Statutory vs Regulatory vs Contractual Compliance

Compliance terms are often misused, even by professionals within the cybersecurity and privacy industries. Words have specific meanings, and non-compliance can lead to significant consequences. Cybersecurity, IT, and privacy professionals frequently use the terms "law" and "regulation" interchangeably, even though these terms have distinct meanings that must be understood.


ComplianceForge compiled the information on this page to ensure everyone is on the same page, as understanding the nuances of compliance terminology is crucial for managing cybersecurity and privacy risks effectively.


Why Should You Care: Prioritizing Controls & Risk Management

Understanding the "hierarchy of pain" in compliance helps in making well-informed risk decisions that influence technology purchases, resource allocation, and management involvement. It benefits cybersecurity and IT professionals to comprehend the compliance landscape, enabling them to present non-compliance issues in a compelling business context to secure necessary resources.

Beyond correct terminology usage, understanding the three types of compliance is vital for managing cybersecurity and privacy risks. The differences in non-compliance penalties can include:


Statutory, Regulatory, and Contractual Obligations Define "Must Have" vs "Nice To Have" Requirements

In discussions about cybersecurity and privacy requirements, the term "must" is often used as an absolute because an applicable law, regulation, or contract clause compels the control to exist. It is essential to clarify the difference between "compliant" and "secure" to have coherent risk management discussions. Organizations should categorize controls into "must have" vs "nice to have" requirements:

Secure and compliant operations exist when both the Minimum Compliance Requirements (MCR) and the Discretionary Security Requirements (DSR) are implemented and properly governed:


Statutory Cybersecurity & Privacy Requirements

Statutory obligations are mandated by law and refer to current laws passed by a state or federal government. Examples of statutory compliance requirements in cybersecurity and privacy include:

US Federal Laws:

US State Laws:

International Laws:


Regulatory Cybersecurity & Privacy Requirements

Regulatory obligations are also required by law, but they differ from statutory requirements in that they refer to rules issued by a regulating body appointed by a state or federal government rather than to the laws themselves. Regulatory requirements tend to change more often than statutory requirements. Examples of regulatory compliance requirements include:

US Regulatory Requirements:

International Regulatory Requirements:


Contractual Cybersecurity & Privacy Requirements

Contractual obligations are imposed by legal contracts between private parties. They may take the form of a cybersecurity or privacy addendum in a vendor contract that specifies unique requirements, or of broader requirements set by an industry association. Examples of contractual compliance requirements include: