Enterprise web applications rarely face a single compliance requirement. They face several at once. A B2B SaaS platform serving healthcare clients in the United States and enterprise clients in the European Union must satisfy SOC 2, HIPAA, and GDPR simultaneously. A payments platform must satisfy PCI-DSS v4.0 regardless of geography. A global enterprise SaaS company pursuing ISO 27001 certification does so because multinational enterprise clients require it as a procurement condition.<\/p>\n\n\n\n
This is not a compliance checklist to work through sequentially. It is a concurrent set of obligations that share substantial technical control overlap and must be addressed through a unified enterprise application security architecture. The good news is that approximately 80% of the technical controls required across all five frameworks overlap. Build the right controls once and satisfy multiple frameworks from a single implementation.<\/p>\n\n\n\n
The cost of web application compliance is fixed and predictable when designed up front. Build the technical controls once and maintain them continuously. The annual audit becomes a documentation exercise rather than a remediation project. The cost of non-compliance is variable and unbounded. GDPR fines reach up to 4% of global annual turnover. PCI-DSS failures can result in the loss of card processing ability. SOC 2 failures end enterprise sales conversations before they begin.<\/p>\n\n\n\n
No engineering budget item has a more asymmetric risk-reward profile than compliance-by-design.<\/p>\n\n\n\n
The Five Core Compliance Frameworks<\/strong><\/h3>\n\n\n\nUnderstanding each framework’s scope, enforcement mechanism, and core technical obligation is essential. These form the foundation of any multi-framework compliance programme.<\/p>\n\n\n\n
Here is a concise reference for the five frameworks. Enterprise application security programmes most frequently need to satisfy all of them.<\/p>\n\n\n\n
EU General Data Protection Regulation<\/strong><\/h4>\n\n\n\nGDPR applies to any organisation that processes personal data of EU or UK residents, regardless of where the organisation is based. Data Protection Authorities enforce it, with the ICO in the UK, CNIL in France, and the Irish DPA acting as the lead supervisory authority for most US tech companies with EU headquarters. The maximum penalty is \u20ac20 million or 4% of global annual turnover, whichever is higher, for the most serious violations. Core technical obligations include Article 5 (data minimisation, purpose limitation, storage limitation), Article 25 (privacy by design and by default), and Article 32 (appropriate technical and organisational measures).<\/p>\n\n\n\n
Payment Card Industry Data Security Standard<\/strong><\/h4>\n\n\n\nPCI-DSS v4.0, mandatory for all assessments from March 2025, applies to any entity that stores, processes, or transmits cardholder data. Card brands including Visa, Mastercard, and Amex enforce it through acquiring banks and Qualified Security Assessor audits. The ultimate penalty is losing the ability to accept card payments entirely. Core requirements cover network security, cardholder data protection, secure software development, strong authentication, audit logging, and security testing.<\/p>\n\n\n\n
SOC 2 Type II<\/strong><\/h4>\n\n\n\nSOC 2 is the most commercially impactful certification for B2B SaaS companies selling to enterprise clients in the US market. The American Institute of CPAs defines the Trust Services Criteria, and licensed CPA firms perform the audits. There are no regulatory fines. The commercial penalty is losing enterprise customers who require SOC 2 Type II as a condition of doing business. Type II requires demonstrating continuous control operation across a twelve-month observation period, making it the most operationally demanding certification on this list.<\/p>\n\n\n\n
Health Insurance Portability and Accountability Act<\/strong><\/h4>\n\n\n\nHIPAA applies to US healthcare providers, health plans, clearinghouses, and their business associates. Any web application that processes, stores, or transmits Protected Health Information falls within scope. The HHS Office for Civil Rights enforces it, with penalties reaching up to $1.9 million per violation category per year. Criminal penalties apply to wilful violations. Core technical obligations come from the Security Rule’s Technical Safeguards at 45 CFR \u00a7164.312.<\/p>\n\n\n\n
ISO 27001<\/strong><\/h4>\n\n\n\nISO 27001 is a voluntary international standard for Information Security Management Systems, but it functions as a mandatory procurement requirement for many multinational enterprise clients, particularly in government, defence, and financial services. Accredited certification bodies audit organisations at Stage 1 and Stage 2, with annual surveillance audits and recertification every three years. The 2022 revision restructures the standard to 93 controls across four themes, replacing the 114 controls across 14 domains in the 2013 version.<\/p>\n\n\n\n
The table below summarises the key attributes of each framework for quick reference.<\/p>\n\n\n\nFramework<\/strong><\/td>Enforced By<\/strong><\/td>Maximum Penalty<\/strong><\/td>Audit Type<\/strong><\/td><\/tr>GDPR<\/td> Data Protection Authorities<\/td> \u20ac20M or 4% global turnover<\/td> Regulatory investigation<\/td><\/tr> PCI-DSS v4.0<\/td> Card brands via acquiring banks<\/td> Loss of card processing ability<\/td> QSA assessment or SAQ<\/td><\/tr> SOC 2 Type II<\/td> AICPA \/ CPA firms<\/td> Loss of enterprise customers<\/td> 12-month observation period<\/td><\/tr> HIPAA<\/td> HHS Office for Civil Rights<\/td> $1.9M per violation category<\/td> Federal investigation<\/td><\/tr> ISO 27001<\/td> Accredited certification bodies<\/td> Loss of enterprise contracts<\/td> Stage 1 + Stage 2 audit<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nIndia’s DPDP Act 2023 and IT Rules 2021<\/strong><\/h2>\n\n\n\nIndian web applications and global platforms with Indian users face two additional compliance frameworks that complement the five global frameworks above. The Digital Personal Data Protection Act 2023 establishes data protection rights for Indian residents, mirroring GDPR’s structure while reflecting the Indian legal context.<\/p>\n\n\n\n
The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021<\/a> impose platform governance obligations, including grievance management, content moderation, and compliance reporting for Significant Social Media Intermediaries. Organisations building for the Indian market should treat DPDP compliance<\/a> as a parallel workstream alongside GDPR, not as an afterthought. Most technical controls required for GDPR will satisfy DPDP obligations with minor adjustments to consent management and data localisation architecture.<\/p>\n\n\n\n![\"Secure](\"https:\/\/mobisoftinfotech.com\/resources\/wp-content\/uploads\/2026\/06\/CTA01-6.png\" "\\"Web")
![\"Secure](\"data:image\/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20855%20363%22%3E%3C%2Fsvg%3E\" "\\"Web")
GDPR applies to any organisation that processes personal data of EU or UK residents, regardless of where the organisation is based. Data Protection Authorities enforce it, with the ICO in the UK, CNIL in France, and the Irish DPA acting as the lead supervisory authority for most US tech companies with EU headquarters. The maximum penalty is \u20ac20 million or 4% of global annual turnover, whichever is higher, for the most serious violations. Core technical obligations include Article 5 (data minimisation, purpose limitation, storage limitation), Article 25 (privacy by design and by default), and Article 32 (appropriate technical and organisational measures).<\/p>\n\n\n\n
Payment Card Industry Data Security Standard<\/strong><\/h4>\n\n\n\nPCI-DSS v4.0, mandatory for all assessments from March 2025, applies to any entity that stores, processes, or transmits cardholder data. Card brands including Visa, Mastercard, and Amex enforce it through acquiring banks and Qualified Security Assessor audits. The ultimate penalty is losing the ability to accept card payments entirely. Core requirements cover network security, cardholder data protection, secure software development, strong authentication, audit logging, and security testing.<\/p>\n\n\n\n
SOC 2 Type II<\/strong><\/h4>\n\n\n\nSOC 2 is the most commercially impactful certification for B2B SaaS companies selling to enterprise clients in the US market. The American Institute of CPAs defines the Trust Services Criteria, and licensed CPA firms perform the audits. There are no regulatory fines. The commercial penalty is losing enterprise customers who require SOC 2 Type II as a condition of doing business. Type II requires demonstrating continuous control operation across a twelve-month observation period, making it the most operationally demanding certification on this list.<\/p>\n\n\n\n
Health Insurance Portability and Accountability Act<\/strong><\/h4>\n\n\n\nHIPAA applies to US healthcare providers, health plans, clearinghouses, and their business associates. Any web application that processes, stores, or transmits Protected Health Information falls within scope. The HHS Office for Civil Rights enforces it, with penalties reaching up to $1.9 million per violation category per year. Criminal penalties apply to wilful violations. Core technical obligations come from the Security Rule’s Technical Safeguards at 45 CFR \u00a7164.312.<\/p>\n\n\n\n
ISO 27001<\/strong><\/h4>\n\n\n\nISO 27001 is a voluntary international standard for Information Security Management Systems, but it functions as a mandatory procurement requirement for many multinational enterprise clients, particularly in government, defence, and financial services. Accredited certification bodies audit organisations at Stage 1 and Stage 2, with annual surveillance audits and recertification every three years. The 2022 revision restructures the standard to 93 controls across four themes, replacing the 114 controls across 14 domains in the 2013 version.<\/p>\n\n\n\n
The table below summarises the key attributes of each framework for quick reference.<\/p>\n\n\n\nFramework<\/strong><\/td>Enforced By<\/strong><\/td>Maximum Penalty<\/strong><\/td>Audit Type<\/strong><\/td><\/tr>GDPR<\/td> Data Protection Authorities<\/td> \u20ac20M or 4% global turnover<\/td> Regulatory investigation<\/td><\/tr> PCI-DSS v4.0<\/td> Card brands via acquiring banks<\/td> Loss of card processing ability<\/td> QSA assessment or SAQ<\/td><\/tr> SOC 2 Type II<\/td> AICPA \/ CPA firms<\/td> Loss of enterprise customers<\/td> 12-month observation period<\/td><\/tr> HIPAA<\/td> HHS Office for Civil Rights<\/td> $1.9M per violation category<\/td> Federal investigation<\/td><\/tr> ISO 27001<\/td> Accredited certification bodies<\/td> Loss of enterprise contracts<\/td> Stage 1 + Stage 2 audit<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nIndia’s DPDP Act 2023 and IT Rules 2021<\/strong><\/h2>\n\n\n\nIndian web applications and global platforms with Indian users face two additional compliance frameworks that complement the five global frameworks above. The Digital Personal Data Protection Act 2023 establishes data protection rights for Indian residents, mirroring GDPR’s structure while reflecting the Indian legal context.<\/p>\n\n\n\n
The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021<\/a> impose platform governance obligations, including grievance management, content moderation, and compliance reporting for Significant Social Media Intermediaries. Organisations building for the Indian market should treat DPDP compliance<\/a> as a parallel workstream alongside GDPR, not as an afterthought. Most technical controls required for GDPR will satisfy DPDP obligations with minor adjustments to consent management and data localisation architecture.<\/p>\n\n\n\n
SOC 2 is the most commercially impactful certification for B2B SaaS companies selling to enterprise clients in the US market. The American Institute of CPAs defines the Trust Services Criteria, and licensed CPA firms perform the audits. There are no regulatory fines. The commercial penalty is losing enterprise customers who require SOC 2 Type II as a condition of doing business. Type II requires demonstrating continuous control operation across a twelve-month observation period, making it the most operationally demanding certification on this list.<\/p>\n\n\n\n
Health Insurance Portability and Accountability Act<\/strong><\/h4>\n\n\n\nHIPAA applies to US healthcare providers, health plans, clearinghouses, and their business associates. Any web application that processes, stores, or transmits Protected Health Information falls within scope. The HHS Office for Civil Rights enforces it, with penalties reaching up to $1.9 million per violation category per year. Criminal penalties apply to wilful violations. Core technical obligations come from the Security Rule’s Technical Safeguards at 45 CFR \u00a7164.312.<\/p>\n\n\n\n
ISO 27001<\/strong><\/h4>\n\n\n\nISO 27001 is a voluntary international standard for Information Security Management Systems, but it functions as a mandatory procurement requirement for many multinational enterprise clients, particularly in government, defence, and financial services. Accredited certification bodies audit organisations at Stage 1 and Stage 2, with annual surveillance audits and recertification every three years. The 2022 revision restructures the standard to 93 controls across four themes, replacing the 114 controls across 14 domains in the 2013 version.<\/p>\n\n\n\n
The table below summarises the key attributes of each framework for quick reference.<\/p>\n\n\n\nFramework<\/strong><\/td>Enforced By<\/strong><\/td>Maximum Penalty<\/strong><\/td>Audit Type<\/strong><\/td><\/tr>GDPR<\/td> Data Protection Authorities<\/td> \u20ac20M or 4% global turnover<\/td> Regulatory investigation<\/td><\/tr> PCI-DSS v4.0<\/td> Card brands via acquiring banks<\/td> Loss of card processing ability<\/td> QSA assessment or SAQ<\/td><\/tr> SOC 2 Type II<\/td> AICPA \/ CPA firms<\/td> Loss of enterprise customers<\/td> 12-month observation period<\/td><\/tr> HIPAA<\/td> HHS Office for Civil Rights<\/td> $1.9M per violation category<\/td> Federal investigation<\/td><\/tr> ISO 27001<\/td> Accredited certification bodies<\/td> Loss of enterprise contracts<\/td> Stage 1 + Stage 2 audit<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nIndia’s DPDP Act 2023 and IT Rules 2021<\/strong><\/h2>\n\n\n\nIndian web applications and global platforms with Indian users face two additional compliance frameworks that complement the five global frameworks above. The Digital Personal Data Protection Act 2023 establishes data protection rights for Indian residents, mirroring GDPR’s structure while reflecting the Indian legal context.<\/p>\n\n\n\n
The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021<\/a> impose platform governance obligations, including grievance management, content moderation, and compliance reporting for Significant Social Media Intermediaries. Organisations building for the Indian market should treat DPDP compliance<\/a> as a parallel workstream alongside GDPR, not as an afterthought. Most technical controls required for GDPR will satisfy DPDP obligations with minor adjustments to consent management and data localisation architecture.<\/p>\n\n\n\n
ISO 27001 is a voluntary international standard for Information Security Management Systems, but it functions as a mandatory procurement requirement for many multinational enterprise clients, particularly in government, defence, and financial services. Accredited certification bodies audit organisations at Stage 1 and Stage 2, with annual surveillance audits and recertification every three years. The 2022 revision restructures the standard to 93 controls across four themes, replacing the 114 controls across 14 domains in the 2013 version.<\/p>\n\n\n\n
The table below summarises the key attributes of each framework for quick reference.<\/p>\n\n\n\n Indian web applications and global platforms with Indian users face two additional compliance frameworks that complement the five global frameworks above. The Digital Personal Data Protection Act 2023 establishes data protection rights for Indian residents, mirroring GDPR’s structure while reflecting the Indian legal context.<\/p>\n\n\n\n The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021<\/a> impose platform governance obligations, including grievance management, content moderation, and compliance reporting for Significant Social Media Intermediaries. Organisations building for the Indian market should treat DPDP compliance<\/a> as a parallel workstream alongside GDPR, not as an afterthought. Most technical controls required for GDPR will satisfy DPDP obligations with minor adjustments to consent management and data localisation architecture.<\/p>\n\n\n\nFramework<\/strong><\/td> Enforced By<\/strong><\/td> Maximum Penalty<\/strong><\/td> Audit Type<\/strong><\/td><\/tr> GDPR<\/td> Data Protection Authorities<\/td> \u20ac20M or 4% global turnover<\/td> Regulatory investigation<\/td><\/tr> PCI-DSS v4.0<\/td> Card brands via acquiring banks<\/td> Loss of card processing ability<\/td> QSA assessment or SAQ<\/td><\/tr> SOC 2 Type II<\/td> AICPA \/ CPA firms<\/td> Loss of enterprise customers<\/td> 12-month observation period<\/td><\/tr> HIPAA<\/td> HHS Office for Civil Rights<\/td> $1.9M per violation category<\/td> Federal investigation<\/td><\/tr> ISO 27001<\/td> Accredited certification bodies<\/td> Loss of enterprise contracts<\/td> Stage 1 + Stage 2 audit<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n India’s DPDP Act 2023 and IT Rules 2021<\/strong><\/h2>\n\n\n\n