How to Use This Cybersecurity Resource
The National Data Protection Authority reference directory covers the regulatory, statutory, and operational landscape of data protection and cybersecurity compliance in the United States. Content is organized by legal framework, agency jurisdiction, sector, and data category — structured for professionals, researchers, and organizations navigating compliance obligations. This page describes how the directory is organized, how its content is verified, how it fits alongside authoritative primary sources, and how corrections or updates are submitted.
How to find specific topics
Content is organized across four primary classification tracks, each reflecting a distinct way professionals approach data protection questions.
By statute or regulation — Pages covering federal laws such as HIPAA Data Protection Requirements, the Gramm-Leach-Bliley Act financial data framework, COPPA children's data protection obligations, and FERPA educational records protection are maintained as standalone reference entries. Each entry covers statutory scope, covered entities, enforcement authority, and penalty structure.
By agency or enforcement body — The Federal Data Protection Agencies reference maps jurisdictional authority across the Federal Trade Commission, the Department of Health and Human Services Office for Civil Rights, the Consumer Financial Protection Bureau, and other named enforcement bodies. Enforcement action patterns are documented separately under FTC Data Security Enforcement and Data Protection Penalties and Enforcement.
By data category — Reference entries cover distinct data classifications including Personally Identifiable Information Definitions, Sensitive Data Categories, and Biometric Data Protection Laws. Classification boundaries vary by statute — what constitutes "sensitive" under California's CPRA differs from classifications under HIPAA's Protected Health Information definition.
By operational process or program area — Compliance program functions are documented across pages covering Incident Response and Data Breach, Privacy Impact Assessments, Data Retention and Disposal Standards, Third-Party Vendor Data Security, and Data Encryption Standards Compliance.
For a structured entry point into the full content inventory, the Cybersecurity Listings page provides categorical access across all published reference entries. The Cybersecurity Directory Purpose and Scope page defines what this directory covers and what it does not.
How content is verified
Reference entries are grounded in named primary sources: enacted federal statutes, published agency regulations in the Code of Federal Regulations, official agency guidance documents, and standards published by recognized standards bodies.
Primary source standards relied upon include:
- NIST publications — The National Institute of Standards and Technology's Special Publication series, including SP 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations, available at csrc.nist.gov) and the NIST Privacy Framework (Version 1.0, nist.gov/privacy-framework).
- Federal statute and regulation text — Statutes such as 15 U.S.C. § 6801 et seq. (Gramm-Leach-Bliley) and 15 U.S.C. §§ 6501–6506 (COPPA), as published in the United States Code at uscode.house.gov, and their implementing regulations, such as 45 C.F.R. Parts 160 and 164 (HIPAA Privacy, Security, and Breach Notification Rules) and 16 C.F.R. Part 312 (COPPA Rule), as published in the Electronic Code of Federal Regulations at ecfr.gov. Entries distinguish the statute, which sets the scope and enforcement authority, from the rule, which sets the operative requirements.
- Agency enforcement and guidance documents — Published FTC reports, HHS OCR breach portal data, CISA advisories, and state attorney general guidance where directly applicable to a statutory entry.
- State statutory text — For entries covering state law, such as the CCPA/CPRA Compliance Reference and State Data Privacy Laws Comparison, source text is drawn from enacted legislation as published in official state legislative databases.
Penalty figures, breach thresholds, and jurisdictional counts cited in any reference entry are attributed to the specific statute, regulation, or agency document from which they are drawn. Figures not traceable to a named public document are characterized structurally ("the penalty cap is established by statute") rather than as unverified numerical assertions.
Content is not legal advice. Regulatory references describe the structure and published scope of law — not its application to any specific organization or fact pattern.
How to use alongside other sources
This directory functions as a structured cross-reference layer, not a replacement for primary regulatory sources. The relationship between this reference and primary sources follows a defined hierarchy:
- Primary authority: The enacted statute, published regulation, or official agency guidance document. Where specific compliance decisions are being made, the primary text governs.
- Agency interpretive resources: FTC Business Guidance, HHS OCR FAQ documents, CFPB examination procedures, and CISA advisories provide agency-level interpretive framing. These are linked directly within relevant reference pages.
- Standards body frameworks: NIST, the International Organization for Standardization (ISO), and the Cloud Security Alliance publish frameworks that inform but do not constitute regulatory requirements unless adopted by reference in an applicable rule.
- This directory: Provides structural navigation, classification context, cross-statutory comparison, and sector-specific indexing across the above layers.
A compliance professional reviewing Cross-Border Data Transfer Rules, for example, would use this reference to identify the relevant federal and state statutory frameworks, then consult the primary statute text and agency guidance for operative requirements. The directory identifies the landscape; the primary sources define the obligation.
Feedback and updates
Data protection law in the United States changes through legislative enactment, agency rulemaking, published enforcement actions, and court decisions. Reference entries are updated when a named primary source — a statute, a published final rule in the Federal Register, or an official agency document — changes the operative text or enforcement threshold documented in an entry.
The US Data Protection Laws Overview and Emerging Federal Privacy Legislation pages track the federal statutory landscape, including pending legislation and regulatory rulemaking proceedings that may affect the content of existing entries.
Submissions identifying specific factual errors — citing the primary source that contradicts published content — can be directed through the contact page. Submissions that reference a specific statute, regulation section, or agency document receive priority review. Requests for new topic coverage are assessed against the directory's defined scope as described in the Cybersecurity Directory Purpose and Scope page.