Which Compliance Frameworks Apply to Your Industry?
Every industry faces different regulatory requirements. Use this interactive reference guide to understand which compliance frameworks your organization must follow, and how Petronella can help you achieve and maintain compliance.
23+ years helping organizations navigate compliance. 2,500+ clients served. BBB A+ Accredited since 2003.
Q: How do I know which compliance frameworks apply to my business? The compliance frameworks you must follow depend on your industry, the type of data you handle, who you do business with, and where your customers are located. Healthcare organizations must comply with HIPAA. Defense contractors need CMMC. Companies handling credit cards need PCI DSS. Many organizations are subject to multiple overlapping frameworks. Use the matrix below to identify your requirements, and contact us for a free compliance consultation.
Industry-to-Framework Compliance Matrix
This reference table shows which compliance frameworks typically apply to each industry. A filled circle (●) marks the primary or most common framework for that industry; a checkmark (✓) marks additional frameworks that commonly apply.
| Industry | HIPAA | CMMC | NIST 800-171 | SOC 2 | PCI DSS | GDPR | FTC Safeguards | ISO 27001 |
|---|---|---|---|---|---|---|---|---|
| Healthcare / Medical | ● | — | — | ✓ | ✓ | ✓ | — | ✓ |
| Defense / DoD Contractors | — | ● | ● | — | — | — | — | ✓ |
| Finance / Banking | — | — | — | ✓ | ● | ✓ | ● | ✓ |
| Legal / Law Firms | ✓ | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| SaaS / Technology | ✓ | — | — | ● | ✓ | ✓ | — | ✓ |
| Retail / eCommerce | — | — | — | — | ● | ✓ | — | ✓ |
| Manufacturing | — | ✓ | ✓ | — | — | ✓ | — | ● |
| Education | ✓ | — | ✓ | — | ✓ | ✓ | — | ✓ |
| Government (State/Local) | ✓ | — | ● | — | ✓ | — | — | ✓ |
Compliance Requirements by Industry
Each industry faces unique regulatory pressures and compliance mandates. Here is what you need to know about the frameworks that govern your sector.
Healthcare
Healthcare organizations are bound by HIPAA, which mandates the protection of Protected Health Information (PHI) through administrative, physical, and technical safeguards. Annual Security Risk Assessments are required. Organizations handling payment cards must also comply with PCI DSS, and those with EU patients face GDPR obligations.
Defense / DoD Contractors
Defense contractors must achieve CMMC 2.0 certification and implement all 110 NIST SP 800-171 security controls. DFARS 252.204-7012 requires adequate security for Covered Defense Information, including 72-hour incident reporting. ITAR applies to companies handling defense articles or technical data on the U.S. Munitions List.
Finance / Banking
Financial institutions face one of the most heavily regulated compliance landscapes. The FTC Safeguards Rule (updated 2023) requires comprehensive information security programs. GLBA mandates privacy protections. PCI DSS applies to all card payment processing. SOX adds requirements for publicly traded companies. Banks face additional FFIEC examination requirements.
Legal / Law Firms
Law firms hold some of the most sensitive client data in any industry. Bar association ethics rules require reasonable measures to protect client confidentiality. Firms handling healthcare clients face HIPAA obligations. Those handling financial data face FTC Safeguards Rule requirements. Insurance carriers increasingly require SOC 2 or ISO 27001.
SaaS / Technology
SOC 2 is the de facto compliance standard for SaaS companies, as enterprise buyers require it before signing contracts. Companies handling health data need HIPAA compliance. Those processing payments need PCI DSS. GDPR applies to any SaaS platform with EU users. ISO 27001 is increasingly requested for global enterprise deals.
Retail / eCommerce
Retailers processing credit card payments must comply with PCI DSS, which sets security standards for cardholder data environments. eCommerce businesses with EU customers face GDPR obligations. ISO 27001 provides a comprehensive security management system that satisfies multiple retail compliance requirements simultaneously.
Manufacturing
Manufacturers in the defense supply chain must comply with CMMC and NIST 800-171. ISO 27001 is increasingly required by automotive and industrial supply chain partners. GDPR applies to manufacturers with EU operations. OT/ICS security requires specialized controls beyond traditional IT frameworks.
Education
Educational institutions must protect student records under FERPA. Schools with health services face HIPAA requirements. Institutions receiving federal research funding may need NIST 800-171 compliance for CUI. Universities processing payments need PCI DSS. GDPR applies to institutions with international students from the EU.
Government (State/Local)
State and local government agencies must protect citizen data under NIST frameworks. CJIS Security Policy applies to agencies accessing FBI criminal justice information. Agencies handling health data face HIPAA requirements. FedRAMP governs cloud services for federal information. Many states have their own cybersecurity mandates and breach notification laws.
Compliance Framework Quick Reference
A brief overview of the major compliance frameworks referenced in this guide. Click through to our detailed pages for each framework.
HIPAA
Protects patient health information (PHI). Applies to healthcare providers, insurers, and their business associates.
CMMC 2.0
Cybersecurity certification for DoD contractors. Three levels based on the sensitivity of information handled.
SOC 2
Trust Services Criteria framework for service organizations. Required by enterprise buyers before signing SaaS contracts.
PCI DSS
Payment card industry standard for organizations that store, process, or transmit cardholder data.
NIST 800-171
110 security requirements for protecting CUI in non-federal systems. Foundation of CMMC Level 2.
GDPR
European data protection regulation. Applies to any organization processing personal data of EU residents.
FTC Safeguards
Updated 2023 rule requiring financial institutions to implement comprehensive information security programs.
ISO 27001
International information security management standard. Provides a comprehensive control framework recognized globally.
Compliance by Industry FAQ
How do I determine which compliance frameworks apply to my business?
The compliance frameworks that apply to your business are determined by your industry, the types of data you collect and process, who your customers and partners are, and where they are located. Healthcare organizations handling PHI must comply with HIPAA. Defense contractors handling CUI need CMMC. Companies processing credit cards need PCI DSS. Organizations with EU customers or employees face GDPR. Many businesses are subject to multiple overlapping frameworks. A compliance assessment from Petronella identifies all applicable requirements.
Can I comply with multiple frameworks at the same time?
Yes. Many compliance frameworks share overlapping controls, which means implementing one framework often covers significant portions of another. For example, implementing NIST 800-171 for CMMC covers much of ISO 27001. Achieving SOC 2 addresses many HIPAA technical safeguards. Petronella builds unified compliance programs that map controls across all applicable frameworks, reducing duplicate effort and cost.
What happens if my business fails to comply with a required framework?
Consequences vary by framework. HIPAA violations can result in fines from $100 to $50,000 per violation, up to $2.1 million per violation category per year. PCI DSS non-compliance can lead to fines of $5,000 to $100,000 per month from payment processors. CMMC non-compliance means you cannot bid on DoD contracts. GDPR fines can reach 4% of global annual revenue or €20 million, whichever is higher. Beyond fines, non-compliance often leads to data breaches, lawsuits, and reputational damage.
How often do compliance requirements change?
Compliance frameworks are updated regularly. HIPAA has been relatively stable but enforcement priorities shift. PCI DSS 4.0 introduced major changes in 2024. CMMC 2.0 replaced the original CMMC 1.0 model. The FTC Safeguards Rule was significantly updated in 2023. GDPR has ongoing guidance from data protection authorities. Petronella monitors all regulatory changes and helps clients adapt their security programs proactively.
Does Petronella help with compliance audits and certifications?
Yes. Petronella provides end-to-end compliance support including gap assessments, control implementation, policy development, employee training, evidence collection, and audit preparation. While we do not perform the formal certification audits ourselves (those require independent third-party assessors), we prepare your organization to pass those audits on the first attempt. We support HIPAA, CMMC, SOC 2, PCI DSS, ISO 27001, and more.
Not Sure Which Frameworks Apply to You?
Many organizations are subject to multiple overlapping compliance requirements. Our team will assess your industry, data types, and business relationships to identify exactly which frameworks you need to comply with and help you build a unified compliance program. The first consultation is free.