Active public standards
Each page explains what the standard is, why it matters, and how Quick Policy helps teams draft and govern policies against it.
AEO + Trusted Trader Programs (EU + US C-TPAT + UK)
Authorized Economic Operator (AEO) is a globally-recognised customs trusted-trader status (WCO SAFE Framework). EU AEO authorisation under UCC Art 38 comes in two forms — AEOC (customs simplifications) + AEOS (security + safety) — which may be held in combination (the former AEOF certificate). US Customs-Trade Partnership Against Terrorism (C-TPAT) + UK AEO (post-Brexit) provide similar benefits including reduced inspections, simplified procedures + mutual recognition with partner countries. Authorisation follows a customs audit against the AEO criteria, with ongoing self-assessment + periodic customs monitoring + reassessment. Voluntary but increasingly contractually required by major customers.
Jurisdiction: GLOBAL
Lifecycle: Active
AICPA SSAE 21 — Statements on Standards for Attestation Engagements
AICPA Statements on Standards for Attestation Engagements (SSAEs) are the standards for US attestation engagements (examinations, reviews + agreed-upon procedures) other than audits of historical financial statements. SSAE 18 (2016) recodified + consolidated the framework into the AT-C sections; SSAE 21 (2020) added direct examination engagements. The best-known SSAE-based engagements are SOC 1 (ICFR reports), SOC 2 (Trust Services Criteria) + SOC 3 (general-use SOC 2 summary). Firms performing SSAE engagements operate a system of quality management under the AICPA's SQMS No. 1 (the US analogue of IAASB ISQM 1).
Jurisdiction: US
Lifecycle: Active
EU Alternative Investment Fund Managers Directive (AIFMD)
AIFMD regulates managers of alternative investment funds (AIFs) marketed in the EU — hedge funds, private equity, real estate, infrastructure, venture capital. Imposes authorisation + ongoing requirements on AIFMs including organisational requirements, capital, conduct of business, delegation, valuation, depositary, leverage limits, transparency + reporting (Annex IV). AIFMD II (Dir 2024/927) amends the regime with substance + delegation requirements, liquidity-management tools for open-ended AIFs + new loan-origination AIF rules. Transposition deadline April 2026.
Jurisdiction: EU
Lifecycle: Active
ANSI/ASSP A10 — Construction + Demolition Safety
The ANSI/ASSP A10 series of voluntary consensus standards is the US construction industry's detailed companion to OSHA 29 CFR 1926 — covering pre-project + pre-task safety + health planning (A10.1), demolition (A10.6), scaffolding (A10.8), fall protection (A10.32), excavation (A10.12), steel erection (A10.13), explosives (A10.7) + many others. Voluntary but increasingly contractually required by owners + integrated into safety management systems. Frequently cited as recognised good practice in OSHA citations + enforcement.
Jurisdiction: US
Lifecycle: Active
AS9100D / EN 9100 — Aerospace QMS
AS9100D is the global aerospace industry QMS standard, built on ISO 9001 with aerospace-specific requirements covering configuration management, risk-based product safety, counterfeit parts prevention, FAI (First Article Inspection) + supplier control. Required across aerospace + defence supply chains globally. EN 9100 + JISQ 9100 are the European + Japanese equivalents. Certification via IAQG-accredited bodies under the OASIS database.
Jurisdiction: GLOBAL
Lifecycle: Active
ASC Aquaculture Standards
Aquaculture Stewardship Council certification for responsibly farmed seafood. Species standards (salmon, shrimp, tilapia, pangasius, bivalves, seabass/seabream, etc.) cover environmental + social criteria. Joint ASC-MSC Seaweed Standard covers cultivated seaweeds.
Jurisdiction: GLOBAL
Lifecycle: Active
Basel III / Endgame "Basel IV"
Basel III is the Basel Committee on Banking Supervision's comprehensive set of reform measures developed in response to the 2007-09 financial crisis. The post-crisis reforms finalised in December 2017 (often called "Basel IV" or the Basel III Endgame) introduced revised credit + operational + market risk frameworks + an aggregate output floor. Implementation is phased through 2025-2028 across jurisdictions. Transposed into EU law via CRR / CRD (CRR3 + CRD VI), into UK rules via the PRA's Basel 3.1 near-final rules (implementation deferred to 1 January 2027), into US via OCC/Fed/FDIC capital rules. Mandatory for all internationally-active banks; broad applicability to other licensed banks through national implementation.
Jurisdiction: GLOBAL
Lifecycle: Active
BRCGS Global Standard for Food Safety Issue 9
BRCGS Global Standard for Food Safety Issue 9 is a GFSI-benchmarked food safety + quality scheme widely required by UK + EU retailers + global brand owners. Covers senior management commitment, food safety plan (HACCP), food safety + quality management system, site standards, product control, process control, personnel + food fraud + defence. Audited by accredited certification bodies on a tiered grade system (AA+/AA/A/B/C/D).
Jurisdiction: GLOBAL
Lifecycle: Active
BREEAM — Building Research Establishment Environmental Assessment Method
BREEAM is the UK + international sustainability assessment method for buildings, administered by BRE. Rates buildings across 9 categories with ratings Pass / Good / Very Good / Excellent / Outstanding. Used widely in UK + Europe (mandatory in some public sector procurement) + frequently in pre-let / leasing requirements for grade-A commercial space. Companion schemes for refurbishment, in-use + communities.
Jurisdiction: UK
Lifecycle: Active
US Bank Secrecy Act + FinCEN Regulations
The US Bank Secrecy Act (BSA) is the principal federal anti-money-laundering law, administered by FinCEN. Requires US financial institutions (including banks, broker-dealers, money services businesses, casinos, mutual funds + certain non-bank residential mortgage lenders) to operate AML programmes, file Suspicious Activity Reports (SARs) + Currency Transaction Reports (CTRs), conduct customer due diligence (CDD/EDD) + identify beneficial ownership. The AML Act of 2020 significantly modernised the regime; the Corporate Transparency Act 2021 introduced beneficial-ownership reporting to FinCEN.
Jurisdiction: US
Lifecycle: Active
BSI Cloud Computing Compliance Criteria Catalogue (C5)
BSI C5 is the German Federal Office for Information Security (BSI) catalogue of minimum cloud-security requirements. Required by German federal procurement, increasingly required by German enterprise. The 2020 revision (C5:2020) restructured the catalogue into 17 domains + added criteria reflecting cloud-specific evolution. Assessed via ISAE 3000 (Type 1 / Type 2) attestation that maps closely to SOC 2 reporting structure — many cloud providers obtain C5 + SOC 2 together.
Jurisdiction: DE
Lifecycle: Active
CCPA/CPRA Obligations Profile
California consumer privacy obligations profile.
Jurisdiction: US_CA
Lifecycle: Active
42 CFR Part 2 — SUD Patient Records
42 CFR Part 2 governs the confidentiality of substance use disorder (SUD) patient records held by federally-assisted Part 2 programs. Stricter than HIPAA — historically required patient consent for nearly every disclosure (including treatment, payment + operations), with severe penalties for re-disclosure. The 2024 Final Rule (published Feb 2024; compliance required by 16 Feb 2026) harmonised Part 2 more closely with HIPAA — a single patient consent for TPO is now permitted, breach notification is aligned with HIPAA + civil + criminal penalties are strengthened. Continues to require segregation of Part 2 records in EHRs, special handling for legal process + the mandatory re-disclosure prohibition notice that accompanies disclosed records.
Jurisdiction: US
Lifecycle: Active
CIS Controls
Prioritised cyber defence safeguards for operational implementation.
Jurisdiction: GLOBAL
Lifecycle: Active
Cybersecurity Maturity Model Certification 2.0
CMMC 2.0 is the US Department of Defense's tiered cybersecurity certification programme for contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Level 1 (self-assessment) covers basic FCI safeguards; Level 2 (NIST SP 800-171-aligned) is required for CUI; Level 3 (NIST SP 800-172) for the most sensitive contracts. Final rule effective 2024; phased flow-down to contracts began 2025.
Jurisdiction: US
Lifecycle: Active
CMS Hospital Conditions of Participation
CMS Conditions of Participation (CoP, 42 CFR Part 482) are the federal health + safety regulations hospitals must meet to participate in Medicare + Medicaid. Cover governing body, patients' rights, QAPI, medical staff, nursing services, medical records, pharmaceutical services, infection prevention, EMTALA + discharge planning. Enforced through CMS / state survey agency surveys + deemed-status accreditation by CMS-approved hospital accrediting organisations (Joint Commission, DNV, ACHC/HFAP, CIHQ). Failure to meet a Condition can result in termination of the provider agreement.
Jurisdiction: US
Lifecycle: Active
COBIT 2019
COBIT 2019 (ISACA) is an IT governance + management framework providing 40 governance + management objectives across 5 domains. Used by enterprise IT governance functions and audit teams to structure IT governance, risk + control activities. Often paired with ITIL 4 (service management) and ISO 27001 (security management) for integrated IT governance.
Jurisdiction: GLOBAL
Lifecycle: Active
Codex Alimentarius General Principles of Food Hygiene + HACCP
FAO/WHO Codex Alimentarius General Principles of Food Hygiene (CXC 1-1969) including the HACCP annex. The foundation for most national food safety regulations + industry standards globally.
Jurisdiction: GLOBAL
Lifecycle: Active
Codex HACCP — Hazard Analysis + Critical Control Points
Codex Alimentarius HACCP (CXC 1-1969) is the global reference for food-safety management. Seven principles: conduct hazard analysis, determine CCPs, establish critical limits, monitoring, corrective actions, verification + record-keeping. The foundational framework underlying virtually every national food-safety regime — including FSMA in the US, EU hygiene regulations (852/2004) + the UK's retained version of the same rules.
Jurisdiction: GLOBAL
Lifecycle: Active
ICD-10-CM / SNOMED CT / LOINC — Clinical Coding Standards
The three core clinical-coding standards used in modern healthcare: ICD-10-CM (US morbidity classification, annually updated by CMS + NCHS), SNOMED CT (comprehensive clinical terminology, distributed under SNOMED International / NHS), LOINC (laboratory + clinical observations, distributed by Regenstrief Institute). Together they enable problem lists, diagnoses, lab results + procedure coding for billing, public health reporting, clinical decision support + research. USCDI v4 + FHIR Implementation Guides specify which terminology is required per data class.
Jurisdiction: GLOBAL
Lifecycle: Active
COSO Enterprise Risk Management — Integrating with Strategy + Performance
COSO ERM 2017 is the enterprise risk management reference framework used by US public companies, financial-services firms, and increasingly enterprise CFO + CRO offices globally. Integrates risk management with strategy and performance through 20 principles across 5 components. Heavily referenced by SOX + SEC risk-management commentary; the de-facto framework for ERM committee structure.
Jurisdiction: US
Lifecycle: Active
CQC Fundamental Standards
The Care Quality Commission (CQC) Fundamental Standards are the regulations all CQC-registered providers in England must meet — covering person-centred care, dignity + respect, consent, safe care + treatment, safeguarding, nutrition + hydration, premises + equipment, complaints, good governance, staffing, fit + proper persons, and duty of candour. Breach can result in registration conditions, prosecution + closure. The single assessment framework (effective from 2023) replaces previous KLOEs with quality statements + ratings: Outstanding / Good / Requires Improvement / Inadequate.
Jurisdiction: UK
Lifecycle: Active
EU Capital Requirements Regulation + Directive (CRR + CRD)
The EU's transposition of Basel III into binding regulation (CRR) + member-state-transposed directive (CRD). CRR3 + CRD VI were adopted in 2024 to complete Basel III + add the 2017 Basel "Endgame" reforms — revised credit risk standardised approach, operational risk + output floor. Applies to EU credit institutions + investment firms (with separate prudential regime IFR/IFD for smaller investment firms). Enforcement: ECB (Single Supervisory Mechanism) for significant institutions + national competent authorities for others. Key obligations: capital ratios + buffers, LCR, NSFR, leverage ratio, large exposures, governance + remuneration, public disclosure (Pillar 3).
Jurisdiction: EU
Lifecycle: Active
CSA Cloud Controls Matrix v4
CSA Cloud Controls Matrix v4 is the Cloud Security Alliance's cloud-specific control framework — 197 controls across 17 domains, mapped to ISO 27001, ISO 27017, NIST 800-53, PCI DSS, and others. Forms the assessment criteria for CSA STAR Level 1 (self-assessment) + Level 2 (third-party certification) and is increasingly required by enterprise cloud procurement.
Jurisdiction: GLOBAL
Lifecycle: Active
Cyber Essentials
UK baseline cyber hygiene controls for common attack reduction.
Jurisdiction: UK
Lifecycle: Active
DICOM — Digital Imaging and Communications in Medicine
DICOM is the international standard for medical imaging + related metadata, used in nearly all radiology, cardiology + oncology imaging worldwide. Covers data structure (Information Object Definitions encoded as tagged data elements), services (Storage, Query/Retrieve, Modality Worklist, Print), network protocol (DICOM upper layer over TCP/IP), the Part 10 file format (128-byte preamble, "DICM" magic, File Meta Information group, then the dataset in the declared Transfer Syntax) + media exchange. DICOMweb (RESTful DICOM) modernises access. Tightly integrated with HL7 + IHE Profiles (XDS-I, Scheduled Workflow, etc.). Compliance is operational rather than certified, but interoperability with PACS / VNA / RIS is the practical test.
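The Part 10 layout described above is easier to reason about with a reader in hand. The following is an added example written for this page, not code from the DICOM standard, from NEMA or from any PACS vendor: it checks the preamble + "DICM" magic, reads the (0002,0000) group length, parses the File Meta Information group and an Explicit VR Little Endian dataset, and refuses any element whose length field runs past the buffer, which is the check that matters when files arrive from modalities or uploads you do not control. The sample file is constructed inline (it is not a real study) and the helper names are this example's own.

```python
"""Minimal DICOM Part 10 reader: preamble, 'DICM' magic, File Meta group, Explicit VR LE dataset."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# VRs encoded with a 2-byte reserved field + 4-byte length; all others carry a 2-byte length.
LONG_LENGTH_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
UNDEFINED_LENGTH = 0xFFFFFFFF


class DicomError(ValueError):
    """Any structural problem; callers should treat the file as untrusted and stop."""


@dataclass(frozen=True)
class Element:
    group: int
    element: int
    vr: str
    value: bytes

    def as_text(self) -> str:
        # UI values are NUL-padded and other string VRs space-padded to even length.
        return self.value.rstrip(b"\x00 ").decode("ascii")


def parse_elements(buf: bytes, offset: int, end: int) -> list[Element]:
    """Parse consecutive Explicit VR Little Endian elements in buf[offset:end]."""
    elems = []
    while offset < end:
        if end - offset < 8:
            raise DicomError(f"truncated element header at offset {offset}")
        group, element = struct.unpack_from("<HH", buf, offset)
        vr_bytes = buf[offset + 4:offset + 6]
        if not all(0x41 <= b <= 0x5A for b in vr_bytes):  # VR must be two ASCII capitals
            raise DicomError(f"invalid VR {vr_bytes!r} at offset {offset}")
        vr = vr_bytes.decode("ascii")
        if vr in LONG_LENGTH_VRS:
            if end - offset < 12:
                raise DicomError(f"truncated long-form header at offset {offset}")
            (length,) = struct.unpack_from("<I", buf, offset + 8)
            offset += 12
        else:
            (length,) = struct.unpack_from("<H", buf, offset + 6)
            offset += 8
        if length == UNDEFINED_LENGTH:
            raise DicomError("undefined-length element not supported by this reader")
        # Bounds check before slicing: a hostile length field must never read past `end`.
        if length > end - offset:
            raise DicomError(f"element ({group:04X},{element:04X}) length {length} exceeds buffer")
        elems.append(Element(group, element, vr, buf[offset:offset + length]))
        offset += length
    return elems


def find(elems: list[Element], group: int, element: int) -> Element | None:
    return next((e for e in elems if (e.group, e.element) == (group, element)), None)


def parse_part10(buf: bytes) -> tuple[list[Element], list[Element]]:
    """Return (file_meta, dataset). Only Explicit VR Little Endian datasets are accepted."""
    if len(buf) < 144 or buf[128:132] != b"DICM":
        raise DicomError("missing 128-byte preamble + 'DICM' magic")
    # (0002,0000) UL Group Length comes first and occupies exactly 12 bytes on the wire.
    head = parse_elements(buf, 132, 144)[0]
    if (head.group, head.element, head.vr, len(head.value)) != (0x0002, 0x0000, "UL", 4):
        raise DicomError("file meta must start with (0002,0000) UL group length")
    meta_end = 144 + struct.unpack("<I", head.value)[0]
    if meta_end > len(buf):
        raise DicomError("file meta group length exceeds file size")
    meta = parse_elements(buf, 144, meta_end)
    ts = find(meta, 0x0002, 0x0010)
    if ts is None or ts.as_text() != EXPLICIT_VR_LE:
        raise DicomError("unsupported or missing Transfer Syntax UID")
    return meta, parse_elements(buf, meta_end, len(buf))


def is_rejected(buf: bytes) -> bool:
    """True if the reader refuses `buf` with a DicomError (used to exercise the bounds checks)."""
    try:
        parse_part10(buf)
    except DicomError:
        return True
    return False


def encode_element(group: int, element: int, vr: str, value: bytes) -> bytes:
    """Encode one Explicit VR LE element; used here only to build the constructed sample."""
    if len(value) % 2:
        value += b"\x00" if vr in ("UI", "OB", "UN") else b" "
    if vr in LONG_LENGTH_VRS:
        return struct.pack("<HH2sHI", group, element, vr.encode(), 0, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr.encode(), len(value)) + value


def _sample_file() -> bytes:
    # Constructed sample, not a real study: Secondary Capture SOP class + one patient name.
    meta_body = (
        encode_element(0x0002, 0x0001, "OB", b"\x00\x01")
        + encode_element(0x0002, 0x0002, "UI", b"1.2.840.10008.5.1.4.1.1.7")
        + encode_element(0x0002, 0x0010, "UI", EXPLICIT_VR_LE.encode())
    )
    return (
        b"\x00" * 128 + b"DICM"
        + encode_element(0x0002, 0x0000, "UL", struct.pack("<I", len(meta_body)))
        + meta_body
        + encode_element(0x0008, 0x0016, "UI", b"1.2.840.10008.5.1.4.1.1.7")
        + encode_element(0x0010, 0x0010, "PN", b"DOE^JANE")
    )


SAMPLE = _sample_file()

if __name__ == "__main__":
    meta, dataset = parse_part10(SAMPLE)
    for e in meta + dataset:
        print(f"({e.group:04X},{e.element:04X}) {e.vr} {e.value!r}")
```

The reader deliberately stops at the first malformed element rather than skipping it: a PACS or VNA ingest path that silently tolerates bad lengths is the one that gets fed crafted files. Implicit VR, big-endian and compressed transfer syntaxes are out of scope here and are rejected on the Transfer Syntax UID check.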
Jurisdiction: GLOBAL
Lifecycle: Active
DORA Obligations Profile
Digital operational resilience obligations profile for EU financial entities.
Jurisdiction: EU
Lifecycle: Active
EU 5G Security Toolbox
The EU 5G Security Toolbox is a coordinated EU approach to securing 5G networks. Recommends strategic + technical risk-mitigation measures including supplier risk assessment, multi-vendor strategies, restricting high-risk vendors from core + sensitive parts of networks + mitigating dependencies. Implemented through national + sector regulations. Pairs with UK Telecommunications Security Act + national equivalents.
Jurisdiction: EU
Lifecycle: Active
ADR — European Agreement on Dangerous Goods by Road
ADR (Accord européen relatif au transport international des marchandises Dangereuses par Route) is the European agreement on the international carriage of dangerous goods by road. Classifies hazardous substances + sets requirements for packaging, marking + labelling, vehicles, tank construction, training (DGSA), documentation + security. Updated biennially. Implemented across 50+ countries including UK + EU. Companion modes: RID (rail), ADN (inland waterways), IMDG Code (sea), ICAO TI / IATA DGR (air). DGSA appointment required for in-scope companies.
Jurisdiction: EU
Lifecycle: Active
EU AI Act
EU Regulation 2024/1689 (the AI Act) is the first comprehensive AI law — a risk-tiered regulation reaching anyone who places an AI system on the EU market, puts one into service in the EU, or whose output is used in the EU. Penalties reach €35 million or 7% of global turnover for prohibited-practice violations; €15 million or 3% for high-risk non-compliance. Obligations land in waves: prohibited practices and AI literacy from February 2025; general-purpose AI model rules from August 2025; full high-risk system obligations from August 2026. High-risk systems (Annex III: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice, democratic processes) require a registered AI system, risk-management process, data-governance evidence, technical documentation, logging, human oversight, accuracy/robustness/cybersecurity testing, and a quality-management system. Quick Policy seeds the AI governance, AI risk, transparency, and human-oversight policies the Act requires and links them to ISO 42001 + 42005 for a defensible audit trail.
Jurisdiction: EU
Lifecycle: Active
EU ATEX 2014/34/EU — Equipment for Explosive Atmospheres
The ATEX Equipment Directive 2014/34/EU sets requirements for equipment + protective systems intended for use in potentially explosive atmospheres placed on the EU market. Companion to ATEX Workplace Directive 1999/92/EC. Equipment categorised by Group (I mining, II surface) + Category (1/2/3 reflecting protection level). CE marking + Ex marking + DoC required. Notified body involvement increases with category. Aligned with IEC 60079 series.
Jurisdiction: EU
Lifecycle: Active
EU Audiovisual Media Services Directive
The EU Audiovisual Media Services Directive (AVMSD) regulates television broadcasting + on-demand audiovisual media services (VOD) + video-sharing platforms (VSPs) across EU Member States. Covers protection of minors, commercial communications, European works promotion (30% quota for VOD), accessibility + advertising restrictions. National regulatory authorities (e.g. ARCOM in France, AGCOM in Italy) implement nationally. In the UK, Ofcom applies the retained Audiovisual Media Services Regulations post-Brexit.
Jurisdiction: EU
Lifecycle: Active
EU Battery Regulation 2023/1542
The EU Battery Regulation 2023/1542 replaced the Battery Directive 2006/66/EC. Covers all battery categories — portable, EV, industrial, LMT (light means of transport), SLI. Imposes carbon footprint, recycled content, due diligence, performance + durability, removability + replaceability + labelling requirements. Phased implementation 2024-2030+. Strong supply-chain due-diligence requirements for cobalt, lithium, nickel + natural graphite.
Jurisdiction: EU
Lifecycle: Active
EU CPR — Construction Products Regulation (EU) 305/2011
The EU Construction Products Regulation 305/2011 (CPR) establishes harmonised conditions for the marketing of construction products in the EU. Requires the CE marking of products covered by a harmonised European standard (hEN) or European Assessment Document (EAD), based on a manufacturer's Declaration of Performance (DoP). Sets out 7 basic requirements for construction works. UK has implemented a UKCA-marking parallel regime post-Brexit. 2024 CPR reform — Regulation (EU) 2024/3110 — modernises the framework.
Jurisdiction: EU
Lifecycle: Active
EU Corporate Sustainability Due Diligence Directive
The EU CSDDD obliges large EU + non-EU companies to identify, prevent + mitigate adverse human rights + environmental impacts in their operations + value chains. In-scope: EU companies >1,000 employees + €450m turnover; non-EU companies with €450m EU turnover. Phased implementation 2027-2029. Civil liability + Member State enforcement; transition plans for climate. Companion to CSRD reporting.
Jurisdiction: EU
Lifecycle: Active
EU CSRD + ESRS — Corporate Sustainability Reporting
The EU Corporate Sustainability Reporting Directive (CSRD) Directive (EU) 2022/2464 + the European Sustainability Reporting Standards (ESRS) adopted by EFRAG significantly expand sustainability reporting for in-scope EU companies + non-EU companies with EU activities. Phased application from 2024 for large public companies + extending to large + listed SMEs by 2027. Mandatory double-materiality assessment + assurance by auditor / independent assurance provider. Companion: SFDR for financial market participants.
Jurisdiction: EU
Lifecycle: Active
EU Digital Markets Act (DMA)
The EU Digital Markets Act (Regulation (EU) 2022/1925) sets rules for "gatekeepers" — large digital platforms providing core platform services. Imposes obligations + prohibitions to ensure contestable + fair digital markets including interoperability, data portability, anti-self-preferencing + transparent app stores. Enforced by EU Commission. Fines up to 10% global turnover (20% for repeats). Indirectly affects retail through marketplace + advertising rules.
Jurisdiction: EU
Lifecycle: Active
EU Digital Services Act (DSA)
The EU Digital Services Act (Regulation (EU) 2022/2065) regulates online intermediaries + platforms. Imposes obligations including transparent content moderation, transparent advertising, recommender system transparency, risk assessments (for Very Large Online Platforms (VLOPs) + Very Large Online Search Engines (VLOSEs)) + Trusted Flaggers. Online marketplaces face additional KYC of business users. Enforced by Member State Digital Services Coordinators + EU Commission. Fines up to 6% global turnover.
Jurisdiction: EU
Lifecycle: Active
EU EASA Aircrew + Air Operations + Maintenance
The European Union Aviation Safety Agency oversees civil aviation safety across EU Member States + EASA-participating states. Implementing Regulations cover Aircrew (Part-FCL), Air Operations (Part-ORO, Part-CAT, Part-SPO), Continuing Airworthiness (Part-M, Part-145), Initial Airworthiness (Part-21) + Aerodromes (Part-ADR). National Aviation Authorities (NAAs) implement EASA regulations. AOC (Air Operator Certificate) + Continuing Airworthiness Management Organisation (CAMO) approvals. UK post-Brexit operates a parallel CAA regime largely aligned with EASA.
Jurisdiction: EU
Lifecycle: Active
EU European Electronic Communications Code
The European Electronic Communications Code (EECC) is the foundational EU regulatory framework for electronic communications networks + services + associated facilities. Covers market regulation, spectrum, end-user rights (transparency, contract information, switching, fault repair), universal service + security of networks + services. National Regulatory Authorities (NRAs e.g. ComReg, BNetzA) implement. UK retained pre-Brexit equivalent via Communications Act 2003 + General Conditions.
Jurisdiction: EU
Lifecycle: Active
EU EMC 2014/30/EU — Electromagnetic Compatibility
The Electromagnetic Compatibility Directive 2014/30/EU sets essential requirements for equipment to not generate excessive electromagnetic disturbance + to function in its intended electromagnetic environment. Applies to most electrical + electronic equipment placed on the EU market alongside LVD. Self-certification via technical file + DoC supporting CE marking. Harmonised standards EN 55032, EN 61000 series, EN 55035.
Jurisdiction: EU
Lifecycle: Active
EU Ecodesign for Sustainable Products Regulation
The Ecodesign for Sustainable Products Regulation (ESPR) (EU) 2024/1781 repeals + replaces the Ecodesign Directive 2009/125/EC. Sets a framework to apply ecodesign + circular requirements to virtually all physical products placed on the EU market (initial focus: textiles, iron + steel, furniture, tyres, chemicals, paint). Introduces the Digital Product Passport (DPP), prohibits destruction of unsold consumer goods + sets ecodesign requirements through delegated acts. Phased implementation.
Jurisdiction: EU
Lifecycle: Active
EU F-Gas Regulation 517/2014
EU Regulation 517/2014 (F-Gas Regulation) controls fluorinated greenhouse gases used in refrigeration, air conditioning, heat pumps + fire protection. Imposes a phase-down quota system on HFC placement on the EU market, leak-check obligations, record-keeping, recovery + destruction obligations + training + certification of technicians + companies. Repealed + replaced by Regulation (EU) 2024/573 (applying from 11 March 2024), which accelerates the HFC phase-down to zero by 2050. UK retained equivalent regime post-Brexit.
Jurisdiction: EU
Lifecycle: Active
EU Food Information to Consumers Regulation 1169/2011
EU FIC Regulation 1169/2011 sets mandatory food information rules for the EU — covering allergen declaration (14 listed allergens), nutrition labelling, country of origin, durability date + readability. UK Natasha's Law (Food Information Amendment 2019) extends allergen labelling to prepacked-for-direct-sale (PPDS) food + is widely referenced as a model elsewhere.
Jurisdiction: EU
Lifecycle: Active
EU Regulation (EC) 852/2004 on the Hygiene of Foodstuffs
EU regulation setting general hygiene requirements for all food business operators, including HACCP principles, food premises + equipment, water, waste, personal hygiene + training. Annex I covers primary production; Annex II covers processing.
Jurisdiction: EU
Lifecycle: Active
EU General Food Law Regulation (EC) 178/2002
Foundation EU food regulation establishing general principles + requirements of food law, the European Food Safety Authority + procedures in matters of food safety. Imposes traceability (Article 18), the precautionary principle, withdrawal/recall (Article 19) + responsibility of food + feed business operators.
Jurisdiction: EU
Lifecycle: Active
EU General Food Law Regulation 178/2002
EU Regulation 178/2002 is the foundational EU food law — establishing food safety principles, the European Food Safety Authority (EFSA), the Rapid Alert System for Food + Feed (RASFF) + the precautionary principle. Imposes traceability + withdrawal / recall obligations on all food businesses. Companion regulations cover hygiene (852/2004), official controls (625/2017) + food information to consumers (1169/2011).
Jurisdiction: EU
Lifecycle: Active
EU General Product Safety Regulation 2023/988
EU Regulation 2023/988 (General Product Safety Regulation — GPSR) replaces the General Product Safety Directive 2001/95/EC from 13 December 2024. Imposes safety + traceability + recall obligations on producers, importers, distributors + online marketplaces. Producers must carry out an internal risk analysis + maintain technical documentation. Mandatory online product safety information + public notification of corrective actions. Companion: Market Surveillance Regulation 2019/1020 + product-specific safety laws.
Jurisdiction: EU
Lifecycle: Active
EU IVDR — Regulation (EU) 2017/746
The EU In Vitro Diagnostic Regulation (IVDR) replaced the IVDD, applying since 26 May 2022. Risk-based classification (Class A / B / C / D) drives notified-body involvement for the vast majority of IVDs (vs ~10% under IVDD). Sets requirements on clinical evidence (scientific validity, analytical + clinical performance), performance evaluation reports, EUDAMED registration, UDI, and Person Responsible for Regulatory Compliance. Transitional provisions extended in 2024 (IVDR Amendment 2024/1860) for legacy IVDD devices.
Jurisdiction: EU
Lifecycle: Active
EU LVD 2014/35/EU — Low Voltage Directive
The Low Voltage Directive 2014/35/EU sets essential safety requirements for electrical equipment operating between 50-1000V AC + 75-1500V DC placed on the EU market. Self-certification via technical file + DoC supporting CE marking. Aligned with harmonised standards (EN IEC 62368 + others). One of the foundational CE-marking directives. Enforced by Member State market surveillance.
Jurisdiction: EU
Lifecycle: Active
EU Machinery Regulation 2023/1230
The EU Machinery Regulation 2023/1230 (effective 2027) replaces the Machinery Directive 2006/42/EC. Sets essential health + safety requirements for the design + construction of machinery placed on the EU market, plus requirements for CE marking, Technical File, Declaration of Conformity + (for Annex I "high-risk" machinery including AI-enabled) third-party assessment. AI-enabled machinery + cybersecurity addressed for the first time. Companion to LVD + EMC + RED.
Jurisdiction: EU
Lifecycle: Active
EU Mortgage Credit Directive 2014/17/EU
EU Directive regulating credit agreements for consumers relating to residential immovable property. Establishes harmonised pre-contractual information (ESIS), creditworthiness assessment, conduct of business rules + cooling-off / reflection period.
Jurisdiction: EU
Lifecycle: Active
EU MDR — Regulation (EU) 2017/745
The EU Medical Device Regulation (MDR) replaced the MDD + AIMDD, applying since 26 May 2021. Sets requirements for the placing on the market + putting into service of medical devices + their accessories in the EU. Drives notified-body conformity assessment, technical documentation (Annex II + III), clinical evaluation (Annex XIV), post-market surveillance (Annex III) + post-market clinical follow-up. EUDAMED registration + UDI assignment + Person Responsible for Regulatory Compliance (PRRC) required. Transitional provisions extended in 2023 (MDR Amendment 2023/607) for legacy MDD devices.
Jurisdiction: EU
Lifecycle: Active
EU Nitrates Directive 91/676/EEC
EU Directive protecting waters against pollution caused by nitrates from agricultural sources. Member States designate Nitrate Vulnerable Zones (NVZs) + adopt action programmes with manure storage + spreading limits.
Jurisdiction: EU
Lifecycle: Active
EU Organic Regulation (EU) 2018/848
EU regulation on organic production + labelling of organic products. Replaces 834/2007 from 2022. Covers crops, livestock, aquaculture, processed food, wine, yeast + seaweed. Mandates certification by control bodies + organic logo on labelled products.
Jurisdiction: EU
Lifecycle: Active
EU PED — Pressure Equipment Directive 2014/68/EU
The Pressure Equipment Directive 2014/68/EU establishes essential safety requirements for the design + manufacture of pressure equipment + assemblies placed on the EU market. Classifies equipment by category (I-IV) based on pressure, volume + fluid type with corresponding conformity assessment modules. Notified body involvement increases with category. CE marking + DoC required. Companion: SPVD 2014/29/EU for simple pressure vessels.
Jurisdiction: EU
Lifecycle: Active
EU Regulation (EC) 1107/2009 — Plant Protection Products
EU regulation on the placing of plant protection products (pesticides) on the market. Companion: Sustainable Use Directive 2009/128/EC + Maximum Residue Levels Regulation 396/2005. Establishes active substance approval + product authorisation.
Jurisdiction: EU
Lifecycle: Active
EU Price Marking + Omnibus Directives
EU Price Marking Directive 98/6/EC (as amended by Omnibus 2019/2161 in force 2022) requires clear + unambiguous + non-misleading price indication. Omnibus enhances "was / now" rules — reference price must be the lowest price applied in the 30 days prior + introduces additional rules on online consumer reviews + personalised pricing transparency. Implemented nationally; UK retained version applies.
Jurisdiction: EU
Lifecycle: Active
EU Package Travel Directive (EU) 2015/2302
EU Package Travel Directive 2015/2302 protects consumers buying package holidays + linked travel arrangements. Requires pre-contractual + contractual information, insolvency protection of consumer payments, performance liability + remedies for non-conforming travel services. UK retained version (Package Travel + Linked Travel Arrangements Regs 2018) applies in GB.
Jurisdiction: EU
Lifecycle: Active
EU REACH — Registration, Evaluation, Authorisation + Restriction of Chemicals
REACH is the EU regulation addressing the production + use of chemical substances + their potential impacts on human health + the environment. Requires manufacturers, importers + downstream users of chemicals to register substances >1 tonne/year, assess hazards + risks, apply for authorisation for substances of very high concern (SVHC) on the Candidate List + comply with restrictions in Annex XVII. Enforced by national authorities + ECHA; non-compliance can prevent EU market access.
Jurisdiction: EU
Lifecycle: Active
EU RoHS — Restriction of Hazardous Substances
The EU RoHS Directive restricts the use of 10 hazardous substances (lead, mercury, cadmium, hexavalent chromium, PBB, PBDE + four phthalates DEHP/BBP/DBP/DIBP) in electrical + electronic equipment placed on the EU market. Compliance demonstrated through a technical file + the EU Declaration of Conformity supporting CE marking. Annex III + IV exemptions for specific applications. Enforced by Member State market surveillance; non-compliant products can be withdrawn from market.
Jurisdiction: EU
Lifecycle: Active
EU Tachograph + Drivers' Hours Regulations
EU Regulation 561/2006 (Drivers' Hours) + Regulation 165/2014 (Tachographs), with significant amendments by the EU Mobility Package, set the rules on driving + rest times + tachograph use for commercial drivers in the EU + UK (retained post-Brexit, with national amendments). Limits: 9h daily driving (extended to 10h twice weekly), 56h weekly, 90h fortnightly + mandatory breaks + rest periods. Smart tachograph required for new vehicles. Penalties enforced through roadside checks + analyser systems.
Jurisdiction: EU
Lifecycle: Active
EU VAT Directive
The EU VAT Directive establishes the common system of value added tax across EU member states. Defines scope, place of supply rules, VAT rates, exemptions, deduction of input VAT, invoicing requirements + administrative obligations. Member states transpose into national law (with limited flexibility). The VAT in the Digital Age (ViDA) package, agreed 2024, introduces e-invoicing + digital reporting requirements progressively through 2030 + simplifies single-VAT registration + platform-economy treatment. Non-EU businesses making EU-taxable supplies face VAT obligations via OSS / IOSS schemes or local registration.
Jurisdiction: EU
Lifecycle: Active
EU WEEE 2012/19/EU — Waste EEE
The WEEE Directive 2012/19/EU establishes producer responsibility for the take-back, recycling + recovery of waste electrical + electronic equipment placed on the EU market. Producers must register with national WEEE registers, fund collection + treatment + report annually. WEEE marking + financial guarantees required. Member State implementation varies.
Jurisdiction: EU
Lifecycle: Active
Factor Analysis of Information Risk (FAIR)
FAIR is a quantitative information-risk analysis framework standardised by The Open Group as Open FAIR (the O-RT risk taxonomy + O-RA risk analysis standards). It defines risk as the probable frequency + probable magnitude of future loss, decomposing Loss Event Frequency (threat event frequency × vulnerability) + Loss Magnitude (primary + secondary loss) so that scenarios can be estimated in financial terms + compared in the same units as other business decisions. Results are typically produced by Monte Carlo simulation over calibrated estimate ranges. Used by mature risk programmes to complement qualitative risk-matrix approaches.
Jurisdiction: GLOBAL
Lifecycle: Active
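A worked illustration of the FAIR calculation described above, added here as an example; it is not Open FAIR reference code or any vendor's tool. Assumptions (all constructed): Loss Event Frequency and Loss Magnitude are each given as three-point estimates, Python's `random.triangular` stands in for the PERT distribution FAIR tooling normally uses, event counts per year are Poisson, and the numbers in `main` are made-up sample inputs rather than calibrated estimates.

```python
"""Monte Carlo estimate of Annualised Loss Exposure (ALE) in FAIR terms.

Added illustration, not Open FAIR reference code. Constructed assumptions:
- Loss Event Frequency (LEF) is an events-per-year rate, itself uncertain and
  drawn from a three-point (min / most likely / max) estimate; random.triangular
  stands in for the PERT distribution FAIR tooling normally uses.
- Loss Magnitude (LM) per event is a separate three-point estimate.
- The figures in main are made-up sample inputs, not calibrated estimates.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate: minimum, most likely, maximum (same units)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:            # no uncertainty: return the point value
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one simulated year at the given rate."""
    if rate <= 0:
        return 0
    if rate > 100:                            # Knuth's method underflows for large rates
        return max(0, round(rng.gauss(rate, math.sqrt(rate))))
    limit = math.exp(-rate)                   # Knuth's multiplicative sampler
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values: list, pct: float) -> float:
    """Nearest-rank percentile of an already sorted, non-empty list."""
    idx = max(0, math.ceil(pct / 100 * len(sorted_values)) - 1)
    return sorted_values[idx]


def simulate_ale(lef: Estimate, lm: Estimate, years: int = 10_000, seed: int = 1) -> dict:
    """Simulate `years` independent years and summarise annual loss.

    Per year: draw a rate from `lef`, draw the event count from Poisson(rate),
    then draw an independent magnitude from `lm` for every event and sum them.
    The summary is what a FAIR analysis reports: the mean (ALE) plus the tail.
    """
    rng = random.Random(seed)                  # seeded so results are reproducible
    yearly = []
    for _ in range(years):
        events = poisson(rng, lef.sample(rng))
        yearly.append(sum(lm.sample(rng) for _ in range(events)))
    yearly.sort()
    return {
        "mean": sum(yearly) / years,
        "p50": percentile(yearly, 50),
        "p90": percentile(yearly, 90),
        "p99": percentile(yearly, 99),
        "max": yearly[-1],
    }


if __name__ == "__main__":
    # Constructed scenario: credential-phishing losses, 0.5-6 events/yr (mode 2),
    # 20k-900k per event (mode 80k), in whatever currency the estimates use.
    result = simulate_ale(Estimate(0.5, 2, 6), Estimate(20_000, 80_000, 900_000))
    for key, value in result.items():
        print(f"{key:>5}: {value:>12,.0f}")
```

The tail percentiles matter more than the mean for decisions such as cyber-insurance limits or control investment: two scenarios with the same ALE can have very different p99 values, which is exactly what a qualitative risk matrix hides.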
US Foreign Account Tax Compliance Act (FATCA)
The US Foreign Account Tax Compliance Act (FATCA) requires foreign financial institutions (FFIs) to identify US account holders + report to IRS (or local tax authority under intergovernmental agreement / IGA), or face 30% withholding on certain US-source payments. Coexists with CRS — most non-US FIs apply both, with FATCA being US-specific. Withholding agent obligations for US payors making certain payments to foreign persons. CRS + FATCA reporting often combined operationally.
Jurisdiction: US
Lifecycle: Active
FATF Recommendation 16 — Virtual Asset Travel Rule
Financial Action Task Force (FATF) Recommendation 16, the so-called "Travel Rule", requires Virtual Asset Service Providers (VASPs) to obtain, hold + transmit required originator + beneficiary information with virtual asset transfers, with a de minimis threshold of USD/EUR 1,000. Implementation varies by jurisdiction: EU via the recast Transfer of Funds Regulation (Reg 2023/1113, no minimum threshold for crypto-asset transfers), US via FinCEN's existing $3,000 Travel Rule threshold, UK via the Money Laundering Regulations 2017 as amended (in force Sept 2023; reduced information set for transfers below £1,000-equivalent). VASPs must implement compatible messaging infrastructure (e.g. TRP, Sumsub, Notabene, Veriscope) + perform sanctions screening on counterparties.
Jurisdiction: GLOBAL
Lifecycle: Active
UK FCA Consumer Duty (PRIN 12)
The UK FCA's Consumer Duty (PRIN 12 + PRIN 2A) is the outcomes-focused regulatory standard for retail consumer financial services. Three cross-cutting rules: (1) act in good faith; (2) avoid foreseeable harm; (3) enable + support customers to pursue their financial objectives. Four outcomes: products + services, price + value, consumer understanding, consumer support. Requires annual Board-approved Consumer Duty assessment + Champion role at Board level. Enforcement combines supervisory engagement, thematic reviews + enforcement action.
Jurisdiction: UK
Lifecycle: Active
FCA/PRA Operational Resilience and Conduct Profile
UK financial services obligations profile for resilience and conduct.
Jurisdiction: UK
Lifecycle: Active
FDA 21 CFR Part 11 — Electronic Records / Signatures
FDA 21 CFR Part 11 establishes the criteria under which the FDA considers electronic records + electronic signatures to be trustworthy, reliable + equivalent to paper. Applies to records required by FDA predicate rules (e.g. 21 CFR Pt 210/211, Pt 312, Pt 314, Pt 820). Requires validation of systems, audit trails, electronic signature controls (unique IDs, two-component authentication, signature manifestations), access controls + system documentation. Predicate rule applicability + risk-based approach articulated in 2003 Scope and Application guidance. Failure to comply has resulted in FDA 483s, Warning Letters + consent decrees.
Jurisdiction: US
Lifecycle: Active
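The audit-trail + electronic-signature requirements summarised above, shown as an added illustration in code (not FDA guidance text or any vendor's Part 11 module). Constructed assumptions: the user directory, password, record identifiers and field names are made up; the SHA-256 hash chain is one way of making the trail tamper-evident and is not something the rule's text prescribes; time stamps are UTC.

```python
"""Append-only audit trail + electronic-signature manifestation in the shape
21 CFR Part 11 describes: §11.10(e) computer-generated, time-stamped audit
trails that do not obscure earlier entries; §11.50 signature manifestations
(printed name, date/time, meaning); §11.200(a) two-component signatures.

Added illustration, not FDA or vendor code. Constructed assumptions: the user
directory, password, record IDs and field names are made up; the SHA-256 hash
chain is one way of making the trail tamper-evident and is not prescribed by
the rule's text; time stamps are UTC.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed user directory: user id -> (printed name, PBKDF2 password hash, salt)
_SALT = b"example-salt"
_USERS = {
    "jdoe": ("Jane Doe", hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000), _SALT),
}


def _verify_password(user_id, password):
    """Second signature component; constant-time compare against the stored hash."""
    entry = _USERS.get(user_id)
    if entry is None:
        return False
    _, stored, salt = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)


class AuditTrail:
    """Append-only, time-stamped, hash-chained log. Entries are never edited;
    a change is recorded as a new entry carrying both old and new values."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user_id, action, record_id, detail=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "record": record_id,
            "detail": detail or {},
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain: False if any entry was altered, reordered or removed
        from the middle. Truncating the tail is only detectable if the latest hash
        is also anchored somewhere the operator cannot reach."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class RecordStore:
    """Electronic records whose every create / modify / sign goes through the trail."""

    def __init__(self):
        self.records = {}
        self.trail = AuditTrail()

    def create(self, user_id, record_id, fields):
        self.records[record_id] = dict(fields)
        self.trail.append(user_id, "create", record_id, {"fields": dict(fields)})

    def update(self, user_id, record_id, field, new_value):
        old = self.records[record_id].get(field)          # old value kept in the trail
        self.records[record_id][field] = new_value
        self.trail.append(user_id, "modify", record_id, {"field": field, "old": old, "new": new_value})

    def sign(self, user_id, password, record_id, meaning):
        """Two-component signature (id + password, checked together). Returns the
        §11.50 manifestation; a rejected attempt is itself recorded (§11.300(d))."""
        if not _verify_password(user_id, password):
            self.trail.append(user_id, "sign_rejected", record_id, {"meaning": meaning})
            raise PermissionError("signature components rejected")
        manifestation = {
            "printed_name": _USERS[user_id][0],
            "signed_at": datetime.now(timezone.utc).isoformat(),
            "meaning": meaning,
        }
        self.trail.append(user_id, "sign", record_id, manifestation)
        return manifestation

    def history(self, record_id):
        """Every trail entry for a record, oldest first; nothing is ever overwritten."""
        return [e for e in self.trail.entries if e["record"] == record_id]


if __name__ == "__main__":
    store = RecordStore()
    store.create("jdoe", "BATCH-001", {"yield_pct": 97.5})        # constructed record
    store.update("jdoe", "BATCH-001", "yield_pct", 98.1)
    print(store.sign("jdoe", "correct horse", "BATCH-001", "approved"))
    print("trail intact:", store.trail.verify())
```

The point a Part 11 inspector looks for is visible in `history`: the modify entry carries both 97.5 and 98.1, so the earlier value is never obscured, and the signature entry binds printed name, time and meaning to the record through the same chain.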
FDA 21 CFR Part 820 — Quality System Regulation (QSR)
FDA 21 CFR Part 820 is the Quality System Regulation (QSR) governing medical device manufacturers selling in the US — covering design controls, document controls, purchasing controls, production + process controls, CAPA, complaint handling, servicing, statistical techniques + management responsibility. The Quality Management System Regulation (QMSR) final rule (published Feb 2024, effective 2 Feb 2026) harmonises QSR with ISO 13485:2016 by incorporating the standard by reference, replacing many QSR-specific requirements but preserving FDA-specific records, labelling + complaint elements. Enforced through FDA inspections, 483s + Warning Letters.
Jurisdiction: US
Lifecycle: Active
FDA 21 CFR Part 210/211 — cGMP for Finished Pharmaceuticals
FDA 21 CFR Part 210 (general cGMP) + Part 211 (cGMP for finished pharmaceuticals) establish the minimum current Good Manufacturing Practice for pharmaceutical manufacturers — covering organisation + personnel, buildings + facilities, equipment, control of components + drug product containers, production + process controls, packaging + labelling, holding + distribution, laboratory controls, records + reports + returned/salvaged drug products. Failure results in FDA 483s, Warning Letters, import alerts + consent decrees. The reference standard for US pharmaceutical manufacturing.
Jurisdiction: US
Lifecycle: Active
FDA 21 CFR Part 50 + 56 — Human Subject Protection
FDA 21 CFR Part 50 (Protection of Human Subjects) + Part 56 (Institutional Review Boards) govern the protection of human subjects in FDA-regulated clinical investigations, operationalising the Belmont Report principles. Part 50 requires informed consent (with narrow exception conditions for emergency research); Part 56 requires IRB review + approval + continuing review. FDA has been harmonising Parts 50 + 56 with the revised Common Rule (45 CFR 46 Subpart A, 2018) through subsequent rulemaking (e.g., the 2024 single-IRB rule for cooperative research), but FDA-specific differences remain (e.g., no broad-consent option; separate Subpart D provisions for children). Inspections by FDA's BIMO program.
Jurisdiction: US
Lifecycle: Active
FDA 21 CFR Part 312 — IND Applications
FDA 21 CFR Part 312 governs Investigational New Drug (IND) applications — required before a drug can be shipped across state lines for clinical investigation. Covers commercial vs treatment vs investigator-sponsored INDs, content + format (Form FDA 1571), safety reporting (IND Safety Reports per §312.32 / 7- or 15-day timelines), clinical hold authorities, sponsor obligations + investigator obligations. Failure to comply has resulted in clinical holds + sponsor + investigator disqualification.
Jurisdiction: US
Lifecycle: Active
FDA Cybersecurity in Medical Devices guidance
US medical device cybersecurity guidance for design, evidence, and post-market handling.
Jurisdiction: US
Lifecycle: Active
FDA 21 CFR Part 314 — NDA Applications
FDA 21 CFR Part 314 governs New Drug Applications (NDAs) + Abbreviated New Drug Applications (ANDAs). Covers content + format requirements, FDA review timelines (PDUFA), supplements (post-approval changes), reporting (annual reports, NDA-Field Alert Reports, periodic adverse-drug-experience reports under §314.80), labelling + marketing materials. Companion provisions in Part 600 (biologics) + Part 601 (BLAs). Failure has resulted in approval delays, complete response letters + post-marketing requirements.
Jurisdiction: US
Lifecycle: Active
FedRAMP Moderate Baseline
FedRAMP Moderate is the standardised authorisation baseline for US federal civilian cloud services handling controlled unclassified information. Based on NIST SP 800-53 Rev 5 with FedRAMP-specific parameters + continuous monitoring obligations. Authorisation is granted by a sponsoring federal agency (agency ATO); the separate Joint Authorization Board path was retired in 2024 when the FedRAMP Board replaced the JAB. Required for most federal SaaS contracts; commercial SaaS vendors increasingly pursue it to access government revenue.
Jurisdiction: US
Lifecycle: Active
Federal Reserve SR 11-7 — Model Risk Management
Federal Reserve SR 11-7 / OCC Bulletin 2011-12 (Supervisory Guidance on Model Risk Management) is the foundational US bank model-risk expectation. Written for large bank holding companies + national banks, it is treated as the de-facto standard across US banking + insurance + by supervisors elsewhere. Defines model risk + three pillars: model development, implementation + use; model validation; governance, policies + controls. Supervisors apply it to AI/ML models as well; it is complemented by the 2023 interagency Third-Party Relationships: Risk Management guidance (SR 23-4 / OCC 2023-17) where models are vendor-supplied.
Jurisdiction: US
Lifecycle: Active
FFIEC Architecture, Infrastructure, and Operations booklet
US banking supervisory guidance for architecture, infrastructure, and operations resilience.
Jurisdiction: US
Lifecycle: Active
FFIEC Information Security booklet
US banking supervisory guidance for information security governance, access, and monitoring.
Jurisdiction: US
Lifecycle: Active
SEC Form PF + 2024 Amendments
Form PF is the confidential private-fund reporting form filed with the SEC (jointly with the CFTC for dually registered advisers) by SEC-registered investment advisers with at least $150m in private fund assets. The May 2023 amendments added current (event-driven, 72-hour) reporting for large hedge fund advisers, quarterly event reporting for private equity advisers + expanded Section 4 large private equity adviser reporting. The February 2024 joint SEC/CFTC amendments expanded + restructured reporting for large hedge fund advisers + qualifying hedge funds + changed the aggregation rules. Filings are confidential to SEC + FSOC; non-compliance can bring censure + fines.
Jurisdiction: US
Lifecycle: Active
General Data Protection Regulation
EU/UK privacy and data protection requirements for personal data processing.
Jurisdiction: EU
Lifecycle: Active
BRCGS Food Safety Standard v9 (GFSI-recognised)
GFSI-benchmarked food safety standard widely required by major retailers. Issue 9 covers senior management commitment, food safety plan (HACCP), food safety + quality management system, site standards, product control, process control, personnel + product authenticity. Certification covers a single site under unannounced or announced audit.
Jurisdiction: GLOBAL
Lifecycle: Active
FSSC 22000 v6 (GFSI-recognised)
GFSI-recognised food safety management certification combining ISO 22000 + PRP standards (e.g. ISO/TS 22002-1) + additional FSSC requirements. v6 strengthens food safety culture, food loss + waste, equipment management + food fraud/defence.
Jurisdiction: GLOBAL
Lifecycle: Active
SQF Food Safety Code (GFSI-recognised)
GFSI-recognised certification programme published by SQFI (a division of FMI). Covers HACCP-based food safety + quality across primary production, manufacturing, distribution + storage. Common in North American food supply chains; uses approved certification bodies + SQF Practitioners.
Jurisdiction: GLOBAL
Lifecycle: Active
US Gramm-Leach-Bliley Act + FTC Safeguards Rule (2023 amendments)
The Gramm-Leach-Bliley Act (Title V) is the US federal financial-privacy law. The FTC's amended Safeguards Rule (16 CFR Part 314, finalised Dec 2021; most new provisions effective 9 June 2023) substantially strengthened information security obligations for non-bank financial institutions under FTC jurisdiction (including auto dealers, payday lenders, mortgage brokers + many fintechs). Mandates a written Information Security Program overseen by a designated Qualified Individual, a written risk assessment, access controls, encryption of customer information in transit + at rest, MFA for anyone accessing customer information, annual penetration testing + six-monthly vulnerability assessments (or continuous monitoring), a written incident response plan + at least annual reporting to the Board. A further amendment in Oct 2023 (effective May 2024) requires notifying the FTC within 30 days of discovering a notification event affecting 500 or more consumers.
Jurisdiction: US
Lifecycle: Active
GlobalG.A.P. Integrated Farm Assurance v6
Voluntary on-farm food safety + sustainability certification covering Fruit & Vegetables, Aquaculture, Livestock + Combinable Crops. Required by major retailers in EU, UK + increasingly elsewhere. v6 adds GRASP (workers' welfare) + SPRING (water stewardship) add-ons.
Jurisdiction: GLOBAL
Lifecycle: Active
GS1 Standards — Barcodes + Identifiers
GS1 is the global standards organisation for supply chain identification + barcoding. Standards include GS1 GTIN (Global Trade Item Number), barcode formats (UPC, EAN, ITF-14, DataMatrix), 2D barcodes including QR + GS1 Digital Link, GS1 Standards for EPCIS (event tracking) + GS1 SmartLabel. Used by virtually all retail supply chains for product identification + inventory + recall + traceability. Adopted in EU Digital Product Passport + retail Web3 use cases.
Jurisdiction: GLOBAL
Lifecycle: Active
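The GTIN check digit that every UPC/EAN/ITF-14 barcode carries, plus extraction of the GTIN key from a GS1 Digital Link URI, shown as an added example (not GS1's own code; the normative source is the GS1 General Specifications). The sample numbers are widely used test values, not claims about products, and the Digital Link parser handles only the AI/value path form described in the lead comment.

```python
"""GS1 GTIN check-digit validation + GS1 Digital Link key extraction.

Added example, not GS1's own code (the normative source is the GS1 General
Specifications). GTIN-8, GTIN-12 (UPC-A), GTIN-13 (EAN-13) and GTIN-14
(ITF-14) share one check-digit algorithm: weight the digits 3,1,3,1,... from
the right, sum, and take the digit that brings the total to a multiple of 10.
Sample numbers below are widely used test values, not claims about products.
"""
from urllib.parse import urlparse


def gtin_check_digit(body: str) -> int:
    """Check digit for the digits that precede it (any GTIN length)."""
    if not body.isdigit():
        raise ValueError("GTIN body must be decimal digits")
    total = sum(int(ch) * (3 if i % 2 == 0 else 1) for i, ch in enumerate(reversed(body)))
    return (10 - total % 10) % 10


def is_valid_gtin(code: str) -> bool:
    """True iff `code` is 8, 12, 13 or 14 digits and its last digit is correct."""
    code = code.strip()
    if len(code) not in (8, 12, 13, 14) or not code.isdigit():
        return False
    return gtin_check_digit(code[:-1]) == int(code[-1])


def normalise_gtin14(code: str) -> str:
    """Left-pad a valid GTIN to 14 digits, the form used as the EPCIS / Digital
    Link key. Leading zeros contribute nothing to the sum, so the check digit
    is unchanged."""
    if not is_valid_gtin(code):
        raise ValueError(f"invalid GTIN: {code!r}")
    return code.strip().zfill(14)


def parse_digital_link(url: str) -> dict:
    """Extract application-identifier / value pairs from a GS1 Digital Link path
    such as https://id.gs1.org/01/09506000134352/10/ABC1 (AI 01 = GTIN,
    AI 10 = batch/lot). Only the AI 01 key is validated here; query-string AIs
    and the other checks in the Digital Link standard are out of scope."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if not parts or len(parts) % 2:
        raise ValueError("Digital Link path must be AI/value pairs")
    pairs = dict(zip(parts[0::2], parts[1::2]))
    if "01" not in pairs or not is_valid_gtin(pairs["01"]):
        raise ValueError("Digital Link must carry a valid GTIN under AI 01")
    return pairs


if __name__ == "__main__":
    for sample in ("4006381333931", "036000291452", "96385074", "4006381333932"):
        print(sample, "valid" if is_valid_gtin(sample) else "INVALID check digit")
    print(parse_digital_link("https://id.gs1.org/01/09506000134352/10/ABC1"))
```

A check digit catches single-digit substitutions and most adjacent transpositions from scanning or keying errors; it is not an authenticity control, so traceability or recall systems that ingest GTINs from untrusted labels still need the EPCIS event history, not just a valid digit.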
GSMA Security Standards + Specifications
The GSMA (GSM Association) develops global mobile network security specifications, including FS.31 Baseline Security Controls, FS.07 SS7 + SIGTRAN network security guidelines + companion interconnect guidance for Diameter (FS.19) + GTP (FS.20). Used by mobile network operators + equipment vendors. Pairs with NESAS (Network Equipment Security Assurance Scheme), operated jointly with 3GPP, for network-equipment security assurance. Increasingly referenced by national regulators + EU bodies (e.g. UK Ofcom, BEREC) as supplementary security baselines.
Jurisdiction: GLOBAL
Lifecycle: Active
HEDIS — Healthcare Effectiveness Data and Information Set
HEDIS is the NCQA performance measurement set used by 90%+ of US health plans to measure care quality + service. ~90 measures across 6 domains (effectiveness of care, access/availability, experience of care, utilisation/risk-adjusted utilisation, health plan descriptive info, electronic clinical data systems). Audited annually by NCQA-certified HEDIS Compliance Auditors. Drives CMS Medicare Advantage Star Ratings + state Medicaid plan oversight + accreditation. NCQA publishes the technical specifications + annual update cycle.
Jurisdiction: US
Lifecycle: Active
HIPAA Security and Privacy Rules
US health information privacy and security safeguards for covered entities and business associates.
Jurisdiction: US
Lifecycle: Active
HIPAA Transactions + Code Sets (X12)
HIPAA Transactions + Code Sets (TCS) standardise electronic administrative + financial transactions across US health care — 837 (claims), 835 (remittance), 834 (enrolment), 270/271 (eligibility), 276/277 (claim status), 278 (prior authorisation), 820 (premium payment). ASC X12 5010A1 is the current version. Code sets: ICD-10-CM (diagnoses), ICD-10-PCS (inpatient procedures), CPT/HCPCS (outpatient procedures), NDC (drugs), CDT (dental). Required for all HIPAA-covered electronic transactions. Operating Rules (CAQH CORE) add consistency + connectivity.
Jurisdiction: US
Lifecycle: Active
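A minimal reader for the X12 envelope that carries the transaction sets listed above, added as an example (not ASC X12, CAQH CORE or any clearinghouse's code). It derives the delimiters from the fixed-width ISA header, splits the interchange into segments, lists each transaction set (ST01) with its implementation version (ST03, falling back to GS08) and checks the SE01 segment counts. The interchange in `SAMPLE` is constructed with dummy identifiers and contains no PHI.

```python
"""Minimal ASC X12 envelope reader for HIPAA transaction sets.

Added illustration, not ASC X12 or clearinghouse code. The interchange in
SAMPLE is constructed with dummy identifiers and no PHI.
"""

# Names from the HIPAA TCS list; used only to label what was found.
TRANSACTION_NAMES = {
    "837": "claim", "835": "remittance", "834": "enrolment",
    "270": "eligibility inquiry", "271": "eligibility response",
    "276": "claim status inquiry", "277": "claim status response",
    "278": "prior authorisation", "820": "premium payment",
}


def build_isa(sender, receiver, control="1", elem="*", comp=":", term="~"):
    """Compose a 106-character ISA header with the fixed element widths X12 requires."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15), "ZZ",
              receiver.ljust(15), "240101", "1200", "^", "00501", control.zfill(9),
              "0", "T", comp]
    return elem.join(fields) + term


# Constructed interchange: one 837 claim + one 835 remittance, dummy identifiers.
SAMPLE = (
    build_isa("SENDERID", "RECEIVERID")
    + "GS*HC*SENDERID*RECEIVERID*20240101*1200*1*X*005010X222A1~"
    + "ST*837*0001*005010X222A1~BHT*0019*00*REF1*20240101*1200*CH~"
    + "NM1*41*2*CLINIC*****46*SENDERID~"
    + "SE*4*0001~GE*1*1~"
    + "GS*HP*SENDERID*RECEIVERID*20240101*1200*2*X*005010X221A1~"
    + "ST*835*0002~BPR*I*100.00*C*ACH~SE*3*0002~GE*1*2~"
    + "IEA*2*000000001~"
)


def detect_delimiters(data):
    """Element, component and segment delimiters as declared by the ISA header."""
    if not data.startswith("ISA"):
        raise ValueError("interchange must start with an ISA segment")
    elem = data[3]                       # the character right after the tag
    pos = -1
    for _ in range(16):                  # ISA always has exactly 16 elements
        pos = data.index(elem, pos + 1)
    comp = data[pos + 1]                 # ISA16 is the one-character component separator
    term = data[pos + 2]                 # whatever follows ISA16 terminates the segment
    return elem, comp, term


def split_segments(data):
    """List of segments, each a list of elements (index 0 is the segment tag)."""
    elem, _, term = detect_delimiters(data)
    return [seg.strip("\r\n").split(elem) for seg in data.split(term) if seg.strip("\r\n")]


def transaction_sets(data):
    """[(set id, control number, version, name)] for every ST in the interchange."""
    group_version = None
    found = []
    for seg in split_segments(data):
        if seg[0] == "GS" and len(seg) > 8:
            group_version = seg[8]       # GS08 implementation version for the group
        elif seg[0] == "ST":
            version = seg[3] if len(seg) > 3 and seg[3] else group_version
            found.append((seg[1], seg[2], version, TRANSACTION_NAMES.get(seg[1], "unknown")))
    return found


def check_segment_counts(data):
    """Compare each SE01 declared count with the segments actually seen from ST
    to SE inclusive. Returns [(control number, declared, actual)] for mismatches,
    which usually mean truncation or concatenation damage."""
    problems, count, control = [], 0, None
    for seg in split_segments(data):
        if seg[0] == "ST":
            control, count = seg[2], 1
        elif control is not None:
            count += 1
            if seg[0] == "SE":
                if int(seg[1]) != count or seg[2] != control:
                    problems.append((control, int(seg[1]), count))
                control = None
    return problems


if __name__ == "__main__":
    print(detect_delimiters(SAMPLE))
    for entry in transaction_sets(SAMPLE):
        print(entry)
    print("count mismatches:", check_segment_counts(SAMPLE))
```

Deriving delimiters from ISA rather than assuming `*`/`:`/`~` matters because trading partners do change them; and checking SE01 before routing a file downstream is a cheap way to reject interchanges that were cut off in transit before any PHI-bearing loop is processed.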
HITECH Act 2009
The US Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 strengthened HIPAA — extending Privacy + Security Rule obligations to Business Associates directly, raising civil money penalties to a tiered structure (up to $1.5M per violation category per year), introducing the Breach Notification Rule (notify affected individuals + HHS + sometimes media within 60 days), and incentivising EHR adoption via Meaningful Use. The 2013 Omnibus Rule operationalised most provisions. Enforcement by HHS Office for Civil Rights (OCR) is via resolution agreements + corrective action plans + civil money penalties.
Jurisdiction: US
Lifecycle: Active
HITRUST CSF v11
HITRUST CSF v11 is a certifiable security + privacy framework primarily used in US healthcare. It harmonises HIPAA, HITECH, NIST 800-53, ISO 27001, PCI DSS, and 40+ other authoritative sources into a single auditable framework with three certification levels (e1, i1, r2) reflecting depth + assurance. The r2 ("Risk-based, 2-year") certification is the gold standard demanded by US payers + large hospital systems.
Jurisdiction: GLOBAL
Lifecycle: Active
HL7 FHIR R5 — Fast Healthcare Interoperability Resources
HL7 FHIR (Fast Healthcare Interoperability Resources) is the modern interoperability standard for exchanging healthcare information electronically. R5 (published 2023) is the current release; R4 (2019, the first release with normative content) remains the foundation for most national programmes. FHIR resources (Patient, Observation, Condition, Encounter, MedicationRequest, etc.) + a RESTful API + SMART on FHIR (OAuth 2.0 + OpenID Connect for app authorisation) underpin the US ONC Cures Act rules + USCDI (United States Core Data for Interoperability, v4), NHS England interoperability standards (UK Core) + the EU European Health Data Space (EHDS). Implementation Guides (US Core, UK Core, IPS, Da Vinci, CARIN) tailor FHIR to national + use-case contexts.
Jurisdiction: GLOBAL
Lifecycle: Active
IATA Dangerous Goods Regulations
The IATA Dangerous Goods Regulations (DGR) are the global reference for the safe transport of dangerous goods by air. Operationalise the ICAO Technical Instructions (TI) with practical guidance for shippers, carriers + ground handlers. Annual revision. Cover classification, packaging, marking + labelling, documentation + training. Training every 24 months mandatory for all involved in DG by air. Used by airlines, freight forwarders + ground service providers worldwide.
Jurisdiction: GLOBAL
Lifecycle: Active
IATF 16949:2016 — Automotive QMS
IATF 16949:2016 is the global automotive industry quality management system standard, defining QMS requirements for automotive production + relevant service part organisations. Built on ISO 9001 with sector-specific customer + IATF-specific requirements. Required by virtually every OEM in automotive supply chains. Audited by IATF-certified bodies.
Jurisdiction: GLOBAL
Lifecycle: Active
IBC — International Building Code
The International Building Code (IBC), published by the International Code Council (ICC), is a model building code adopted with state + local amendments across nearly all US jurisdictions. Sets minimum requirements for the design + construction of new + existing buildings — structural, fire-resistive construction, means of egress, accessibility (referencing ICC A117.1), interior finishes, plumbing (via IPC), mechanical (via IMC), electrical (via NEC). Used together with the IRC (residential), IFC (fire), IPC, IMC, IECC + IGCC for a coherent US building regulatory baseline.
Jurisdiction: US
Lifecycle: Active
ICH GCP E6(R3) — Good Clinical Practice
ICH E6(R3) Good Clinical Practice (GCP) is the international ethical + scientific quality standard for the design, conduct, recording + reporting of trials involving human subjects. R3 (finalised 2025) modernises R2 — risk-proportionate quality management, increased emphasis on data integrity in decentralised trials, sponsor + investigator responsibilities clarified, expanded trial protocol + investigator brochure requirements. Adopted by FDA + EMA + MHRA + PMDA + China NMPA via national implementation. Inspections by regulators result in 483s, Statements of Non-Compliance + suspension of trials.
Jurisdiction: GLOBAL
Lifecycle: Active
ICH Q9/Q10 — Quality Risk Management + PQS
ICH Q9(R1) Quality Risk Management + Q10 Pharmaceutical Quality System are the foundation of modern pharmaceutical quality. Q9 establishes a systematic approach to risk management across the product lifecycle (assessment, control, communication, review) using tools like FMEA, HACCP + fault-tree. Q10 describes a PQS based on ICH Q8 + Q9 — process performance + product quality monitoring, CAPA, change management, management review. Adopted by FDA + EMA + MHRA + PMDA + Health Canada into national cGMP frameworks. Q9(R1) revision (2023) added subjectivity-management + hazard-identification clarifications.
Jurisdiction: GLOBAL
Lifecycle: Active
EU Insurance Distribution Directive (IDD)
The EU Insurance Distribution Directive governs the design, distribution + servicing of insurance products + the conduct of insurance intermediaries. Replaced the prior Insurance Mediation Directive. Key features: product oversight + governance (POG), Insurance Product Information Document (IPID) for non-life, demands + needs test for all insurance distribution, conflict-of-interest management, training + competence requirements, conduct of business rules + cross-selling restrictions. National competent authorities supervise; transposed via national law in each member state.
Jurisdiction: EU
Lifecycle: Active
IEC 62304:2006 — Medical Device Software Lifecycle
IEC 62304 specifies lifecycle requirements for the development + maintenance of medical device software (SaMD + embedded). Drives software safety classification (Class A / B / C based on harm potential), software development planning, requirements analysis, architectural design, unit implementation + integration, system testing, release + post-release maintenance + problem resolution. SOUP (Software of Unknown Provenance), including OSS, must be identified, risk-assessed + maintained. Harmonised under EU MDR + IVDR + an FDA-recognised consensus standard used alongside FDA's premarket software documentation guidance; normally operated inside an ISO 13485 QMS.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 62304:2006 + A1:2015
Medical device software lifecycle processes standard.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 62366-1:2015 — Medical Device Usability Engineering
IEC 62366-1 specifies the application of usability engineering to medical devices to mitigate use-related risks. Drives the Use Specification, identification of hazardous use scenarios, formative + summative evaluation, and the Usability Engineering File (UEF). Required by EU MDR + IVDR + FDA via Human Factors Engineering guidance. Failure to perform summative evaluation on the production-equivalent device is a common notified-body finding + FDA 510(k) deficiency.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 62443 — Industrial Automation + Control Systems Security
IEC 62443 (formerly ISA-99) is the leading international cybersecurity standard for Industrial Automation and Control Systems (IACS). Multi-part series covering general concepts, policies + procedures, system requirements + component requirements. Risk-based zone + conduit model + Security Levels (SL 1-4). Used by OT product vendors (62443-4-1/4-2) + asset owners (62443-2-1/3-2/3-3). Increasingly required in OT procurement; certification schemes include IECEE (CB scheme) + ISASecure. NIST SP 800-82 + ENISA + national CSIRTs align with 62443.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 62443-3-2 profile
IACS security risk assessment and system design profile.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 62443-3-3 profile
IACS system security requirements and security levels profile.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 62443-4-1 profile
Secure product development lifecycle profile for industrial components and systems.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 62443-4-2 profile
Technical security requirements profile for industrial control system components.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 62443 Profile
Industrial automation and control systems cybersecurity profile.
Jurisdiction: GLOBAL
Lifecycle: Active
IEC 81001-5-1:2021
Health software and health IT systems security lifecycle standard.
Jurisdiction: GLOBAL
Lifecycle: Active
International Financial Reporting Standards (IFRS)
International Financial Reporting Standards published by the IFRS Foundation + International Accounting Standards Board (IASB). The global accounting framework required or substantially converged in 140+ jurisdictions (the IFRS Foundation profiles 168), including the EU, UK (UK-adopted IFRS; FRS 101 provides a reduced-disclosure framework), Canada, Australia, India + most other major economies; the US remains on US GAAP. Key standards include IFRS 15 (Revenue), IFRS 16 (Leases), IFRS 17 (Insurance Contracts, see separate reference), IFRS 9 (Financial Instruments), IFRS 13 (Fair Value), IAS 12 (Income Taxes), IAS 21 (FX), IAS 36 (Impairment), IAS 38 (Intangibles).
Jurisdiction: GLOBAL
Lifecycle: Active
IFRS 17 Insurance Contracts
IFRS 17 replaced IFRS 4 as the IASB's accounting standard for insurance contracts. Introduces a current measurement model (General Measurement Model — GMM) with Variable Fee Approach (VFA) for direct participating contracts + Premium Allocation Approach (PAA) simplification for short-duration contracts. Requires presentation of insurance revenue + insurance service expense separately from investment + financing components. Required by IFRS-reporting insurers including most EU + UK + Canadian + Australian insurance groups. US insurers continue under US GAAP (LDTI for long-duration contracts).
Jurisdiction: GLOBAL
Lifecycle: Active
IMDG Code — Dangerous Goods at Sea
The International Maritime Dangerous Goods (IMDG) Code is the international standard for the safe transport of packaged dangerous goods by sea. Adopted under SOLAS Chapter VII; mandatory since 2004. Classifies + sets packaging, marking, labelling, stowage, segregation + documentation requirements for 9 classes of dangerous goods + marine pollutants. Biennial amendments. Training every 3 years for shore-based personnel. Companion to IATA DGR (air), ADR (road), RID (rail), ADN (inland waterways).
Jurisdiction: GLOBAL
Lifecycle: Active
IMO ISM Code — Safety Management
The International Safety Management (ISM) Code (SOLAS Chapter IX) sets an international standard for the safe management + operation of ships + for pollution prevention. Requires shipping companies to establish a Safety Management System (SMS) + obtain a Document of Compliance (DOC) for the company + a Safety Management Certificate (SMC) for each ship. Designated Person Ashore (DPA) acts as the link between company + ship. Audits by flag State / Recognised Organisation: the DOC is verified annually, the SMC (valid five years) at an intermediate verification + renewal. Failure can result in DOC withdrawal + ship detention.
Jurisdiction: GLOBAL
Lifecycle: Active
IMO ISPS Code — Ship + Port Facility Security
The International Ship and Port Facility Security (ISPS) Code (SOLAS Chapter XI-2) sets requirements for the security of ships + port facilities. Risk-based with security levels (1-3). Requires Ship Security Officer (SSO), Company Security Officer (CSO), Port Facility Security Officer (PFSO), Ship Security Plan (SSP), Port Facility Security Plan (PFSP) + International Ship Security Certificate (ISSC). Established post-9/11. Audited by RSO / flag State; ports administered by Contracting Government Designated Authority.
Jurisdiction: GLOBAL
Lifecycle: Active
IMO MARPOL — Prevention of Pollution from Ships
The International Convention for the Prevention of Pollution from Ships, 1973/1978 (MARPOL) is the principal international convention covering prevention of pollution of the marine environment by ships. Six annexes cover oil (Annex I), noxious liquid substances in bulk (Annex II), packaged harmful substances (Annex III), sewage (Annex IV), garbage (Annex V) + air pollution (Annex VI, including IMO 2020 sulphur cap + EEXI + CII + GHG measures). Companion: London Convention/Protocol for dumping. Flag State + Port State Control enforcement.
Jurisdiction: GLOBAL
Lifecycle: Active
ILO Maritime Labour Convention 2006
The Maritime Labour Convention 2006 (MLC, 2006), known as the "seafarers' bill of rights", sets minimum employment, living + working conditions for seafarers. Comprehensive coverage: minimum age (16-18), medical fitness, qualifications, recruitment + placement, employment agreements, wages, hours of work + rest, leave, repatriation, accommodation, food, medical care, social security, health + safety + accident prevention + complaint procedures. Port State Control inspections + a Maritime Labour Certificate + Declaration of Maritime Labour Compliance (DMLC) for ships ≥ 500 GT on international voyages.
Jurisdiction: GLOBAL
Lifecycle: Active
IMO SOLAS — Safety of Life at Sea
The International Convention for the Safety of Life at Sea, 1974 (SOLAS) is the most important international maritime safety treaty. Sets minimum safety standards for the construction, equipment + operation of merchant ships. Companion conventions: MARPOL (pollution), STCW (seafarer training), MLC (labour). Flag States enforce SOLAS via Port State Control + Recognised Organisations (Class Societies). Amendments adopted regularly via IMO MSC + MEPC. Modern enforcement includes ISM Code + ISPS Code as SOLAS chapters.
Jurisdiction: GLOBAL
Lifecycle: Active
IMO STCW — Seafarer Training + Certification
The International Convention on Standards of Training, Certification and Watchkeeping for Seafarers, 1978 (STCW) sets the qualifications + training of masters, officers + watch personnel on seagoing vessels. STCW Code Parts A (mandatory) + B (guidance). Manila Amendments 2010 introduced mandatory hours of rest, security awareness training + revised competence standards. Flag State certification + Recognised Organisation training centres. Companion: STCW-F for fishing vessel personnel.
Jurisdiction: GLOBAL
Lifecycle: Active
US Investment Advisers Act of 1940
The US federal statute regulating investment advisers — investment professionals advising on securities for compensation. Imposes fiduciary duty to clients, registration with SEC (≥ $110m AUM) or state authorities (smaller), Form ADV disclosure, code of ethics, compliance program (Rule 206(4)-7), recordkeeping (Rule 204-2), custody (Rule 206(4)-2), proxy voting (Rule 206(4)-6), marketing (Rule 206(4)-1 — "Marketing Rule"). SEC OCIE / Division of Examinations conducts ongoing examinations.
Jurisdiction: US
Lifecycle: Active
IRC — International Residential Code
The International Residential Code (IRC), published by ICC, is the model code for the construction of one + two-family dwellings + townhouses up to 3 storeys in the US. Provides a single, comprehensive code combining building, plumbing, mechanical, electrical (via NEC reference), fuel gas + energy (via IECC reference) provisions for low-rise residential construction. Adopted with amendments by most US jurisdictions. IRC scope ends + IBC begins for buildings >3 storeys or non-conforming residential types.
Jurisdiction: US
Lifecycle: Active
International Standards on Auditing (ISA)
International Standards on Auditing (ISAs) are the global standards for the audit of historical financial statements, published by the International Auditing + Assurance Standards Board (IAASB). Adopted by 130+ jurisdictions either directly or via national equivalents. Cover the audit lifecycle from engagement acceptance, planning, risk assessment, evidence gathering, conclusions, reporting + group audit considerations. Closely related to ISRE (reviews), ISAE (assurance engagements) + ISRS (related services). Audit firms applying ISAs operate ISQM 1 + 2 quality management.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 13485:2016
Medical device quality management systems requirements.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 14001
ISO 14001:2015 is the international standard for environmental management systems (EMS). Certifiable. Increasingly required by enterprise procurement + supply-chain due diligence. Provides the management-system structure for environmental impact identification, lifecycle thinking, and continuous improvement. Pairs naturally with ISO 9001 + ISO 45001 for integrated management.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 14971:2019
Medical device application of risk management.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 19650-1:2018
Concepts and principles for information management using BIM.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 19650-2:2018
Delivery-phase information management for built assets using BIM.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 19650-3:2020
Operational-phase information management for built assets.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 19650-4:2022
Information exchange requirements across project and asset workflows.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 19650-5:2020
Security-minded information management for built assets and BIM workflows.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 19650-6:2025
Health and safety information management across project and asset life cycles.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 19650 — BIM Information Management
ISO 19650 is the international standard for the management of information using Building Information Modelling (BIM) across the lifecycle of the built asset. Parts 1-5 cover concepts, delivery phase, operational phase, information exchange + security-minded approach. UK adoption via the UK BIM Framework. Required by the UK Construction Playbook for public sector + increasingly contractually required in private sector. Drives EIR / BEP / common data environment / federation strategy.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/SAE 21434
Road vehicles cybersecurity engineering lifecycle standard.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 22000:2018 — Food Safety Management Systems
ISO 22000:2018 specifies requirements for a food safety management system across the food chain. Combines HACCP principles with the PDCA + risk-based thinking of ISO management systems. Used by global food manufacturers; the GFSI-benchmarked schemes (FSSC 22000, BRCGS, IFS, SQF) build on it or align with it.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 22301
Business continuity management system requirements.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 22989
AI concepts and terminology baseline for AI system governance.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 23053
Framework for AI systems using machine learning.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 23894
AI risk management guidance.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 27001
Information Security Management System (ISMS) controls and governance requirements.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 27002
Information security controls guidance companion to ISO/IEC 27001.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 27005
ISO/IEC 27005:2022 provides guidance on information security risk management within the context of an ISO 27001 ISMS. The 2022 revision aligned with ISO 31000 risk-management terminology and re-anchored the process around organisational context, risk identification, analysis, evaluation, and treatment. The reference companion that auditors expect ISO 27001-aligned risk programmes to follow.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 27017
Cloud security controls for providers and customers.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 27018
Protection of PII in public clouds acting as PII processors.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 27032
ISO/IEC 27032:2023 provides guidance on internet security — the intersection of information, network, and application security. The 2023 revision broadened scope to include supply-chain dependencies, cloud services, and IoT, and is often cited alongside ISO 27001 for organisations wanting a cyber-specific complement to general ISMS controls.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 27036
ISO/IEC 27036 (multi-part) provides guidance on information security for supplier relationships. Part 1 covers overview + concepts, Part 2 requirements, Part 3 specifics for ICT supply chain, Part 4 cloud-service customer + provider relationships. The standard supplier-risk reference for ISO 27001-aligned programmes; pairs with ISO 27017 for cloud-specific shared-responsibility.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 27701
Privacy information management extension for ISO/IEC 27001.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 28000
Supply chain security management systems standard.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 28000 — Security Management for Supply Chain
ISO 28000:2022 specifies requirements for a security management system, including aspects relevant to the supply chain. Applicable to organisations of all sizes that wish to establish, implement, maintain + improve a security management system. Aligned with ISO 9001 + 14001 + 45001 + 27001 in High-Level Structure. Used by logistics operators, warehousing + cross-border supply chains to evidence supply chain security to customers + customs authorities. Pairs with TAPA FSR + AEO programs.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 31000
ISO 31000:2018 is the international principles-and-guidelines standard for risk management — the conceptual backbone behind sector-specific risk standards (ISO 27005 for ISMS, ISO 22301 for BCM, ISO 23894 for AI). The 2018 revision sharpened the principles to 8 and emphasised integration of risk management into governance. Not certifiable but heavily referenced by certification standards.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 37301
ISO 37301:2021 specifies requirements + guidance for compliance management systems (CMS). Certifiable. Designed to be applicable across industries + regulatory domains. The reference standard for organisations wanting a unifying management-system approach to compliance — popular with multinational + regulated firms that already operate ISO 27001 / 9001 / 45001 management systems.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 38507
Governance implications of AI for organisations.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 41001:2018 Facility Management Systems
ISO management system standard for Facility Management. Specifies requirements for an FM management system covering demand + supply organisation, service delivery, integration of people, place, process + technology. Certifiable.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 42001
AI management system requirements for governance and risk controls.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 42005
AI system impact assessment guidance.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 45001
ISO 45001:2018 is the international standard for occupational health + safety management systems (OHSMS). Certifiable. Replaced OHSAS 18001 as the global benchmark. Required by major construction / manufacturing / energy procurement and useful for any organisation with workplace safety risks. Pairs naturally with ISO 9001 + ISO 14001 for integrated management.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 50001:2018 — Energy Management Systems
ISO 50001:2018 specifies requirements for establishing, implementing, maintaining + improving an energy management system (EnMS). Enables organisations to achieve continual improvement in energy performance, energy efficiency, energy use + consumption. Pairs well with ISO 14001 + ISO 45001 + ISO 9001 in integrated management systems. Certifiable through accredited bodies. Used to evidence energy reduction in TCFD / CSRD reporting.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/IEC 5338
AI engineering lifecycle process framework.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 55000 — Asset Management
ISO 55000 (Asset Management — Overview, principles + terminology), ISO 55001 (requirements) + ISO 55002 (guidance) provide the international framework for managing physical + intangible assets across their lifecycle. Widely adopted by utilities, transport + heavy industry to demonstrate that critical infrastructure investment + maintenance is risk-informed + value-aligned. Pairs with PAS 55-equivalent (predecessor) + RIIO price control submissions in the UK.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO 9001
ISO 9001:2015 is the international standard for quality management systems (QMS). Certifiable. Provides the management-system structure that other ISO management standards mirror (the "Annex SL" structure). Common pre-requisite for manufacturing + professional-services procurement and frequently mandated in regulated sectors. ISO 9001:2026 is in development.
Jurisdiction: GLOBAL
Lifecycle: Active
ISO/TR 24971:2020
Guidance for the application of ISO 14971 to medical devices.
Jurisdiction: GLOBAL
Lifecycle: Active
ISQM 1 + ISQM 2 + ISA 220 (Revised) — Quality Management
ISQM 1 (firm-level quality management), ISQM 2 (engagement quality reviews) + ISA 220 Revised (engagement-level quality management) form the IAASB's revised quality management framework for audit firms applying ISAs. Effective 15 December 2022, ISQM 1 replaced ISQC 1 with a risk-based + proactive system requiring quality objectives, risk assessment, response design + monitoring + remediation. Annual evaluation of the firm's system of quality management by leadership.
Jurisdiction: GLOBAL
Lifecycle: Active
ITIL 4
ITIL 4 (AXELOS / PeopleCert) is the leading IT service management (ITSM) framework. Reorganised the prior ITIL v3 process orientation into 34 management practices across the ITIL Service Value System. The reference framework for incident, change, problem, request, and asset management — increasingly aligned with DevOps + product-oriented delivery. Foundation + Specialist certifications are widely required for IT operations roles.
Jurisdiction: GLOBAL
Lifecycle: Active
The Joint Commission — Hospital Accreditation
The Joint Commission (TJC) is the largest CMS-deemed hospital accreditor in the US. Accreditation covers all chapters of the Comprehensive Accreditation Manual for Hospitals (CAMH) — National Patient Safety Goals, Provision of Care, Treatment + Services, Medication Management, Infection Prevention + Control, Performance Improvement, Leadership, Information Management, Environment of Care, Emergency Management, Human Resources + Record of Care. Triennial unannounced on-site surveys + intracycle Sentinel Event reporting. Loss of TJC accreditation often triggers CMS termination of provider agreement.
Jurisdiction: US
Lifecycle: Active
LEED v4.1 — USGBC Sustainable Building Rating
LEED (Leadership in Energy and Environmental Design), administered by the US Green Building Council (USGBC), is the world's most widely used green building rating system. LEED v4.1 covers Building Design + Construction (BD+C), Interior Design + Construction (ID+C), Building Operations + Maintenance (O+M), Neighborhood Development (ND), Homes + Cities + Communities. Project teams earn points across 9 credit categories for Certified / Silver / Gold / Platinum rating. Widely required in US owner + investor procurement.
Jurisdiction: GLOBAL
Lifecycle: Active
Lloyd's Market Rules — Performance Management + Conduct
Lloyd's of London is the world's specialist insurance + reinsurance marketplace. Lloyd's syndicates + managing agents must comply with FCA + PRA regulation plus Lloyd's-specific requirements: Lloyd's Minimum Standards (governance, risk, capital, conduct, operations + reporting) + Performance Management Supplement. Major changes during transformation (Future at Lloyd's) increasingly digitalise the market + impose tighter performance + conduct standards. Customer + claims focus + Consumer Duty alignment are critical.
Jurisdiction: UK
Lifecycle: Active
MHRA Good Pharmacovigilance Practice (GPvP)
MHRA Good Pharmacovigilance Practice (GPvP) governs the system Marketing Authorisation Holders use in the UK to monitor + report on the safety of medicinal products. Largely aligned with EU GVP modules — pharmacovigilance system master file (PSMF), QPPV (Qualified Person for Pharmacovigilance), ICSR reporting, PSURs / PBRERs, risk management plans, signal management + post-authorisation safety studies. MHRA inspectorate conducts routine + for-cause GPvP inspections with critical / major / minor finding grading. Failure has resulted in regulatory action + market withdrawals.
Jurisdiction: UK
Lifecycle: Active
EU Markets in Crypto-Assets Regulation (MiCA)
MiCA is the EU regulatory framework for crypto-asset issuers + crypto-asset service providers (CASPs). Three categories of crypto-assets: e-money tokens (EMTs), asset-referenced tokens (ARTs) + other crypto-assets. Imposes white-paper requirements, authorisation + ongoing requirements on CASPs, governance + capital requirements, custody + segregation, market abuse + transparency. Provides EU passport rights once authorised in one member state. Title V on CASP services + Title VI on market abuse apply from 30 December 2024; stablecoin titles from 30 June 2024.
Jurisdiction: EU
Lifecycle: Active
Markets in Financial Instruments Directive II + Regulation (MiFID II / MiFIR)
MiFID II + MiFIR establish the EU regulatory framework for investment firms + trading venues. Comprehensive scope: investor protection (suitability, appropriateness, best execution, product governance), market structure (organised trading facilities, systematic internalisers), market transparency (pre/post-trade), commodity derivative position limits, third-country firms regime. Enforcement: national competent authorities, coordinated by ESMA. UK applies retained UK MiFID II post-Brexit (with FCA divergences). MiFID II Review 2024 introduces consolidated tape + revisions to research unbundling + payment for order flow.
Jurisdiction: EU
Lifecycle: Active
MSC Fisheries Standard v3.0
Marine Stewardship Council's certification standard for wild-capture fisheries — sustainable stocks, minimal environmental impact + effective management. Companion: MSC Chain of Custody Standard for supply chain traceability.
Jurisdiction: GLOBAL
Lifecycle: Active
NAIC Model Laws + Regulations
National Association of Insurance Commissioners (NAIC) Model Laws + Regulations form the basis of state-by-state US insurance regulation. Key models adopted in many states: Insurance Data Security Model Law (#668), Corporate Governance Annual Disclosure Model Act, Own Risk + Solvency Assessment (ORSA) Model Act, Credit for Reinsurance Model Law, Insurance Holding Company System Model Act. Each US insurer is regulated by its state of domicile + states where it transacts business; NAIC accreditation provides standardised supervision baseline.
Jurisdiction: US
Lifecycle: Active
NCQA Accreditation Programs
NCQA Accreditation programs benchmark + recognise quality across health plans, MBHOs, UM organisations, credentialing verification organisations + accountable care organisations. Health Plan Accreditation (HPA) is the most prevalent — driving CMS Star Ratings + state Medicaid contract requirements. Standards cover quality management + improvement, population health management, network management, utilisation management, credentialing + recredentialing, members' rights + responsibilities + member connections + Medicare-specific + Medicaid-specific modules. Surveyor-led on-site + virtual reviews on a 3-year cycle.
Jurisdiction: US
Lifecycle: Active
NERC Critical Infrastructure Protection (CIP)
NERC CIP Reliability Standards set cybersecurity + physical security requirements for the Bulk Electric System (BES) in North America. Mandatory + enforceable under the Federal Power Act. Cover BES Cyber Asset identification (CIP-002), security management controls, personnel + training (CIP-004), electronic + physical security perimeters (CIP-005/006), systems security management (CIP-007), incident reporting (CIP-008), recovery (CIP-009), configuration change management (CIP-010), information protection (CIP-011), supply chain risk (CIP-013) + physical security (CIP-014). Penalties up to $1.5M per day per violation.
Jurisdiction: US
Lifecycle: Active
NFPA 101 — Life Safety Code
NFPA 101 (Life Safety Code) establishes minimum requirements for the design, operation + maintenance of buildings + structures for safety to life from fire + similar emergencies. Used alongside or in place of the IBC by certain jurisdictions + sectors (notably CMS-deemed healthcare facilities, which are required to comply with NFPA 101 to participate in Medicare). Covers occupancy classifications, means of egress, protection (fire-resistive construction, compartmentation, detection + alarm, automatic extinguishing), building service + fire protection equipment + operating features.
Jurisdiction: US
Lifecycle: Active
NFPA 70 — National Electrical Code (NEC)
The National Electrical Code (NEC), published by the National Fire Protection Association (NFPA 70), is the US benchmark for safe electrical design, installation + inspection. Adopted with amendments by all 50 states + many local jurisdictions. Covers wiring methods, conductors, branch circuits, feeders, services, overcurrent protection, grounding + bonding, special equipment + special conditions. Used by electrical designers, installers, AHJs (Authorities Having Jurisdiction) + insurers. The single most cited US electrical standard + a frequent subject of inspection findings.
Jurisdiction: US
Lifecycle: Active
NHS DCB0129 — Clinical Risk Management (Manufacturer)
DCB0129 is the NHS England clinical risk management standard for manufacturers of Health IT systems. Requires a documented Clinical Safety Management System overseen by a Clinical Safety Officer (CSO) — typically a registered clinician — to perform clinical risk analysis, define clinical risk controls + produce a Clinical Safety Case + Hazard Log per release. Compliance is a prerequisite for NHS England deployment + a core component of the DTAC assessment. Failure has resulted in patient-safety incidents + contractual rejection.
Jurisdiction: UK
Lifecycle: Active
NHS DCB0160 — Clinical Risk Management (Deploying Organisation)
DCB0160 is the companion to DCB0129 — applying to NHS organisations + others deploying Health IT systems. Mirrors DCB0129 with deployment-side responsibilities: deploying-organisation CSO, deployment-specific clinical risk analysis (configuration, integration, training, business processes), Clinical Safety Case + Hazard Log per deployment + transition. Required for NHS deployments + DTAC assessment.
Jurisdiction: UK
Lifecycle: Active
NHS Data Security and Protection Toolkit
UK healthcare assurance toolkit for data security and protection expectations.
Jurisdiction: UK
Lifecycle: Active
NHS Digital Technology Assessment Criteria (DTAC)
DTAC is the NHS England assessment criteria for digital health technologies entering the NHS. Five domains: Clinical Safety (DCB0129), Data Protection (UK GDPR + Caldicott + DSPT), Technical Assurance (Cyber Essentials Plus + ISO 27001 / SOC 2), Interoperability (FHIR + SNOMED CT) + Usability + Accessibility (WCAG 2.1 AA). Plus core criteria covering company information + value proposition + MHRA registration where applicable. Most NHS procurements require DTAC completion + supplier evidence pack.
Jurisdiction: UK
Lifecycle: Active
NIS2 Obligations Profile
EU network and information systems directive obligations profile.
Jurisdiction: EU
Lifecycle: Active
NIST SP 800-53
Security and privacy controls for information systems and organisations.
Jurisdiction: GLOBAL
Lifecycle: Active
NIST SP 800-82 Rev. 3
Guide to operational technology and industrial control systems security.
Jurisdiction: GLOBAL
Lifecycle: Active
NIST AI RMF
Risk management framework for trustworthy AI.
Jurisdiction: GLOBAL
Lifecycle: Active
NIST Cybersecurity Framework
Cybersecurity outcomes organised by Govern, Identify, Protect, Detect, Respond, Recover.
Jurisdiction: GLOBAL
Lifecycle: Active
NIST CSF + CISA Transport Sector Cybersecurity
The NIST Cybersecurity Framework 2.0 (CSF 2.0) provides voluntary guidance for managing cybersecurity risks across critical-infrastructure sectors including Transportation Systems. CISA Sector-Specific Plan for Transportation Systems + Maritime Transportation Security Act (MTSA) for ports overlay sectoral expectations. Used by FMCSA, FAA, FRA + TSA as a reference + by maritime + aviation operators for supply chain cyber due diligence.
Jurisdiction: US
Lifecycle: Active
NIST Computer Security Incident Handling Guide (SP 800-61 Rev 2)
Foundational NIST guide for incident response — defines the lifecycle (Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident) used as the structural template by virtually every modern IR programme and referenced by SOC 2 CC7 + ISO 27001 A.5.24. NIST released a draft Rev 3 in 2024 — programmes should track it through to sign-off.
Jurisdiction: US
Lifecycle: Active
NIST Privacy Framework
Privacy risk management outcomes for organisations processing personal data.
Jurisdiction: GLOBAL
Lifecycle: Active
NIST Risk Management Framework (SP 800-37 Rev 2)
The NIST Risk Management Framework provides a structured 7-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) for integrating security + privacy + supply-chain risk into the system development lifecycle. Required across US federal civilian agencies via FISMA and used as the assessment cadence backbone of FedRAMP authorisations.
Jurisdiction: US
Lifecycle: Active
NIST SP 800-171 Rev 3
NIST SP 800-171 Rev 3 specifies the security requirements US federal contractors must implement to protect Controlled Unclassified Information (CUI) on non-federal systems. Revision 3, published 2024, restructured the requirements into 17 families with stronger expectations for system architecture, supply chain risk, and ongoing assessment. Mandatory in DoD contracts via DFARS 252.204-7012 and the technical foundation for CMMC Level 2 assessment.
Jurisdiction: US
Lifecycle: Active
NIST SP 800-82 — ICS Security
NIST SP 800-82 Rev 3 (Guide to Operational Technology Security) provides guidance on securing operational technology (OT) — industrial control systems (ICS), SCADA, distributed control systems (DCS), programmable logic controllers (PLCs) + industrial IoT. Updates the previous "ICS Security" guidance to reflect convergence of IT + OT + new ransomware threats targeting utilities + manufacturing. Aligned with NIST CSF + SP 800-53 + IEC 62443 + provides risk-based control selection for OT environments. Widely referenced by NERC CIP, TSA Pipeline directives + CISA guidance.
Jurisdiction: GLOBAL
Lifecycle: Active
NIST Secure Software Development Framework (SSDF)
NIST SP 800-218 — the Secure Software Development Framework — distils secure software practices into four groups (Prepare, Protect, Produce, Respond) covering 19 practices and 42 tasks. Referenced by US Executive Order 14028 as the baseline for software supplied to the federal government, increasingly cited by enterprise procurement and used as the structural backbone for SBOM and vulnerability-disclosure programmes.
Jurisdiction: US
Lifecycle: Active
NIST SP 800-207 Zero Trust Architecture
NIST SP 800-207 defines Zero Trust Architecture (ZTA) — the security model where no implicit trust is granted by network location, and every request is continuously verified. The publication describes seven tenets, deployment patterns, and component roles (policy engine, policy administrator, policy enforcement point). Cited by US federal Zero-Trust strategy (OMB M-22-09) and increasingly by enterprise architecture teams as the reference model.
Jurisdiction: US
Lifecycle: Active
NY DFS Cybersecurity Regulation (23 NYCRR 500)
New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) is the cyber regulation covering any entity authorised by NYDFS — banks, insurers, mortgage companies, money transmitters, crypto-asset businesses. The November 2023 Second Amendment introduced Class A company tier (≥ $20m revenue + ≥ 2,000 employees + materially impactful) with enhanced obligations, expanded Board oversight + governance requirements, ransomware reporting (within 24 hours of payment), independent audits + risk assessments. CISO must report to Board annually. Multi-factor authentication is now generally mandatory.
Jurisdiction: US-NY
Lifecycle: Active
OECD Common Reporting Standard (CRS)
The Common Reporting Standard (CRS) is the OECD framework for the automatic exchange of financial account information between jurisdictions to combat offshore tax evasion. Financial institutions in CRS-participating jurisdictions (120+ now signed) must identify reportable accounts via due diligence + report annually to the local tax authority, which exchanges the information with the account holder's residence jurisdiction. CRS 2.0 (March 2023) extends scope to include crypto-assets via the Crypto-Asset Reporting Framework (CARF), with implementation from 2026.
Jurisdiction: GLOBAL
Lifecycle: Active
OECD/G20 Pillar Two — Global Minimum Tax
OECD/G20 Inclusive Framework Pillar Two introduces a 15% global minimum effective tax rate for multinational enterprises with consolidated revenue ≥ €750m. Three interlocking rules: Income Inclusion Rule (IIR) — parent jurisdiction tops up to 15% on low-taxed subsidiaries; Undertaxed Payments Rule (UTPR) — allocates additional top-up tax to other jurisdictions; Subject to Tax Rule (STTR) — treaty-based source-state top-up for certain payments. Transposed via EU Pillar Two Directive (2022/2523) + national laws in 30+ jurisdictions (UK, EU member states, South Korea, Japan, Canada, Australia, etc.) for FY beginning after 31 Dec 2023.
Jurisdiction: GLOBAL
Lifecycle: Active
OECD Transfer Pricing Guidelines for MNEs
The OECD Transfer Pricing Guidelines provide guidance on the application of the arm's-length principle for international transfer pricing between associated enterprises. The 2022 consolidation incorporates BEPS Actions 8-10 + 13 reforms including value-creation alignment + Country-by-Country Reporting (CbCR). Heavily relied upon by most OECD + many non-OECD tax administrations + by MNE tax functions for documentation, planning + dispute resolution. CbCR template + master file / local file documentation requirements have been adopted by 110+ jurisdictions.
Jurisdiction: GLOBAL
Lifecycle: Active
US OFAC Sanctions Programs
The US Treasury Office of Foreign Assets Control (OFAC) administers economic + trade sanctions programs against targeted foreign countries + regimes, terrorists, international narcotics traffickers + other threats to US national security. All US persons (citizens, residents, entities, foreign branches of US entities) must comply. Penalties include criminal + civil sanctions reaching tens of millions of dollars per violation; secondary sanctions can apply to non-US entities. Maintains the Specially Designated Nationals (SDN) List + sanctioned-country programs (Russia, Iran, North Korea, Cuba, Venezuela, etc.). Strict liability — no intent required for many violations.
Jurisdiction: US
Lifecycle: Active
ONC 21st Century Cures Act + USCDI v4
The 21st Century Cures Act (2016) + ONC Final Rule (2020) require certified Health IT to support FHIR-based APIs + prohibit information blocking by healthcare providers, EHR vendors + HINs/HIEs. USCDI (United States Core Data for Interoperability) defines the minimum standardised data classes + elements; USCDI v4 (effective 2026) adds classes for SDOH, mental health + facility info. Penalties for vendors include certification removal; for providers + HINs/HIEs, civil money penalties up to $1M per violation. Drives FHIR + SMART on FHIR adoption + Information Blocking exception analysis.
Jurisdiction: US
Lifecycle: Active
US OSHA 29 CFR 1910 — General Industry Standards
OSHA 29 CFR Part 1910 covers general-industry occupational safety + health standards in the US. Frequently applies to construction-adjacent operations (fixed-site maintenance, fabrication, MEP installation in occupied facilities) + the construction supply chain (prefab manufacturing, scaffolding manufacturing, equipment maintenance). Key topics include walking + working surfaces, exit routes, occupational health + environmental control, hazardous materials, PPE, general environmental controls, medical + first aid, fire protection, materials handling + storage, machinery + machine guarding, hand + portable powered tools, welding, electrical (Subpart S) + commercial diving.
Jurisdiction: US
Lifecycle: Active
US OSHA 29 CFR 1926 — Construction Industry Standards
OSHA 29 CFR Part 1926 is the federal occupational safety + health regulatory regime for the US construction industry — covering general safety, occupational health, PPE, fire protection, materials handling, hand + power tools, welding + cutting, electrical, scaffolds, fall protection, cranes + derricks, motor vehicles, excavations, concrete + masonry, steel erection, demolition, blasting, power transmission + distribution, stairways + ladders, and toxic + hazardous substances. Enforced by OSHA via inspections + citations + civil penalties; willful or repeated violations can result in criminal prosecution. The single most important US regulatory framework for construction safety.
Jurisdiction: US
Lifecycle: Active
OSHA Focus Four — Construction Fatal Hazards
The OSHA Focus Four are the four leading causes of construction fatalities in the US: Falls, Electrocutions, Struck-By + Caught-In/Between. Collectively they account for ~60% of US construction deaths. The Focus Four anchors OSHA's 10-Hour + 30-Hour Construction Outreach Training. Not a regulatory standard per se but a structured framework derived from OSHA 29 CFR 1926 subparts M, K + V, Q + various Caught-In provisions.
Jurisdiction: US
Lifecycle: Active
US OSHA Hospitality + Food Retail Standards
OSHA 29 CFR §1910 applies to US hospitality + food retail — Bloodborne Pathogens (1910.1030) for staff handling injuries, HazCom (1910.1200) for cleaning chemicals, walking + working surfaces (1910 Subpart D), exit routes (Subpart E) + emergency action plans. Heat illness prevention + ergonomics increasingly emphasised. Enforced by OSHA + state plan equivalents.
Jurisdiction: US
Lifecycle: Active
US OSHA Process Safety Management (29 CFR §1910.119)
OSHA Process Safety Management (PSM) 29 CFR §1910.119 establishes requirements for the management of hazards associated with processes using highly hazardous chemicals. Covers 14 elements: PHA, employee participation, PSI, operating procedures, training, contractor management, pre-startup safety review, mechanical integrity, hot work, MOC, incident investigation, emergency planning, compliance audits + trade secrets. Applies to facilities with listed chemicals above threshold quantities. Enforced by OSHA + EPA RMP companion.
Jurisdiction: US
Lifecycle: Active
OWASP Application Security Verification Standard v4.0.3
OWASP ASVS v4.0.3 is the application security verification reference used by developers, security testers, and procurement teams. Defines three verification levels — L1 (opportunistic), L2 (standard), L3 (advanced) — across 14 control families. Increasingly cited in enterprise procurement security questionnaires as the minimum bar for SaaS application security.
Jurisdiction: GLOBAL
Lifecycle: Active
OWASP Mobile Application Security Verification Standard v2
OWASP MASVS v2 is the mobile-specific equivalent of ASVS — eight control families covering storage, cryptography, authentication, network communication, platform interaction, code quality, resilience, and privacy. Adopted as the security baseline for mobile-app submissions to NowSecure, OWASP MASTG, and increasingly by enterprise mobile-app security testing programmes.
Jurisdiction: GLOBAL
Lifecycle: Active
Passivhaus — Ultra-Low-Energy Building Standard
Passivhaus (Passive House) is a voluntary, certifiable ultra-low-energy building standard developed by the Passivhaus Institut. Sets strict performance targets for space heating + cooling demand (≤ 15 kWh/m²/yr), airtightness (≤ 0.6 ach @ 50 Pa) + total primary energy. Achieved through a fabric-first approach: super-insulation, airtight envelope, thermal-bridge-free design, MVHR + appropriate glazing. Certification via independent Passivhaus Certifier using PHPP energy model + on-site verification. Gaining traction in UK + US + EU as low-energy benchmark; pairs well with EnerPHit retrofit standard.
Jurisdiction: GLOBAL
Lifecycle: Active
PCAOB Auditing Standards
PCAOB Auditing Standards are required for audits of US public companies + SEC-registered broker-dealers, administered by the Public Company Accounting Oversight Board (PCAOB). Substantially overlap with IAASB ISAs but with US-specific requirements. The PCAOB published transformative new AS 1000 (general responsibilities of the auditor in conducting an audit) + revised AS 2310 (auditor's use of confirmation) in 2024. Auditors of public companies must register with PCAOB + are subject to inspection.
Jurisdiction: US
Lifecycle: Active
PCI DSS
Security requirements for cardholder data environments and payment processing.
Jurisdiction: GLOBAL
Lifecycle: Active
PCI DSS — Hospitality Card Handling
PCI DSS v4.0.1 applies to hospitality businesses processing payment cards — restaurants, hotels, takeaways. Scope is typically SAQ B-IP / B / D depending on payment channel. Risk-based controls covering cardholder data environment, network security, encryption, vulnerability management + access control. Frequent breach source via integrated POS systems + Wi-Fi.
Jurisdiction: GLOBAL
Lifecycle: Active
PCI DSS for Retail
PCI DSS v4.0.1 applies to retail merchants processing payment cards. Scope is typically SAQ A (outsourced e-commerce), SAQ A-EP (e-commerce with redirect), SAQ B / B-IP (terminal-only), SAQ C / C-VT (basic payment apps) or SAQ D / D-Merchant (everything else). Risk-based controls covering cardholder data environment, network security, encryption, vulnerability management, access control, monitoring + testing + information security policy. P2PE + tokenisation reduce scope.
Jurisdiction: GLOBAL
Lifecycle: Active
EU Payment Services Directive 2 (PSD2)
PSD2 is the EU regulatory framework for payment services + payment-service providers (banks, payment institutions, e-money institutions). Key features: Strong Customer Authentication (SCA) for electronic payments (in force 14 Sep 2019, extended for e-commerce to Dec 2020 + UK to Mar 2022), Open Banking (account information + payment initiation services with regulated TPP access), enhanced consumer protection (refund rights, complaint handling). PSD3 + Payment Services Regulation (PSR) proposals are progressing in EU legislative process to replace PSD2; expected adoption 2025-26.
Jurisdiction: EU
Lifecycle: Active
RBI Master Directions Profile
India financial sector controls profile derived from RBI Master Directions.
Jurisdiction: IN
Lifecycle: Active
US Reg E — Electronic Fund Transfer Act
Regulation E (12 CFR Part 1005, administered by the CFPB) implements the Electronic Fund Transfer Act. Establishes consumer rights + protections for electronic fund transfers including ATM, POS, debit, ACH + P2P (e.g. Zelle / Cash App / Venmo). Key features: disclosure requirements at account opening; change-in-terms notice (21 days); error resolution (consumer notice within 60 days of the statement; institution investigates within 10 business days or provides provisional credit + takes up to 45 days); unauthorised-transfer liability tiering ($50 if reported within 2 business days of learning of a lost / stolen access device, up to $500 if reported within 60 days, unlimited for transfers after 60 days); preauthorised transfer authorisation rules. CFPB has focused supervisory + enforcement attention on P2P platforms' error-resolution handling + has raised the question of reimbursement for authorised-push-payment scams, which Reg E's unauthorised-transfer provisions do not squarely cover.
Jurisdiction: US
Lifecycle: Active
RICS Valuation — Global Standards (Red Book)
RICS Valuation Global Standards (Red Book) incorporating International Valuation Standards. Mandatory for all RICS members carrying out written valuations. Sets out standards for terms of engagement, valuation bases, reporting + ethics.
Jurisdiction: GLOBAL
Lifecycle: Active
UK Senior Managers + Certification Regime (SM&CR)
The UK FCA + PRA Senior Managers + Certification Regime is the individual accountability framework for senior personnel of authorised financial services firms. Three tiers: (1) Senior Manager Functions (SMFs) — pre-approved by regulator with Statement of Responsibilities + Management Responsibilities Map; (2) Certification Regime — annual fit + proper assessment of staff who can cause significant harm; (3) Conduct Rules — individual conduct standards applying to nearly all staff. Replaces the prior Approved Persons regime. Senior Managers can be personally held accountable for misconduct in their area of responsibility.
Jurisdiction: UK
Lifecycle: Active
SOC 2 Trust Services Criteria
Control criteria for security, availability, confidentiality, processing integrity, and privacy.
Jurisdiction: GLOBAL
Lifecycle: Active
EU Solvency II Directive
Solvency II is the EU regulatory framework for insurance + reinsurance undertakings. Three pillars: (1) quantitative capital requirements: Solvency Capital Requirement (SCR) + Minimum Capital Requirement (MCR), valuation of assets + liabilities; (2) qualitative governance + risk management including Own Risk + Solvency Assessment (ORSA); (3) disclosure + reporting including Solvency + Financial Condition Report (SFCR) + Regular Supervisory Report (RSR). The Solvency II review (amending directive agreed 2024, published January 2025, transposition by January 2027) introduces macroprudential tools, sustainability-risk integration + proportionality measures, with recovery + resolution handled by the companion Insurance Recovery + Resolution Directive (IRRD).
Jurisdiction: EU
Lifecycle: Active
Sarbanes-Oxley Act of 2002
The US Sarbanes-Oxley Act of 2002 (SOX) is the federal law that established sweeping corporate-governance + financial-reporting requirements for US public companies + their auditors. Section 302 requires CEO + CFO personal certification of quarterly + annual financial reports. Section 404(a) requires management assessment of internal control over financial reporting (ICFR) + Section 404(b) requires external auditor attestation (non-accelerated filers are exempt from 404(b)). Section 906 imposes criminal penalties for false certifications. Section 301 requires independent audit committees with procedures for confidential, anonymous employee submissions about accounting + auditing concerns; Section 806 protects whistleblowers from retaliation. Enforcement: SEC + PCAOB + DOJ. Penalties include criminal sanctions, financial penalties + officer / director bars. SOX is the de-facto framework behind US public company ICFR programmes + drives controls over journal entries, period-end close, account reconciliation + ITGCs.
Jurisdiction: US
Lifecycle: Active
SWIFT Customer Security Controls Framework
The SWIFT Customer Security Programme's Customer Security Controls Framework (CSCF) sets mandatory + advisory security controls for SWIFT-connected institutions + service providers, organised under 3 objectives (secure your environment, know + limit access, detect + respond) + 7 principles. Users attest compliance annually in the KYC Security Attestation (KYC-SA) application; since 2021 attestations must be supported by an independent assessment (internal or external). The framework is reissued annually (CSCF v2024, v2025, ...); attestation data is shared with counterparties + may be requested by supervisors.
Jurisdiction: GLOBAL
Lifecycle: Active
TAPA Facility Security Requirements
The Transported Asset Protection Association Facility Security Requirements (TAPA FSR) is the global industry-led security standard for secure transportation + storage of high-value goods. Three certification levels (A, B, C) covering physical security, procedural security + personnel security. Audited by accredited third parties. Widely required by major shippers + brand owners (technology, pharma, luxury) for warehousing + cross-docking + freight forwarding facilities. Companion: TAPA TSR (Trucking Security Requirements) + PSR (Parking Security).
Jurisdiction: GLOBAL
Lifecycle: Active
US TSA Aviation Security Regulations
The Transportation Security Administration regulates US civil aviation security under 49 CFR Parts 1540-1562. Aircraft operators (commercial), foreign air carriers, indirect air carriers (IAC), airport operators + general aviation operators must comply with the Aircraft Operator Standard Security Program (AOSSP), airport-specific security programs + threat-based security directives. Cargo security via the Known Shipper program + Air Cargo Security Roadmap. Enforcement via civil penalties per violation (inflation-adjusted annually) + suspension of security-program approvals.
Jurisdiction: US
Lifecycle: Active
US TSA Pipeline Security Directive
The TSA Pipeline Security Directive series (issued after the May 2021 Colonial Pipeline ransomware incident) imposes mandatory cybersecurity requirements on designated critical US pipeline owners / operators. SD Pipeline-2021-01 requires a cybersecurity coordinator, vulnerability assessment + incident reporting to CISA; SD Pipeline-2021-02 (renewed annually: 02C, 02D, 02E) requires a TSA-approved cybersecurity implementation plan with mitigation measures (network segmentation between IT + OT, access controls + MFA, continuous monitoring + logging, patching + anti-malware), a cybersecurity incident response plan + a cybersecurity assessment program with annual audit. Enforced through TSA civil penalties; a November 2024 NPRM proposed codifying the requirements in 49 CFR. Largely aligned with NIST CSF + NIST SP 800-82.
Jurisdiction: US
Lifecycle: Active
EU UCITS Directive
UCITS (Undertakings for Collective Investment in Transferable Securities) is the EU regulatory framework for retail-oriented mutual funds. UCITS funds can be marketed across the EU + globally with significant trust + brand recognition. Imposes investment restrictions (eligible assets, diversification, leverage limits), liquidity requirements, depositary safekeeping + oversight, transparency (KIID/KID under PRIIPs), risk + portfolio management requirements + management-company organisational rules.
Jurisdiction: EU
Lifecycle: Active
UK Approved Documents B + M — Fire Safety + Accessibility
Approved Document B (Fire Safety) Volume 1 (dwellings) + Volume 2 (buildings other than dwellings) + Approved Document M (Access to and use of buildings) are the practical guidance under the Building Regulations 2010 for fire safety + accessibility in England. Post-Grenfell, AD B + Regulation 7 have been substantially revised: 2018 ban on combustible materials in external walls of relevant buildings 18m+ (extended in 2022 to hotels, hostels + boarding houses, with metal composite panels banned on all buildings); 2022 guidance that residential buildings 11-18m should also use non-combustible (A2-s1,d0 or better) external wall materials; sprinklers in new blocks of flats 11m+ (2020); second staircases in new residential buildings 18m+ (2024).
Jurisdiction: UK
Lifecycle: Active
UK ASA CAP + BCAP Codes
The Committee of Advertising Practice (CAP) Code applies to non-broadcast advertising including online + social media + direct marketing. The BCAP Code applies to broadcast advertising. Both administered by the Advertising Standards Authority (ASA). Self-regulatory system supported by Ofcom backstop for broadcast + CMA backstop for non-broadcast misleading claims. Heavy emphasis on substantiation + honesty + responsibility (especially to children). Voluntary but de facto mandatory for advertisers + agencies.
Jurisdiction: UK
Lifecycle: Active
UK Academies Trust Handbook + ESFA Funding Rules
The Academies Trust Handbook (ATH) is the annual governance + financial framework for academy trusts in England, issued by the ESFA (closed March 2025; functions transferred to DfE) + binding through trusts' funding agreements. Replaces the Academies Financial Handbook. Sets requirements for trust governance, financial management, internal control, related-party transactions, executive pay + audit. Companion to the funding rules for the General Annual Grant (GAG) + capital funding. Audited annually by external auditors + subject to DfE financial assurance reviews.
Jurisdiction: UK
Lifecycle: Active
UK Working Together to Improve School Attendance (Statutory)
Working Together to Improve School Attendance is the statutory guidance from DfE on improving attendance — now mandatory for schools + LAs from August 2024. Sets expectations for schools to have an attendance policy, designated senior leader for attendance, regular monitoring + tiered support / fines. Replaces previous guidance + introduces consistent national approach including fixed penalty notice thresholds.
Jurisdiction: UK
Lifecycle: Active
UK Animal Welfare Act 2006
Primary legislation for England + Wales (Scotland has the Animal Health and Welfare (Scotland) Act 2006) establishing a duty of care on anyone responsible for an animal. Five welfare needs: suitable environment; suitable diet; ability to exhibit normal behaviour; housing with, or apart from, other animals; protection from pain, suffering, injury + disease. Statutory codes of practice cover livestock species + companion animals. Maximum penalty for the worst offences raised to 5 years' imprisonment by the Animal Welfare (Sentencing) Act 2021.
Jurisdiction: UK
Lifecycle: Active
UK DfE Behaviour in Schools (Statutory Guidance)
DfE statutory guidance on managing behaviour in schools in England — establishing whole-school cultures, classroom + corridor practice, mobile phones, suspensions + permanent exclusions. Companion to Suspension and Permanent Exclusion guidance + Searching, Screening + Confiscation guidance. Inspected as part of Ofsted EIF Behaviour + Attitudes judgement.
Jurisdiction: UK
Lifecycle: Active
UK Bribery Act 2010 — Legal Sector Application
The UK Bribery Act 2010 applies to law firms with UK presence + creates the corporate offence of failing to prevent bribery (§7). Law firms must have adequate procedures including risk assessment, top-level commitment, due diligence on clients + agents, communication + monitoring + review. Legal sector has been highlighted by Ministry of Justice + SRA as higher-risk given cross-border + government client work.
Jurisdiction: UK
Lifecycle: Active
UK Building Safety Act 2022
The Building Safety Act 2022 (BSA) is the UK post-Grenfell legislative response. Establishes the Building Safety Regulator (BSR — part of HSE) with oversight of the building safety regime + competence framework for industry. For higher-risk buildings (HRBs — broadly buildings >=18m or >=7 storeys with >=2 residential units), introduces the gateway regime (Gateway 1 planning, Gateway 2 pre-construction, Gateway 3 completion), an Accountable Person, a Principal Accountable Person, a Building Safety Case + Safety Case Report, mandatory occurrence reporting + the residents engagement strategy. Tightens construction product regulation + extends limitation periods for defective premises claims to 30 years (retrospective) + 15 years (prospective).
Jurisdiction: UK
Lifecycle: Active
UK Bar Standards Board Handbook
The Bar Standards Board Handbook contains the BSB regulatory arrangements for barristers in England + Wales, including the Code of Conduct (Core Duties + rules), the Bar Qualification Manual, the Scope of Practice + Authorisation + Licensing Rules + the Enforcement Regulations. Regulates barristers, BSB-authorised bodies + BSB-regulated entities. Independent disciplinary tribunals impose sanctions up to disbarment, with appeal to the High Court.
Jurisdiction: UK
Lifecycle: Active
UK Building Regulations 2010
The Building Regulations 2010 + the underlying Approved Documents (Parts A-T) set the minimum performance standards for the design + construction of buildings in England (Wales + Scotland have parallel regimes). Parts cover Structure (A), Fire (B), Site preparation (C), Toxic substances (D), Sound (E), Ventilation (F), Sanitation (G), Drainage (H), Heating + hot water (J), Protection from falling, collision + impact (K), Energy (L), Access (M), Glazing (N), Overheating (O), Electrical (P), Security (Q), Communications (R), Charging (S), Toilet accommodation (T). Building Control approval required for most construction, via the local authority or (since October 2023) a registered building control approver; higher-risk buildings go through the Building Safety Regulator.
Jurisdiction: UK
Lifecycle: Active
UKCA / CE Marking — Construction Products
Post-Brexit, the UK has developed the UKCA (UK Conformity Assessed) marking parallel to CE for construction products placed on the GB market. UKCA covers products in scope of the Construction Products Regulations 2013 + the retained version of EU CPR 305/2011. Recognition of CE marking for construction products in GB has been extended indefinitely, so UKCA remains optional in practice. Northern Ireland follows the EU CPR under the Windsor Framework, using CE (or UKNI alongside CE where a UK body assesses). Manufacturers issue a Declaration of Performance (DoP).
Jurisdiction: UK
Lifecycle: Active
UK NCSC Cyber Assessment Framework (CAF)
The Cyber Assessment Framework (CAF) is the NCSC framework used by competent authorities under the NIS Regulations 2018 (e.g. Ofgem / DESNZ for energy, DWI for drinking water, DHSC for health, Ofcom for digital infrastructure) to assess Operator of Essential Services cyber resilience, + by GovAssure for central government departments. 4 objectives (managing security risk, defending against attack, detecting events, minimising impact) broken into 14 principles, each with contributing outcomes assessed as achieved / partially achieved / not achieved against Indicators of Good Practice. Competent authorities set sector CAF profiles; increasingly mandated as a regulatory expectation for in-scope organisations.
Jurisdiction: UK
Lifecycle: Active
UK Caldicott Principles (8 Principles)
The Caldicott Principles guide the use + sharing of confidential patient information in the UK NHS + social care. Eight principles: (1) justify the purpose, (2) use only when necessary, (3) minimum necessary, (4) need-to-know access, (5) everyone aware of their responsibilities, (6) comply with the law, (7) duty to share when in the patient's interest, (8) inform patients + service users. Caldicott Guardian appointment required for NHS organisations + local authorities with social services responsibilities. Underpins NHS DSPT + DTAC Data Protection domain + records-management practice, complementing UK GDPR + the common law duty of confidence in healthcare.
Jurisdiction: UK
Lifecycle: Active
UK Control of Asbestos Regulations 2012
The Control of Asbestos Regulations 2012 (CAR) implement EU Directive 2009/148/EC in Great Britain. Apply to all work with asbestos-containing materials (ACMs). Key duties: duty to manage asbestos in non-domestic premises (Reg 4), survey + register, written plan, periodic re-inspection. Work with ACMs is licensable, notifiable non-licensed (NNLW) or non-licensed depending on material + risk. Training requirement at three levels (Category A asbestos awareness, B non-licensed, C licensed). Air monitoring, medical surveillance, decontamination + waste disposal requirements. HSE enforces actively; NNLW + duty-to-manage failures are a frequent enforcement focus.
Jurisdiction: UK
Lifecycle: Active
UK Charity Commission CC25 — Reporting + Accounting
CC25 explains the annual reporting + accounting requirements for charities in England + Wales — annual return, accounts (receipts + payments or accruals), independent examination / audit thresholds + Trustees' Annual Report. Larger charities (income >£1m, or >£250k + gross assets >£3.26m) require audit. Charity Commission can order inquiry on non-filing.
Jurisdiction: UK
Lifecycle: Active
UK Charity Commission CC3 — The Essential Trustee
CC3 (The Essential Trustee: what you need to know, what you need to do) is the Charity Commission's foundational guidance for charity trustees in England + Wales. Sets out trustees' six main duties + responsibilities including ensuring charity is carrying out its purposes for public benefit, complying with law, acting in the charity's best interests, managing resources responsibly, acting with reasonable care + skill + ensuring accountability. Required reading for trustee induction.
Jurisdiction: UK
Lifecycle: Active
UK Charity Commission CC8 — Internal Financial Controls
CC8 (Internal Financial Controls for Charities) sets out the Charity Commission's guidance on the internal financial controls expected of charities. Covers segregation of duties, authorisation + approval, financial records, banking, income + expenditure controls, investments, reserves + fraud prevention. Larger charities are subject to independent examination or audit. Failure can lead to Commission inquiries, regulatory orders + trustee removal.
Jurisdiction: UK
Lifecycle: Active
UK Congestion + Clean Air Zones
UK Clean Air Zones (CAZ) + Ultra Low Emission Zone (ULEZ — London) + LEZ regimes charge non-compliant vehicles to drive in defined urban areas. Categories A-D + ULEZ rules require Euro 4 (petrol) / Euro 6 (diesel) minimums. Charges apply per entry; penalty if unpaid. Operators must manage fleet compliance + driver awareness. Companion: TfL Direct Vision Standard (DVS) for HGVs in London (Permit + Safe System).
Jurisdiction: UK
Lifecycle: Active
UK CDM 2015 — Construction (Design and Management) Regulations
The UK Construction (Design and Management) Regulations 2015 (CDM 2015) are the primary set of regulations governing health, safety + welfare on construction projects in Great Britain. CDM 2015 places duties on Clients, Principal Designers, Designers, Principal Contractors, Contractors + Workers across all construction projects from concept to handover. Key artefacts: Pre-Construction Information (PCI), Construction Phase Plan (CPP), Health + Safety File. Notifiable projects (>500 person-days or >30 working days with >20 workers simultaneously) must be notified to HSE via F10. Enforced by HSE; breach is a criminal offence under HSWA 1974.
Jurisdiction: UK
Lifecycle: Active
UK CDM Construction Phase Plan (HSG L153 Guidance)
HSE Guidance L153 ("Managing health and safety in construction — Construction (Design and Management) Regulations 2015 Guidance on Regulations") provides the practical detail on producing a CDM-compliant Construction Phase Plan (CPP). The CPP is a CDM 2015 Reg 12 requirement — the Principal Contractor must draw it up before construction begins + ensure it is reviewed + updated. Content should be proportionate to project + risk. Typical sections: project description, management of the work, health + safety arrangements, site rules. HSE L153 + the CITB CPP guidance + templates are the de-facto standards.
Jurisdiction: UK
Lifecycle: Active
UK Charity Governance Code
The Charity Governance Code is a voluntary code of best practice for charity boards in England + Wales, supported by the Charity Commission + sector partners. Two versions (small + larger charities). Seven principles: Organisational Purpose; Leadership; Integrity; Decision-Making, Risk + Control; Board Effectiveness; Equality, Diversity + Inclusion; Openness + Accountability. Comply-or-explain basis + widely adopted as a board-effectiveness benchmark.
Jurisdiction: UK
Lifecycle: Active
UK Charities Act 2011 + 2022
The UK Charities Act 2011 (consolidating earlier Acts + amended by Charities Act 2022) is the principal statute governing charities in England + Wales. Defines charitable purposes (the 13 statutory descriptions of charitable purpose) + the public benefit requirement + the role of the Charity Commission. The 2022 Act introduced significant flexibilities including disposal of land, changes to governing documents, ex gratia payments + trustee remuneration. Companion regimes: Scotland (OSCR + Charities and Trustee Investment (Scotland) Act 2005) + Northern Ireland (CCNI).
Jurisdiction: UK
Lifecycle: Active
UK Charity Commission Safeguarding Guidance
The Charity Commission requires trustees to take reasonable steps to protect from harm beneficiaries, staff + others who come into contact with their charity. Sectoral guidance covers safeguarding policy, recruitment, training, reporting + multi-agency cooperation. Safeguarding incidents are reportable serious incidents. Cross-references with statutory safeguarding regimes (Children Acts, Care Act 2014).
Jurisdiction: UK
Lifecycle: Active
UK CILEx Regulation Code of Conduct
CILEx Regulation regulates Chartered Legal Executives + other CILEx members in England + Wales under the LSA 2007. The Code of Conduct sets professional standards covering integrity, competence, client care, confidentiality + the conduct of CILEx-Authorised Practitioners + Entities. Disciplinary tribunal for serious breaches.
Jurisdiction: UK
Lifecycle: Active
UK CISRS — Construction Industry Scaffolders Record Scheme
CISRS (Construction Industry Scaffolders Record Scheme) is the recognised UK industry certification scheme for scaffolders + scaffold inspectors. Training pathway: COTS → Part 1 → Part 2 → Advanced → Scaffold Inspector (Basic + Advanced). Endorsed by the National Access and Scaffolding Confederation (NASC) + Build UK (formerly UK Contractors Group) + recognised by HSE. Required on most large UK construction sites. Training is aligned with the NASC guidance (TG20, TG30 + SG4) that underpins safe scaffolding practice.
Jurisdiction: UK
Lifecycle: Active
UK COMAH 2015 — Control of Major Accident Hazards
The Control of Major Accident Hazards Regulations 2015 (COMAH) implement the EU Seveso III Directive in Great Britain (retained post-Brexit). Apply to establishments where dangerous substances are present above qualifying quantities. Two tiers: lower-tier requires a Major Accident Prevention Policy (MAPP); upper-tier requires a Safety Report. Land-use planning, emergency planning + public information also covered. Regulated by the COMAH Competent Authority (HSE jointly with the Environment Agency, SEPA or Natural Resources Wales).
Jurisdiction: UK
Lifecycle: Active
UK Construction Contracts — JCT + NEC4
JCT (Joint Contracts Tribunal) + NEC4 (New Engineering Contract 4th Edition) are the two dominant standard-form construction contract suites used in UK construction. JCT covers traditional, design + build, management + framework. NEC4 emphasises collaborative working + active programme management. JCT Standard Building Contract 2024 is the most-used + NEC4 dominant in infrastructure + public sector.
Jurisdiction: UK
Lifecycle: Active
UK COSHH 2002 — Control of Substances Hazardous to Health
The Control of Substances Hazardous to Health Regulations 2002 (COSHH) require employers to prevent or control employee exposure to substances hazardous to health. Hierarchy of control: eliminate; substitute; engineering controls + LEV; PPE as last resort. Workplace Exposure Limits (WELs) published by HSE in EH40. Requires written COSHH risk assessment, control measures, monitoring, health surveillance where required, training + emergency procedures. Heavy enforcement focus in construction: silica, welding fume, wood dust, isocyanates (asbestos + lead have their own regulations).
Jurisdiction: UK
Lifecycle: Active
UK Consumer Protection from Unfair Trading Regulations 2008
The Consumer Protection from Unfair Trading Regulations 2008 (CPRs) prohibit unfair commercial practices: misleading actions, misleading omissions, aggressive practices + the list of banned practices. From 6 April 2025 they are replaced by Part 4 Chapter 1 of the Digital Markets, Competition and Consumers Act 2024, which carries the prohibitions forward + gives the CMA direct enforcement + fining powers (up to 10% of global turnover). In property, the material-information duty requires disclosure of anything that affects a consumer's transactional decision: known defects, planning issues, lease terms, EPC + tenure.
Jurisdiction: UK
Lifecycle: Active
UK Consumer Rights Act 2015
The Consumer Rights Act 2015 consolidates the UK's key consumer protection laws into a single statute covering goods, digital content + services, unfair contract terms + consumer notices. Key rights: goods must be of satisfactory quality, fit for purpose + as described; remedies (repair / replacement / price reduction / refund); 30-day right to reject defective goods. The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (which replaced the earlier distance- + doorstep-selling regulations) supplement it with pre-contract information + 14-day cancellation rights. Enforced by Trading Standards + the CMA; Citizens Advice runs the consumer helpline.
Jurisdiction: UK
Lifecycle: Active
UK CUC Higher Education Code of Governance
The Committee of University Chairs (CUC) Higher Education Code of Governance is the principal code of governance for English HE providers. Adopted on a comply-or-explain basis + referenced in OfS regulatory framework. Covers Governing Body responsibilities, board composition + skills, conduct + accountability, academic governance + student engagement. Updated periodically; most recent revision strengthened academic freedom + freedom of speech provisions.
Jurisdiction: UK
Lifecycle: Active
UK Domestic Abuse Act 2021
The Domestic Abuse Act 2021 introduced a statutory definition of domestic abuse + the role of the Domestic Abuse Commissioner + new offences + statutory duties on local authorities to provide support in safe accommodation. Education relevance: children experiencing or witnessing domestic abuse are now recognised as victims in their own right; schools + colleges should reflect this in safeguarding policies + practice + curriculum (RSHE).
Jurisdiction: UK
Lifecycle: Active
UK Farming Rules for Water 2018
UK statutory rules requiring farmers in England to plan use of fertilisers + manures, manage soil + prevent pollution of inland + coastal waters. Enforced by the Environment Agency.
Jurisdiction: UK
Lifecycle: Active
UK DfE Data Protection Toolkit for Schools
The DfE Data Protection Toolkit for Schools is the practical guidance for English schools + MATs on UK GDPR + DPA 2018 compliance, written in plain English. Covers DPO requirements, lawful basis, retention, ROPA, subject rights, data sharing, breach notification + DPIA. Aligns with ICO + NCSC + JISC guidance + integrates with DfE Cyber Security Standards for Schools.
Jurisdiction: UK
Lifecycle: Active
UK DSEAR 2002 — Dangerous Substances and Explosive Atmospheres
The Dangerous Substances and Explosive Atmospheres Regulations 2002 (DSEAR) require employers to assess + control the risks from fire, explosion + similar events arising from dangerous substances in the workplace. Requires risk assessment, control measures, classification of hazardous zones (zone 0/1/2 for gas, zone 20/21/22 for dust), accident prevention + emergency arrangements. Applies to construction sites with flammables, dust generation, hot works + LPG.
Jurisdiction: UK
Lifecycle: Active
UK DVSA + Operator Licence
Operator Licensing (O Licensing) is the UK regulatory regime for commercial road haulage + passenger vehicles. Operators must hold a Goods Vehicle Operator's Licence (HGV) or Public Service Vehicle (PSV) Operator's Licence issued by the Traffic Commissioner. Conditions cover financial standing, transport manager (with CPC), maintenance + repair, operating centre + driver tachograph compliance. DVSA enforces via roadside checks + Operator Compliance Risk Score (OCRS) + Public Inquiries. Loss of "good repute" can result in licence revocation + Operator Disqualification.
Jurisdiction: UK
Lifecycle: Active
UK Estate Agents Act 1979
UK primary legislation regulating estate agency business. Imposes obligations including disclosure of personal interests (s.21), client money handling (s.14), prohibited offences + powers of the National Trading Standards Estate + Letting Agency Team (NTSELAT). Underpinned by Estate Agents (Provision of Information) Regulations 1991.
Jurisdiction: UK
Lifecycle: Active
UK Electrical Equipment (Safety) Regulations 2016
The Electrical Equipment (Safety) Regulations 2016 implement the LVD in GB (retained post-Brexit). Apply to electrical equipment designed for use within voltage limits 50-1000V AC or 75-1500V DC placed on the GB market. UKCA marking + Technical File + DoC. Self-certification supported by harmonised standards. OPSS enforces.
Jurisdiction: UK
Lifecycle: Active
UK Energy Performance of Buildings Regulations 2012 (EPCs)
UK regulations requiring valid Energy Performance Certificates (EPCs) when buildings are constructed, sold or let. Display Energy Certificates (DECs) apply to public buildings. Enforced by Trading Standards.
Jurisdiction: UK
Lifecycle: Active
UK EPC + Energy Performance of Buildings Regs 2012
The Energy Performance of Buildings (England + Wales) Regulations 2012 implement the EU Energy Performance of Buildings Directive in England + Wales. Require an Energy Performance Certificate (EPC) when a building is sold, let or constructed; a Display Energy Certificate (DEC) for public buildings; air-conditioning inspections. MEES (Minimum Energy Efficiency Standard) prohibits letting domestic + non-domestic property rated below E. Government proposals would raise the minimum (non-domestic to C by 2027 + B by 2030; domestic to C by 2030) but are not yet in force.
Jurisdiction: UK
Lifecycle: Active
UK FE Code of Good Governance
The Code of Good Governance for English Colleges (Association of Colleges) sets the governance framework for FE corporations + sixth-form colleges. Covers strategic leadership + clarity of purpose, board composition + effectiveness, accountability for funding + student outcomes, board behaviours + values + meaningful student + staff engagement. Adopted on a comply-or-explain basis + referenced in ESFA funding agreements + Ofsted Leadership + Management inspections.
Jurisdiction: UK
Lifecycle: Active
UK Homes (Fitness for Human Habitation) Act 2018
UK Act amending the Landlord + Tenant Act 1985 to require all landlords (private + social) to ensure their properties are fit for human habitation at the start of + throughout a tenancy. Tenants can sue for breach.
Jurisdiction: UK
Lifecycle: Active
UK Fundraising Regulator Code of Fundraising Practice
The Fundraising Regulator sets + maintains the UK Code of Fundraising Practice covering all UK fundraising activity (charities, agencies, third-party fundraisers). Provides public-facing complaint route (Fundraising Complaints) + investigates breaches. Code addresses behaviour towards donors, vulnerable people, transparency, payments + processing + specific channels (face-to-face, digital, telephone, direct mail, events). Pair with the Fundraising Promise + Fundraising Levy.
Jurisdiction: UK
Lifecycle: Active
UK Food Safety Act 1990 + Food Hygiene (England) Regs 2013
The Food Safety Act 1990 is the principal food law in Great Britain, supplemented by the Food Hygiene (England) Regulations 2013 + parallel devolved regulations, which enforce retained Regulation (EC) 852/2004 on food hygiene. Food businesses must register with their local authority, implement HACCP-based procedures + meet hygiene standards. The Food Hygiene Rating Scheme provides public-facing 0-5 ratings. Enforced by local authorities, with the Food Standards Agency (FSA) as central competent authority.
Jurisdiction: UK
Lifecycle: Active
UK GAAP — FRS 102
FRS 102 is the principal Financial Reporting Standard applicable in the UK and Republic of Ireland for entities not applying IFRS. Maintained by the Financial Reporting Council (FRC). The 2024 amendments (effective accounting periods starting 1 January 2026) align lease + revenue accounting more closely with IFRS 15 + IFRS 16. Used by the majority of UK + Irish SMEs + most private companies. FRS 101 (reduced disclosure framework based on IFRS) + FRS 105 (micro-entity regime) sit alongside FRS 102.
Jurisdiction: UK
Lifecycle: Active
UK Gas Safety (Installation and Use) Regs 1998 + Gas Safe Register
The Gas Safety (Installation and Use) Regulations 1998 (GSIUR) regulate the installation, maintenance + use of natural gas appliances + installations in Great Britain. Anyone working on gas must be registered with the Gas Safe Register. Landlords must provide an annual Gas Safety Record (CP12) for each property. Failure to comply is a criminal offence; the HSE + Gas Safe enforce. Most-cited source of carbon-monoxide fatality enforcement.
Jurisdiction: UK
Lifecycle: Active
UK GDPR Obligations Profile
Operational profile for UK GDPR obligations and governance.
Jurisdiction: UK
Lifecycle: Active
UK General Product Safety Regulations 2005 (revised 2024)
The General Product Safety Regulations 2005 (GPSR) impose a general duty on producers + distributors to place only safe consumer products on the GB market, backed by risk-based safety assessment + corrective action / recall obligations. The EU General Product Safety Regulation 2023/988 (applicable from 13 December 2024) adds online-marketplace responsibilities, traceability, an EU responsible person + recall requirements; it applies in Northern Ireland under the Windsor Framework + to GB businesses selling into the EU, while GB itself remains under GPSR 2005 pending the OPSS product safety review. Enforced by Trading Standards + OPSS.
Jurisdiction: UK
Lifecycle: Active
UK Housing Act 2004 — HHSRS + HMO Licensing
UK Act establishing the Housing Health + Safety Rating System (HHSRS) to assess residential property hazards + mandating HMO licensing where appropriate. Enforced by local housing authorities.
Jurisdiction: UK
Lifecycle: Active
UK Health and Safety at Work etc. Act 1974
The Health and Safety at Work etc. Act 1974 (HSWA) is the foundational UK health + safety statute. §2 imposes a general duty on employers to ensure, so far as reasonably practicable, the health, safety + welfare at work of all employees. §3 extends duties to persons not in their employment. §6 covers articles + substances. §7 duties on employees. §37 attaches personal liability to directors + managers where consent, connivance or neglect caused the breach. Enforcement by HSE (or local authority); breach is a criminal offence with unlimited fines + imprisonment.
Jurisdiction: UK
Lifecycle: Active
UK ICO Age Appropriate Design Code (Children's Code) + UK GDPR Art 8
UK GDPR Article 8 sets the digital-services age of consent at 13 in the UK. The ICO Age Appropriate Design Code ("Children's Code") sets 15 standards for online services likely to be accessed by children — data minimisation, default privacy-on, no nudge to lower protections, transparency, age-appropriate communication, parental controls + DPIAs. Statutory under the Data Protection Act 2018; ICO enforcement powers include orders + fines up to £17.5M or 4% global turnover.
Jurisdiction: UK
Lifecycle: Active
UK Investigatory Powers Act 2016
The Investigatory Powers Act 2016 (IPA) is the UK statutory framework for the interception of communications + acquisition of communications data + equipment interference + bulk powers. Imposes duties on Telecommunications Operators (TOs) + Communications Service Providers including retention of internet connection records (12 months), lawful intercept warrant compliance + cooperation. Oversight by Investigatory Powers Commissioner + Judicial Commissioners. Cross-border data flow + LEDA (Law Enforcement Disclosure Act) relevance.
Jurisdiction: UK
Lifecycle: Active
UK Keeping Children Safe in Education (KCSIE)
KCSIE is the statutory safeguarding + child-protection guidance issued by the UK Department for Education that all schools + colleges in England must have regard to. Updated annually. Parts 1-5 cover safeguarding information for all staff (Part 1), management of safeguarding (Part 2), safer recruitment (Part 3), allegations against staff (Part 4) + child-on-child sexual violence + harassment (Part 5). DSL + deputy DSLs, single central record, online safety filtering + monitoring, low-level concerns, county lines + serious violence all addressed.
Jurisdiction: UK
Lifecycle: Active
UK Legal Ombudsman Scheme Rules
The UK Legal Ombudsman provides independent + impartial complaint resolution for consumers of legal services in England + Wales. Scheme Rules set out who can complain, time limits (6 months from final response or 1 year from act / awareness), what awards can be made (up to £50,000) + the firm's obligations on complaint handling. Statutory under LSA 2007. First-tier complaint handling expected at firm level before LeO escalation.
Jurisdiction: UK
Lifecycle: Active
UK Licensing Act 2003
The Licensing Act 2003 governs the sale + supply of alcohol, regulated entertainment + late-night refreshment in England + Wales. Premises licence + personal licence + temporary event notices. Four licensing objectives: prevention of crime + disorder, public safety, prevention of public nuisance + protection of children from harm. Local authority licensing committees + police enforcement.
Jurisdiction: UK
Lifecycle: Active
UK Lobbying Act 2014 + Transparency of Lobbying
The Transparency of Lobbying, Non-Party Campaigning and Trade Union Administration Act 2014 ("Lobbying Act") regulates consultant lobbying (Part 1), non-party campaigners in elections (Part 2) + trade unions (Part 3). Charities engaging in regulated campaign activity in the year before a UK general election may need to register with the Electoral Commission + comply with spending limits. Companion: Charity Commission CC9 (Campaigning + Political Activity Guidance for Charities).
Jurisdiction: UK
Lifecycle: Active
UK LOLER 1998 — Lifting Operations and Lifting Equipment Regulations
The Lifting Operations and Lifting Equipment Regulations 1998 (LOLER) apply to all lifting equipment + lifting operations at work in Great Britain. Lifting equipment must be: of adequate strength + stability; positioned + installed to minimise risk of injury; marked with safe working loads; thoroughly examined at specified intervals (6 months for equipment lifting persons + accessories, 12 months otherwise) by a competent person; subject to a written report of thorough examination (RTE). Lifting operations must be planned by a competent person, appropriately supervised + carried out safely. Common construction enforcement subject.
Jurisdiction: UK
Lifecycle: Active
UK Legal Professional Privilege (LPP)
Legal Professional Privilege under English + Welsh law covers (a) legal advice privilege protecting communications between lawyer + client for the purpose of giving + receiving legal advice + (b) litigation privilege protecting communications + documents in contemplation of litigation. Common-law concept reinforced by statute (PACE 1984, FSMA 2000, etc.). Loss of privilege through inadvertent disclosure, iniquity exception or shared interest is a significant risk in legal practice.
Jurisdiction: UK
Lifecycle: Active
UK Legal Services Act 2007
The Legal Services Act 2007 is the principal UK statute regulating legal services in England + Wales. Establishes the Legal Services Board as oversight regulator + the front-line regulators (SRA, BSB, CILEx Regulation, CLC, Costs Lawyers Regulation, Notaries, Patent Attorneys, Trade Mark Attorneys). Reserved legal activities require authorisation. Alternative Business Structures (ABS) permitted from 2011. Outcomes-focused regulation + statutory complaints framework via Legal Ombudsman.
Jurisdiction: UK
Lifecycle: Active
UK Minimum Energy Efficiency Standards (MEES) Regulations 2015
UK regulations setting Minimum Energy Efficiency Standards for privately rented domestic + non-domestic properties. From April 2023, all non-domestic let property must be E or higher. From 2025+, tightened thresholds anticipated. Enforced by local authorities + Trading Standards.
Jurisdiction: UK
Lifecycle: Active
UK Manual Handling Operations Regulations 1992
The Manual Handling Operations Regulations 1992 (MHOR) require employers to avoid hazardous manual handling so far as reasonably practicable; assess any unavoidable manual handling (using the TILE/E or MAC framework: Task, Individual, Load, Environment, Other factors); reduce the risk to the lowest reasonably practicable level. Manual handling injuries are the largest single category of UK construction over-7-day injuries.
Jurisdiction: UK
Lifecycle: Active
UK MLR 2017 — Money Laundering Regulations (Legal Sector)
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) apply to UK legal practitioners carrying out specified relevant activity (independent legal professionals — ILP). Require risk-based customer due diligence, beneficial ownership, ongoing monitoring, suspicious activity reporting + record-keeping. SRA + BSB are supervisors for solicitors + barristers. Enforcement by SRA + NCA + HMRC + HMT OFSI.
Jurisdiction: UK
Lifecycle: Active
UK MLR 2017 — Estate + Letting Agency
UK Money Laundering Regulations 2017 apply to estate agency + (since 2020) letting agency businesses with monthly rents ≥€10,000. HMRC supervises. Requires registration, risk assessment, customer due diligence on buyer + seller, SAR reporting + record-keeping.
Jurisdiction: UK
Lifecycle: Active
UK Modern Slavery Act 2015
The Modern Slavery Act 2015 §54 requires UK commercial organisations with annual turnover ≥£36m to publish a Modern Slavery Statement annually covering steps taken to prevent slavery + human trafficking in their business + supply chains. Companion: criminal offences for slavery + human trafficking + forced labour. Government statement registry. Enforcement is primarily reputational + civil-society driven; statutory enforcement limited but proposed reforms include penalties for non-compliance.
Jurisdiction: UK
Lifecycle: Active
UK Making Tax Digital (MTD)
Making Tax Digital is HMRC's programme to digitalise UK tax administration. MTD for VAT has been live since April 2019 + extends to all VAT-registered businesses since April 2022 (≥ £85k threshold abolished). MTD for Income Tax Self Assessment (ITSA) launches from April 2026 for self-employed + landlords with income > £50k + extends to > £30k from April 2027. MTD requires digital record-keeping + filing via API-compatible software + quarterly + annual digital updates.
Jurisdiction: UK
Lifecycle: Active
UK Food Information Amendment Regs 2019 (Natasha's Law)
The Food Information (Amendment) (England) Regulations 2019 ("Natasha's Law") came into force October 2021 extending Regulation 1169/2011 allergen labelling to prepacked-for-direct-sale (PPDS) food in the UK. Driven by the death of Natasha Ednan-Laperouse from anaphylaxis to a PPDS sandwich. Requires full ingredient list + emphasis on the 14 listed allergens on PPDS packaging.
Jurisdiction: UK
Lifecycle: Active
UK NIS Regulations 2018 (Energy + Utilities)
The UK NIS Regulations 2018 implement the EU NIS Directive (retained) covering Operators of Essential Services (OES) in energy, transport, banking, financial market infrastructure, health, drinking water + digital infrastructure + Relevant Digital Service Providers. Competent authorities (Ofgem for energy) supervise. OES must take appropriate + proportionate measures + report serious incidents. NIS2 implementation underway. Penalties up to £17m.
Jurisdiction: UK
Lifecycle: Active
UK National Minimum + Living Wage (Hospitality)
The UK National Minimum Wage Act 1998 + National Living Wage (from 2016, age 21+ from April 2024) set statutory minimum hourly rates. Hospitality is HMRC's most-named non-compliant sector. Common pitfalls: unpaid trial shifts, uniform deductions taking pay below minimum, training time + travel time not paid. Annual uprating each April; enforcement via HMRC + employment tribunals.
Jurisdiction: UK
Lifecycle: Active
UK Ofcom Broadcasting Code
The Ofcom Broadcasting Code sets the rules + standards for television + radio broadcasting in the UK under the Communications Act 2003 + Broadcasting Act 1996. Covers 10 sections including protection of under-eighteens, harm + offence, crime + disorder, religion, fairness + privacy, commercial references + sponsorship + due impartiality. Mandatory for licensed broadcasters. Enforced via investigations, sanctions + licence revocation. Companion: BBC Editorial Guidelines + Ofcom Rules on Commercial Communications.
Jurisdiction: UK
Lifecycle: Active
UK Ofcom General Conditions of Entitlement
The General Conditions of Entitlement are the rules every Communications Provider (CP) in the UK must comply with under the Communications Act 2003. Cover network functioning, numbering, must-carry, emergency services, consumer protection (including switching, contract information, customer care, complaints, vulnerable consumers, fraud + scams), end-user interests + access conditions. Periodic Statements of Compliance required.
Jurisdiction: UK
Lifecycle: Active
UK HSE Offshore Safety Regulations
UK Offshore Installations (Offshore Safety Directive) Regulations 2015 (OSDR) implement the EU Offshore Safety Directive + require duty-holders to demonstrate management of major hazards via Safety Cases accepted by the Offshore Major Accident Regulator (OSDR = HSE + BEIS). Companion regimes: Offshore Installations (Prevention of Fire + Explosion + Emergency Response) Regs 1995 (PFEER), Pipeline Safety Regs 1996, OPRC (Oil Pollution Preparedness, Response + Cooperation). Operators of higher-risk facilities must obtain Safety Case + Consent to Operate.
Jurisdiction: UK
Lifecycle: Active
UK Ofgem Licence Framework
The Office of Gas and Electricity Markets (Ofgem) is the GB energy regulator. Licences (supply, generation, distribution, transmission) impose conditions covering market conduct, consumer protection, financial resilience, network operation + sustainability. Licence Modifications + Statutory Consultations evolve standards continuously. Significant Code Reviews + RIIO price controls (electricity + gas distribution + transmission) drive utility operating models. Enforcement via Provisional Orders, financial penalties + licence revocation.
Jurisdiction: UK
Lifecycle: Active
UK Office for Students Regulatory Framework
The Office for Students (OfS) is the regulator of higher education in England. The Regulatory Framework sets the conditions for registration — covering access + participation, quality + standards, student protection, financial viability + sustainability, management + governance + accountability for public funding. Conditions C1-C4 (consumer protection), B1-B11 (quality + standards including the 2024 strengthened conditions), E1-E6 (management + governance) drive most registered-provider compliance work. Sanctions include monetary penalties, specific ongoing conditions, suspension + de-registration.
Jurisdiction: UK
Lifecycle: Active
UK Ofsted Education Inspection Framework (EIF)
The Ofsted Education Inspection Framework (EIF) is the structure under which Ofsted inspects schools, FE + skills, early years + initial teacher training in England. Judges four key areas: Quality of Education; Behaviour + Attitudes; Personal Development; Leadership + Management — plus an overall effectiveness judgement (Outstanding / Good / Requires Improvement / Inadequate). Safeguarding is graded separately as Met / Not Met; a Not Met grading means an overall Inadequate judgement. Statutory under the Education Act 2005.
Jurisdiction: UK
Lifecycle: Active
UK Office for Nuclear Regulation (ONR) Site Licence + SAPs
The Office for Nuclear Regulation regulates the safety + security + safeguards at UK nuclear installations. Nuclear Site Licence (NSL) issued under Nuclear Installations Act 1965 with 36 licence conditions. Safety Assessment Principles (SAPs) + Technical Assessment Guides (TAGs) provide the technical basis for safety judgements. Security regulated through NISR 2003 + Security Assessment Principles (SyAPs). Site Licence holders must produce + maintain pre-construction safety reports, periodic safety reviews + emergency plans. World-leading regulator engagement model.
Jurisdiction: UK
Lifecycle: Active
UK Office of Rail and Road (ORR) Regulations
The Office of Rail and Road (ORR) is the independent safety + economic regulator for Britain's railways. Health + safety regulator for rail under the Health and Safety at Work etc. Act 1974 + Railways and Other Guided Transport Systems (Safety) Regulations 2006 (ROGS). Approves Safety Management Systems for infrastructure managers + railway undertakings. Economic regulator for Network Rail + monitor of HS1 + Channel Tunnel. Enforcement via Improvement / Prohibition Notices + prosecution.
Jurisdiction: UK
Lifecycle: Active
UK Online Safety Act 2023
The Online Safety Act 2023 imposes duties on providers of "user-to-user" services + search services with links to the UK to protect users (especially children) from illegal + harmful content. Categorised services (Category 1 + 2A + 2B) face additional duties. Risk assessments, safety duties, transparency reporting + Ofcom enforcement via fines up to £18m or 10% global turnover. Senior manager personal liability for systematic failures. Phased Ofcom Codes of Practice.
Jurisdiction: UK
Lifecycle: Active
UK Building Regs Part P — Electrical Safety in Dwellings
Approved Document P is the practical guidance under the Building Regulations 2010 covering electrical installation work in dwellings (England). Most electrical work in dwellings must comply with BS 7671 (Wiring Regulations). Notifiable work must be self-certified by a Competent Person Scheme member (NICEIC, NAPIT, ELECSA, STROMA) or formally inspected. Non-notifiable work still requires BS 7671 compliance.
Jurisdiction: UK
Lifecycle: Active
UK Party Wall etc. Act 1996
The Party Wall etc. Act 1996 provides a framework for preventing + resolving disputes in relation to party walls, party fence walls + excavations near neighbouring buildings in England + Wales. Building Owners proposing work falling within the Act must serve notice on Adjoining Owners + obtain consent or appoint surveyors to settle an Award. Failure to follow the Act is a frequent source of construction disputes + litigation.
Jurisdiction: UK
Lifecycle: Active
UK PAS 5305 — Online Safety for Schools
PAS 5305:2023 is the British Standards Institution publicly-available specification on online safety for educational institutions. Provides a framework for governance, risk assessment, filtering + monitoring, education + training + incident response covering online safety. Complements KCSIE + DfE Filtering + Monitoring Standards by offering a more structured + auditable approach. Adopted by schools, MATs, FE + HE seeking demonstrable best practice + by EdTech serving the sector.
Jurisdiction: UK
Lifecycle: Active
UK Pricing Practices Guide (CMA)
The UK CMA Pricing Practices Guide explains how the Consumer Protection from Unfair Trading Regulations 2008 (CPRs) apply to pricing practices, including reference pricing, headline pricing, drip pricing + bundle pricing. Specifies that "was/now" pricing must reflect a genuine prior price. Enforced by CMA + Trading Standards. Companion: ASA CAP Code + Pricing in Context Guidance.
Jurisdiction: UK
Lifecycle: Active
UK Press Self-Regulation (IPSO + IMPRESS)
UK newspaper + magazine + online news content is regulated through voluntary self-regulatory bodies — primarily the Independent Press Standards Organisation (IPSO, the larger body with most national newspapers) + IMPRESS (state-recognised under Royal Charter). Both administer their own Editors' Code of Practice covering accuracy, privacy, harassment, opportunity to reply + reporting of crime. Companion: BBC Editorial Guidelines + Defamation Act 2013 + Editors' Code (IPSO).
Jurisdiction: UK
Lifecycle: Active
UK Prevent Duty (CTSA 2015 §26)
Section 26 of the Counter-Terrorism and Security Act 2015 places a duty on specified authorities — including schools, FE colleges + universities — to have due regard to the need to prevent people from being drawn into terrorism. Operationalised through staff training, IT filtering, risk assessment + referral to Channel where concerns arise. Inspected by Ofsted (schools + FE) + OfS (HE). The 2023 guidance update strengthens the focus on online radicalisation + extremism.
Jurisdiction: UK
Lifecycle: Active
UK PUWER 1998 — Provision and Use of Work Equipment Regulations
The Provision and Use of Work Equipment Regulations 1998 (PUWER) place duties on Employers + the self-employed regarding equipment used at work. Equipment must be: suitable for use, safe for use, maintained in a safe condition + inspected to ensure it remains so. Used by those who have received adequate information + training. Used with appropriate safety measures (e.g. guards, emergency stops, controls, warnings). Frequent overlap with LOLER + WAH; commonly cited HSE enforcement subject in construction.
Jurisdiction: UK
Lifecycle: Active
UK Red Tractor Farm Assurance
UK farm assurance scheme covering food safety, animal welfare, environmental protection + responsible sourcing. Recognised by major UK retailers + food service. Sector standards: Beef + Lamb, Dairy, Pigs, Poultry, Combinable Crops + Sugar Beet, Fresh Produce.
Jurisdiction: UK
Lifecycle: Active
UK Real Estate Investment Trust (REIT) Regime
UK tax regime for Real Estate Investment Trusts established under Corporation Tax Act 2010 Part 12. Provides tax-efficient vehicle for property investment subject to qualifying conditions on income, distribution + listing.
Jurisdiction: UK
Lifecycle: Active
UK RIDDOR 2013 — Reporting of Injuries, Diseases and Dangerous Occurrences
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR) require Responsible Persons to report specified workplace incidents to HSE (or local authority). Reportable categories: deaths, specified injuries, over-7-day incapacitation, occupational diseases, dangerous occurrences + gas incidents. Reporting via online portal within prescribed timeframes (typically 10 or 15 days from incident, or shorter for deaths + specified injuries). Records must be kept for 3 years. Underpins HSE intervention + statistics; failure to report is itself an offence.
Jurisdiction: UK
Lifecycle: Active
UK Relationships, Sex + Health Education (RSHE) Statutory
Relationships, Sex and Health Education (RSHE) is statutory in all schools in England since September 2020. Relationships Education in primary; Relationships + Sex Education in secondary; Health Education at both. Schools must publish a written RSHE policy, consult with parents + reflect community values within statutory guidance. 2024 RSHE review tightened age-appropriateness + safeguarding linkages.
Jurisdiction: UK
Lifecycle: Active
UK SRA Accounts Rules
The SRA Accounts Rules govern the handling of client money + assets by SRA-regulated firms in England + Wales. Mandatory annual Accountant's Report by Reporting Accountant. Strict separation of client + office money + immediate banking + 5-week withdrawal limits + immediate notification of any breach to the COFA. Among the most heavily enforced areas of SRA regulation.
Jurisdiction: UK
Lifecycle: Active
UK Streamlined Energy + Carbon Reporting (SECR)
The UK Streamlined Energy and Carbon Reporting Regulations 2018 (in force April 2019) require large UK companies + LLPs to disclose energy use, GHG emissions + energy efficiency action in their annual reports. In scope: quoted companies + large unquoted companies + large LLPs (turnover >£36m + balance sheet >£18m + >250 employees). Companion: TCFD reporting for premium-listed companies + Sustainability Disclosure Standards being developed.
Jurisdiction: UK
Lifecycle: Active
UK SEND Code of Practice 0-25
The Special Educational Needs and Disability (SEND) Code of Practice 0-25 is the statutory guidance on the legal duties of LAs, schools, FE + early years providers + NHS bodies in respect of children + young people with SEND, under the Children + Families Act 2014. Covers identification, assessment + the EHC plan process, Local Offer, mediation + appeals. SENCO required in mainstream schools. Inspected by Ofsted + CQC joint inspection.
Jurisdiction: UK
Lifecycle: Active
UK Charity Commission Serious Incident Reporting
Charity Commission guidance requires trustees of registered charities in England + Wales to report serious incidents to the Commission promptly. Reportable matters include significant financial loss, criminal investigation involving the charity, large data breaches, safeguarding incidents, terrorism / extremism links + media-attracting incidents. Failure to report is itself a serious matter; reporting demonstrates trustees discharging their duty under CC3.
Jurisdiction: UK
Lifecycle: Active
UK Supply of Machinery (Safety) Regulations 2008
The Supply of Machinery (Safety) Regulations 2008 are the UK domestic implementation of the Machinery Directive 2006/42/EC, retained post-Brexit. Set essential health + safety requirements for machinery placed on the GB market. UKCA marking required for GB market (CE recognised until further notice); Technical File + Declaration of Conformity. Notified body involvement for Annex IV high-risk machinery. UK Office for Product Safety and Standards (OPSS) enforces.
Jurisdiction: UK
Lifecycle: Active
UK Charities SORP — Statement of Recommended Practice
The Charities SORP provides the recommended practice for the preparation of accounts + the Trustees' Annual Report for charities in the UK + Republic of Ireland. Issued by SORP-making body (Charity Commission, OSCR, CCNI + Charity Regulatory Authority of Ireland). Based on FRS 102 with charity-specific adaptations. Following SORP is required by Charities Regulations + provides a true + fair view evidence base.
Jurisdiction: UK
Lifecycle: Active
UK SRA Standards and Regulations
The Solicitors Regulation Authority Standards + Regulations comprise the SRA Principles (7 high-level professional standards), the Code of Conduct for Solicitors + Code of Conduct for Firms, the SRA Accounts Rules, Authorisation Rules, the Application of Standards + Regulations to In-House Solicitors + the Overseas + Cross-Border Practice Rules. Regulator of solicitors + law firms in England + Wales. Independent enforcement + sanctions including fines + suspension + strike-off.
Jurisdiction: UK
Lifecycle: Active
UK SRA Firm-wide AML Risk Assessment + Policies
The SRA requires regulated firms carrying out relevant activity under MLR 2017 to have a firm-wide AML Risk Assessment, written policies, controls + procedures + a nominated officer (Money Laundering Reporting Officer — MLRO). Annual review + practice-level evidence required. SRA Thematic Review activity has highlighted significant weaknesses in many firms' practical implementation; enforcement increasingly material.
Jurisdiction: UK
Lifecycle: Active
UK SRA Continuing Competence
The SRA Continuing Competence regime (since 2016) replaced prescriptive CPD hours with an outcomes-based requirement on individuals to reflect on their practice, identify learning + development needs, take appropriate action + record this annually. Firms must support staff competence. Compliance is verified at practising-certificate renewal.
Jurisdiction: UK
Lifecycle: Active
UK SRA Professional Indemnity Insurance
SRA-regulated firms must maintain Professional Indemnity Insurance (PII) at not less than the Minimum Terms + Conditions specified by the SRA (currently £2m / £3m for LLPs + companies). Annual renewal in October. Extended Policy Period + Run-off cover on firm closure. The PII market is a frequent source of practice stress + a significant practice cost.
Jurisdiction: UK
Lifecycle: Active
UK Teachers' Standards
The Teachers' Standards set the minimum level of practice for trainees + teachers in maintained schools + non-maintained special schools in England. Apply to qualified teachers regardless of career stage. Two parts: Teaching (8 standards covering planning, subject knowledge, behaviour, assessment + more) + Personal + Professional Conduct (uphold public trust). Used for appraisal, induction (ECT), QTS award + capability proceedings.
Jurisdiction: UK
Lifecycle: Active
UK Tenant Fees Act 2019
UK Act banning most letting fees charged to tenants in England, capping security deposits + restricting holding deposits. Enforced by trading standards + the First-tier Tribunal. Failure to comply can result in fines + repayment orders.
Jurisdiction: UK
Lifecycle: Active
UK Employment (Allocation of Tips) Act 2023
The Employment (Allocation of Tips) Act 2023 (UK) requires employers to pass on 100% of tips, gratuities + service charges to workers without deduction (other than for tax) + to allocate them fairly. Statutory Code of Practice provides guidance. Tronc systems remain permitted. Records retained 3 years; workers can request access.
Jurisdiction: UK
Lifecycle: Active
UK Property Ombudsman + Redress Scheme Codes
UK ADR redress schemes for estate + letting agents — The Property Ombudsman (TPO) + Property Redress Scheme (PRS). Membership mandatory under the Enterprise + Regulatory Reform Act 2013. Codes cover sales, lettings + commercial agency.
Jurisdiction: UK
Lifecycle: Active
UK Telecommunications (Security) Act 2021
The UK Telecommunications (Security) Act 2021 + Telecommunications Security Code of Practice 2022 + Electronic Communications (Security Measures) Regulations 2022 impose extensive security duties on UK telecoms providers. Cover supply chain (with high-risk vendor designations such as Huawei restrictions), network access controls, sensitive functions, security testing + business continuity. Tier 1 (largest) + Tier 2 + Tier 3 providers face graduated obligations. Enforced by Ofcom + DSIT with fines up to 10% turnover.
Jurisdiction: UK
Lifecycle: Active
UK Video-Sharing Platform Rules + EU AVMSD VSP
UK + EU video-sharing platform (VSP) rules (originally implemented under AVMSD 2018 + now subsumed into UK Online Safety Act + EU DSA) require VSPs to take appropriate measures to protect users from harmful content, restricted content for minors, hate speech + incitement to violence + terrorism content. Measures include reporting + flagging mechanisms, age verification + age-rating systems, parental controls + accessible terms + conditions. Notified to Ofcom (UK) or national regulator (EU).
Jurisdiction: UK
Lifecycle: Active
UK Working at Height Regulations 2005
The Work at Height Regulations 2005 (WAHR) place duties on employers + self-employed regarding work at height in Great Britain. Hierarchy: avoid work at height; use existing safe places (e.g. permanent edge protection); use collective protection (e.g. guard rails, scaffolding); use personal protection (e.g. harness systems) only as last resort. Planning, organisation, competence + risk assessment required. Equipment for work at height must be inspected. Underpins LOLER + scaffolding inspection regime. Falls remain the largest single source of construction fatalities + the most-cited HSE enforcement subject.
Jurisdiction: UK
Lifecycle: Active
UK Water Industry Act 1991 + Ofwat
The Water Industry Act 1991 governs water + wastewater services in England + Wales. Ofwat (Water Services Regulation Authority) is the economic regulator + sets price controls (PR Periodic Reviews — currently PR24 for 2025-2030). Drinking Water Inspectorate (DWI) regulates water quality. Environment Agency regulates abstraction + discharge. Companies hold licences + appointments; statutory duties on water companies for supply, quality + sewerage. Customer Service Standards + leakage targets.
Jurisdiction: UK
Lifecycle: Active
UK Working Together to Safeguard Children
Working Together to Safeguard Children is the UK statutory guidance setting out how organisations + agencies must work together to safeguard children + promote their welfare under the Children Acts 1989 + 2004. Applies to schools, local authorities, NHS, police + everyone working with children + families. Defines the multi-agency safeguarding partnership arrangements (police + LA + ICB), child protection enquiries (s17, s47), child protection plans + reviews.
Jurisdiction: UK
Lifecycle: Active
UNECE R155/R156 Profile
Cybersecurity and software update management obligations profile for vehicles.
Jurisdiction: GLOBAL
Lifecycle: Active
URAC Accreditation Programs
URAC (Utilisation Review Accreditation Commission) accredits health-care organisations across 30+ programs covering utilisation management, case management, pharmacy benefit management, telehealth, health website, specialty pharmacy + others. Standards cover governance, quality management, network composition, consumer protection, regulatory compliance + program-specific content. URAC accreditation is often a state-level requirement for UM + PBM operations + a market differentiator for specialty pharmacy + telehealth.
Jurisdiction: US
Lifecycle: Active
US 340B Drug Pricing Program
The 340B Drug Pricing Program requires drug manufacturers participating in Medicaid to provide discounted outpatient drugs to eligible health care organisations (covered entities) — DSH hospitals, Children's hospitals, FQHCs, Ryan White clinics + others. HRSA administers the program with audit authority. Compliance requires patient definition, GPO prohibition, duplicate discount prohibition, registration + recertification, contract pharmacy management + data integrity. Manufacturer recoveries on findings are material; HRSA + manufacturer audit findings increasingly involve contract-pharmacy + Medicaid duplicates.
Jurisdiction: US
Lifecycle: Active
US IRS §501(c)(3) Tax-Exempt Status
IRS §501(c)(3) provides federal tax-exempt status for organisations operated exclusively for religious, charitable, scientific, testing for public safety, literary or educational purposes, fostering amateur sports + preventing cruelty to children or animals. No private inurement; political campaign prohibition; limited lobbying. Form 1023 / 1023-EZ application + Form 990 annual reporting. Loss of exemption is catastrophic; intermediate sanctions for excess benefit transactions under §4958.
Jurisdiction: US
Lifecycle: Active
US ABA Model Rules of Professional Conduct
The American Bar Association Model Rules of Professional Conduct are the model ethics rules adopted (with state-specific variations) by all 50 US state bars. Cover the lawyer-client relationship (competence, scope, fees, confidentiality, conflicts), advocate duties (candour + fairness), transactions with non-clients, law firms + associations (supervisory + subordinate lawyer duties), public service + the integrity of the profession. State bar discipline includes private reprimand, public censure, suspension + disbarment.
Jurisdiction: US
Lifecycle: Active
US ABA Voluntary Good Practices Guidance + Treasury Risk Assessment
US law firms are not directly subject to FinCEN BSA regulations in the way banks are, but face increasing AML expectations through the ABA Voluntary Good Practices Guidance for Lawyers + the 2024 Treasury National Money Laundering Risk Assessment, which highlighted lawyer-facilitated money laundering. FinCEN has proposed rules + issued Geographic Targeting Orders for certain real estate transactions that often involve lawyers. State bar rules (e.g. NY Rule 1.15) impose trust-account integrity. Increasing enforcement risk via FATF mutual-evaluation pressure.
Jurisdiction: US
Lifecycle: Active
US Attorney-Client Privilege + Work Product Doctrine
US attorney-client privilege + work-product doctrine protect lawyer-client communications + materials prepared in anticipation of litigation. Federal Rule of Evidence 502 governs inadvertent disclosure + waiver. State law also applies + may differ in scope. Loss of privilege through waiver, crime-fraud exception, subject-matter waiver or compelled disclosure is significant litigation exposure.
Jurisdiction: US
Lifecycle: Active
US ADA Title III — Public Accommodations
US Americans with Disabilities Act Title III prohibits discrimination on the basis of disability in places of public accommodation, including commercial real estate, hotels, retail, restaurants + leasing offices. Requires reasonable modifications to policies + practices, readily achievable barrier removal in existing facilities + accessible design for new construction + alterations.
Jurisdiction: US
Lifecycle: Active
US ADA Title III — Public Accommodations
Title III of the Americans with Disabilities Act prohibits discrimination on the basis of disability in places of public accommodation — including restaurants, bars, hotels + entertainment venues. 2010 ADA Standards for Accessible Design set physical accessibility standards. Reasonable modifications + auxiliary aids + service animals all covered. Private right of action + DOJ enforcement.
Jurisdiction: US
Lifecycle: Active
US Anti-Kickback Statute + Stark Law
The US Anti-Kickback Statute (AKS, 42 USC §1320a-7b) is a criminal statute prohibiting the knowing + wilful offer, payment, solicitation or receipt of remuneration to induce or reward referrals for items or services payable by a federal health care program. The Stark Law (42 USC §1395nn) is a civil strict-liability statute prohibiting physician referrals to entities with which the physician has a financial relationship, with limited exceptions. Together they shape virtually every commercial healthcare arrangement — joint ventures, employment, leases, medical-director agreements, marketing programmes. Enforced by DOJ + HHS-OIG + CMS. Routine source of False Claims Act liability + civil money penalties + exclusion from federal programs.
Jurisdiction: US
Lifecycle: Active
US TTB + State Alcohol Licensing
US alcohol regulation combines federal oversight by the Alcohol and Tobacco Tax and Trade Bureau (TTB: permits, labelling, formulation, advertising, federal excise) with state-by-state Alcoholic Beverage Control (ABC) licensing of retail + on-premises sales. Tied-house laws restrict producer ownership of, or inducements to, retailers in many states. Minimum purchase age is 21 in every state (National Minimum Drinking Age Act 1984, enforced via federal highway-funding conditions). ID acceptance + age verification at point of sale.
Jurisdiction: US
Lifecycle: Active
US EPA Clean Air Act
The Clean Air Act (42 USC §7401+) is the federal law regulating air emissions from stationary + mobile sources. Title V operating permits required for major sources; NESHAP (40 CFR Part 63) sets hazardous air pollutant standards; PSD + NSR for new + modified sources. State Implementation Plans implement NAAQS. EPA + state enforcement.
Jurisdiction: US
Lifecycle: Active
US CALEA + Law Enforcement Access
The Communications Assistance for Law Enforcement Act (CALEA, 1994) requires telecommunications carriers to ensure their equipment, facilities + services have built-in capabilities for lawful interception by law enforcement, + requires equipment manufacturers + support-service providers to make the necessary features available. FCC + DOJ + FBI implementation. Applies to traditional telecoms + interconnected VoIP + facilities-based broadband Internet access providers (2005 FCC order, compliance required from May 2007). Implementation costs + privacy considerations are significant: the intercept capability itself is a privileged interface that must be access-controlled + audited like any other.
Jurisdiction: US
Lifecycle: Active
US CCPA + CPRA — California Consumer Privacy
The California Consumer Privacy Act (CCPA) + California Privacy Rights Act (CPRA) provide California residents with rights regarding the collection + use of their personal information. CPRA established the California Privacy Protection Agency (CPPA), extends to "sensitive personal information" + adds rights to correct + limit use. CCPA also provides a private right of action with statutory damages ($100-$750 per consumer per incident) for data breaches caused by a failure to maintain reasonable security. Companion state laws: Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA + a growing number of other states. Heavy retail + e-commerce exposure.
Jurisdiction: US
Lifecycle: Active
US CIPA — Children's Internet Protection Act
CIPA (47 USC §254(h)) requires K-12 schools + libraries receiving E-Rate discounts (USAC E-Rate program) to implement technology protection measures (filters) to block visual depictions of obscenity, child pornography + material harmful to minors. Internet Safety Policy required including monitoring, education on appropriate online behaviour, cyberbullying awareness + social network safety. Annual certification of compliance to USAC. Audited by USAC + FCC. Penalty: loss of E-Rate funding.
Jurisdiction: US
Lifecycle: Active
US CISA Critical Infrastructure Cybersecurity
The Cybersecurity and Infrastructure Security Agency (CISA) coordinates critical-infrastructure protection across the 16 designated sectors in the US — including Energy, Water + Wastewater. Issues binding operational directives (BODs) + emergency directives (EDs) for federal civilian executive branch + Cybersecurity Performance Goals (CPGs) for critical-infrastructure sectors. Voluntary participation in CISA programs (KEV catalog, Vulnerability Disclosure Policy, Information Sharing).
Jurisdiction: US
Lifecycle: Active
US State Bar CLE (Continuing Legal Education)
Most US state bars require lawyers to complete a minimum number of Continuing Legal Education hours per reporting cycle (typically 12-15 per year or 24-45 per 3-year cycle). Categories often include ethics, technology, diversity / elimination of bias + substance abuse. CLE providers + courses must be approved or accredited by the state's MCLE (mandatory CLE) board.
Jurisdiction: US
Lifecycle: Active
US Clery Act + Campus Security Reporting
The Jeanne Clery Disclosure of Campus Security Policy + Campus Crime Statistics Act (20 USC §1092(f)) requires colleges + universities that participate in federal financial aid programs to disclose campus crime statistics + security policies. Includes the Annual Security Report (ASR), daily crime log, timely warnings + emergency notifications. VAWA 2013 amendments added dating violence, domestic violence + stalking. Audited by Department of Education; civil penalties + Title IV funding implications for non-compliance.
Jurisdiction: US
Lifecycle: Active
US COPPA — Children's Online Privacy Protection Act
COPPA (15 USC §§6501-6506) + the FTC COPPA Rule (16 CFR Part 312) protect the online privacy of children under 13 in the US. Apply to operators of commercial websites + online services + EdTech directed to children under 13 or with actual knowledge they collect from such children. Require posted privacy notices, verifiable parental consent before collecting / using / disclosing personal information, parental access + deletion rights, data minimisation + security. 2025 amendments tightened consent + data-retention rules. Enforced by FTC + state AGs; civil penalties per violation ($51,744 in 2024, inflation-adjusted annually).
Jurisdiction: US
Lifecycle: Active
US CPSC + Consumer Product Safety Act
The Consumer Product Safety Commission (CPSC) regulates consumer products under the Consumer Product Safety Act (15 USC §§2051-2089) + CPSIA 2008 + specific product statutes (FHSA, FFA, PPPA). Mandatory + voluntary safety standards (ASTM, ANSI), GCC / CPC certification + Section 15(b) substantial product hazard reporting (within 24 hours). Enforced via recalls, civil penalties + criminal prosecution. saferproducts.gov public-facing database.
Jurisdiction: US
Lifecycle: Active
US EPA Clean Water Act
The Clean Water Act (33 USC §1251+) is the federal law regulating discharge of pollutants into US waters + water quality standards. NPDES permits required for point-source discharges; stormwater + industrial pretreatment programs; spill prevention (SPCC). State-implemented; EPA + state enforcement.
Jurisdiction: US
Lifecycle: Active
US USDA National Organic Program (7 CFR Part 205)
USDA rules governing the production, handling, labelling + sale of organic agricultural products in the US. Requires a certified Organic System Plan, prohibited substance list, 3-year transition + accredited certifying agent inspections.
Jurisdiction: US
Lifecycle: Active
US DEA Controlled Substances Act
The Controlled Substances Act + DEA regulations (21 CFR Parts 1300-1321) govern the manufacture, distribution + dispensing of controlled substances. Schedules I-V drive registration, recordkeeping (DEA Form 222 or CSOS electronic orders for Schedule II), inventory, security (DEA-approved safes / vaults / cages), reporting losses + theft (DEA Form 106), suspicious-order monitoring + secure disposal. Applies to pharmacies, hospitals, prescribers + manufacturers. Diversion-control enforcement increasingly intersects with the opioid crisis — DEA inspection + suspension of registration + DOJ prosecution.
Jurisdiction: US
Lifecycle: Active
US DOT Hazardous Materials Regulations (49 CFR Parts 171-180)
PHMSA Hazardous Materials Regulations (HMR, 49 CFR Parts 171-180) govern the safe transportation of hazardous materials in commerce in the US. Cover classification, packaging, labelling, marking, placarding, hazmat employee training (recurrent at least every 3 years), shipping papers + incident reporting. Aligned with the UN Model Regulations + ICAO Technical Instructions + IMDG Code for international transport. PHMSA enforcement + civil + criminal penalties.
Jurisdiction: US
Lifecycle: Active
US Every Student Succeeds Act (ESSA)
ESSA (Pub L 114-95) reauthorized + replaced NCLB. Governs federal K-12 education funding via Titles I-IX. Sets state accountability requirements, annual standardised testing in reading + math (grades 3-8 + once in HS), graduation rates + English language proficiency. State accountability plans approved by US Department of Education. Subgrants flow to LEAs based on state plans.
Jurisdiction: US
Lifecycle: Active
US FAA Federal Aviation Regulations
The Federal Aviation Administration regulates US civil aviation. Title 14 of the CFR (Federal Aviation Regulations — FARs) covers airworthiness (Parts 21-39), pilot certification (Part 61), flight operations (Parts 91, 121, 135), maintenance (Part 43), repair stations (Part 145) + safety management (Part 5 — SMS). FAR Part 121 governs scheduled airline operations; Part 135 governs on-demand/commuter; Part 91 governs general aviation. Air Carrier Certificate (Part 121) + Operations Specifications + FAA oversight by Certificate Management Office (CMO). FAA Compliance Action / enforcement via warning letters, civil penalties, suspension + revocation.
Jurisdiction: US
Lifecycle: Active
US False Claims Act
The False Claims Act (FCA) imposes liability on persons + companies who defraud federal programs — including Medicare + Medicaid. Treble damages + civil penalties per claim ($13,946-$27,894 in 2024). Qui tam provisions allow whistleblowers (relators) to bring suits on behalf of the government + share in recovery (15-30%). Healthcare is the largest source of FCA recoveries — covering billing fraud, kickbacks-as-FCA-predicate (post-2010 ACA), worthless services, off-label promotion + DSH gaming. Driving force behind hospital + physician + pharma compliance programs.
Jurisdiction: US
Lifecycle: Active
US FCC Rules + Regulations
The Federal Communications Commission regulates US interstate + international communications by radio, television, wire, satellite + cable. 47 CFR contains the FCC rules covering equipment authorisation, spectrum allocation, broadcasting (Parts 73 + 74), cable (Part 76), telephone (Parts 51, 52, 64) + emerging areas (5G, satellite, broadband). Enforcement Bureau investigates + issues NALs (Notice of Apparent Liability) + Consent Decrees. Companion: Communications Act 1934 + Telecommunications Act 1996 + recent reforms.
Jurisdiction: US
Lifecycle: Active
US FERC Reliability + Market Standards
The Federal Energy Regulatory Commission (FERC) regulates interstate transmission + wholesale sales of electricity + natural gas + oil pipelines + hydropower in the US. Reliability Standards developed by NERC (including the CIP cyber-security standards) + approved by FERC are mandatory + enforceable. FERC also enforces market manipulation prohibitions, capacity market rules + the Open Access Transmission Tariff (OATT). Civil penalties of over $1.3M per day per violation (inflation-adjusted annually). ISO/RTO rules sit beneath FERC.
Jurisdiction: US
Lifecycle: Active
US FERPA — Family Educational Rights and Privacy Act
FERPA (20 USC §1232g; 34 CFR Part 99) protects the privacy of student education records at any school that receives funding from the US Department of Education. Gives parents rights to inspect + review education records, request amendment + control disclosures (transferring to the student at age 18 — "eligible student"). Limits non-consensual disclosure of personally identifiable information from education records; permits disclosure to "school officials" with legitimate educational interest. Enforced by the US Department of Education Student Privacy Policy Office; loss of federal funding is the ultimate sanction.
Jurisdiction: US
Lifecycle: Active
US Fair Housing Act
US Federal law prohibiting discrimination in the sale, rental + financing of housing on the basis of race, colour, national origin, religion, sex, familial status + disability. Enforced by HUD + state/local fair housing agencies.
Jurisdiction: US
Lifecycle: Active
US Federal Insecticide, Fungicide, Rodenticide Act (FIFRA)
EPA-administered framework regulating the distribution, sale + use of pesticides in the US. Requires pesticide registration, labelling + worker protection (40 CFR Part 170). State agencies enforce + license applicators.
Jurisdiction: US
Lifecycle: Active
US FLSA Tipped Employee Provisions
The Fair Labor Standards Act (FLSA) tipped employee provisions allow employers to take a "tip credit" against the federal minimum wage for tipped employees. The 2021 Dual Jobs / 80/20/30 rule was vacated by the Fifth Circuit in 2024, + the area continues to evolve. State laws are often more protective. Tip pooling permitted with restrictions; managers + supervisors cannot keep tips.
Jurisdiction: US
Lifecycle: Active
US FMCSA Hours of Service + CMV Regulations
The Federal Motor Carrier Safety Administration regulates commercial motor vehicles (CMVs) in the US. Hours of Service (HOS) rules at 49 CFR Part 395 limit driving hours (11h driving / 14h on-duty per day; 60h/7d or 70h/8d cycle) + require Electronic Logging Devices (ELDs). Companion FMCSRs cover driver qualification (Part 391), drug + alcohol testing (Part 382), vehicle maintenance (Part 396), CDL (Part 383) + hazardous materials (Part 397). Compliance enforced via roadside inspections + Compliance, Safety, Accountability (CSA) BASICs + new entrant audits + civil penalties + Out of Service orders.
Jurisdiction: US
Lifecycle: Active
US FDA Food Code
The FDA Food Code is the model regulatory standard adopted with amendments by state + local jurisdictions for restaurants + retail food establishments in the US. Covers food employee health, safe food temperatures, cleaning + sanitising, equipment standards + management. Underpins state retail food inspection + Person in Charge requirements + Certified Food Protection Manager.
Jurisdiction: US
Lifecycle: Active
US IRS Form 990 — Annual Information Return
Form 990 (Return of Organization Exempt From Income Tax) is the IRS annual information return required of most tax-exempt organisations. Versions: 990 (gross receipts >$200k or assets >$500k), 990-EZ (between $50k-$200k), 990-N e-postcard (<$50k), 990-PF (private foundations), 990-T (UBIT). Detailed disclosures on governance, executive compensation, related-party transactions, lobbying + functional expenses. Publicly disclosable. Failure to file 3 consecutive years revokes exempt status automatically.
Jurisdiction: US
Lifecycle: Active
US Federal Railroad Administration Regulations
The Federal Railroad Administration regulates the US railroad industry. 49 CFR Parts 200-272 cover track safety, train control + positive train control (PTC), locomotive + freight car safety, hazmat rail transport, hours of service + Railroad Safety Risk Reduction (RSRRP). PTC mandated for Class I rail under Rail Safety Improvement Act 2008 (implemented 2020). Enforcement via inspections + civil penalties + emergency orders.
Jurisdiction: US
Lifecycle: Active
US USDA Food Safety and Inspection Service
USDA FSIS regulates meat, poultry + processed egg products under the Federal Meat Inspection Act, Poultry Products Inspection Act + Egg Products Inspection Act. Mandatory HACCP-based inspection + verification across all US meat + poultry establishments. Recalls + import re-inspection. Distinct from FDA-regulated foods.
Jurisdiction: US
Lifecycle: Active
US FDA Food Safety Modernization Act
FSMA is the most sweeping reform of US food-safety laws in 70+ years, shifting the FDA approach from responding to contamination to preventing it. Seven major rules: Preventive Controls (human food), Preventive Controls (animal food), Produce Safety, FSVP (Foreign Supplier Verification), Sanitary Transportation, Mitigation Strategies (intentional adulteration) + Accreditation of Third-Party Certification Bodies. Risk-based + science-based with significant industry obligations including food safety plans + supply chain controls.
Jurisdiction: US
Lifecycle: Active
US FSMA Preventive Controls for Human Food (21 CFR Part 117)
FDA Food Safety Modernization Act subpart establishing current good manufacturing practice, hazard analysis + risk-based preventive controls for human food. Requires a written food safety plan, hazard analysis, preventive controls (process, allergen, sanitation, supply chain), monitoring + verification + a qualified individual.
Jurisdiction: US
Lifecycle: Active
US FSMA Produce Safety Rule (21 CFR Part 112)
FDA rule setting science-based minimum standards for the safe growing, harvesting, packing + holding of fruits + vegetables grown for human consumption. Covers agricultural water, biological soil amendments, sprouts, domesticated + wild animals, worker health + hygiene, equipment + tools.
Jurisdiction: US
Lifecycle: Active
US FTC Act — Unfair + Deceptive Acts + Practices
Section 5 of the Federal Trade Commission Act (15 USC §45) prohibits unfair or deceptive acts or practices (UDAP) in or affecting commerce; the FTC has long treated inadequate data security + misrepresented privacy practices as Section 5 violations. The FTC also enforces the Magnuson-Moss Warranty Act, COPPA, CAN-SPAM, the Telemarketing Sales Rule + others. State Attorneys General enforce state UDAP statutes. Civil penalties (for rule + order violations) + consumer redress + consent orders. Companion: state "Little FTC Acts".
Jurisdiction: US
Lifecycle: Active
US GAAP — FASB Accounting Standards Codification
US Generally Accepted Accounting Principles, codified into the FASB Accounting Standards Codification (ASC). The single source of authoritative US accounting + reporting standards for nongovernmental entities, including all SEC registrants. Continuously updated via Accounting Standards Updates (ASUs). Adoption is mandatory for SEC registrants + widely required by US private-company lenders + auditors. Key topics include Revenue (ASC 606), Leases (ASC 842), Stock Comp (ASC 718), Income Taxes (ASC 740), Business Combinations (ASC 805), Fair Value (ASC 820), Financial Instruments (ASC 815, 825, 326).
Jurisdiction: US
Lifecycle: Active
US GLBA Safeguards Rule for Higher Education
The FTC Safeguards Rule (16 CFR Part 314), issued under the Gramm-Leach-Bliley Act, applies to higher education institutions that engage in financial activities (administering federal student aid, originating loans, processing payments). Requires a written information security program with administrative, technical + physical safeguards; a designated Qualified Individual; written risk assessment; access controls, encryption of customer information in transit + at rest, MFA for anyone accessing customer information, change management; incident response + service-provider oversight. Since May 2024 the Rule also requires notifying the FTC within 30 days of discovering a notification event affecting 500+ consumers. Department of Education enforces via Title IV audits + cybersecurity scrutiny.
Jurisdiction: US
Lifecycle: Active
US HEA Title IV — Federal Student Aid Compliance
Title IV of the Higher Education Act (HEA) governs federal student financial aid programs — Pell Grants, federal student loans, work-study + supplemental grants. Participating institutions must execute a Program Participation Agreement + comply with administrative capability + financial responsibility standards, return of Title IV funds calculations, the 90/10 rule + Gainful Employment + Borrower Defense regulations. Audited annually + subject to program reviews. Loss of Title IV eligibility is an institutional death sentence for most providers.
Jurisdiction: US
Lifecycle: Active
US IDEA — Individuals with Disabilities Education Act
IDEA (20 USC §§1400-1482) is the principal federal special education law in the US, ensuring children with disabilities receive a Free Appropriate Public Education (FAPE) in the Least Restrictive Environment (LRE). Part A (general provisions), Part B (school-aged, 3-21), Part C (early intervention, birth to 2), Part D (national activities). Drives the IEP (Individualised Education Program), procedural safeguards, evaluation timelines + due process. Enforced by US Department of Education OSEP + state SEAs. Companion to Section 504 of the Rehabilitation Act.
Jurisdiction: US
Lifecycle: Active
US IOLTA + Lawyer Trust Account Rules
Interest on Lawyer Trust Accounts (IOLTA) + state-equivalent rules govern the handling of client funds by US lawyers. Funds held in trust must be in a separate IOLTA account; interest funds legal aid in most states. Trust account integrity is among the most heavily disciplined areas of US legal ethics — commingling, conversion + careless overdrafts trigger near-automatic suspension or disbarment. State bar rules (e.g. ABA Model Rule 1.15) drive specifics.
Jurisdiction: US
Lifecycle: Active
US McKinney-Vento Homeless Assistance Act (Education)
McKinney-Vento (42 USC §11431+) ensures the enrolment, attendance + success of children + youth experiencing homelessness. Requires LEAs to identify homeless students, designate a homeless liaison, allow immediate enrolment without typical documentation + provide transportation to school of origin. Federal subgrants support implementation. Enforced by Department of Education + state coordinators.
Jurisdiction: US
Lifecycle: Active
US NRC Regulations (10 CFR)
The US Nuclear Regulatory Commission regulates commercial nuclear power, research reactors, fuel cycle facilities + materials uses. 10 CFR sets out requirements covering reactor licensing (Parts 50/52), operating reactors (Part 50 Appendices), materials (Parts 30-40), physical security + material control (Parts 73-74, including the cyber security programme required by §73.54), emergency planning (Part 50 Appendix E) + radiation protection (Part 20). Generic Letters, Bulletins + Information Notices supplement. Inspections via the Reactor Oversight Process (ROP).
Jurisdiction: US
Lifecycle: Active
US PPRA — Protection of Pupil Rights Amendment
PPRA (20 USC §1232h) gives parents certain rights regarding surveys, analyses + evaluations conducted on minor students by programs funded by the US Department of Education. Requires written parental consent (or opt-out where the survey is not DOE-funded) before students participate in surveys covering specified "protected information" (political beliefs, mental health, sexual behaviour, religious practices, family income + more). Enforced by the Department of Education Student Privacy Policy Office.
Jurisdiction: US
Lifecycle: Active
US EPA RCRA — Resource Conservation + Recovery Act
RCRA (42 USC §6901+) governs the management of hazardous + non-hazardous waste in the US. Subtitle C creates the cradle-to-grave hazardous waste management system — generator categories (VSQG, SQG, LQG), manifesting + tracking, treatment / storage / disposal facility (TSDF) standards. Subtitle D covers solid waste + landfills. State-authorised programs implement RCRA. EPA + state enforcement; civil + criminal penalties.
Jurisdiction: US
Lifecycle: Active
US RESPA + TILA (incl. TRID)
US Real Estate Settlement Procedures Act + Truth in Lending Act (with TRID — TILA-RESPA Integrated Disclosures) govern mortgage origination disclosures + practices. Prohibits kickbacks (Section 8) + requires standardised disclosure forms (Loan Estimate + Closing Disclosure).
Jurisdiction: US
Lifecycle: Active
US Sales Tax Economic Nexus (post-Wayfair)
Following the US Supreme Court's 2018 South Dakota v. Wayfair decision, US states can require sellers without physical nexus to collect + remit sales tax based on economic activity in the state (typically a revenue + transactions threshold). All 45 sales-tax states + DC have adopted economic-nexus rules with varying thresholds (typically $100k revenue or 200 transactions, but recent trends drop the transaction prong). Marketplace facilitator laws shift collection to platforms in many states. Compliance complexity is significant: ~46 jurisdictions with different rules, rates + filing cadences.
Jurisdiction: US
Lifecycle: Active
US EPA Safe Drinking Water Act
The Safe Drinking Water Act (42 USC §300f+) regulates public drinking water supplies in the US. EPA + state primacy agencies enforce National Primary Drinking Water Regulations (NPDWRs) including MCLs, treatment technique requirements, monitoring + reporting + Consumer Confidence Reports. AWIA (America's Water Infrastructure Act) 2018 requires Risk + Resilience Assessments + Emergency Response Plans for community water systems serving >3,300. Penalties + emergency orders.
Jurisdiction: US
Lifecycle: Active
US Section 504 of Rehabilitation Act 1973
Section 504 (29 USC §794) prohibits discrimination on the basis of disability in any program or activity receiving federal financial assistance. In K-12, drives the 504 Plan for students with disabilities who do not qualify for an IEP but need accommodations. Broader than IDEA in coverage (functional impairment threshold) + applies to higher ed too. Enforced by Department of Education OCR + HHS for healthcare-affiliated education. 2024 HHS rule strengthened web accessibility + telehealth equivalence.
Jurisdiction: US
Lifecycle: Active
ServSafe + ServSafe Alcohol Programs
ServSafe is the leading US food safety + responsible alcohol service training + certification program administered by the National Restaurant Association. ServSafe Manager + Food Handler are widely used to meet state CFPM + food handler card requirements. ServSafe Alcohol covers responsible alcohol service compliant with state requirements. The Manager certification is ANSI/ANAB-accredited against Conference for Food Protection (CFP) standards.
Jurisdiction: US
Lifecycle: Active
US Standards for Excellence (Nonprofit)
The Standards for Excellence is a voluntary nonprofit ethics + accountability framework administered by the Standards for Excellence Institute + state nonprofit associations. 27 standards across 6 categories (Mission + Strategy, Leadership, Legal Compliance + Ethics, Finance + Operations, Resource Development, Public Awareness + Engagement). Accreditation involves rigorous peer review. Widely referenced by funders + donors as a benchmark of nonprofit accountability.
Jurisdiction: US
Lifecycle: Active
US State Charitable Solicitation Registration
Most US states require charitable organisations soliciting contributions to register with the state attorney general or secretary of state + file annual reports. Multi-state registration commonly facilitated through the Unified Registration Statement (URS). State registration is in addition to federal §501(c)(3) recognition + Form 990. State enforcement includes registration revocation + civil penalties + injunctions.
Jurisdiction: US
Lifecycle: Active
US State Student-Data Privacy Laws (SOPPA / SOPIPA / CSDPA)
A patchwork of state student-data privacy laws sits alongside federal FERPA + COPPA. California SOPIPA (Student Online Personal Information Protection Act) was the first comprehensive law (2014); Illinois SOPPA (2021) imposed contract + breach-notification requirements; Connecticut, Colorado, NY (Education Law 2-d), Texas + 20+ other states have similar laws. Common themes: prohibitions on targeted advertising + selling student data + creating profiles for commercial purposes + requirements for data security + contractual flow-down. Applies to EdTech operators + districts contracting with them.
Jurisdiction: US
Lifecycle: Active
US TCPA — Telephone Consumer Protection Act
The Telephone Consumer Protection Act (47 USC §227) regulates telemarketing calls, automatic telephone dialing systems (autodialers), prerecorded / artificial voice messages + faxes. Significant litigation source with $500-$1,500 per call statutory damages. The FCC + lower courts long interpreted "autodialer" expansively; Facebook v. Duguid (2021) narrowed the definition to systems that generate numbers randomly or sequentially. Prior express written consent required for autodialed or prerecorded marketing calls + texts to mobile phones. Companion: National Do Not Call Registry + state mini-TCPA laws (e.g. Florida, Oklahoma).
Jurisdiction: US
Lifecycle: Active
US Title IX of Education Amendments 1972
Title IX (20 USC §1681) prohibits discrimination based on sex in any federally-funded education program or activity. Covers admissions, employment, athletics + sexual harassment / assault. Regulations at 34 CFR Part 106 are amended periodically; the 2024 rule (with significant changes to definitions, grievance procedures + gender-identity protections) was vacated nationwide by a federal court in January 2025, reverting institutions to the 2020 regulations. Requires a Title IX Coordinator, written grievance procedures, notice + investigation + decision + appeal. Enforced by US Department of Education Office for Civil Rights (OCR) + private right of action.
Jurisdiction: US
Lifecycle: Active
US TSCA — Toxic Substances Control Act
TSCA (15 USC §2601+) gives EPA authority to require reporting, record-keeping, testing requirements + restrictions relating to chemical substances. The 2016 Lautenberg Chemical Safety Act significantly strengthened EPA's ability to evaluate + manage chemical risks. TSCA Inventory + PMN process for new chemicals; CDR every 4 years; risk evaluation + management for existing chemicals.
Jurisdiction: US
Lifecycle: Active
US VAWA Campus Provisions
The Violence Against Women Act (VAWA) 2013 amendments to the Clery Act require post-secondary institutions to include dating violence, domestic violence + stalking in their Annual Security Reports + crime logs + prevention + response programs. The 2022 reauthorization strengthened campus advocate roles + survivor support. Closely integrated with Title IX though distinct in scope + procedure.
Jurisdiction: US
Lifecycle: Active
WOAH (OIE) Terrestrial Animal Health Code
World Organisation for Animal Health (WOAH, formerly OIE) Code providing standards for animal health, welfare + zoonotic risk management. Used by national veterinary services + as the SPS Agreement reference for international trade.
Jurisdiction: GLOBAL
Lifecycle: Active