Cybersecurity Law by Country Reference

Key data protection and cybersecurity legislation by country.

Reference of major national data-protection and cybersecurity laws by country with the year in force and a scope note, covering GDPR, CCPA, LGPD, PIPL, DPDP and more, plus a live filter. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Does GDPR apply to companies outside the EU?

Yes. GDPR is extraterritorial: it applies to any organisation that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the organisation is based. Non-EU controllers may need an EU representative.

Mapping the global privacy landscape

Companies operating across borders must navigate dozens of overlapping data-protection and cybersecurity regimes. This reference gives a high-level orientation: the major national laws by country and region, the year each came into force, and a short note on what it covers — from the EU’s GDPR to Brazil’s LGPD, China’s PIPL and India’s DPDP Act.

How it works

Most modern laws follow a similar shape — a consent or lawful-basis requirement, data-subject rights, breach-notification duties and a supervisory authority — but the details, penalties and transfer rules vary widely. A few patterns to watch:

Comprehensive GDPR-style:  GDPR, UK GDPR, LGPD, PIPA, POPIA, DPDP, revFADP
Consumer / sectoral US:    CCPA/CPRA, HIPAA
Localisation-heavy:        PIPL, Cybersecurity Law (China)
Cyber risk-management:     NIS2 (EU)

The filter searches across country, region, law name and scope so you can quickly find the frameworks relevant to a target market. Years shown are when the law took effect, which can differ from when it was enacted.

The major frameworks at a glance

GDPR (EU, 2018)

The General Data Protection Regulation covers all processing of personal data of EU residents by any organisation anywhere in the world. It introduced the six lawful bases, the right to erasure, mandatory breach notification within 72 hours, and fines of up to €20 million or 4% of global annual turnover. The UK retained a near-identical framework (UK GDPR) after Brexit.

CCPA / CPRA (California, 2020 / 2023)

The California Consumer Privacy Act and its 2023 successor the CPRA give California residents opt-out rights over the sale and sharing of personal information, plus rights to know, delete, and correct. It applies to businesses above certain thresholds operating in California, not just those based there.

LGPD (Brazil, 2020)

Brazil’s Lei Geral de Proteção de Dados closely mirrors the GDPR structure — lawful bases, data-subject rights, DPO requirement, and national authority (ANPD). It applies to any processing of data about people located in Brazil.

PIPL (China, 2021)

China’s Personal Information Protection Law imposes strict consent requirements, mandatory data localisation for certain categories, and strict controls on cross-border transfers that must be approved by the Cyberspace Administration of China (CAC).

DPDP Act (India, 2023)

India’s Digital Personal Data Protection Act, enacted in 2023, covers digital personal data and introduces data-principal rights, consent manager provisions, and significant data fiduciaries subject to heightened obligations.

NIS2 Directive (EU, 2023)

The revised Network and Information Security directive focuses on operational cybersecurity rather than data protection — it mandates risk management, incident reporting within 24 hours, and supply-chain security for essential and important entities across 18 sectors.

Cross-border transfer considerations

Moving personal data between countries is one of the most operationally complex areas:

  • EU adequacy decisions allow free transfer to countries the European Commission has approved (e.g. UK, Japan, South Korea).
  • Standard contractual clauses (SCCs) are the fallback mechanism for transfers to non-adequate countries.
  • PIPL transfers from China require a CAC security assessment for large volumes or sensitive data, a Personal Information Protection Certification, or an approved standard contract.
  • Russian data localisation requires primary storage of Russian citizen data on servers physically in Russia.

Tips and notes

  • GDPR and several successors are extraterritorial — base location does not exempt you.
  • Sector rules for finance, health, and telecoms add obligations on top of these baseline laws.
  • Many laws allow for contractual and certification mechanisms where adequacy does not exist.
  • This table is for orientation only; confirm current duties with the relevant regulator or qualified legal counsel for each jurisdiction.