Resource Center / Infographics / Cybersecurity Law Basics
Cybersecurity Law Basics
This resource provides an overview on the basics of cybersecurity law, including definitions, as well as information on the sectors it applies to and the significant laws and regulations that impact it.
Published: January 2025
Contributors:
Navigate resource
The statutes, regulations and applied common law doctrines that punish attacks on, allocate liability for, and seek to mandate or otherwise improve the security and resiliency of computers, computer information, and computer-based or computer-controlled systems.
Much of cybersecurity law is based upon risk management and employs measures such as risk assessments, security audits and incident response planning.
The ultimate goal of cybersecurity law is to protect the confidentiality, integrity and availability of personal information, intellectual property and critical infrastructure.
The IAPP additionally hosts a Cybersecurity Law topic page, which regularly updates with the latest cybersecurity law news and resources.
What does cybersecurity law include?
- Standards intended to safeguard data and ensure the secure operation of systems and networks.
- Criminal laws that punish those who attack computer networks and computer data.
- Requirements to implement organizational and technical measures to protect networks and information from unauthorized access, breaches and cybercrime.
- Obligations on data custodians to protect personal data against loss or misuse.
- Laws mandating breach notification and incident reporting to authorities and/or affected individuals to enable quick responses to cyberthreats.
- Measures to facilitate international cooperation among organizations and governments against cyberthreats not limited by traditional borders.
What is cybersecurity law not limited to?
- IT security: Cybersecurity law goes beyond data protection and focuses on the integrity of the operational technology that controls physical processes.
- Large organizations: Cybersecurity laws can apply to any organization that handles personal information or maintains digital systems, regardless of size or industry.
- Prosecuting cybercrime: Although cybersecurity law covers cybercrime, it also addresses preventative measures, organizational liability and incident response.
- Data protection or privacy: Although it is an element of privacy or data protection, cybersecurity law is broader. It addresses not just how personal information is collected, used and shared, but also the security of all types of data and the operational availability of computer-based or computer-controlled networks and systems.
- Technical standards: While some cybersecurity laws require organizations to follow specific technical standards, others only require reasonable security. Cybersecurity laws may require management practices, such as risk assessment, access control establishment and response plan adoption, but leave the choice of specific technologies to organizations.
Laws and regulations that impact cybersecurity
This section provides a directory of some of the main global laws and regulations that impact cybersecurity.
-
expand_more
Australia's Cyber Security Act 2024Australia's Cyber Security Act 2024
Introduces mandatory security standards for smart devices, establishes reporting obligations for ransomware payments and encourages other voluntary reporting to the government to support responses to significant cyber incidents.
View here -
expand_more
Brazil's General Data Protection LawBrazil's General Data Protection Law
Requires appropriate technical and organizational security measures for personal data and authorizes heavy fines for noncompliance.
View here -
expand_more
Data Security Law and Cybersecurity Law of the People's Republic of ChinaData Security Law and Cybersecurity Law of the People's Republic of China
Establish a framework of strict cybersecurity measures, including data localization, influencing how multinational companies manage networks and data operations within China.
View here -
expand_more
EU General Data Protection RegulationEU General Data Protection Regulation
Requires appropriate technical and organizational security measures for personal data and mandates breach notifications.
View here -
expand_moreEU NIS2 Directive
EU NIS2 Directive
Expands upon the Network and Information Security Directive, requiring service providers and manufacturers in critical sectors to implement specific types of risk management measures and report security incidents.
View here -
expand_more
India's Information Technology ActIndia's Information Technology Act
Criminalizes cybercrimes such as identity theft, hacking and the spread of malicious software. Establishes the Indian Computer Emergency Response Team to handle cybersecurity incidents.
View here -
expand_more
Nigeria's Cybercrimes (Prohibition, Prevention, Etc.) Act 2015Nigeria's Cybercrimes (Prohibition, Prevention, Etc.) Act 2015
Criminalizes cybercrimes, mandates registration of cybercafes and grants investigatory powers to law enforcement authorities.
View here -
expand_more
Singapore's Cybersecurity Act 2018Singapore's Cybersecurity Act 2018
Requires operators of critical information infrastructure to comply with specific types of risk management measures and report cybersecurity incidents. Mandates licensing requirements for cybersecurity providers and grants the Cybersecurity Commission the authority to investigate and respond to threats.
View here -
expand_more
U.S. Cybersecurity Information Sharing ActU.S. Cybersecurity Information Sharing Act
Aims to promote voluntary information sharing among private organizations and with the U.S. government regarding cyberthreats and defensive measures.
View here -
expand_moreU.S. Federal Trade Commission Act
U.S. Federal Trade Commission Act
Prohibits unfair or deceptive trade practices, which the FTC has interpreted to include deceptive statements about cybersecurity and failure to protect personal information with reasonable security.
View here
-
expand_more
Cybersecurity resources