Regulatory library

Every regulation. Every authority.

37 regulations across 6 domains — primary legislation, AI rules, AML, competition, and ESG frameworks, all summarised with fine maxima.

Covering EU · UK · US · China · India · Japan · Australia · Singapore · Brazil · South Africa · UAE

Privacy & data protection(16)

GDPRPrivacyFoundational

General Data Protection Regulation

Primary EU personal data framework. Basis for the largest regulatory fines in European history.

Jurisdiction: EU (all 27)Max fine: €20M or 4% global revenueStatus: Active

UK GDPRPrivacy

UK General Data Protection Regulation + DPA 2018

Post-Brexit UK data protection framework enforced by the ICO. Substantively equivalent to EU GDPR.

Jurisdiction: United KingdomMax fine: £17.5M or 4% global revenueStatus: Active

LIL / CNIL ActPrivacy

French Data Protection Act (Loi 78-17 as amended)

National GDPR implementation with additional French-specific obligations. Enforced by the CNIL.

Jurisdiction: FranceMax fine: GDPR maxima applyStatus: Active

BDSGPrivacy

German Federal Data Protection Act

German GDPR implementation with strong employee data provisions and 16 state-level DPA enforcement.

Jurisdiction: GermanyMax fine: GDPR maxima applyStatus: Active

UAVGPrivacy

Dutch GDPR Implementation Act

Dutch GDPR implementation enforced by the AP. Includes specific provisions on biometric and employee data.

Jurisdiction: NetherlandsMax fine: GDPR maxima applyStatus: Active

PIPLPrivacyCritical

Personal Information Protection Law

China's comprehensive personal data law with extraterritorial reach. Requires CAC security assessment for most outbound transfers.

Jurisdiction: ChinaMax fine: 5% of prior-year revenueStatus: Active

APPIPrivacy

Act on Protection of Personal Information

Japan has EU adequacy — the 2022 revision strengthened breach notification and cross-border transfer rules.

Jurisdiction: JapanMax fine: ¥100M per violationStatus: Active

PIPAPrivacy

Personal Information Protection Act

2023 revision significantly increased enforcement powers and introduced a new personal information impact assessment requirement.

Jurisdiction: South KoreaMax fine: 3% of revenueStatus: Active

DPDPAPrivacy

Digital Personal Data Protection Act

India's first comprehensive data protection law. Implementation rules under consultation — enforcement expected 2025.

Jurisdiction: IndiaMax fine: ₹250 crore (~€27M)Status: Active — rules pending

Privacy ActPrivacy

Privacy Act 1988 (reform 2024)

2022 amendment dramatically increased penalty amounts after the Optus and Medibank mega-breaches.

Jurisdiction: AustraliaMax fine: AUD $50M or 30% of adjusted turnoverStatus: Active

PDPAPrivacy

Personal Data Protection Act

2021 revision introduced mandatory breach notification and increased financial penalties.

Jurisdiction: SingaporeMax fine: SGD $1M or 10% of annual turnoverStatus: Active

LGPDPrivacy

Lei Geral de Proteção de Dados Pessoais

Brazil's GDPR-equivalent. ANPD issued its first significant fines in 2023 — enforcement is accelerating.

Jurisdiction: BrazilMax fine: 2% of Brazil revenue, max R$50MStatus: Active

POPIAPrivacy

Protection of Personal Information Act

Most mature data protection law in sub-Saharan Africa. Fully aligned with GDPR principles.

Jurisdiction: South AfricaMax fine: ZAR 10M or imprisonmentStatus: Active

PDPLPrivacy

UAE Federal Personal Data Protection Law

UAE mainland data protection law. Three separate regimes apply: mainland, DIFC, and ADGM.

Jurisdiction: UAEMax fine: AED 5M fixedStatus: Active

PIPEDA / CPPAPrivacy

Personal Information Protection + CPPA Bill C-27

Current PIPEDA lacks direct fine authority. Bill C-27 (CPPA) will transform Canada's enforcement regime — Quebec Law 25 already active.

Jurisdiction: CanadaMax fine: CAD $25M or 5% global revenue (when enacted)Status: PIPEDA active / CPPA pending

CCPA / CPRAPrivacy

California Consumer Privacy Act + Rights Act

Strictest US state privacy law. The CPPA began active enforcement in 2023 with 20+ investigations opened.

Jurisdiction: United StatesMax fine: $7,500 per intentional violationStatus: Active

AI & digital markets(6)

EU AI ActAINew

Artificial Intelligence Act

First comprehensive AI regulation globally. Risk-tiered: prohibited practices banned from Feb 2025; high-risk rules from Aug 2026.

Jurisdiction: EU (all 27)Max fine: €35M or 7% global revenueStatus: Active — phased

AI Generative RulesAI

Interim Measures for Generative AI Services

CAC's generative AI framework covering content moderation, algorithm transparency, and data sourcing obligations.

Jurisdiction: ChinaMax fine: Up to ¥100K (criminal referral possible)Status: Active

DMACompetitionIn force

Digital Markets Act

Obligations for designated "gatekeeper" platforms. Apple, Alphabet, Meta, Amazon, Microsoft, ByteDance are currently designated.

Jurisdiction: EU (all 27)Max fine: 10% global revenue; 20% for repeatStatus: Active

DSAConsumerIn force

Digital Services Act

Online platform liability and transparency obligations. Very large platforms (>45M EU users) face additional obligations.

Jurisdiction: EU (all 27)Max fine: 6% global revenueStatus: Active

DMCC ActCompetitionNew

Digital Markets Competition Consumers Act

UK equivalent of DMA. CMA can designate firms with strategic market status and impose conduct requirements.

Jurisdiction: United KingdomMax fine: 10% global revenueStatus: Active

FTC Act §5ConsumerFoundational

FTC Section 5 — Privacy / Deception

The FTC's primary enforcement tool for unfair or deceptive data practices. No consent order ceiling — Meta paid $5B in 2019.

Jurisdiction: United StatesMax fine: $51,744/day per violationStatus: Active

Cybersecurity & resilience(5)

NIS2CyberIn force

Network & Information Security Directive 2

Mandatory security and incident reporting for essential and important entities. National enforcement commenced October 2024.

Jurisdiction: EU (all 27)Max fine: €10M or 2% global revenueStatus: Active

DORACyberIn force

Digital Operational Resilience Act

ICT risk management and incident reporting for financial entities. Applies from January 2025 — supervised by financial regulators.

Jurisdiction: EU (all 27)Max fine: 1% average daily global turnover for each day of breachStatus: Active

BSI-GesetzCyber

BSI Act (Federal Office for Information Security Act)

German critical infrastructure cybersecurity obligations. BSI has powers to mandate security audits and incident disclosure.

Jurisdiction: GermanyMax fine: €2M per violationStatus: Active

DSLCyber

Data Security Law

Classification and security requirements for all data processed in China. Applies alongside PIPL with additional national security obligations.

Jurisdiction: ChinaMax fine: Up to ¥2M; suspension of businessStatus: Active

SOCI ActCyber

Security of Critical Infrastructure Act

Mandatory reporting and risk management obligations for 11 critical infrastructure sectors including energy, water, and health.

Jurisdiction: AustraliaMax fine: AUD $11.1M per offenceStatus: Active

Competition & antitrust(2)

EU CompetitionCompetitionFoundational

TFEU Articles 101–106 / Merger Regulation

Foundation of EU competition law — cartels, abuse of dominance, and merger control. DG COMP issues fines at 80–100% of maximum in major cases.

Jurisdiction: EU (all 27)Max fine: 10% of global revenueStatus: Active

Sherman / ClaytonCompetitionFoundational

Sherman & Clayton Antitrust Acts

Foundation of US antitrust law. DOJ Antitrust Division pursues criminal prosecutions — executives face personal imprisonment.

Jurisdiction: United StatesMax fine: Up to $100M (entities) / criminal imprisonmentStatus: Active

Finance, AML & crypto(6)

AMLD6AML

6th Anti-Money Laundering Directive

Expanded predicate offences for money laundering to 22 categories. Criminal liability extended to legal persons.

Jurisdiction: EU (all 27)Max fine: €5M or 10% of annual turnoverStatus: Active

MiCAFinanceNew

Markets in Crypto-Assets Regulation

World's first comprehensive crypto regulation. Full application from December 2024 — stablecoins already supervised from June 2024.

Jurisdiction: EU (all 27)Max fine: €5M or 3% of annual turnoverStatus: Active

WftFinance

Financial Supervision Act (Wet op het financieel toezicht)

Dutch financial markets supervision law. AFM and DNB enforce — applies to banks, insurers, investment firms operating in NL.

Jurisdiction: NetherlandsMax fine: €4M or 10% global annual revenueStatus: Active

FCA / MLRAML

Money Laundering Regulations 2017

UK AML framework. FCA has unlimited fine power — Santander received £107.7M in 2022 for AML failings.

Jurisdiction: United KingdomMax fine: UnlimitedStatus: Active

BSA / FinCENAML

Bank Secrecy Act / FinCEN AML Rules

Core US AML framework. FinCEN enforces SAR reporting, KYC, and beneficial ownership requirements across financial institutions.

Jurisdiction: United StatesMax fine: $25,000/day or amount of transactionStatus: Active

HIPAAHealth

Health Insurance Portability and Accountability Act

Administrative, physical, and technical safeguards for protected health information. HHS OCR enforcing tracking-pixel violations from 2023.

Jurisdiction: United StatesMax fine: $1.9M per category per yearStatus: Active

ESG & sustainability(2)

CSRDGreen/ESGIn force

Corporate Sustainability Reporting Directive

Mandatory sustainability reporting for large companies and listed SMEs — phased in from 2024. Double materiality assessment required.

Jurisdiction: EU (all 27)Max fine: Member state defined (typically % of revenue)Status: Active

CS3DGreen/ESG

Corporate Sustainability Due Diligence Directive

Human rights and environmental due diligence obligations across the value chain. Phased rollout from 2027 for largest companies.

Jurisdiction: EU (all 27)Max fine: 5% of global net turnoverStatus: Active — transposing

Missing a regulation?

We track 35+ regulations and add new jurisdictions every quarter.

Request coverage