ISO 27001:2022 Clause 4.2 — Applicable laws, regulations & contractual obligations
| Regulation / Law | Jurisdiction | Type | How It Applies to AcmeCorp | Contact | Next Review | Status |
|---|---|---|---|---|---|---|
| UK GDPR & Data Protection Act 2018 | UK | Legislation | Processing personal data of UK data subjects; controller obligations | Sarah Lin (DPO) | 1 Feb 2027 | Compliant |
| EU General Data Protection Regulation | EU | Legislation | Processing personal data of EU data subjects via Dublin entity | Sarah Lin (DPO) | 1 Feb 2027 | Compliant |
| NIS 2 Directive (EU 2022/2555) | EU | Directive | Essential entity; 24h cyber incident reporting obligation from Oct 2024 | Jane Cooper (CISO) | 31 Mar 2026 | Partial |
| ISO 27001:2022 | Global | Standard | Voluntary standard maintained for customer assurance | Mike Patel (GRC) | Jan 2027 | Compliant |
| SOC 2 Type II (AICPA) | US | Framework | Customer contractual requirement for SaaS platform | Mike Patel (GRC) | Sep 2026 | Partial |
| BSI C5 (Cloud Computing) | DE | Standard | German enterprise customer procurement requirement | Mike Patel (GRC) | Jun 2026 | Partial |
| UK Computer Misuse Act 1990 | UK | Legislation | Unauthorised access provisions; employee awareness training | Sarah Lin (DPO) | Jan 2027 | Compliant |
| Payment Card Industry DSS v4.0 | Global | Standard | Payment processing via Stripe; applicable cardholder data controls | CFO | Mar 2026 | Compliant |
| ePrivacy Directive (Cookie Law) | EU | Directive | Cookie consent on salvinta.com and customer portals | Sarah Lin (DPO) | Jan 2027 | Compliant |
| Network & Information Security (NIS) UK | UK | Legislation | Operational technology security obligations | Jane Cooper (CISO) | Jun 2026 | Under Review |
| Cyber Essentials (NCSC) | UK | Certification | Public sector client supply chain requirement | Thomas Richards | Nov 2026 | Compliant |
| UK Modern Slavery Act 2015 | UK | Legislation | Annual disclosure statement (revenue >£36m threshold approaching) | HR Director | Jan 2027 | Compliant |