Cyber, critical infrastructure & AI standards — all in one place.
The latest standards, laws and regulations, with curated metadata, mapped controls and expert guidance from 6clicks. Built for GRC, compliance and security teams.
All content · 60 items
EU 2016/1675 — Commission Delegated Regulation (EU) 2016/1675 on High Risk Third Countries
This regulation identifies high-risk third countries with strategic deficiencies in the area of anti-money laundering (AML) and countering the financing of terrorism (CFT). It supplements Directive (EU) 2015/849, providing a legal framework for such identifications.
- Issuer: European Commission
- Jurisdiction: European Union
- Version: 14 July 2016
- Updated: Jun 2023
OWASP ASVS — OWASP Application Security Verification Standard
The OWASP Application Security Verification Standard (ASVS) is an open standard for testing and verifying the security of web applications. It provides developers with a comprehensive list of requirements for secure development and helps establish confidence in application security.
- Issuer: OWASP Foundation
- Version: 4.0.2
- Updated: May 2025
COBIT 2019 — COBIT 2019 Framework
The COBIT 2019 Framework, developed by ISACA, is a globally recognized standard for optimizing enterprise IT governance and management. It provides flexible, detailed guidance for organizations aiming to achieve effective governance over information and technology.
- Issuer: ISACA
- Version: 2019
CMMC — Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) Assessment Guide defines how organizations are evaluated for compliance with cybersecurity requirements when working with the U.S. Department of Defense. It outlines assessment methods, evidence expectations, and control validation aligned with standards like NIST SP 800-171. The guide ensures consistent and rigorous verification of an organization’s ability to protect sensitive information.
- Issuer: US Government
- Jurisdiction: USA
- Version: 2.13
SPS 521 — Prudential Standard SPS 521 - Conflicts of Interest
Prudential Standard SPS 521 is a legislative instrument under the Superannuation Industry (Supervision) Act 1993. It sets requirements for superannuation entities in Australia to appropriately manage conflicts of interest to ensure compliance and trust in their operations.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
SOC2 — SOC2 Trusted Services Criteria
SOC 2 is a framework for managing and reporting on controls at service organizations relevant to security, availability, processing integrity, confidentiality, and privacy. It aims to provide detailed information and assurance to stakeholders about how these controls are implemented to protect user data.
- Issuer: American Institute of Certified Public Accountants (AICPA)
- Jurisdiction: USA
- Updated: Sep 2022
SPS 310 — Prudential Standard SPS 310 Audit and Related Matters
Prudential Standard SPS 310 establishes requirements for conducting audits and related matters for the superannuation industry in Australia. It ensures compliance with financial reporting and auditing practices in accordance with regulatory standards.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
- Updated: Jun 2024
Corporations Act 2001 — Corporations Act 2001
The Corporations Act 2001 is Australia’s primary legislation regulating companies and other business entities. It outlines fiduciary duties for directors, including acting in good faith, exercising care and diligence, avoiding improper use of information or position, and disclosing certain interests.
- Issuer: Australian Government
- Jurisdiction: Australia
- Version: 28 September 2017
- Updated: Nov 2024
Renewable Energy (Electricity) Act 2000
The Renewable Energy (Electricity) Act 2000 establishes a legal framework to encourage the generation of electricity from renewable energy sources in Australia. It creates a system for renewable energy certificates and mandates a Renewable Power Percentage to ensure participation by electricity retailers.
- Issuer: Australian Government
- Jurisdiction: Australia
- Updated: Mar 2016
Workplace Relations Act 1996
The Workplace Relations Act 1996 was an Australian federal law governing employment relations, setting frameworks for workplace agreements, wage-setting, and employee entitlements. It covered topics such as the Australian Fair Pay Commission, industrial relations, and minimum workplace standards.
- Issuer: Australian Government
- Jurisdiction: Australia
- Updated: Dec 2006
FSSCP — The Financial Services Sector Cybersecurity Profile
The Financial Services Sector Cybersecurity Profile is a scalable and extensible assessment tool designed to help financial institutions manage cyber risks and demonstrate regulatory compliance. It is based on the NIST Cybersecurity Framework and offers a tailored approach to streamline cybersecurity assessments globally.
- Issuer: Financial Services Sector Coordinating Council (FSSCC)
- Jurisdiction: Global
Ozone Protection and Synthetic Greenhouse Gas Management Act 1989
The Ozone Protection and Synthetic Greenhouse Gas Management Act 1989 is Australian legislation designed to manage the use, import, and export of ozone-depleting substances (ODS) and synthetic greenhouse gases (SGGs). It aligns with Australia's obligations under the Montreal Protocol, emphasizing environmental protection through licensing, quotas, and controls on substances and equipment.
- Issuer: Australian Government
- Jurisdiction: Australia
- Version: 7, 1989
- Updated: Jan 2020
SMB1001 — SMB1001 Cybersecurity Standard
The SMB1001 Cybersecurity Standard provides small and medium-sized businesses, including law firms, with a clear and achievable framework to enhance their cybersecurity defenses and demonstrate due diligence. It aims to help practitioners protect client confidentiality, reduce cyber risks, and meet stakeholder requirements.
- Issuer: Dynamic Standards International (DSI)
- Jurisdiction: Australia
- Version: 2026
QCF — Qatar Cybersecurity Framework
The Qatar Cybersecurity Framework (QCF) provides structured guidelines to help organizations manage and strengthen their cybersecurity practices across governance, risk, protection, detection, response, and recovery. It promotes a proactive, coordinated approach to mitigating cyber threats while enhancing national and organizational resilience.
- Issuer: Qatar National Cyber Security Committee (NCSC)
- Jurisdiction: Qatar
CPS 520 — Prudential Standard CPS 520 Fit and Proper
The Prudential Standard CPS 520 sets out the requirements for assessing the fitness and propriety of responsible persons in APRA-regulated institutions, including banks, insurers, and private health insurers. It ensures that key positions are held by individuals who meet high standards of integrity and competence.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
- Updated: Jul 2019
Qatar PDPPL — Qatar Personal Data Privacy Protection Law (Law No. (13) of 2016)
The Qatar Personal Data Privacy Protection Law (PDPPL), formally Law No. 13 of 2016, is the primary data protection framework in Qatar. It governs how organizations collect, process, store, transfer, and secure personal data belonging to individuals in the country.
- Issuer: Qatar National Cyber Security Agency (NCSA)
- Jurisdiction: Qatar
NSW Cyber Security Policy
The NSW Cyber Security Policy outlines mandatory requirements that all NSW Government agencies must follow to ensure the effective management of cyber security risks to government information and systems. It mandates annual reporting by agencies and includes policy directives related to incident management, risk assessment, and compliance.
- Issuer: Cyber Security NSW
- Jurisdiction: New South Wales, Australia
AESCSF v2 Core — Australian Energy Sector Cyber Security Framework
The Australian Energy Sector Cyber Security Framework (AESCSF) provides a structured approach for managing cybersecurity risks specific to the energy sector. Version 2 introduces updates and refinements to address evolving threats and ensure resilience.
- Issuer: Australian Energy Market Operator (AEMO)
- Jurisdiction: Australia
- Version: 2.0
- Updated: Jan 2023
Privacy and Data Protection Act 2014 — Privacy and Data Protection Act 2014 Version No. 032
The Privacy and Data Protection Act 2014 establishes a framework for protecting personal information and ensuring data security within the State of Victoria, Australia. It sets out responsibilities for Victorian public sector agencies regarding personal data handling and protections.
- Issuer: Victorian Government
- Jurisdiction: Victoria, Australia
- Version: Version No. 032
- Updated: May 2026
Cyber Essentials Mark — CSA Cybersecurity Certification: Cyber Essentials Mark
The Cyber Essentials (2025) certification is a cybersecurity certification scheme developed by the Cyber Security Agency (CSA) of Singapore. It provides a framework for organisations to enhance their cybersecurity posture, covering areas like classical cybersecurity, cloud security, OT security, and AI security.
- Issuer: Cyber Security Agency of Singapore (CSA)
- Jurisdiction: Singapore
- Version: 04-2025 (Second edition)
- Updated: Apr 2026
BSI IT-Grundschutz-Compendium Edition 2022
The BSI IT-Grundschutz-Compendium Edition 2022 is a comprehensive cybersecurity guideline published by the German Federal Office for Information Security (BSI). It provides a structured methodology for implementing information security in organizations based on standardized modules and best practices.
- Issuer: Federal Office for Information Security (BSI)
- Jurisdiction: Germany
- Version: 2022
- Updated: Jan 2023
Consumer Data Right — Competition and Consumer (Consumer Data Right) Rules 2021
The Competition and Consumer (Consumer Data Right) Rules 2021 outline regulations for implementing Australia's Consumer Data Right (CDR) framework. They establish rules for data sharing, privacy safeguards, accreditation of data recipients, and dispute resolution processes.
- Issuer: Department of the Treasury
- Jurisdiction: Australia
Commission Implementing Regulation (EU) 2023/203
This regulation outlines requirements for the management of information security risks that could impact aviation safety. It applies to organisations and competent authorities operating in the aviation sector to ensure secure operations.
- Issuer: European Union Aviation Safety Agency (EASA)
- Jurisdiction: European Union
- Version: 2023/203
CDR Designation 2019 — Consumer Data Right (Authorised Deposit Taking Institutions) Designation 2019
This legislative instrument designates the banking sector in Australia as subject to the Consumer Data Right (CDR). It specifies which classes of information are included or excluded under the CDR framework.
- Issuer: Australian Government
- Jurisdiction: Australia
- Version: 14 July 2023
- Updated: Jul 2023
Corporations Regulations 2001 — Corporations Regulations 2001
The Corporations Regulations 2001 is a set of legislative rules in Australia that provide detailed regulations supporting the Corporations Act 2001. It governs key aspects of corporate governance, financial reporting, and administration within Australian companies.
- Issuer: Australian Government
- Jurisdiction: Australia
- Version: 01 January 2022
- Updated: Jan 2022
CDR Energy Sector Designation 2020 — Consumer Data Right (Energy Sector) Designation 2020
This legislative instrument designates the Australian energy sector under the Consumer Data Right (CDR) framework. It specifies the types of data, entities, and arrangements covered by CDR for energy consumers.
- Issuer: Australian Government
- Jurisdiction: Australia
- Version: 26 June 2020
- Updated: Jun 2020
ITSP.10.171 — Protecting Specified Information in Non-Government of Canada Systems and Organizations
ITSP.10.171 sets out security requirements for protecting 'specified information' when it resides in non-Government of Canada systems or organizations. It aligns with NIST standards but adapts them to the Canadian regulatory environment.
- Issuer: Canadian Centre for Cyber Security
- Jurisdiction: Canada
- Version: First release
- Updated: Oct 2025
PIPEDA — Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that sets rules for the collection, use, and disclosure of personal information in the course of commercial activities. It aims to balance individuals' privacy rights with industry needs for personal data use.
- Issuer: Government of Canada
- Jurisdiction: Canada
- Updated: Mar 2025
Baseline Cyber Security Controls for Small and Medium Organizations
The Baseline Cyber Security Controls for Small and Medium Organizations provides guidance from the Canadian Centre for Cyber Security to improve the resilience of smaller organizations through focused cybersecurity measures. It applies the 80/20 rule, aiming to achieve significant cybersecurity benefits with minimal effort.
- Issuer: Canadian Centre for Cyber Security
- Jurisdiction: Canada
- Version: 1.2
EU AI Act — EU Artificial Intelligence Act
The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive law regulating artificial intelligence. It establishes a risk-based framework that classifies AI systems into four categories—unacceptable, high-risk, limited-risk, and minimal-risk—with stricter obligations applied to higher-risk systems.
- Issuer: European Union
- Jurisdiction: European Union
- Version: January 2024
- Updated: Apr 2021
SCF — Secure Controls Framework
The Secure Controls Framework (SCF) is a comprehensive, free cybersecurity and data privacy metaframework designed to simplify compliance and build secure, resilient organizations. It unifies control sets to simultaneously meet compliance requirements across multiple laws, regulations, and frameworks.
- Issuer: Secure Controls Framework (SCF) Council
- Version: 2023.2
Cyber Essentials v3.2 — Cyber Essentials Requirements for IT Infrastructure
Cyber Essentials is a UK government-backed scheme focused on protecting IT infrastructure from common cyber threats. Version 3.2 outlines updated security controls and practices.
- Issuer: UK National Cyber Security Centre (NCSC)
- Jurisdiction: United Kingdom
- Version: 3.2
EU Data Act — Regulation on harmonised rules on fair access to and use of data (Data Act)
The Data Act is an EU regulation that aims to establish fair rules for access to and use of data generated by connected devices. It promotes data sharing, safeguards user rights, and prevents unfair practices while supporting innovation and the data economy.
- Issuer: European Commission
- Jurisdiction: European Union
- Version: (EU) 2023/2854
- Updated: Dec 2025
RG 175 — RG 175 AFS licensing: Financial product advisers—Conduct and disclosure
This regulatory guide outlines the conduct and disclosure obligations of financial product advisers who provide advice to retail clients in Australia. It focuses on requirements under Part 7.7 and Division 2 of Part 7.7A of the Corporations Act.
- Issuer: Australian Securities and Investments Commission (ASIC)
- Jurisdiction: Australia
- Updated: Nov 2024
ADHICS — Abu Dhabi Healthcare Information and Cyber Security Standard
The AAMEN programme ensures that all healthcare facilities in Abu Dhabi comply with information security and data privacy standards to safeguard patient data. It incorporates the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) and aims to enhance cybersecurity governance, resilience, and innovation in the healthcare sector.
- Issuer: Department of Health Abu Dhabi
- Jurisdiction: Abu Dhabi, United Arab Emirates
- Version: 2
- Updated: May 2026
CPS 231 — Prudential Standard CPS 231 Outsourcing
The Prudential Standard CPS 231 establishes requirements for outsourcing arrangements by financial institutions regulated by the Australian Prudential Regulation Authority (APRA). It aims to ensure that risks associated with outsourcing are effectively managed.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
- Updated: Jul 2017
RG 1 — RG 1 Applying for and varying an AFS licence
This regulatory guide provides details on the process for applying for and varying an Australian Financial Services (AFS) licence. It outlines ASIC’s approach to assessing applications and the required documentation for submission.
- Issuer: Australian Securities and Investments Commission (ASIC)
- Jurisdiction: Australia
UAE IA V2 — UAE Information Assurance Standard Version 2
The UAE Information Assurance Standard Version 2 (UAE IA V2) is a national cybersecurity framework issued by the UAE Cyber Security Council in 2025. It builds upon the previous version with updated controls and integrations to address modern technologies, such as AI/ML, IoT, cloud, and post-quantum cryptography.
- Issuer: UAE Cyber Security Council
- Jurisdiction: United Arab Emirates
- Version: 2.0
- Updated: Oct 2025
RG 271 — RG 271 Internal Dispute Resolution
This regulatory guide outlines enforceable standards and requirements for internal dispute resolution (IDR) systems for financial firms in Australia. It specifies the obligations these firms must meet to comply with ASIC's IDR standards.
- Issuer: Australian Securities and Investments Commission (ASIC)
- Jurisdiction: Australia
- Updated: Sep 2021
RG 274 — RG 274 Product Design and Distribution Obligations
This guide, issued by ASIC, outlines obligations for issuers and distributors of financial products under Part 7.8A of the Corporations Act. It provides ASIC's interpretation, expectations for compliance, and approach for administering these obligations.
- Issuer: Australian Securities and Investments Commission (ASIC)
- Jurisdiction: Australia
VPDSS 2.0 — Victorian Protective Data Security Standards V2.0
The Victorian Protective Data Security Standards (VPDSS) establish 12 high-level mandatory requirements for the protection of public sector information in Victoria, Australia. These requirements cover governance, information, personnel, ICT, and physical security, focusing on a risk-managed approach tailored to the Victorian government context.
- Issuer: Office of the Victorian Information Commissioner (OVIC)
- Jurisdiction: Victoria, Australia
- Version: 2.0
- Updated: Oct 2019
AIUC-1 — AIUC-1
AIUC-1 is a standard focused on the security, safety, and reliability of AI agents used in enterprises. It addresses risks related to data privacy, security, accountability, and societal concerns while providing certification for compliant organizations.
- Issuer: Artificial Intelligence Underwriting Company (AIUC)
- Version: April 15, 2026
RG 181 — RG 181 AFS licensing: Managing conflicts of interest
This regulatory guide outlines the legal obligations under the Corporations Act for Australian financial services (AFS) licensees to have adequate arrangements to manage conflicts of interest. It provides specific guidance on identifying conflicts, implementing effective arrangements, and managing conflicts using appropriate tools.
- Issuer: Australian Securities and Investments Commission (ASIC)
- Jurisdiction: Australia
- Updated: Dec 2025
NIST SP 800-39 — NIST Special Publication 800-39 - Managing Information Security Risk: Organization, Mission, and Information System View
NIST SP 800-39 provides guidance for developing an organization-wide program to manage information security risk. It introduces a structured yet flexible framework for assessing, responding to, and monitoring risks associated with federal information systems.
- Issuer: National Institute of Standards and Technology (NIST)
- Jurisdiction: United States
- Updated: Mar 2011
NIST SP 800-82 Rev. 3 — NIST Special Publication 800-82 Rev. 3 - Guide to Operational Technology (OT) Security
This document provides guidance on securing operational technology (OT) systems, which include programmable devices interacting with the physical environment. It addresses unique performance, reliability, and safety requirements, identifies threats, and recommends security measures.
- Issuer: National Institute of Standards and Technology (NIST)
- Jurisdiction: United States
- Version: Revision 3
NIST SP 800-171A Rev. 3 — NIST Special Publication 800-171A Rev. 3 - Assessing Security Requirements for Controlled Unclassified Information
This publication provides a methodology and assessment procedures for evaluating security requirements associated with the protection of Controlled Unclassified Information (CUI). It supports compliance with NIST SP 800-171 in nonfederal systems and organizations.
- Issuer: National Institute of Standards and Technology (NIST)
- Jurisdiction: United States
- Version: Revision 3
- Updated: Nov 2023
RG 133 — RG 133 Funds Management and Custodial Services: Holding Assets
RG 133 outlines the Australian financial services (AFS) licence obligations for entities involved in managing and holding client assets. It sets minimum standards that apply to responsible entities of registered managed investment schemes, licensed custody providers, MDA providers, and IDPS operators.
- Issuer: Australian Securities and Investments Commission (ASIC)
- Jurisdiction: Australia
- Updated: Dec 2024
NIST SP 800-161 Rev. 1 — NIST Special Publication 800-161 Rev. 1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
This publication provides guidance on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain. It integrates Cybersecurity Supply Chain Risk Management (C-SCRM) practices into organizational risk management processes.
- Issuer: National Institute of Standards and Technology (NIST)
- Jurisdiction: United States
- Version: Rev. 1, Update 1
NIST CSF 2.0 — NIST Cybersecurity Framework 2.0
The NIST Cybersecurity Framework 2.0 is a comprehensive framework to help organizations manage and reduce cybersecurity risks. It provides guidelines, tools, and resources for improving cybersecurity practices across diverse sectors.
- Issuer: National Institute of Standards and Technology (NIST)
- Jurisdiction: United States
- Version: 2.0
- Updated: Feb 2026
GDPR — General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union to harmonize privacy regulations across member states. It governs the processing of personal data by organizations operating within the EU and those outside the EU that target EU residents.
- Issuer: European Parliament and Council of the European Union
- Jurisdiction: European Union
- Updated: May 2018
APPs — Australian Privacy Principles
The Australian Privacy Principles (APPs) are a set of 13 principles that form the privacy protection framework under the Privacy Act 1988. They govern how personal information is collected, used, disclosed, and managed by organizations and agencies subject to the Act.
- Issuer: Office of the Australian Information Commissioner (OAIC)
- Jurisdiction: Australia
Privacy Act 1988 — Privacy Act 1988
The Privacy Act 1988 is an Australian law that regulates the handling of personal information by businesses, government agencies, and other entities. It includes provisions for the Australian Privacy Principles, credit reporting, and notification of data breaches.
- Issuer: Australian Government
- Jurisdiction: Australia
- Version: No. 119, 1988
CPG 234 — CPG 234 Information Security
This standard provides information security guidance for Australian financial institutions regulated by APRA. It aims to ensure operational resilience and protect against information security threats.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
- Version: June 2019
- Updated: Jun 2019
CPG 235 — Prudential Practice Guide CPG 235 - Managing Data Risk
The Prudential Practice Guide CPG 235 provides guidance for Australian financial institutions on how to effectively manage data risk. It focuses on identifying, assessing, and mitigating risks associated with data to ensure its integrity, availability, and confidentiality.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
CPS 220 — Prudential Standard CPS 220 Risk Management
CPS 220 is a prudential standard issued by the Australian Prudential Regulation Authority (APRA) outlining risk management requirements for regulated entities. It establishes standards for institutions to identify, assess, and manage risks effectively to ensure financial stability and compliance.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
- Updated: Jul 2017
CPS 226 — Prudential Standard CPS 226: Margining and Risk Mitigation for Non-centrally Cleared Derivatives
This is an Australian standard issued by APRA outlining the requirements for margining and risk mitigation of non-centrally cleared derivatives. It ensures financial institutions operate with adequate practices to manage counterparty risk.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
CPS 232 — Prudential Standard CPS 232 Business Continuity Management
CPS 232 is an Australian Prudential Standard that outlines the requirements for regulated entities to maintain and manage effective business continuity plans. It ensures that entities are prepared to address and recover from disruptions to their operations.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
- Updated: Jul 2017
CPS 230 — Prudential Standard CPS 230 Operational Risk Management
CPS 230 sets out requirements for APRA-regulated entities to effectively manage operational risks. It covers obligations on governance, risk frameworks, and risk controls to ensure resilience against operational disruptions.
- Issuer: Australian Prudential Regulation Authority (APRA)
- Jurisdiction: Australia
- Updated: Jul 2023
RG 166 — RG 166 AFS Licensing: Financial Requirements
RG 166 provides financial requirements for holders of an Australian Financial Services (AFS) licence, which vary based on the financial products and services offered. It excludes entities regulated by the Australian Prudential Regulation Authority (APRA) that are not required to comply with specific provisions of the Corporations Act 2001.
- Issuer: Australian Securities and Investments Commission (ASIC)
- Jurisdiction: Australia
- Updated: Sep 2023
RG 104 — RG 104 AFS Licensing: Meeting the General Obligations
This regulatory guide provides information for Australian Financial Services (AFS) licensees and applicants about compliance with general obligations under section 912A(1) of the Corporations Act. It outlines what ASIC looks for during assessments of compliance.
- Issuer: Australian Securities and Investments Commission (ASIC)
- Jurisdiction: Australia