
LAWS AND REGULATIONS ON INFORMATION SECURITY

Argentina
Personal Data Protection Act of 2000 (aka Habeas Data)
Data Protection infringements and penalties. Provision 1/2003
Security measures for the treatment and maintenance of personal data contained in files,
records, databanks or databases. Provision 11/2006
BANCO CENTRAL DE LA REPÚBLICA ARGENTINA, COMUNICACIÓN A 4609 (12/2006)
Ley de Delitos Informáticos (2008), Ley 26.388

Austria
Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999
(Datenschutzgesetz 2000 or DSG 2000)

Australia
Privacy Act of 1988
Protective Security Framework June 2010 (Australian Government Attorney-General's
Department (AGD))
Prudential Standard CPS232 Business Continuity Management (Australian Prudential
Regulation Authority (APRA))
Prudential Standard SPS232 Business Continuity Management
Prudential Standard APS 222 Associations with Related Entities (APRA)
Prudential Standard CPS 231 Outsourcing (APRA)
Prudential Practice Guide PPG 231 Outsourcing (APRA)
Prudential Practice Guide SPG 231 Outsourcing (APRA)
Prudential Practice Guide CPG 233 Pandemic Planning (APRA)
Prudential Practice Guide CPG 234 Management of Security Risk in Information and
Information Technology (APRA)
Prudential Practice Guide LPG 232 Business Continuity Management (APRA)
Prudential Practice Guide SPG 232 Business Continuity Management (APRA)

Victorian Legislation
Crimes Act 1958 (Vic.)
Essential Services Act 1958 (Vic)
Evidence Act 2008 (Vic)
Freedom of Information Act 1982 (Vic)
Surveillance Devices Act 1999 (Vic)
Audit Act 1994 (Vic)
Employment Law Act 2009
Public Records Act 1973 (Vic)
Australian Security Intelligence Organisation Act 1979 (Cth)

Commonwealth
Crimes Act 1914 (Cth)
Criminal Code Act 1995 (Cth)
Cybercrime Act 2001 (Cth)
Electronic Transactions Act 1999 (Cth)
Intelligence Services Act 2001 (Cth)
National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth)
Privacy Act 1988 (Cth)
Spam Act 2003 (Cth)
Telecommunications Act 1997 (Cth)
Telecommunications (Interception and Access) Act 1979 (Cth)
Do Not Call Register Act 2006

Standards
Telemarketing and Research Industry Standard 2007
Fax Marketing Industry Standard 2011
Data deletion standards
Victorian Electronic Records Strategy (VERS)
Victorian Recordkeeping Standards

Bahamas
Disaster Preparedness and Response Act 2006; Emergency Relief Guarantee Fund Act 1999
(National Emergency Management Agency (NEMA))
PU19-0406 Supervisory and Regulatory Guidelines Business Continuity 1st May 2007
(The Central Bank of the Bahamas)

Barbados
Operational Risk Guidelines, June 2007 (The Central Bank of Barbados)

Belgium
Belgium Data Protection Law and Belgian Data Privacy Commission Privacy Blog
The National Bank of Belgium (NBB)
The Financial Services and Markets Authority (FSMA)

Bolivia

Bosnia and Herzegovina
Personal Data Protection Act / Zakon o zaštiti ličnih podataka (Sl. glasnik BiH broj: 49/06)
Rulebook on the manner of keeping, and the form of, the register of personal data collections / Pravilnik o načinu vođenja i obrascu evidencije o zbirkama ličnih podataka (Sl. glasnik BiH broj: 52/09)
Rulebook on the manner of storage and special measures of technical protection of personal data / Pravilnik o načinu čuvanja i posebnim mjerama tehničke zaštite ličnih podataka (Sl. glasnik BiH broj: 67/09)
Rulebook on inspection supervision in the field of personal data protection / Pravilnik o inspekcijskom nadzoru u oblasti zaštite ličnih podataka (Sl. glasnik BiH broj: 51/09)
Rulebook on the procedure for data-subject complaints before the Personal Data Protection Agency of Bosnia and Herzegovina / Pravilnik o postupku po prigovoru nosioca podataka u Agenciji za zaštitu ličnih podataka u Bosni i Hercegovini (Sl. glasnik BiH broj: 51/09)
Instruction on the manner of verifying personal data processing before establishing a personal data collection / Instrukcija o načinu provjere obrade ličnih podataka prije uspostavljanja zbirke ličnih podataka (Sl. glasnik BiH broj: 76/09)

Brazil
Constituição Federal, arts. 5, 23, 37 and 216
Código Civil, arts. 927 and 932
Consolidação das Leis do Trabalho (CLT), art. 482
Código de Conduta da Alta Administração, arts. 5 and 14
Decreto nº 1.171/94 (Código de Ética do Servidor Público), Sections I and II
Código de Defesa do Consumidor, arts. 43 and 44
Código Penal, arts. 151-154, 184, 266, 297, 298, 305, 307, 311, 313, 314, 325
Código de Processo Penal, arts. 20, 207, 745
Código Tributário Nacional, art. 198
Código de Processo Civil, arts. 347 and 406
Lei nº 12.965, de 23 de abril de 2014 (Marco Civil da Internet)

Bulgaria
Law on classified information (SG No. 109/2007)
Law on personal data protection (SG No. 57/2007)
Law on free access to public information (SG No. 49/2007)
Telecommunications Act, promulgated State Gazette No. 88/7.10.2003, effective 7.10.2003,
amended and supplemented, SG No. 19/1.03.2005, SG No. 77/27.09.2005, SG No.
88/4.11.2005
E-Commerce Law (SG No. 41/2007)
Law for data in electronic form and electronic signature (SG No. 38/2007)
Law on Copyright and related rights (SG No. 59/2007)
Law on electronic data (SG No. 109/2007)
Law on electronic management (SG No. 46/2007)
Law on crisis management (SG No. 78/2007)

Canada
The Privacy Act July 1983
Personal Information Protection and Electronic Documents Act (PIPEDA)
Emergency Management Act of 2007 (Canadian Government)
Emergency Management & Civil Protection Act Ontario Regulation (Province of Ontario)
Ontario Regulation 380/04
IDA By-Law 17.19 Business Continuity Plan Requirement (OSC (Ontario Securities
Commission))
Letter to Federally Regulated Financial Institutions, Insurance Companies, CBA etc March
2006

Chile
Act on the Protection of Personal Data, August 1998

China (People's Republic of China)
Guidelines on the Risk Management of Commercial Banks' Information Technology
Information Security Technology Guide of Personal Information Protection (released 30 Jan
2011, draft and under consultation)

Colombia
Two laws affecting data privacy: Law 1266 of 2008 and Law 1273 of 2009
Ley 599 de 2000, copyright: Article 270, violation of the moral rights of authors.
Ley 599 de 2000: the law enacting the Penal Code. It kept the structure of the offence of unlawful violation of communications, created the protected legal interest of copyright, and incorporated some conduct indirectly related to computer crime, such as offering, selling or buying a device capable of intercepting private communication between persons. It defined the offence of abusive access to a computer system as follows: Art. 195. Whoever abusively enters a computer system protected by a security measure, or remains in it against the will of the person entitled to exclude them, shall be liable to a fine.
Decreto 2649 de 1993, article 134: retention of financial information records
Resolución 0275 de 2001, corporate governance (Superintendencia de Valores): establishes the requirements that public and private legal entities must meet in order to receive investment of pension fund resources
Ley 527 de 1999, electronic commerce: defines and regulates access to and use of data messages, electronic commerce and digital signatures, establishes certification entities, and issues other provisions.
Habeas data: the purpose of this law is to give effect to the constitutional right of all persons to know, update and rectify the information collected about them in data banks, and the other constitutional rights, freedoms and guarantees relating to the collection, processing and circulation of personal data, as referred to in article 15 of the Constitution, as well as the right to information established in article 20 of the Constitution, particularly with regard to financial and credit information, commercial and service information, and information originating from third countries.
Circular 052 de 2007 (Superintendencia Financiera de Colombia): Circular 052 of the Superintendencia Financiera is a set of good practices for the Colombian financial sector intended to establish a fundamental reference for the development of information security in Colombia. Under this circular, banks and financial institutions must protect all of their customer service channels against fraud and reputational risk. Some of the practices they must implement to achieve this include registration, storage, video surveillance, firewalls and other IT protection systems, and contingency plans based on high-availability data centres, among others.
Circular Externa No. 002 of 6 January 1998, issued by the Superintendencia Financiera: security of financial transactions carried out with credit and debit cards at ATMs, points of service in commercial establishments, and offices of financial institutions
Ley 1221 de 2008: regulates telework in Colombia (a form of work organisation consisting of performing paid activities or providing services to third parties using information and communication technologies as support)
Ley 1480 de 2011, Consumer Statute: its main objective is to protect, promote and guarantee the effectiveness and free exercise of consumer rights. It establishes the protection rules for electronic commerce.
Proyecto de Ley Estatutaria 046 de 2010, a bill laying down general provisions for the protection of personal data
Ley No. 1273 de 2009, which amends the Penal Code, creates a new protected legal interest called "protection of information and data", and comprehensively preserves systems that use information and communication technologies, among other provisions.
Ley Estatutaria 1581 de 2012, laying down general provisions for the protection of personal data. Article 1, Purpose: this law is intended to give effect to the constitutional right of all persons to know, update and rectify the information collected about them in databases or files, and the other constitutional rights, freedoms and guarantees referred to in article 15 of the Constitution, as well as the right to information enshrined in its article 20.
Decreto 1377 de 2013, which partially regulates Ley 1581 de 2012, the law laying down general provisions for the protection of personal data.

Costa Rica
Ley 9048, Ley de Delitos Informáticos.

Croatia (Hrvatska)
Laws and regulations applicable to all organizations:
Personal Data Protection Act (Official Gazette 103/03) and Act on Amendments and Addenda to the Personal Data Protection Act (Official Gazette 41/08) / Zakon o zaštiti osobnih podataka (NN 103/03) i Zakon o izmjenama i dopunama Zakona o zaštiti osobnih podataka (NN 41/08): require that all personal data be adequately protected
Law on protection and rescue (Official Gazette 174/04) / Zakon o zaštiti i spašavanju (NN 174/04): article 18 in effect requires all legal entities to prepare business continuity plans
Electronic Document Act (Official Gazette 150/2005) / Zakon o elektroničkoj ispravi (NN 150/05): article 20 prescribes the security measures an electronic archive must provide; article 25 provides for the certification of information and communication equipment for state administration bodies
Regulation on the procedure for storage and special measures relating to the technical protection of special categories of personal data (Official Gazette 139/04) / Uredba o načinu pohranjivanja i posebnim mjerama tehničke zaštite posebnih kategorija osobnih podataka (NN 139/04): specifies in more detail the protection measures for personal data collections containing so-called special categories

Laws and regulations applicable to government bodies:
Information Security Act (Official Gazette 79/07) / Zakon o informacijskoj sigurnosti (NN 79/07): mandates the introduction of information security in all state administration bodies
Regulation on Information Security Measures (Official Gazette 46/08) / Uredba o mjerama informacijske sigurnosti (NN 46/08): prescribes how the Information Security Act is to be implemented
Data Secrecy Act (Official Gazette 79/07) / Zakon o tajnosti podataka (NN 79/07): prescribes how data are classified according to secrecy, access to them, and their protection
Regulation on classified information marking, the content and form of security clearance and statement on classified information handling (Official Gazette 102/07) / Uredba o načinu označavanja klasificiranih podataka, sadržaju i izgledu uvjerenja o obavljenoj sigurnosnoj provjeri i Izjave o postupanju s klasificiranim podacima (NN 102/07)
Security Vetting Act (Official Gazette 85/08) / Zakon o sigurnosnim provjerama (NN 85/08): system for vetting persons who gain access to classified information
Regulation on the content, form, filling in and handling of the Security Vetting Questionnaire (Official Gazette 114/08) / Uredba o sadržaju, izgledu, načinu ispunjavanja i postupanju s upitnikom za sigurnosnu provjeru (NN 114/08)
Ordinance on criteria for establishing information security advisor positions (Official Gazette 30/11) / Pravilnik o kriterijima za ustrojavanje radnih mjesta savjetnika za informacijsku sigurnost (NN 30/11)

Laws and regulations for banks and other credit institutions:
Decision on Adequate Information System Management (Official Gazette 80/07) / Odluka o primjerenom upravljanju informacijskim sustavom (NN 80/07): precisely defines banks' responsibilities for introducing information security, as well as the deadlines
Guidelines for information system management for decreasing operational risk (Croatian National Bank, March 2006) / Smjernice za upravljanje informacijskim sustavom u cilju smanjenja operativnog rizika (HNB, ožujak 2006)
Decision on outsourcing (Official Gazette 01/09) / Odluka o eksternalizaciji (NN 01/09): mandates a supplier risk assessment in the case of outsourcing, which includes assessment of the risk relating to information protection
Decision on adequate outsourcing risk management (Croatian National Bank, October 2005) / Smjernice za adekvatno upravljanje rizikom eksternalizacije (HNB, listopad 2005)
Guidelines for managing information system risk in credit unions (Croatian National Bank, November 2007) / Smjernice za ovladavanje rizikom informacijskog sustava u kreditnim unijama (HNB, studeni 2007)
Decision on risk management (Official Gazette 01/09) / Odluka o upravljanju rizicima (NN 01/09): among other things, sets the rules for managing operational risk and, within that risk, management of the information system and information system risk

Laws and regulations for other financial institutions:
Ordinance on the detailed form and minimum scope and content of audit reviews and audit reports of insurance companies (Official Gazette 76/2006) / Pravilnik o detaljnom obliku i najmanjem opsegu te sadržaju revizorskog pregleda i revizorskog izvješća društava za osiguranje (NN 76/06): obliges the auditor, among other things, to check how well the IT systems are protected
Ordinance on operating conditions for authorised companies (Official Gazette 14/2007) / Pravilnik o uvjetima za obavljanje poslova ovlaštenog društva (NN 14/07): articles 12 and 13 prescribe protection of the information system and of documentation for brokerage houses
Ordinance regulating business operations of investment fund management companies (Official Gazette 25/2007) / Pravilnik kojim se uređuje poslovanje društva za upravljanje investicijskim fondovima (NN 25/07): articles 11 and 12 prescribe protection of the information system and of documentation
Ordinance on organisational requirements for providing investment services and conducting investment activities and ancillary services (Official Gazette 5/2009) / Pravilnik o organizacijskim zahtjevima za pružanje investicijskih usluga i obavljanje investicijskih aktivnosti i pomoćnih usluga (NN 5/09): article 4 requires the company to establish and apply systems and procedures that ensure the security, integrity and confidentiality of data, as well as business continuity measures; article 13 prescribes how business documentation and data must be kept

Laws and regulations for telecom operators:
Ordinance on means and deadlines for implementation of safeguards and integrity of networks and services (Official Gazette 109/12) / Pravilnik o načinu i rokovima provedbe mjera zaštite sigurnosti i cjelovitosti mreža i usluga (NN 109/12): Annex 1 (Minimum security measures) directly requires implementation of individual elements of ISO 27001, ISO 27002, ISO 27005 and ISO 22301

Czech Republic
Act on Protection of Personal Data (April 2000) No. 101

Denmark
Act on Processing of Personal Data, Act No. 429, May 2000

Ecuador
Resolution JB-2012-2148: information security on electronic channels (applies to all financial
institutions)
Resolution JB-2014-3066: Information Security Management System based on ISO 27001
and Business Continuity Management System based on ISO 22301 (applies to all financial
institutions)
Ministerial Agreement No. 166: Implementation of Government Scheme of Information
Security based on local NTE ISO 27001 (local ISO based on ISO 27001:2005)
Operational Risk Management Resolution: new resolution that is an improvement of
Resolution JB-2012-2148 and Resolution JB-2014-3066, and requires all financial institutions
to define and implement an ISMS with a limited scope, information security on projects, and
third-party information security management.

Estonia
Personal Data Protection Act of 2003. June 1996, Consolidated July 2002.

European Union
European Union Data Protection Directive of 1998
EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)
Data Protection Act, 1998.
The Electronic Commerce (EC Directive) Regulations 2002.
Regulation of Investigatory Powers Act 2000.
Basel II: BASEL capital accord (April 2003) (Basel Committee on Banking Supervision)
EU General Data Protection Regulation (EU GDPR), 2016

Finland (Suomi)
Act on the Amendment of the Personal Data Act (986) 2000

France
Data Protection Act of 1978 (revised in 2004)

Germany (Deutschland)
Grundgesetz für die Bundesrepublik Deutschland (GG) Art 10
Bundesdatenschutzgesetz (BDSG)
Gesetz zum Schutz personenbezogener Daten (Landesdatenschutzgesetz LDSG) Baden-Württemberg
Bayerisches Datenschutzgesetz (BayDSG) Bayern
Gesetz zum Schutz personenbezogener Daten in der Berliner Verwaltung (Berliner Datenschutzgesetz BlnDSG) Berlin
Gesetz zum Schutz personenbezogener Daten im Land Brandenburg (Brandenburgisches Datenschutzgesetz BbgDSG) Brandenburg
Bremisches Datenschutzgesetz (BremDSG) Bremen
Hamburgisches Datenschutzgesetz (HmbDSG) Hamburg
Hessisches Datenschutzgesetz (HDSG) Hessen
Gesetz zum Schutz des Bürgers bei der Verarbeitung seiner Daten (Landesdatenschutzgesetz DSG M-V) Mecklenburg-Vorpommern
Niedersächsisches Datenschutzgesetz (NDSG) Niedersachsen
Gesetz zum Schutz personenbezogener Daten (Datenschutzgesetz Nordrhein-Westfalen DSG NRW) Nordrhein-Westfalen
Landesdatenschutzgesetz (LDSG) Rheinland-Pfalz
Saarländisches Gesetz zum Schutz personenbezogener Daten (Saarländisches Datenschutzgesetz SDSG) Saarland
Gesetz zum Schutz der informationellen Selbstbestimmung im Freistaat Sachsen (Sächsisches Datenschutzgesetz SächsDSG) Sachsen
Gesetz zum Schutz personenbezogener Daten der Bürger (DSG-LSA) Sachsen-Anhalt
Schleswig-Holsteinisches Gesetz zum Schutz personenbezogener Informationen (Landesdatenschutzgesetz LDSG) Schleswig-Holstein
Thüringer Datenschutzgesetz (ThürDSG) Thüringen
Telekommunikationsgesetz (TKG)
Gesetz über Urheberrecht und verwandte Schutzrechte (UrhG)
Gesetz über den Datenschutz bei Telediensten (TDDSG)
Telemediengesetz (TMG)
Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG)
Aktiengesetz (AktG) § 91 Abs. 2 und § 93 Abs. 2 AktG
GmbH-Gesetz (GmbHG) § 43 Abs. 1 GmbHG
Handelsgesetzbuch (HGB) § 317 Abs. 4 und § 317 Abs. 2 HGB
Kreditwesengesetz (KWG)
Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen (GDPdU)
Grundsätze ordnungsmäßiger DV-gestützter Buchführungssysteme (GoBS)
Abgabenordnung (AO) § 147 AO
MaRisk
Strafgesetzbuch (StGB) §§ 202 und 203 StGB
Postgesetz (PostG)
Verordnung über den Datenschutz bei der geschäftsmäßigen Erbringung von Postdiensten (Postdienste-Datenschutzverordnung PDSV)
Sozialgesetzbuch (SGB) SGB X
Gesetz über die Voraussetzungen und das Verfahren von Sicherheitsüberprüfungen des Bundes (SÜG)
Gesetz zur Stärkung der Sicherheit in der Informationstechnik des Bundes

Greece
Law 2472/1997 on Protection of Individuals with regard to the Processing of Personal Data
Law 3471/2006 on Protection of personal data and privacy in the electronic
telecommunications
Law 3917/2011 on Retention of data generated or processed in connection with the provision
of publicly available electronic communications services or of public communications
networks, use of surveillance systems by taking or recording audio or video in public areas
and related provisions
Regulation 26/2004 on Conditions for the lawful processing of personal data for purposes of
direct marketing or advertising and credit assessment
Common Act of National Data Protection Authority and Authority for Telecommunications
Security regarding the Security Requirements for systems processing personal data in order
to respond to legal requests for data
Law 3614/2008 titled Strengthening the institutional framework to safeguard the
confidentiality of telephone communications and other provisions
Regulation 1742/15-7-2013 on Security and Availability of Networks and Electronic
Communication Services
Regulation 384/24-3-2005 on Secrecy Assurance for Postal Services
Regulation 165/2011 on telecommunications security
Presidential Decree 47/2004 for privacy waiver and lawful interception
Article 19 of Greek Constitution on confidentiality of correspondence and communication
Law 2225/94 on Protection and freedom of communications
Law 3917/11 on Retention of data that are intended for processing for legal purposes
Law 4174/2013 on Taxation procedures and relevant processes
Guideline 1/2005 of Greek Data Protection Authority for destroying personal data archives
Law 3758/2009 on Requirements For Collection Organizations and other issues

Guatemala

Guernsey
Data Protection (Bailiwick of Guernsey) Law of 2001

Honduras
Comisión Nacional de Bancos y Seguros, Normas para Regular la Administración de las Tecnologías de Información y Comunicaciones en las Instituciones del Sistema Financiero (rules regulating the management of information and communication technologies in financial system institutions), Circular CNBS No. 119/2005

Hong Kong
Personal Data (Privacy) Ordinance (Office of the Privacy Commissioner for Personal Data,
the Government of the Hong Kong Special Administrative Region)
Business continuity planning supervisory policy manual TM-G-2 (The Hong Kong Monetary
Authority)
Circular to licensed corporations: Business continuity planning against serious
communicable diseases (Securities and Futures Commission of Hong Kong)
HKMA Supervisory Policy Manual, BCP TM-G-2 V1 02.12.02 (Hong Kong Monetary Authority)
HKMA Supervisory Policy Manual, General Principles for Technology Risk Management TM-
G-1 V.1 24.06.03 (Hong Kong Monetary Authority)
HKMA, Supervisory Policy Manual, Supervision of E-Banking TM-E-1 V.1 17.02.04 (Hong
Kong Monetary Authority)
IT Security Guidelines G3 (Information Technology Services Department, the Government of the
Hong Kong Special Administrative Region)
Management, Supervision and Internal Control Guidelines (the Internal Control Guidelines)
(Securities and Futures Commission of Hong Kong)

Hungary
Act No. CVIII of 2001 on certain issues of electronic commerce services and information
society services
Act No. XXXV of 2001 on Electronic Signatures
Act No. C of 2003 on Electronic Communications
Act No. CXL of 2004 on the General Rules of Administrative Proceedings and Services
Act No. CLV of 2009 on the Protection of classified information
Act No. CLVII of 2010 on the Protection of the national data assets
Act No. CXII of 2011 on Informational self-determination and Freedom of information
(replacing Act No. LXIII of 1992)
Act No. CLXVI of 2012 on the identification, designation and protection of critical
infrastructures
Act No. L of 2013 on Electronic Information Safety of Governmental and Municipal
Organisations

Iceland
Act on the Protection of Individuals with regard to the Processing of Personal Data (Jan 2000)

Ireland
Data Protection Act 1988 and Amendment Act 2003
The Electronic Privacy Regulations 2011 (S.I. 336 of 2011) giving effect to the EU ePrivacy
Directive 2002/58/EC
The Criminal Damage Act 1991, Sections 2, 3, 4, 5
The Criminal Justice (Theft and Fraud Offences) Act 2001, Section 9
Child Trafficking and Pornography Act 1998
British-Irish Agreement Act, 1999, Section 51 Data protection in cross-border bodies
Companies Acts 1963-2013
Electronic Commerce Act 2000
Copyright and Related Rights Act 2000
Defamation Act 2009
Consumer Protection Act 2007
EC (Protection of Consumers in respect of contracts made by means of distance
communication) Regulations 2001
Employment (Information) Act 1994
Employment Equality Acts 1998 and 2004
Unfair Dismissal Acts, 1997 to 2001
European Convention of Human Rights Act 2003
Others which may be worth reviewing:
Communications (Retention of Data) Act 2011 for Internet and Telephone Service Providers
Freedom of Information Acts 1997 and 2003 for public sector bodies
The Official Languages Act 2003 for public sector bodies
Offences Against the State Act Section 30
The Convention on Cybercrime is signed but not yet ratified by Ireland as of 1/5/2013

India
Information Technology Act as amended by Act of 2008
The Information Technology (Amendment) Bill, 2006
.IN Domain Name Registration Policy
Semiconductor Integrated Circuits Layout-Design Rules, 2001
Semiconductor Integrated Circuits Layout Design Act 2000
Rules for Information Technology Act 2000
.IN Domain Name Dispute Resolution Policy
Gujarat Information Technology Rules, 2004
Karnataka Cyber Cafe Regulations
Information Technology Act, 2000
India BCP (1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3.
National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE))
Companies Act, 1956
Income Tax Act, 1961
Employees Provident Fund Act, 1952

Indonesia
Information and Electronic Transaction Law / Undang-Undang Informasi dan Transaksi
Elektronik (UU No. 11 of 2008)
Regulation No 9/15/PBI/2007 (Bank Indonesia)
Regulation no. 6/8/PBI/2004 (Bank Indonesia)
Indonesia BCP (Bank Indonesia (Central Bank))

Israel

Iran

Italy
Unique Text on Privacy, Decreto Legislativo n. 196 del 30 giugno 2003 (Testo unico sulla
Privacy)
Protection of persons and other subjects related to the processing of personal data, Legge L.
675/1996 del 31 dicembre 1996 (Tutela delle persone e di altri soggetti rispetto al trattamento
dei dati personali), superseded by D.Lgs 196/2003
Guidelines for implementation, management and maintenance of Business Continuity in the
Banking Sector (ABI, Association of Italian Banks)
Guidelines for Crisis Management in the Banking Sector (ABI, Association of Italian Banks)

Japan
Personal Information Protection Law (Act)
Law for the Protection of Computer Processed Data Held by Administrative Organs,
December 1988.
Business Continuity at Bank of Japan (BOJ (Bank of Japan))
Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA (FISC
(The Centre for Financial Industry Information System))

Jordan
E-Transactions Law, 2001
Freedom of Information Act, 2007
Cyber Crime Law, 2010
Protection of National Secrets and Documents, 1971

Kazakhstan
Government Regulation as of 30 Sept 2005, Instruction #359 (Financial Control Agency of
Kazakhstan)

Kenya
Central Bank (CBK) Prudential Guidelines on BCM for Institutions Licensed under the Banking
Act. (The Central Bank of Kenya)

Korea
Personal Information Protection Act
Act on Promotion of Information and Communication Network Utilization and Information
Protection
Act on Prevention of Divulgence and Protection of Industrial Technology
Unfair Competition Prevention and Trade Secret Protection Act

Kosovo (Kosovë)

Kuwait

Latvia
IT security policies and regulations:
Information technology security law
Information technology security measures for critical infrastructure planning and
implementation arrangements (February 2011)
Regulations on electronic communications companies information to be included in the Action
Plan, the follow-up plan and the procedure for end users (April 2011)
Procedures for ensuring information and communication technology systems in compliance
with the minimum safety requirements (July 2015)
The Electronic Communications Law
State Information Systems Law
State Information System General safety requirements (October 2005)
National Security Concept
Information systems security test guidelines
Information security management system implementation guidance

Other:
BCM provision for Payment and Securities Settlement Systems in Latvia (Latvijas Banka
(Bank of Latvia))

Lithuania
Law on Legal Protection of Personal Data (June 1996)

Luxembourg
Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal
Data

Macedonia
Law on classified information 9/2004 (last change 113/2007)
Law on personal data protection 7/2005
Law on free access to public information 13/2006
Law on electronic communications 13/2005 (last change 55/2007)
Law on communications monitoring 121/2006
Law on electronic governance
E-Commerce Law 133/2007
Law for data in electronic form and electronic signature 34/2001 (last change 06/2002)
Law on Copyright and related rights 47/1996 (last change 131/2007)
Law on industrial property 47/2002 (last change 79/2007)
Criminal code 37/1996 (last change 7/08)

Malaysia
Common Law principle of confidentiality
Personal Data Protection Bill
Banking and Financial Institutions Act of 1989 privacy provisions
BNM/RH/GL013-3 Guidelines on BCM for Banking Institutions July 2008 (Bank Negara
Malaysia (BNM), Central Bank of Malaysia)
Guidelines on Management of IT Environment (Bank Negara Malaysia (BNM), Central Bank
of Malaysia)
Cyberlaws in Malaysia (Digital Signature Act 1997; Computer Crime Act 1997; Telemedicine
Act 1997; The Copyright (Amendment) Act 1997; The Communications and Multimedia Act
1998; The Electronic Government Activities Act 2007)

Malta
Data Protection Act (Act XXVI of 2001), Amended March 22, 2002, November 15, 2002 and
July 15, 2003
Guidelines on Business Continuity and Contingency Procedures (The Central Bank of Malta)

Mexico
Ley Federal de Transparencia y Acceso a la Información Pública Gubernamental (last
amended 2006). Applicable to the Federal Government.
Manual Administrativo de Aplicación General en Materia de Tecnologías de Información y
Comunicaciones (2010). Applicable to the Federal Government.
Ley Federal de Protección de Datos Personales en Posesión de Particulares (2010).
Applicable to natural and legal persons.

Montenegro (Crna Gora)

Morocco
Data Protection Act

Netherlands
Personal Data Protection Act 2000
Data Breach Notification Requirement Act 2016

New Zealand
Privacy Act, May 1993; Privacy Amendment Act, 1993; Privacy Amendment Act, 1994
The Civil Defence & Emergency Management Act (2002)
Official Information Act, 1982
Public Records Act, 2005
New Zealand Cyber Security Strategy, June 2011

Nigeria
Data Protection Act 1998
Computer Security and Critical Information Infrastructure Protection Bill 2005

Norway
Personal Data Act (April 2000) Act of 14 April 2000 No. 31 Relating to the Processing of
Personal Data (Personal Data Act)

Panama

Pakistan
Risk Management Guidelines for Commercial Banks and DFIs (State Bank of Pakistan
(SBP))

Paraguay

Peru
Ley N° 29733, Ley de Protección de Datos Personales

Philippines
542 (Philippines Central Bank)
269 (Philippines Central Bank)
268 (Philippines Central Bank)
Manila Bank BCP (Bank of Central Philippines (local central bank))

Poland
Act of the Protection of Personal Data (August 1997)
Business Continuity of Payment and Security Settlement Systems Infrastructure (The
National Bank of Poland)

Portugal
Act on the Protection of Personal Data (Law 67/98 of 26 October)
Act on Attacks Against Information Systems (Law 109/2009 of 15 September)

Qatar
Cyber crime law (law no. 14 of 2014)
National Information Assurance Policy

Romania
Law No. 677/2001 on Protection of Persons concerning the Processing of Personal Data and
the Free Circulation of Such Data
Law No. 506/2004 on Personal data processing and privacy in the electronic communications
sector
Law No. 8/1996 on copyright and related rights

Russia
Personal Data (Law #152 of 26 January 2006)
STO BR IBBS-1.0-2010 (Central Bank of the Russian Federation (STO BR IBBS-1.0-2006))
242-P (Central Bank of the Russian Federation)

Saudi Arabia
Telecommunications Act & Bylaws Royal Decree No. M/12
Anti-Cyber Crime Law Royal Decree No. M/17
Electronic Transactions Regulation Royal Decree No. M/18
Law for Publishing and Disclosing Confidentials and Information Royal Decree No. M/35

Senegal
Law No.2008-08 on Electronic Transactions
Law No.2008-09 on Copyright and Related Rights
Law No.2008-10 on Orientation Law on the Information Society
Law No.2008-11 on Cybercrime
Law No.2008-12 on Protection of Personal Data

Serbia
Singapore
The E-commerce Code for the Protection of Personal Information and Communications of
Consumers of Internet Commerce.
MAS Business Continuity Management Guidelines (June 2003) (MAS (Monetary Authority of
Singapore))
SGX Member Rules Effective 22 January 2009 (SGX (Singapore Exchange Limited))
Computer Misuse and Cybersecurity Act (1998, Renamed in 2013)
Personal Data Protection Act 2012 (January 2013)
MAS Technology Risk Management (TRM) Notice and Guidelines June 2013 (Monetary
Authority of Singapore)

Slovak Republic
Act No. 428 of 3 July 2002 on Personal Data Protection.

Slovenia
Personal Data Protection Act, RS No. 55/99.

South Africa
Ministry for Provincial & Local Government Disaster Management Act, 2002
Major Hazard Installation Regulations, 1993 (Occupational Health & Safety)
SAMOS and CLS Business Continuity Procedures SA Reserve Bank (South African
Reserve Bank National Payment System Department)

South Korea
The Act on Promotion of Information and Communications Network Utilization and Data
Protection of 2000
Act on Assistance to the Autonomous Activities of Enterprises for Disaster Mitigation (National
Emergency Management Agency (NEMA))
Korea BCP (Financial Supervisory Commission)
Supervisory Guidelines for BCP (New Basel Accord Office, Financial Supervisory Service
(FSS))

Spain (España)
Royal Legislative Decree 1/1996 of 12 April, approving the consolidated text of the Intellectual Property Law.
Organic Law 15/1999 of 13 December on the protection of personal data.
Royal Decree 1720/2007 of 21 December, approving the Regulation implementing Organic Law 15/1999 of 13 December on the protection of personal data.
Law 59/2003 of 19 December on electronic signatures.
Law 56/2007, the Law for the Promotion of the Information Society.
Law 11/2007 of 22 June on citizens' electronic access to public services.
Royal Decree 1671/2009 of 6 November, partially implementing Law 11/2007 of 22 June on citizens' electronic access to public services.
Royal Decree 3/2010 of 8 January (BOE of 29 January), regulating the National Security Framework (Esquema Nacional de Seguridad) for electronic government.
Royal Decree 4/2010 of 8 January, regulating the National Interoperability Framework (Esquema Nacional de Interoperabilidad) for electronic government.
Royal Decree 704/2011 of 20 May, approving the Regulation on the protection of critical infrastructures.

Other documents issued by public bodies (non-law status):

Magerit version 2: Methodology for Risk Analysis and Management of Information Systems
CCN-STIC guides for the security of public administration systems

Sri Lanka
Guidelines on Business Continuity Planning (Insurance Board of Sri Lanka)

Sudan
Switzerland
The Federal Law on Data Protection of 1992
FINMA Recommendations for BCM: Nov 2007 (Swiss Financial Market Supervisory Authority)
SFBC 06/6 (Swiss Federal Banking Commission (SFBC))
SFBC 06/3 (SFBC)
SBA Self Regulation (Swiss Bankers Association)

Sweden
Personal Data Protection Act (1998:204), October 24, 1998
Regulations and General Guidelines regarding information security, IT operations and deposit
systems (Finansinspektionens (FSA) Regulatory Code FFFS 2014:5)

Taiwan
Computer-Processed Personal Data Protection Law (applies only to public institutions)

Thailand
Official Information Act (1997) for state agencies
118/2550 Policy on BCM and BCP for Financial Institutions (Bank of Thailand)

Turkey
Laws:
Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publications
Law No. 5809, Electronic Communications Law
Law No. 5070, Electronic Signature Law
Law No. 6102, Turkish Commercial Code (TTK), art. 18.3: registered electronic mail
Law No. 6102, Turkish Commercial Code (TTK), art. 57: unfair competition
Law No. 6102, Turkish Commercial Code (TTK), art. 64: unfair competition
Law No. 6102, Turkish Commercial Code (TTK), art. 65: unfair competition
Law No. 6102, Turkish Commercial Code (TTK), art. 1524: electronic transactions and information society services
Law No. 6698, Personal Data Protection Law (KVKK)
Law No. 6563 on the Regulation of Electronic Commerce
Law No. 5237, Turkish Penal Code, art. 239
Law No. 5237, Turkish Penal Code, art. 244
Law No. 5271, Criminal Procedure Code, art. 134: search, copying and seizure of computers, computer programs and computer logs
Law No. 5846, Law on Intellectual and Artistic Works (FSEK)

Regulations:
Regulation on Games of Chance Played in Virtual Environments (Official Gazette No. 26108 of 14 March 2006)
Regulation on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Official Gazette No. 28363 of 24 July 2012)
Regulation on Distance Contracts (Official Gazette No. 27866 of 6 March 2011)
Regulation on the Procedures and Principles Regarding the Registered Electronic Mail System (Official Gazette No. 28036 of 28 August 2011)
General Communiqué on Electronic Ledgers (Official Gazette No. 28141 of 13 December 2011)
Regulation on the Facilitation of Customs Procedures (Official Gazette No. 28524 of 10 January 2013)
Regulation on the Procedures and Principles Regarding the Regulation of Publications on the Internet (Official Gazette No. 26716 of 30 November 2007)
Regulation on the Procedures and Principles for the Implementation of the Electronic Signature Law (Official Gazette No. 25692 of 6 January 2005)
Regulation on the Procedures and Principles for the Detection, Interception, Evaluation of Signal Information and Recording of Communications Made via Telecommunications, and on the Establishment, Duties and Powers of the Telecommunications Communication Presidency (Official Gazette No. 25989 of 10 November 2005)
Regulation on the Supervision of Communications Made via Telecommunications and the Implementation of Undercover Investigator and Technical Surveillance Measures (Official Gazette No. 26434 of 14 February 2007)
Regulation on Internet Domain Names (Official Gazette No. 27752 of 7 November 2010)

Uganda
Computer Misuse Act (2011)
Electronic Transactions Act (2011)
Electronic Signatures Act (2011)

United Kingdom
UK Data Protection Act 1998
UK Electronic Communications Act 2000
The Consumer Protection Regulations 2000
Freedom Of Information Act 2000
The Telecommunications (Lawful Business Practice and Interception of Communications)
Regulations 2000
Computer Misuse Act 1990
The Electronic Signatures Regulations 2002
The Telecommunications (Data Protection & Privacy, Direct Marketing) Regulations 1999
The Consumer Protection (Distance Selling) Regulations 2003
Regulation of Investigatory Powers Act 2000 (RIPA)
Civil Contingencies Act (2004 & 2005) (UK Government)
Business Continuity Practice Guide: 2006 (UK Tripartite Authorities: Financial Services
Authority (FSA), HM Treasury, Bank of England)
Copyright, Designs and Patents Act 1988 (CDPA)
Companies Act 2006 contains a number of provisions concerning records and
communications
The Human Rights Act 1998 (HRA)
The Privacy and Electronic Communications Regulations 2003

United States
6 CFR Part 29 Procedures for Handling Critical Infrastructure Information (Department of
Homeland Security)
ACH Rules Book of 2001 (National Automated Clearing House Association NACHA)
Adam Walsh Child Protection and Safety Act of 2006
Cable Communications Policy Act (Cable Act) of 1984
California SB 1386 Security of Non-encrypted Customer Information of 2003 (State of
California) and progeny
The California Online Privacy Protection Act of 2004
Children's Internet Protection Act (CIPA) of 2001
Children's Online Privacy Protection Act (COPPA) of 1998
Communications Assistance for Law Enforcement Act (CALEA) of 1994
Computer Fraud and Abuse Act (CFAA) of 1986 (FTC Federal Trade Commission)
Computer Security Act of 1987 (superseded by the Federal Information Security
Management Act (FISMA))
Consumer Credit Protection Act (CCPA) of 1992 Section 2001 Title IX Electronic Funds
Transfer
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
Defense Federal Acquisition Regulation Supplement (DFARS) (aka NIST 800-171)
Deleting Online Predators Act of 2006
The Digital Millennium Copyright Act of 1998
DoD Information Assurance Risk Management Framework (DIARMF)
Driver's Privacy Protection Act of 1994
Electronic Communications Privacy Act (ECPA) of 1986
Electronic Freedom of Information Act (E-FOIA) of 1996
Electronic Fund Transfer Act (EFTA) (OCC)
Fair and Accurate Credit Transactions Act (FACTA) including Red Flags rule
Family Educational Rights and Privacy Act (FERPA; also known as the Buckley Amendment) of
1974
Federal Acquisition Regulation (FAR): Electronic Funds Transfer Final Rule (Securities and
Exchange Commission)
Federal Information Security Management Act (FISMA) of 2002 (FTC)
Federal Risk and Authorization Management Program (FedRAMP)
Federal Trade Commission Act (FTCA) of 1999
FERC COOP 2007: FERC RM01-12-00 (FERC Federal Energy Regulatory Commission)
FFIEC FIL 67-97/82-96 (FFIEC Federal Financial Institutions Examination Council)
FFIEC Policy SP-5 (FFIEC Federal Financial Institutions Examination Council)
FIPA Florida Information Protection Act of 2014
Foreign Corrupt Practices Act 1977 (P.L 95-213)
Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999
Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule #7.
Contingency Plan 164.308 (a)(7)(i) / HITECH Act
Inter-Agency Policy of 1997 from Federal Financial Institutions Examination Council (FFIEC)
Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial
System of 2003 Federal Reserve System; OCC (Office of the Comptroller of the Currency);
SEC (Securities and Exchange Commission)
Internet Gambling Prohibition and Enforcement Act
IRS Procedure 91-59 (superseded IRS Procedure 86-19) (IRS Internal Revenue Service)
Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of
Residents of the Commonwealth of 2010
Minnesota Plastic Card Security Act (PCSA) of 2007
NASD Rule 108 (Sept 9, 02) and SR-NASD 2002-112 (March 10 2003)(Release No. 34-
48503: File NO SR-NASD-2002-108)(NASD (North American Securities Dealers Association)
/ SEC)
NASD Rule 3500: Emergency Preparedness Part 3510: Business Continuity Plans (NASD)
NASD Rule 3500: Emergency Preparedness Parts 3520: Emergency Contact information
(NASD)
National Industrial Security Program Operating Manual (NISPOM)
NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection)
Cyber Security
Nevada Security of Personal Information Law of 2005
New York Department of Financial Services 23 NYCRR 500
NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan (CFTC
Commodity Futures Trading Commission)
NYSE Rule 446: Business Continuity and Contingency Planning (NYSE New York Stock
Exchange)
OCC 2001-47. Third Party Relationships of 2001 (OCC Office of the Comptroller of the
Currency)
Oregon ORS 646A.622
Privacy Act of 1974 (5 USC 552a)
Privacy Protection Act (PPA) of 1980
Public Law 110-53 Title IX (PS Prep)
Right to Financial Privacy Act (RFPA) of 1978
Sarbanes-Oxley Act of 2002 (PL 107-204 2002 HR 3763) Section 404 (PCAOB (Public
Company Accounting Oversight Board))
Sarbanes-Oxley Act of 2002 : Section 409 (PCAOB)
Securities and Exchange Act, Sections 32(a) and (b) (SEC)
Telecommunications Act of 1996
Telephone Consumer Protection Act (TCPA) of 1991
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act (USA PATRIOT Act) of 2001
Video Privacy Protection Act of 1988
Washington State HB 1149: Protecting consumers from breaches of security of 2009

Uruguay
Venezuela
Special Law Against Cybercrime, Official Gazette No. 37,313 of the Bolivarian Republic of
Venezuela dated 30 October 2001
Law on Data Messages and Electronic Signatures, Official Gazette No. 37,148 dated February 28,
2001
Rules on Information Technology, Dematerialized Financial Services, and Electronic, Virtual and
Online Banking for Entities Subject to the Control, Regulation and Supervision of Banks and
Other Financial Institutions, Caracas, March 2007.
Law on Credit Cards, Debit Cards, Prepaid Cards and Other Financing or Electronic Payment Cards,
dated September 4, 2008.
Rules Governing the Use of Electronic Banking Services, Official Gazette No. 39,597 dated
January 19, 2011

Vietnam
The Law on Electronic Transactions 2008
