Top 10 security regulations you need to know about in the U.S. and EU

Compliance has always been part of routine planning and development for security experts in the enterprise. But recent headline-grabbing attacks like the SolarWinds incident may have pushed compliance much higher up the priority list. It’s difficult to track the dizzying array of regulations on both sides of the pond and what they require, so we’ve compiled a list that should help. 

Here are the most important laws, regulations, standards, and audit controls that should be on your radar if compliance is top of mind for your organization. We’ve separated U.S. regulations from their European counterparts.

United States

  • Sarbanes-Oxley (SOX) Act — Increased penalties for destroying, altering, or fabricating records in federal investigations. The SOX Act applies to all publicly traded companies in the United States, plus subsidiaries and foreign companies that do business in the United States. As a consequence of the SOX Act, International Standard on Assurance Engagements 3402 (ISAE 3402) was developed by the International Auditing and Assurance Standards Board to assure SOX compliance. The standard is based on the Service Organization Control (SOC) audit framework, which heavily favors enterprises that are using multi-factor authentication (MFA).  
  • Health Insurance Portability and Accountability Act (HIPAA) — Every company that works in healthcare must deal with HIPAA requirements for authentication and access controls. HIPAA is governed by the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule). The HIPAA Act itself does not explicitly spell out authentication mechanisms, but two-factor and/or PKI-based authentication is considered the most secure option, and both are widely deployed in the U.S. health care sector.
  • NIST Digital Identity Guidelines — Anyone looking to implement best practices for authentication, including biometrics, should review NIST Special Publication 800-63B. While it is still a guideline rather than an approved standard, it defines technical requirements for the various authentication assurance levels. For example, it states: “Biometrics shall be used only as part of multi-factor authentication with a physical authenticator (something you have).” A FIPS 140-2 certification is needed to meet the requirements in the NIST Digital Identity Guidelines.

European Union

  • General Data Protection Regulation (GDPR) — This gives individuals control over their personal data and simplifies the regulatory environment for international business. All organizations that process or store personal data must have appropriate technical and organizational measures to protect that data. To help organizations comply with GDPR, the EU Cybersecurity Agency (ENISA) published a report that prescribes the use of two-factor authentication. Violating GDPR rules can result in a fine of up to 10 million euros or up to two percent of an organization’s global turnover.
  • electronic IDentification, Authentication and trust Services (eIDAS) — An EU regulation that governs electronic identification, electronic signatures, certifications and supervisory bodies, which together provide a secure way for EU citizens to communicate with public services. Electronic identification schemes at level of assurance Substantial require two-factor authentication, and level of assurance High adds requirements for tamper-proof authentication devices and dynamic cryptographic schemes.
  • EU Cybersecurity Act — This law strengthened ENISA and established an EU-wide cybersecurity certification framework for digital products, services and processes. ENISA has issued several reports and guidelines on authentication, and the message is clear: two-factor authentication is recommended for access to all types of IT systems.
  • Network and Information Systems Directive (NIS) — This directive details requirements for operators of essential services (critical infrastructure) and related digital service providers. These operators work in all kinds of industries: energy, transport, finance, healthcare, water, telecom, and digital infrastructure, to name a few. Companies that suffer an IT attack, significant breach, or service outage must notify the national authority within 48 hours and report the damage to their IT infrastructure.
  • EU Payment Services Directive 2 (PSD2) — The EU financial sector is regulated by PSD2, coupled with the related Regulatory Technical Standard. It requires “dynamic linking,” which means that the payment amount and the payee of the transaction must be linked to the user through strong authentication. Fulfilling PSD2 requirements can be achieved with PKI devices, like the YubiKey, that support both authentication and digital signatures.
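To make the PSD2 dynamic-linking requirement concrete, here is an added Python example (written for this edit, not code from the post or from Yubico) that binds an authentication code to the bank’s challenge, the amount and the payee using an HMAC over a constructed per-user secret; a PKI device would instead sign the same bytes with its private key, but the property is identical: any change to the amount or payee after the user approved it invalidates the code.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical per-user secret shared with the user's authenticator.
# Constructed for this example only; a real deployment keeps it inside
# the device (or uses a private key on a PKI token), never in source.
USER_SECRET = b"constructed-demo-secret-not-for-real-use"


def canonical_transaction(amount: str, currency: str, payee: str) -> bytes:
    """Serialize the transaction so both sides MAC exactly the same bytes."""
    fields = {"amount": amount, "currency": currency, "payee": payee}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def new_challenge() -> bytes:
    """Fresh random challenge from the bank, so a code cannot be replayed."""
    return secrets.token_bytes(16)


def authenticator_code(secret: bytes, challenge: bytes, amount: str,
                       currency: str, payee: str) -> str:
    """Authenticator side: the code covers the challenge AND the transaction."""
    msg = challenge + canonical_transaction(amount, currency, payee)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def bank_verify(secret: bytes, challenge: bytes, amount: str, currency: str,
                payee: str, code: str) -> bool:
    """Bank side: recompute over the transaction it is about to execute."""
    expected = authenticator_code(secret, challenge, amount, currency, payee)
    return hmac.compare_digest(expected, code)


def demo() -> tuple:
    """Returns (genuine accepted, altered amount rejected, altered payee rejected)."""
    chal = new_challenge()
    payee_a, payee_b = "constructed-payee-A", "constructed-payee-B"
    code = authenticator_code(USER_SECRET, chal, "100.00", "EUR", payee_a)
    ok = bank_verify(USER_SECRET, chal, "100.00", "EUR", payee_a, code)
    amount_swap = bank_verify(USER_SECRET, chal, "1000.00", "EUR", payee_a, code)
    payee_swap = bank_verify(USER_SECRET, chal, "100.00", "EUR", payee_b, code)
    return ok, not amount_swap, not payee_swap


if __name__ == "__main__":
    print(demo())
```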

Achieving global compliance with strong multi-factor authentication

In addition to the US and EU regulations mentioned above, ISO has created the global IT-security standard ISO/IEC 27001. This is an important auditing standard focused on information security management. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). A strong ISMS helps organizations secure their information assets. Organizations that meet the standard’s requirements can choose to be certified by an accredited certification body following successful completion of an audit.

It’s not a simple regulatory landscape, so IT managers need to stay updated on all the security acts, regulations, directives, audits and certifications across the globe. They all either implicitly or explicitly require strong authentication solutions. Being in violation of these regulations isn’t a place you want to be. There are hefty fines, or even jail time for responsible managers if the violation is serious enough. Strong authentication makes sense anyway because phishing is the most common IT attack, accounting for 22 percent of all IT security incidents.

Investing in multi-factor authentication solutions, like the YubiKey 5 Series or YubiKey FIPS Series, is a recommended approach to fight off phishing attacks and intrusions, and has the added benefit of keeping you compliant. To learn more about how the YubiKey can help your organization meet stringent compliance requirements, visit: https://www.yubico.com/solutions/cybersecurity-compliance/.
