Hard2bit
GRC · Multi-jurisdiction compliance

Which cybersecurity and compliance regulations must your company meet?

Answer a few questions about your organisation and the jurisdictions it operates in (EU, Spain, UK, US and Latin America) and instantly get your compliance and GRC map: which cybersecurity regulations apply to you, with exposure level, deadlines, estimated penalties and key obligations.

27 regulations · 5 jurisdictions · No sign-up · Instant result

Legal notice: automated, general guidance for informational purposes. Not legal advice or an official determination of applicability. Actual obligations and amounts depend on thresholds, activity, jurisdictions and supply chain, and must be confirmed through professional analysis. Indexed or unit-based figures (UMA/UTM/UIT) are updated periodically; check the official source. Hard2bit accepts no liability for decisions made solely on this result.

How to know which cybersecurity regulations apply to you

In 2026, most European companies are subject to several cybersecurity and compliance regulations at once, and applicability depends on three factors: the sector you operate in, the size of the organisation and the specific activities you carry out (processing personal data, taking card payments, selling online, manufacturing digital products, using AI or exporting). This tool combines those three factors to indicate, on an indicative basis, which frameworks you should review as a priority.

Regulations covered by the assessment

The assessment is multi-jurisdiction and evaluates the main rules based on where you are established, where your customers are and which markets you serve. In the EU and Spain: NIS2, DORA, the National Security Framework (ENS), the GDPR and the Spanish Data Protection Act (LOPDGDD), cookies/ePrivacy, PCI DSS, the European Accessibility Act, the Cyber Resilience Act, the AI Act and dual-use export control. In the United Kingdom: UK GDPR (as amended by the Data (Use and Access) Act 2025) and PECR. In the United States: HIPAA, GLBA and the FTC Safeguards Rule, CCPA/CPRA and the other state privacy laws, state breach-notification laws, the SEC cybersecurity disclosure rules, NYDFS Part 500 and CMMC. In Latin America: LGPD (Brazil), the new LFPDPPP (Mexico), Laws 21.719 and 21.663 (Chile), Law 1581 (Colombia) and Law 25.326 (Argentina). Plus voluntary but enabling frameworks: ISO/IEC 27001, ISO/IEC 42001 (AI management systems) and SOC 2. Each card links to its official source.

What to do with the result

The result is a starting point. For each applicable regulation, Hard2bit can carry out a formal applicability analysis, a technical and organisational gap assessment and a risk-prioritised roadmap to conformity, covering both the technical controls and the governance and evidence side.

Put Hard2bit to work on your compliance

As a cybersecurity company certified in ENS High and ISO 27001, with our own 24/7 SOC, we turn this diagnosis into a risk-prioritised adequacy plan for each regulation and jurisdiction.

Frequently asked questions

Which cybersecurity regulations must a company in Spain and the EU comply with?

It depends on sector, size and activity. The most common are NIS2 (essential and important entities in critical sectors), ENS (the Spanish public sector and its suppliers), DORA (financial entities and their critical ICT providers), the GDPR (any processing of personal data), PCI DSS (card payments), the European Accessibility Act (e-commerce and consumer services), the Cyber Resilience Act (manufacturers of products with digital elements), the AI Act (providers and deployers of AI systems) and, as a voluntary reference framework, ISO 27001. This tool indicates which likely apply to you based on your answers.

How do I know if my company is subject to NIS2?

NIS2 applies to essential and important entities in sectors such as energy, transport, banking, healthcare, digital infrastructure or public administration, generally from medium size upwards (50 or more employees, or more than €10M in annual turnover or balance sheet), although some entities, such as DNS providers, TLD registries, trust service providers and public administrations, are in scope regardless of size. It can also reach you indirectly if you are a critical supplier to an entity in scope, because that entity must manage supply-chain security and will pass requirements on to you. In Spain, transposition is being completed through the draft Cybersecurity Coordination and Governance Act, under parliamentary process in 2026.

Is this diagnosis reliable? Does it replace a legal analysis?

No. The result is automated, general guidance for informational purposes, not legal advice or an official determination of applicability. The actual obligation under each regulation depends on specific thresholds, activity, scope and supply-chain position. We recommend confirming it through professional analysis, which Hard2bit can carry out.

What is the difference between NIS2, ENS, DORA and ISO 27001?

They are complementary frameworks. ISO 27001 is a voluntary, certifiable standard that provides the management-system and evidence base. ENS (Royal Decree 311/2022) is mandatory for the Spanish public sector and its suppliers. NIS2 is an EU directive on cybersecurity for critical sectors, so it binds companies through each Member State's transposition law rather than directly. DORA is an EU regulation on digital operational resilience for the financial sector and applies directly, without transposition, since 17 January 2025. A single company can be subject to several at once, and a solid ISO 27001 base (risk assessment, control set, evidence) simplifies compliance with the rest.

What is GRC (governance, risk and compliance) and how does it relate to these regulations?

GRC stands for governance, risk and compliance. It is the approach that integrates cybersecurity risk management, compliance with regulations such as NIS2, ENS, DORA, GDPR or ISO 27001, and corporate governance into a single programme. Instead of tackling each rule separately, a GRC programme reuses common controls and evidence, cutting cost and effort. Hard2bit designs and runs GRC and regulatory compliance programmes for companies.

Do I have to comply with the European Accessibility Act if I sell online?

If you offer digital products or services to consumers in the EU (for example an online shop, banking or passenger transport), the European Accessibility Act has applied since 28 June 2025. In practice it requires your website or app to meet WCAG 2.1 level AA (through the harmonised standard EN 301 549) and to publish an accessibility statement.

Does the tool store my data or scan my website?

No. The diagnosis runs entirely in your browser from your answers alone; it does not scan your domain or store the information you enter. If you also want to check your technical exposure (HTTP security headers, TLS configuration, email authentication), you can separately use Hard2bit Scanner for free.