Does GDPR apply to companies outside the EU?

Yes. GDPR is extraterritorial: it applies to any organisation that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the organisation is based. Non-EU controllers may need an EU representative.

What is the difference between CCPA and GDPR?

GDPR is a comprehensive consent-and-rights regime covering all personal data of EU residents. The CCPA (and its successor the CPRA) is narrower, focused on consumer rights such as opting out of the sale or sharing of personal information for California residents.

Which laws have data-localisation requirements?

China's PIPL and Cybersecurity Law impose strict cross-border transfer controls and localisation for certain data. Russia, India and several others also have localisation rules. Always check transfer mechanisms before moving personal data across borders.

Is this a complete list of cybersecurity laws?

No. It highlights major national frameworks for orientation. Most countries layer sector-specific rules for finance, health and telecoms on top, and the landscape changes frequently. Treat it as a starting point, not an authoritative compliance source.

Is this legal advice?

No. This reference is for general awareness only and does not constitute legal advice. Confirm your actual obligations with the relevant data-protection authority or qualified legal counsel for each jurisdiction.

Cybersecurity Law by Country Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Mapping the global privacy landscape

Companies operating across borders must navigate dozens of overlapping data-protection and cybersecurity regimes. This reference gives a high-level orientation: the major national laws by country and region, the year each came into force, and a short note on what it covers — from the EU’s GDPR to Brazil’s LGPD, China’s PIPL and India’s DPDP Act.

How it works

Most modern laws follow a similar shape — a consent or lawful-basis requirement, data-subject rights, breach-notification duties and a supervisory authority — but the details, penalties and transfer rules vary widely. A few patterns to watch:

Comprehensive GDPR-style:  GDPR, UK GDPR, LGPD, PIPA, POPIA, DPDP, revFADP
Consumer / sectoral US:    CCPA/CPRA, HIPAA
Localisation-heavy:        PIPL, Cybersecurity Law (China)
Cyber risk-management:     NIS2 (EU)

The filter searches across country, region, law name and scope so you can quickly find the frameworks relevant to a target market. Years shown are when the law took effect, which can differ from when it was enacted.

Tips and notes

GDPR and several successors are extraterritorial — base location does not exempt you.
Check cross-border transfer mechanisms (SCCs, adequacy, localisation) before moving data.
Many jurisdictions add sector rules for finance, health and telecoms on top of these.
This table is for orientation only; confirm current duties with each regulator or counsel.