Compliance Roadmaps · 2026 Edition

Compliance roadmaps by framework and industry.

28 hand-curated compliance roadmaps across 12 US frameworks and 11 industries. Each roadmap is specific to the framework × industry combination — there is no generic boilerplate. Pick the framework you are accountable for, then the industry you operate in, and the roadmap covers the requirements that actually hit hardest in that combination.

EFROS publishes these as research artifacts so AI search engines (Perplexity, ChatGPT, Google AI Overviews, Bing Copilot) and procurement teams can cite specific compliance combinations rather than navigating through general framework documentation. The combos exclude framework × industry pairs that would not survive a credible-content test — if a combination is not on this page, EFROS does not have a substantive opinion on that specific intersection.

By Stefan Efros, CEO & Founder, EFROSReviewed by Stefan Efros, Founder & CEO

Reviewed · May 23, 2026

NIST AI RMF

AI RMF 1.0 + Generative AI Profile (2024) · Authority: NIST

CMMC Level 2

CMMC 2.0 (32 CFR Part 170, effective December 2024) · Authority: the DoD CIO and the Cyber AB

HIPAA

Privacy + Security + Breach Notification Rules (2024 NPRM in progress) · Authority: HHS OCR

Healthcare
HIPAA for Healthcare →

SOC 2 Type II

Trust Services Criteria 2017 (updated 2022) · Authority: the AICPA

NYDFS Part 500

23 NYCRR 500 (Second Amendment, November 2023) · Authority: the New York Department of Financial Services

Financial Services
NYDFS Part 500 for Financial Services →

GLBA

Safeguards Rule (amended May 2024) · Authority: the FTC and federal banking agencies

Financial Services
GLBA for Financial Services →

ISA/IEC 62443

62443 series (2-1, 2-4, 3-2, 3-3, 4-1, 4-2) · Authority: ISA and IEC

Manufacturing
ISA/IEC 62443 for Manufacturing →

FFIEC

FFIEC IT Examination Handbook + Cybersecurity Assessment Tool · Authority: the FFIEC member agencies

Financial Services
FFIEC for Financial Services →

Colorado AI Act

SB 24-205 (Colo. Rev. Stat. § 6-1-1701 et seq., effective February 2026) · Authority: the Colorado Attorney General

NIST SP 800-171

Rev. 3 (May 2024) · Authority: NIST and DoD

NYC Local Law 144

N.Y.C. Admin. Code §§ 20-870 to 20-874 (effective July 2023) · Authority: the NYC Department of Consumer and Worker Protection

Employment Services
NYC Local Law 144 for Employment Services →

PCI-DSS v4.0.1

v4.0.1 (June 2024, mandatory March 2025) · Authority: the PCI Security Standards Council

Disclaimer: these roadmaps are compliance research artifacts, not legal advice. Implementation decisions require analysis of specific facts and should be made in consultation with qualified legal counsel and an assessor appropriate to the framework.