Global Cybersecurity Regulations

The Road to Successful Cybersecurity Certification: We recognize that product certifications are business enablers for our customers. As a result, we aim to not only certify your products, but do so in an efficient, time and cost-effective manner. Intertek has the right philosophical approach as well as the right expertise to position vendors to best meet challenging government cybersecurity certifications.

AMER Region

Argentina

General IoT

• Argentine Data Protection Act no. 25326 (PDPA)

Financial/Bank

• Argentine Central Bank issued regulation: Communication BCRA 6354 as amended by 6375

 

Brazil

General IoT

• Brazilian Internet Law (Law no. 12,965/2014)
• Regulatory Decree (no. 8.771/2016)
• Brazilian Data Protection Law (August 2020)
• National Data Protection Authority (Law no. 13.853/2019)"

Financial/Bank

• Central Bank of Brazil Resolution No. 4.658/2018 (December 2021)

Telecoms

• There are no cybersecurity specific laws for telecom in Brazil, though the country is discussing a National Cybersecurity Plan in Congress
• The most up-to-date regulation that is most closely applicable would be: Decree 8771/2016

 

Canada

General IoT

• National Cybersecurity Strategy
• CyberSecure Canada Certification Program
• Personal Information Protection and Electronic Documents Act (PIPEDA) - Nov 2018

Medical Devices

• Health Canada published guidance on pre-market requirements for medical device cybersecurity applying to all risk classes

Financial/Bank

• Personal Information Protection and Electronic Documents Act (PIPEDA) - Nov 2018
• Bank of Canada's Cybersecurity Strategy 2019-2021

Vehicular

• Motor Vehicle Safety Act (MVSA)
• Strengthening Motor Vehicle Safety for Canadians Act (March 2018)

 

Untied States

General IoT

• California SB327 (Jan 2020)
• Oregon law (Jan 2020)
• NIST Small Business Cybersecurity Bill (Jun 2018)
• NIST Framework for Improving Critical Infrastructure Cybersecurity Verion 1.1 (Apr 2018)

Medical Devices

• FDA [Guidance extract]

Gov't Purchasing Standards

• Gov requirements (S.734 - Internet of Things Cybersecurity Improvement Act of 2019)

Financial/Bank

• [? FIPS ?]
• US FSSCC Financial Services Sector Cybersecuri-ty Profile Overview and User Guide (Oct 2018)
• New York Cybersecurity Requirements for Financial Services Companies (Mar 2017)

Telecoms

• CTIA [Not currently mandatory]

Vehicluar

• USDOT recommends adopting NIST standards.

 

EMEA Region

European Union

General IoT

• Cybersecurity Act (March 2019)
• GDPR (EU) 2016/679
• EC IACS Cyersecurity Certification Frame-work (ICCF) (April 2018)

Medical Devices

• Cybersecurity Act (March 2019)
• GDPR (EU) 2016/679
• EU's medical technology trade association issued new recommendations and encour-ages the adoption of the EU's new Manufacturer Disclosure Statement for Medical Device Security (MDS2) form
• NIS DIrective (EU) 2016/1148
• MDR Regulation (EU) 2017/745
• IVDR Regulation (EU) 2017/746

Telecoms

• Cybersecurity Act (March 2019)
• GDPR (EU) 2016/679

Vehicluar

• Cybersecurity Act (March 2019)
• GDPR (EU) 2016/679
• ENISA recommends manufacturers incorporate cybersecurity into the design of smart car security measures

 

France

General IoT

• National Digital Security Strategy (Oct 2015)

 

Germany

Medical Devices

• German Cybersecurity Requirements for Network-connected Medical Devices

Financial/Bank

• BaFin Specifies BAIT (Feb 2018)
• BaFin consultation on Circular or bank regulato-ry requirements for IT Systems (March 2017)

Telecoms

• DRAFT: German IT Security Act 2.0 (IT-SiG, 2.0)
• German Federal Office for Information Security Act (Aug 2009)

 

Russia

Financial/Bank

• CBR Central Bank of Russia Standard for Maintenance of Information Security of the Russian Banking System Organizations - General Provisions (Jun 2014)
• Russian Banking system standard on information security maintenance (Apr 2014)
• CBR Standard for Information Security of Russian Banking Insitutions Information Security Audit (May 2007)

 

Saudi Arabia

General IoT

• Essential Cybersecurity Controls (ECC - 1:2018) Standard
• Anti-Cyber Crime Law

Gov't Purchasing Standards

• Controls of the Use of Computers and Information networks in Government Entities (Government Mandate No. (81) - 191430/3/H
• Information Security Policies and Procedures Development Framework for Government Agencies (the Framework)

Financial/Bank

• SAMA Cybersecurity Framework (May 2017)

Telecoms

• Controls of the Use of Computers and Information networks in Government Entities (Government Mandate No. (81) - 191430/3/H
• Information Security Policies and Procedures Development Framework for Government Agencies (the Framework)
• Resolution No. 555 of 2019

 

South Africa

General IoT

• Protection of Personal Information Act 4 (POPI Act)
• Cybercrimes & Cybersecurity Act
• South Africa National Cybersecurity Policy Framework (Dec 2015)

Financial/Bank

• Electronic Communications and Transactions Act 25 (ECT Act)
• South African Reseave Bank (SARB) Guidance to banks on cyber resilience (May 2017)

Telecoms

• Controls of the Use of Computers and Information networks in Government Entities (Government Mandate No. (81) - 191430/3/H
• Information Security Policies and Procedures Development Framework for Government Agencies (the Framework)
• Resolution No. 555 of 2019

 

Turkey

General IoT

• Turkey does not have any dedicated cybersecurity laws… however, there is data protection legislation which includes the Personal Data Protection Law No. 6698 (the PDPL)
• Turkey National Cybersecurity Strategy and Action Plan (2016)

Medical Devices

• Turkish Ministry of Health (TMH) recently published a draft regulation to update its current, EU aligned MDR

Financial/Bank

• Electronic Commerce Law No. 6563 (e-Commerce Law)
• Banking Law No. 5411 (Banking Law)
• Regulation on the Information Systems of Banks and Electronic Banking (DRAFT regulation published Feb 2019)
• Institutions in the banking sector must comply with the Control Objectives for Information and RElated Technology (COBIT) standards
• Payment Systems Law No. 6943 - Makes special certification (ISO 27001 and PCI DDS) mandatory

Telecoms

• Use of ISO/IEC 27001 mandatory for entities providing electronic communicatoin services, electronic networks and infrastructure and energy facilities

 

United Kingdom

General IoT

• California SB327 (Jan 2020)
• Oregon law (Jan 2020)
• NIST Small Business Cybersecurity Bill (Jun 2018)
• NIST Framework for Improving Critical Infrastructure Cybersecurity Verion 1.1 (Apr 2018)

Financial/Bank

• UK Financial Conduct Authority (FCA) Consulta-tion on extending Individual Accountability Regime (Jul 2017)
• UK Open Banking Initiative
• Bank of England - UK CBEST Intelligence-led Cybersecurity Assessment 2.0 (2016)

Vehicluar

• PAS 1885:2018

 

Switzerland

General IoT

• Swiss National Strategy for Protection of Switzerland Against Cyber Attacks (Apr 2018)

APAC Region

Australia

General IoT

• Cybersecurity Strategy

Medical Devices

• Australian's Therapeutic Goods Administration (TGA) published medical device cybersecurity guidance for all device risk classes, applicable to industry as well as users

Vehicular

• Australia is aming to have end-to-end regulation in place by 2020 to support the safe, comercial deployment and operation of autonomous vehicles at all levels of automation

China

General IoT

• Cybersecurity Law (June 2017)
• Regulations on Internet Security Supervision and Inspection by Public Security Organs (Nov 2018)
• Guideline for Internet Personal Information Security Protection (Guideline) (April 2019)
• International Strategy of Cooperation on Cyberspace (Mar 2017)

Medical Devices

• The National Medical Products Administra-tion (NMPA) published draft guidelines for standalone medical device software including cybersecurity requirements

Financial/Bank

• CBRC Guidelines on the Risk management of Commercial Banks' Information Technolo-gy

India

Financial/Bank

• Institute for Development and Research in Banking Technology (IDRBT) Cybersecurity Checklist (July 2016)
• RBI Circular to Establish Cybersecurity Framework in Banks (Jun 2016)

Indonesia

Medical Devices

• Article 57 of Law No. 36 of 2009

Financial/Bank

• Regulation No. 1/POJK.07/20136
• Article 25 of Bank Indonesia Regulation No. 18/40/PBI/2016

Telecoms

• Article 40 of Law No. 36 of 1999

Japan

General IoT

• [Law understood to come into effect 1 April 2020?]
• Japan's National Center of Incident Readiness and Strategy for Cybersecurity (Sept 2015)
• Japan's Basic Act on Cybersecurity (2014)

Financial/Bank

• JSFA Policy Approaches to Strengthen Cybersecurity in the Financial Sector (Jul 2015)

South Korea

General IoT

• Personal Ifnormation Protection Act (PIPA)
• Act on the Promotion of IT Network Use and Information Protection Act (Network Act)
• The Act on the Protection and Use of Location Information (Location Information Act)

Medical Devices

• In-vitro Diagnostic Medical Device Act (May 2020)
• South Korean Ministry for Food and Drug Safety (MFDS) issued guidelines for medical device cybersecurity risk management based on US FDA guidance and recommendations

Financial/Bank

• Electronic Financial Transactions Act (EFTA)
• Regulations on Supervision of Electronic Financial Transactions (RSEFT)
• Credit Information Use and Protection Act (Credit Information Act)

Telecoms

• Action on the Promotion of IT Network Use and Information Protection Act (Network Act)
• Protection of Information and Communica-tions Infrastructure Act (PICIPA)

Singapore

General IoT

• Cybersecurity Act (March 2018)
• CSA Singapore Cyber Landscape (Jun 2018)

Medical Devices

• Cybersecurity Act (March 2018)

Gov't Purchasing Standards

• Cybersecurity Act (March 2018)

Financial/Bank

• Cybersecurity Act (March 2018)
• MAS mandated financial institutions must comply with risk management guidelines within the next 12 months (since Aug 2019) in an effort to strengthen the cyber resilience of organizations

Telecoms

• Cybersecurity Act (March 2018)

Vehicluar

• Cybersecurity Act (March 2018)
• TR 68 - a set of guidelines covering areas such as vehicle behavior, safety, and cybersecurity for FULLY autonomous vehicles (2019)
• Road Traffic Act (2017)