
What are the penalties for a GDPR violation?
Up to €20 million or 4% of global annual turnover — whichever is higher. The largest GDPR fine to date was €1.2 billion against Meta in 2023 for unlawful US data transfers. Smaller violations (failure to honor data subject rights, late breach notification) typically draw fines of €50K–€5M. GDPR applies extraterritorially: any organization processing EU residents' personal data is in scope, regardless of where the organization is headquartered.
Who needs to comply with HIPAA?
Two categories: Covered Entities (healthcare providers, health plans, healthcare clearinghouses) and their Business Associates (any vendor handling Protected Health Information on behalf of a Covered Entity — including cloud providers, billing services, IT vendors, and software platforms). If you store, process, or transmit Protected Health Information (PHI) for a covered entity, you need a signed Business Associate Agreement (BAA) and HIPAA-compliant safeguards. Violations can carry criminal penalties up to $250,000 and 10 years' imprisonment.
When does the EU AI Act apply to my company?
Enforcement is phased. Prohibited AI practices (social scoring, biometric categorization for sensitive attributes, etc.) are banned from February 2025. General-purpose AI model rules apply from August 2025. The full high-risk AI obligations (Article 9 risk management, Article 15 accuracy/robustness/cybersecurity, Article 16 conformity assessment) become enforceable August 2, 2026. Penalties reach €35 million or 7% of global turnover — higher than GDPR. The Act applies extraterritorially: any AI system whose outputs are used in the EU is in scope.
What is NIS2 and which sectors does it cover?
NIS2 is the EU's updated cybersecurity directive, in force from October 2024. It expanded scope from NIS1's 7 sectors to 18, splitting them into Essential entities (energy, transport, banking, financial market infrastructures, healthcare, water, digital infrastructure, ICT service management, public administration, space) and Important entities (postal/courier, waste management, chemicals, food, manufacturing, digital providers, research). Senior management can be held personally liable, and fines reach €10 million or 2% of global turnover for Essential entities.
How are CIS Benchmarks different from CIS Controls?
CIS Controls are 18 prioritized, organization-level safeguards (formerly known as the SANS Top 20) — they tell you WHAT to do at a strategic level. CIS Benchmarks are platform-specific, prescriptive hardening guides — step-by-step technical configurations for AWS, GCP, Azure, Kubernetes, Linux, Windows, Docker, and dozens more. Most cloud security tools (including EchelonGraph) automate the CIS Benchmarks because they're directly actionable. Think of it as: Controls are the strategy, Benchmarks are the playbooks.
Is NIST Cybersecurity Framework (CSF) mandatory in the United States?
Not legally mandated for the private sector — but heavily incentivized. NIST CSF 2.0 (released February 2024) is referenced in SEC cybersecurity disclosure requirements for public companies, FTC enforcement actions, state breach notification laws, and an increasing number of insurance underwriting questionnaires. For federal contractors and agencies, NIST SP 800-53 (the control catalog CSF maps to) is mandatory. For CMMC-required defense contractors, NIST SP 800-171 controls are required.