Data manipulation is becoming increasingly regulated around the world. Get to know the most important laws, regulations and recommendations regarding the privacy of data manipulated through mobile devices and applications. For more information on how your company can comply, talk to one of our experts.

The GDPR is a European personal data privacy law that applies to any organization that does business in Europe (regardless of its physical location). It sets guidelines for the collection, processing, and storage of European residents’ personally identifiable information. The GDPR law was enforced to protect all personal information, including the ones that are dealt with on mobile devices and applications.

The NIS2 Directive is an EU regulation that aims at protecting essential and important entities against cyber threats. It requires organizations that are part of industries identified as essential and important (energy, public service, banking, pharmaceutical, transportation…) to take advanced cybersecurity measures and report incidents. NIS2 explicitly requires applications and services used on mobile and tablet devices to be secure as part of the global IT environment and recommends system vulnerability detection, intrusion testing and security audits.

ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It stipulates that information stored on, processed by or accessible via user endpoint should be protected. ISO 27001 contains 10 clauses and an annex that is important to mobile security. Adopting ISO 27001:2022 as a framework establishes and maintains robust security controls and practices.


The DPA is the United Kingdom’s data protection legislation. After Brexit, it replaced the GDPR in the UK and largely mirrors its principles. Mobile data processors and controllers operating in the UK must follow the DPA’s requirements to ensure the lawful and secure processing of personal data. This law can lead to fines in case of non-compliance. 

The FTC Act grants the U.S. Federal Trade Commission (FTC) the authority to enforce fair business practices and protect consumer privacy. The Trade Commission enforces even stricter regulations for the health, insurance, and financial sectors. Also applying to organizations that develop mobile applications, it ensures they provide accurate and transparent information about data collection and protection.

PIPEDA is Canada’s federal privacy law governing the collection, use, and disclosure of personal information in commercial activities. Mobile applications and services operating in Canada must comply with PIPEDA, which grants individuals certain rights over their personal data and requires organizations to protect it with appropriate security measures.

SOC 2 is an auditing standard for service providers developed by the American Institute of CPAs (AICPA). Mobile application developers and providers may undergo SOC 2 audits to demonstrate their commitment to data protection. The audit will look at vulnerability management controls, reporting, validation, identification, scoring, prioritization, and tracking.

The Cybersecurity and Infrastructure Security Agency (CISA) provides a checklist designed to assist individuals and organizations in improving the security posture of their mobile devices. The checklist covers device configuration, network connections, Software Updates, App Security, Data Protection, Mobile Device Management (MDM), Phishing and Social Engineering.

PSD2 is an EU directive designed to regulate payment services and promote innovation in the financial sector. It applies to banks, payment service providers (PSP) and any other company that handles financial data. For mobile apps providing payment services, such as banking apps, payment applications, mobile wallets and shopping applications that offer payment functionality, PSD2 requires strong customer authentication and secure data transmission.

DORA is an EU Act that wants to make sure the financial sector in Europe can stay resilient through a severe operational disruption. It delineates technical standards for all financial service institutions, from banking to insurance, to asset management. 

The PCI Security Standards Council is a global organization that maintains and promotes an information security standard for credit card data. It specifically requires all merchants that use mobile payments to protect cardholder data by maintaining a secure environment. In its requirements for compliance, the standard states that mobile devices are not designed to be secure, and that they require additional security measures.

HIPAA is a U.S. regulation that safeguards the privacy and security of individuals’ health information (PHI). Specifically aiming to safeguard the privacy of patients and health plan subscribers.