Updated:
July 9, 2026
400 Compliance Statistics – June 2026
Compliance programs underpin data protection, privacy and risk management across every industry, and the numbers show how rapidly the landscape is evolving.
This article compiles 400 unique, handpicked statistics from authoritative reports and regulatory summaries to help security leaders benchmark their programs and assess regulatory exposure.
This report is built on verified data from leading research and regulatory bodies, including PwC, IBM, KPMG, the U.S. Department of Health and Human Services, FATF, Verizon, and DLA Piper, which demonstrates the report’s credibility, data quality, and reliability.
Key Compliance Stats At a Glance
- 71% of companies expect to support digital transformation initiatives that require compliance involvement within the next 3 years. (PwC Global Compliance Survey 2025)
- 41% of companies expect to need compliance support for new business models within the next 3 years. (PwC Global Compliance Survey 2025)
- Rising regulatory complexity constrained growth and innovation for 77% of companies. (PwC Global Compliance Survey 2025)
- U.S. federal regulations had an estimated $1.9 trillion annual economic effect. (Competitive Enterprise Institute Ten Thousand Commandments)
- Regulatory complexity hindered the implementation of new IT systems for nearly 90% of companies. (PwC Global Compliance Survey 2025)
- Compliance complexity limited AI use for about two-thirds of companies. (PwC Global Compliance Survey 2025)
- Regulatory complexity was the top challenge for 47% of companies, followed by organizational complexity at 34%, cultural issues at 29%, and resource capacity at 28%. (PwC Global Compliance Survey 2025)
- Technology was already used for more than 11 compliance activities at 49% of organizations. (PwC Global Compliance Survey 2025)
- Technology supported compliance training at 82% of organizations, risk assessment at 76%, monitoring and customer due diligence at 75%, and regulatory disclosures at 72%. (PwC Global Compliance Survey 2025)
- Coordinated compliance improved decision-making for 59% of organizations. (PwC Global Compliance Survey 2025)
- Only 7% of organizations considered themselves compliance leaders, while 38% wanted to become compliance leaders within 3 years. (PwC Global Compliance Survey 2025)
- Centralized governance, risk, and compliance teams existed at 91% of organizations. (Hyperproof 2025 IT Risk And Compliance Benchmark Report)
- Risk and compliance budgets were expected to increase in 2025 at 63% of organizations. (Hyperproof 2025 IT Risk And Compliance Benchmark Report)
- 70% of Chief Compliance Officers expected technology budgets to increase, with investments focused on data analytics, cybersecurity, data privacy, and process automation. (KPMG Global CCO Survey)
- The compliance data management market was expected to reach roughly $16.6 billion in 2025. (Adherent)
- Compliance teams were expected to grow over the next 2 years at 72% of organizations. (Hyperproof 2025 IT Risk And Compliance Benchmark Report)
- AI helped speed up internal compliance functions for 89% of compliance professionals. (Thomson Reuters Future Of Professionals Report 2024)
- Generative AI was expected to take more than 10% of digital budgets at 41% of financial firms in 2024. (Protiviti Compliance Playbook 2025)
- AI was expected to positively affect effective compliance for 71% of respondents. (PwC Global Compliance Survey 2025)
- AI was viewed as a force for good by nearly 90% of compliance professionals. (Thomson Reuters Future Of Professionals Report 2024)
- Disaggregated data made compliance harder for 63% of executives. (PwC Global Compliance Survey 2025)
- Compliance officers now face a wider remit covering regulation, ESG, evolving technology, cybersecurity, data protection, privacy, and third-party risk. (PwC Global Compliance Survey 2025)
- Privacy laws had a positive business impact for 86% of organizations in fall 2024. (Cisco 2025 Data Privacy Benchmark Study)
- Average privacy spending across surveyed organizations reached $2.7 million in fall 2024. (Cisco 2025 Data Privacy Benchmark Study)
- Privacy spending delivered a 1x to less than 2x return for 53% of organizations in fall 2024, while 29% achieved a return of 2x or more. (Cisco 2025 Data Privacy Benchmark Study)
Regulators continue to issue settlements across healthcare, finance, and edtech sectors. For a current view of recent compliance enforcement actions, see our running coverage of HIPAA, CMMC, SEC, and FTC cases from 2026.

Data Privacy, Payment, And Security Framework Statistics

- GDPR applied to 92% of surveyed organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- GDPR is one of the most demanding privacy compliance frameworks because it regulates how organizations collect, process, and transfer personal data. (European Union GDPR Guidance)
- State privacy laws in 2025 expanded sensitive-data definitions, with broader categories appearing in states such as Oregon, Delaware, New Jersey, Colorado, Connecticut, and California rulemaking. (Troutman 2025 State Privacy Guide)
- PCI DSS applied to 58% of surveyed organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- HIPAA applied to 41% of respondents overall and nearly 97% of healthcare organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Data sovereignty was critical or very important for compliance at 85% of organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- At least $100,000 per year was allocated to web form security and compliance by 83% of organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- At least 1 web form-related security incident affected 88% of organizations in the past 2 years. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- A confirmed data breach through form submissions affected 44% of organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Automated or bot-driven attacks on web forms targeted 61% of organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- SQL injection attempts against form fields affected 47% of organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Cross-site scripting attacks against form fields affected 39% of organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Automated incident response workflows were used after web form threat detection at 48% of organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Government ID numbers were collected through forms by 81% of government agencies. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- FedRAMP authorization was required by 75% of government respondents, and FIPS 140-3 validated cryptography was used by 69%. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- HIPAA enforcement included 374,321 complaints and 1,193 compliance reviews, with 99% of cases resolved. (HHS HIPAA Enforcement Highlights)
- HIPAA civil monetary penalties affected 152 cases and totaled $144,878,972. (HHS HIPAA Enforcement Highlights)
- In fall 2024, 90% of security and privacy professionals believed data was safer when stored locally, while 88% said data localization added significant operating cost. (Cisco 2025 Data Privacy Benchmark Study)
- Global providers were viewed as better at protecting data than local providers by 91% of security and privacy professionals in fall 2024. (Cisco 2025 Data Privacy Benchmark Study)
- External oversharing of sensitive SaaS data affected 63% of organizations in 2025, and sensitive data was uploaded to unauthorized apps at 56% of organizations. (Cloud Security Alliance State Of SaaS Security Survey Report)
- Employee names or information were entered into GenAI applications by 46% of respondents in fall 2024, while customer names or information were entered by 31%. (Cisco 2025 Data Privacy Benchmark Study)
- Data collection appeared in 80% of reactive engagements in 2025. (Microsoft Digital Defense Report 2025)
- Large-scale data exfiltration appeared in 82% of observed ransomware incidents in 2025. (Microsoft Digital Defense Report 2025)
Compliance Audit, Framework, and Certification Statistics
- ISO 27001 adoption reached 81% of organizations, up from 67% in 2024. (A-LIGN 2026 Compliance Benchmark Report)
- PCI DSS Requirement 4 full compliance reached 90.5% at interim validation in 2023. (Verizon 2023 Payment Security Report)
- PCI DSS Requirement 11 full compliance reached only 47.6%. (Verizon 2023 Payment Security Report)
- PCI DSS Requirement 1 full compliance rose from 61.8% in 2022 to 74.6% in 2023. (Verizon 2023 Payment Security Report)
- SOC 2 examinations can cover 5 Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. (AICPA SOC Services)
- SOC 2 Type II observation windows commonly span 3, 6, 9, or 12 months. (TrustNet SOC 2 Audit Process, Timeline, And Costs)
- The total cost of achieving SOC 2 can range from $10,000 to $80,000 or more. (Vanta SOC 2 Audit Cost)
- Swiss ISAE and SOC reports averaged 44 controls per report, and most controls required 1 to 5 hours each. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- Only 1 full-time equivalent supported ISAE or SOC processes at 63% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- Two to 5 full-time equivalents supported ISAE or SOC processes at 22% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- Six to 10 full-time equivalents supported ISAE or SOC processes at 7% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- More than 15 full-time equivalents supported ISAE or SOC processes at 7% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- ISAE and SOC processes were standardized but mostly manual at 70% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- Well-integrated automation supported by GRC tools existed at about 20% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- Evidence quality was the biggest ISAE and SOC reporting challenge for 37% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- Control owner turnover was a major ISAE and SOC reporting challenge for 32% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- Meeting deadlines was a major ISAE and SOC reporting challenge for 26% of Swiss organizations. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- One to 5 hours were needed to execute 59% of controls in Swiss ISAE and SOC reports. (KPMG Swiss ISAE And SOC Readiness Study 2025)
- Less than 1 hour was needed to execute 41% of controls in Swiss ISAE and SOC reports. (KPMG Swiss ISAE And SOC Readiness Study 2025)
Regulatory Change Management And AI Governance Statistics
- The regulatory environment was viewed as a barrier to value creation by 64% of CEOs. (PwC Global CEO Survey)
- Potential regulatory changes were escalated directly to executive teams or boards by 16% of financial services compliance professionals. (CUBE Cost Of Compliance Report 2025)
- Significant strategic change due to geopolitical risks was expected by 25% of financial services leaders, and 8% believed those tensions could fundamentally alter their business models. (CUBE Cost Of Compliance Report 2025)
- Regulatory change management was rated as somewhat or highly ineffective by 21% of financial services respondents. (CUBE Cost Of Compliance Report 2025)
- 39% of legal and compliance leaders ranked keeping compliance programs aligned with fast-moving regulatory requirements as a top-three priority. (Gartner)
- At least part of the regulatory change management process was automated by 98% of financial services respondents. (CUBE Cost Of Compliance Report 2025)
- Full implementation of regulatory changes took more than 1 year on average, even with automation. (CUBE Cost Of Compliance Report 2025)
- AI-related regulatory insights for financial services reached 157 in 1 year. (CUBE Cost Of Compliance Report 2025)
- Compliance systems were expected to shift to the cloud by July 2025 at 56% of enterprises. (Compliance And Risks 25 Critical Stats For Chief Compliance Officers)
- In 2025, 86% of business leaders with cybersecurity responsibilities experienced at least 1 AI-related security incident in the previous 12 months. (Cisco 2025 Cybersecurity Readiness Index)
- In 2025, 60% of IT teams could not see the specific prompts or requests employees made in GenAI tools. (Cisco 2025 Cybersecurity Readiness Index)
- Unapproved AI tools were difficult to detect for 60% of respondents in 2025. (Cisco 2025 Cybersecurity Readiness Index)
- Very significant value from GenAI reached 48% of respondents in fall 2024, up from 37% in 2023. (Cisco 2025 Data Privacy Benchmark Study)
- AI-specific risk tools were being implemented by 53% of enterprises in 2025, and 39% planned to expand AI and machine learning skills. (AuditBoard Risk Intelligence Report)
- AI acceptance rates fell roughly 30% in July 2025 after strong adoption in May and June. (AuditBoard Risk Intelligence Report)
- In 2025, 90% of companies lacked the maturity to counter AI-enabled threats, while 36% of technology leaders said GenAI was outpacing their security. (Accenture State Of Cybersecurity Resilience 2025)
- AI development and security investment were balanced at 42% of organizations in 2025, and security was embedded into transformation initiatives from the outset at 28%. (Accenture State Of Cybersecurity Resilience 2025)
SOC 2 Statistics
- SOC 2 reports use 5 Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. (Schellman SOC 2 Trust Services Criteria)
- Security is the required Trust Services Category for every SOC 2 audit. (Schellman SOC 2 Trust Services Criteria)
- 95% of organizations use technology during audits and assessments. (A-LIGN State Of Compliance 2026)
- 72% of organizations are concerned about AI’s impact on compliance. (A-LIGN State Of Compliance 2026)
- Audit quality was “extremely important” to 80% of respondents in 2026, up from 70% the year before. (A-LIGN State Of Compliance 2026)
- More than 50% of respondents had faced rejected audit reports because of incomplete documentation or insufficient testing. (A-LIGN State Of Compliance 2026)
- 97% of organizations conduct at least 2 audits per year, and 74% of enterprise organizations conduct 4 or more audits per year. (A-LIGN State Of Compliance 2026)
- 99% of organizations believed consolidating audits could save time and money, while 27% did not know where to start and 24% cited limited time. (A-LIGN State Of Compliance 2026)
- SOC 2 audit fees typically range from $10,000 to $50,000, depending on company size, auditor, and audit complexity. (Vanta SOC 2 Audit Cost)
- SOC 2 audit preparation typically takes 1 to 5 months, depending on company scale and whether outside security support is used. (Vanta SOC 2 Audit Cost)
- The total cost of achieving SOC 2 can range from $10,000 to $80,000 or more between prep work and the audit itself. (Vanta SOC 2 Audit Cost)
- SOC 2 Type 1 timelines include 1 to 3 months of pre-audit preparation, 2 to 5 weeks for the official audit, and 2 to 6 weeks for report creation and delivery. (Vanta SOC 2 Audit Timeline)
- SOC 2 Type 2 observation windows commonly range from 3 to 12 months. (Vanta SOC 2 Audit Timeline)
- SOC 2 Type 2 audits usually include 2 to 5 weeks for official audit review and 2 to 6 weeks for report creation and delivery. (Vanta SOC 2 Audit Timeline)
- KPMG analyzed more than 400 controls assurance reports issued between 2021 and 2023, including SOC 1, SOC 2, AAF 01/20, AAF 05/20, and ISAE 3000 reports. (KPMG Controls Assurance Benchmarking Report 2024)
- Controls assurance reports increased by more than 80% in 2023 compared with the 2021 base year. (KPMG Controls Assurance Benchmarking Report 2024)
- SOC 2 report volume increased 23% in 2023 over the prior year. (KPMG Controls Assurance Benchmarking Report 2024)
- Manually operated controls accounted for 89% of all operating-effectiveness exceptions. (KPMG Controls Assurance Benchmarking Report 2024)
- System access controls represented 17% of all control exceptions. (KPMG Controls Assurance Benchmarking Report 2024)
- Only 35% of system access controls were automated. (KPMG Controls Assurance Benchmarking Report 2024)
- 41% of Type 1 reports had no exceptions, compared with only 2% of Type 2 reports. (KPMG Controls Assurance Benchmarking Report 2024)
ISO 27001 Compliance Figures
- ISO 27001 valid certificates worldwide reached 96,709 in 2024, across 179,877 certified sites. (ISO Survey 2024)
- Certificates rose 104% and certified sites rose 101% over 2023. (ISO Survey 2024)
- The 2024 edition switched to collecting data directly from the IAF CertSearch database, so part of the year-over-year jump reflects that change in methodology rather than organic growth alone. (ISO Survey 2024)
- ISO Survey 2024 drew from 76 of 77 accreditation bodies and more than 2,400 certification bodies. (ISO Survey 2024)
- ISO Survey results have been tracked since 1993, and from 2025 onward the survey is compiled through IAF CertSearch using anonymized, aggregated certification data. (IAF CertSearch ISO Survey)
- ISO 27001 adoption reached 81% of organizations in 2025, up from 67% in 2024. (A-LIGN ISO 27001 Buyer’s Guide)
- ISO 27001:2022 was published on 25 October 2022, replacing ISO 27001:2013. (IAF Transition Requirements For ISO 27001:2022)
- The ISO 27001:2022 transition period lasted 3 years, or 36 months. (IAF Transition Requirements For ISO 27001:2022)
- Certification bodies had to complete client transitions to ISO 27001:2022 by 31 October 2025. (IAF Transition Requirements For ISO 27001:2022)
- All ISO 27001:2013 certifications were required to expire or be withdrawn at the end of the transition period. (IAF Transition Requirements For ISO 27001:2022)
- ISO 27001:2022 reduced the information security control set from 114 controls in 14 clauses to 93 controls in 4 clauses. (IAF Transition Requirements For ISO 27001:2022)
- ISO 27001:2022 introduced 11 new controls, merged 24 existing controls, and updated 58 controls. (IAF Transition Requirements For ISO 27001:2022)
- ISO 27001:2022 reorganized controls into 4 themes: Organizational, People, Physical, and Technological. (DNV ISO 27001:2022 Changes And Benefits)
- The ISO 27001 certification process includes 5 main steps: optional pre-assessment, Stage 1 audit, Stage 2 audit, surveillance audit, and recertification. (A-LIGN ISO 27001 Buyer’s Guide)
- ISO 27001 certification typically takes 3 to 12 months, with 1 to 4 months for pre-audit work and another 2 to 6 months for the audit phase. (Vanta ISO 27001 Certification Timeline)
- ISO 27001 certification can cost from $6,000 to more than $40,000, depending on business size and ISMS complexity. (Vanta ISO 27001 Certification Cost)
- ISO 27001 and ISO 27002 standard documents cost about $350 combined, with $125 for ISO 27001 and $225 for ISO 27002. (Vanta ISO 27001 Certification Cost)
- ISO 27001 Stage 1 and Stage 2 certification audits typically cost $14,000 to $16,000. (Vanta ISO 27001 Certification Cost)
- ISO 27001 surveillance audits typically cost $6,000 to $7,500. (Vanta ISO 27001 Certification Cost)
- ISO 27001 certification is valid for up to 3 years, with routine surveillance audits required before full recertification. (Vanta ISO 27001 Certification Cost)
- ISO 27001 internal audit support can cost $0 to $6,000, while a gap analysis can cost $5,000 to $8,000. (Vanta ISO 27001 Certification Cost)
Latest CMMC Stats
- The final DFARS rule adding CMMC requirements to defense contracts was published on September 10, 2025. (Federal Register DFARS CMMC Final Rule)
- The final DFARS CMMC rule became effective on November 10, 2025. (Federal Register DFARS CMMC Final Rule)
- DoD launched a 3-year phased rollout of CMMC requirements across defense contracts starting November 10, 2025. (DoD CMMC Contractor Bulletin)
- Phase 1 of CMMC implementation began on November 10, 2025. (DoD CMMC Implementation Announcement)
- Contracting officers can include CMMC Level 1 and Level 2 requirements in new contracts during Phase 1. (DoD CMMC Contractor Bulletin)
- DoD contractors must submit self-assessment scores in the Supplier Performance Risk System during the CMMC rollout. (DoD CMMC Contractor Bulletin)
- The DFARS final rule added 2 key CMMC contract clauses: DFARS 252.204-7021 and DFARS 252.204-7025. (DoD CMMC Contractor Bulletin)
- The DFARS final rule created 4 CMMC level options for solicitations: Level 1 Self, Level 2 Self, Level 2 C3PAO, and Level 3 DIBCAC. (Federal Register DFARS CMMC Final Rule)
- The DFARS final rule lists 7 possible CMMC statuses: Final Level 1, Conditional Level 2 Self, Final Level 2 Self, Conditional Level 2 C3PAO, Final Level 2 C3PAO, Conditional Level 3 DIBCAC, and Final Level 3 DIBCAC. (Federal Register DFARS CMMC Final Rule)
- Conditional CMMC Level 2 and Level 3 statuses can last no more than 180 days from the conditional CMMC date. (Federal Register DFARS CMMC Final Rule)
- The DFARS final rule requires contractors to maintain the required CMMC status for the life of the contract. (Federal Register DFARS CMMC Final Rule)
- Contractors must complete an annual affirmation of continuous compliance in SPRS for each applicable CMMC UID. (Federal Register DFARS CMMC Final Rule)
- A CMMC UID contains 10 alphanumeric characters assigned to each contractor CMMC assessment. (Federal Register DFARS CMMC Final Rule)
- CMMC Level 1 requires annual self-assessment and annual affirmation against 15 FAR 52.204-21 security requirements. (DoD Cybersecurity Resources)
- CMMC Level 2 requires either a self-assessment or a C3PAO assessment every 3 years, depending on the solicitation. (DoD Cybersecurity Resources)
- CMMC Level 2 requires compliance with 110 NIST SP 800-171 Revision 2 security requirements. (DoD Cybersecurity Resources)
- CMMC Level 3 requires Final Level 2 status before the Level 3 assessment. (DoD Cybersecurity Resources)
- CMMC Level 3 requires an assessment every 3 years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center. (DoD Cybersecurity Resources)
- CMMC Level 3 requires annual affirmation against 24 selected NIST SP 800-172 requirements. (DoD Cybersecurity Resources)
- Just under 500 defense contractors had voluntarily achieved Level 2 CMMC certification by late 2025. (Federal News Network Cyber AB Interview)
- The Pentagon estimated that Level 2 third-party assessment requirements could apply to as many as 80,000 companies during the CMMC rollout. (Federal News Network Cyber AB Interview)
- The CMMC ecosystem had just under 600 certified CMMC assessors in late 2025. (Federal News Network Cyber AB Interview)
- About half of certified CMMC assessors were eligible to lead assessment teams in late 2025. (Federal News Network Cyber AB Interview)
- The CMMC ecosystem may need between 2,000 and 3,000 assessors to meet program scale. (Federal News Network Cyber AB Interview)
- HIPAA
- CMS received 140 HIPAA Administrative Simplification complaints during calendar year 2025. (CMS CY 2025 Complaint Enforcement And Compliance Review Analysis Report)
- The 835 Health Care Claim Payment/Advice transaction was one of the top HIPAA Administrative Simplification complaint areas in calendar year 2025. (CMS CY 2025 Complaint Enforcement And Compliance Review Analysis Report)
- The 837 Health Care Claim Professional transaction was one of the top HIPAA Administrative Simplification complaint areas in calendar year 2025. (CMS CY 2025 Complaint Enforcement And Compliance Review Analysis Report)
- The 270 Eligibility, Coverage, or Benefit Inquiry transaction was one of the top HIPAA Administrative Simplification complaint areas in calendar year 2025. (CMS CY 2025 Complaint Enforcement And Compliance Review Analysis Report)
- In June 2026, 772 large healthcare data breaches from 2025 were listed on the HHS OCR breach portal. (HIPAA Journal Largest Healthcare Data Breaches Of 2025)
- Large healthcare data breaches from 2025 affected 139,721,832 individuals. (HIPAA Journal Largest Healthcare Data Breaches Of 2025)
- 16 healthcare data breaches in 2025 affected more than 1 million individuals each. (HIPAA Journal Largest Healthcare Data Breaches Of 2025)
- The largest listed healthcare data breach of 2025 affected 62,224,658 individuals. (HIPAA Journal Largest Healthcare Data Breaches Of 2025)
NIST Statistics
- NIST CSF adoption reached 83% among organizations in the 2025 RH-ISAC CISO Benchmark. (RH-ISAC 2025 CISO Benchmark Report)
- NIST CSF scores rose 25% since 2024, reaching an average score of 3.1 across functions in 2025. (RH-ISAC 2025 CISO Benchmark Report)
- Frontrunners scored 3.2 across NIST functions in 2025, with a projected average of 3.5 in 2026. (RH-ISAC 2025 CISO Benchmark Report)
- Wavestone assessed more than 170 organizations against NIST CSF 2.0 in its 2025 Cyber Benchmark. (Wavestone 2025 Cyber Benchmark)
- Large-company cybersecurity maturity reached 54% in 2025 based on NIST CSF 2.0 and ISO 27001, up 1 point from 2024. (Wavestone 2025 Cyber Benchmark)
- Financial-sector cybersecurity maturity reached 62.5% in 2025, up 2.5 points from 2024. (Wavestone 2025 Cyber Benchmark)
- Cybersecurity budgets averaged 6.4% of IT budgets in 2025, down from 6.6% in 2024. (Wavestone 2025 Cyber Benchmark)
- Large organizations averaged 1 cybersecurity expert for every 1,016 employees in 2025, compared with 1 expert for every 1,086 employees the year before. (Wavestone 2025 Cyber Benchmark)
- Across 29 ransomware attack vectors, large organizations had an average protection level of 56% in 2025. (Wavestone 2025 Cyber Benchmark)
- NIST CSF 2.0 organizes cybersecurity outcomes under 6 core functions: Govern, Identify, Protect, Detect, Respond, and Recover. (NIST Cybersecurity Framework 2.0)
- NIST CSF 2.0 uses 4 tiers: Partial, Risk Informed, Repeatable, and Adaptive. (NIST Cybersecurity Framework 2.0)
- NIST CSF 2.0 applies to information technology, the Internet of Things, operational technology, cloud, mobile, and artificial intelligence systems. (NIST Cybersecurity Framework 2.0)
- NIST SP 800-171 Revision 3 organizes CUI security requirements into 17 families. (NIST SP 800-171 Revision 3)
- NIST SP 800-171 Revision 3 applies to nonfederal system components that process, store, or transmit CUI. (NIST SP 800-171 Revision 3)
- NIST SP 800-171 Revision 3 added Planning, System and Services Acquisition, and Supply Chain Risk Management to its security requirement family structure. (NIST SP 800-171 Revision 3)
- NIST SP 800-53 Revision 5 includes 20 security and privacy control families. (NIST SP 800-53 Revision 5)
- NIST issued SP 800-53 Release 5.2.0 on August 27, 2025. (NIST SP 800-53 Release 5.2.0 Update)
- NIST SP 800-53 Release 5.2.0 added updates related to software updates, patches, software integrity, and validation. (NIST SP 800-53 Release 5.2.0 Update)
- NIST SP 800-70 Revision 5 was published in May 2026 and replaced SP 800-70 Revision 4 from 2018. (NIST SP 800-70 Revision 5)
- NIST SP 800-70 Revision 5 added mapping concepts between checklist settings, NIST CSF 2.0 outcomes, NIST SP 800-53 controls, and Common Configuration Enumeration identifiers. (NIST SP 800-70 Revision 5)
- NIST published the final NIST IR 8374 Revision 1 ransomware risk management profile on June 11, 2026. (NIST IR 8374 Revision 1 Ransomware Risk Management)
- NIST IR 8374 Revision 1 maps ransomware risk management objectives to NIST CSF 2.0 outcomes. (NIST IR 8374 Revision 1 Ransomware Risk Management)
- In higher education, 36% of respondents rated NIST SP 800-171 compliance as a high priority, while 41% rated it as a moderate priority. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
- 54% of higher education respondents had a formal NIST SP 800-171 compliance plan, while 44% did not. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
- 62% of higher education respondents working toward NIST SP 800-171 compliance were investing in cybersecurity tools and technologies. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
- Limited personnel blocked NIST SP 800-171 compliance for 76% of higher education respondents, followed by competing priorities at 70% and insufficient funding at 66%. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
- Increased funding was the top internal resource needed for NIST SP 800-171 compliance at 78%, followed by additional dedicated personnel at 76% and leadership support at 58%. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
PCI DSS Stats
- PCI DSS applies to entities that store, process, or transmit cardholder data, sensitive authentication data, or could affect the security of the cardholder data environment. (PCI Security Standards Council PCI DSS)
- PCI DSS applies across merchants, processors, acquirers, issuers, and service providers involved in payment card processing. (PCI Security Standards Council PCI DSS)
- PCI DSS v4.0.1 became the only active version of the standard supported by PCI SSC after 31 December 2024. (PCI SSC Just Published: PCI DSS v4.0.1)
- PCI DSS v4.0.1 added no new requirements and removed no existing requirements from PCI DSS v4.0. (PCI SSC Just Published: PCI DSS v4.0.1)
- PCI DSS v4.0 introduced 64 new requirements, including 51 future-dated requirements. (PCI SSC Coffee With The Council)
- The 51 future-dated PCI DSS requirements became effective on 31 March 2025. (PCI SSC Coffee With The Council)
- After 31 March 2025, future-dated PCI DSS requirements must be fully considered during a PCI DSS assessment. (PCI SSC Coffee With The Council)
- PCI DSS v4.0 became the active baseline when PCI DSS v3.2.1 was retired on 31 March 2024. (PCI SSC Coffee With The Council)
- PCI DSS Requirements 6.4.3 and 11.6.1 became key e-commerce requirements because scripts running in consumer browsers became a significant target for attackers seeking payment card data. (PCI SSC Coffee With The Council)
- PCI DSS Requirement 6.4.3 focuses on authorizing payment page scripts, checking script integrity, and maintaining script visibility. (PCI SSC Coffee With The Council)
- PCI DSS Requirement 11.6.1 focuses on detecting unauthorized changes to payment pages that could support e-skimming attacks. (PCI SSC Coffee With The Council)
- PCI SSC released guidance for PCI DSS Requirements 6.4.3 and 11.6.1 for entities that process e-commerce payments through embedded iframes or webpages that can affect payment security. (PCI SSC Coffee With The Council)
- Verizon’s 2024 Payment Security Report used 3 key metrics for PCI DSS requirement performance: full compliance, control gap, and compensating controls. (Verizon 2024 Payment Security Report)
- PCI DSS Requirement 4 was the most sustainable key requirement in 2023, with 90.5% of organizations scoring 100% compliance at interim validation. (Verizon 2024 Payment Security Report)
- PCI DSS Requirement 4 full compliance improved from 85.3% in 2022 to 90.5% in 2023. (Verizon 2024 Payment Security Report)
- PCI DSS Requirement 11 had the weakest full-compliance performance in 2023, with only 47.6% of assessments finding the requirement fully in place. (Verizon 2024 Payment Security Report)
- PCI DSS Requirement 11 had the largest control gap in 2023, with 9.1% of controls not in place. (Verizon 2024 Payment Security Report)
- PCI DSS Requirement 6 had the highest compensating-control use in 2023, with 15.9% of organizations applying 1 or more compensating controls. (Verizon 2024 Payment Security Report)
- PCI DSS Requirement 1 full compliance improved from 61.8% in 2022 to 74.6% in 2023. (Verizon 2024 Payment Security Report)
- PCI DSS Requirement 1 control gaps improved from 4.5% in 2022 to 3.7% in 2023. (Verizon 2024 Payment Security Report)
Compliance Requirements
- PCI DSS v4.0.1 consists of 12 principal requirements, detailed security requirements, and testing procedures. (PCI DSS v4.0.1)
- PCI DSS v4.0.1 is organized around 6 core principles for securing payment card data. (KPMG PCI DSS v4.0.1 Overview)
- PCI SSC lists more than 60 guidance documents and information supplements to support PCI DSS assessments. (PCI DSS v4.0.1)
- PCI DSS v4.0.1 made additions across 4 requirements and the appendix section while remaining the current PCI DSS requirements version. (KPMG PCI DSS v4.0.1 Overview)
- NIST CSF 2.0 lists 22 cybersecurity outcome categories across its 6 core functions. (NIST Cybersecurity Framework 2.0)
- NIST CSF 2.0 uses 4 tiers to describe cybersecurity risk governance and management maturity. (NIST Cybersecurity Framework 2.0)
- HIPAA Security Rule coverage includes 3 covered entity types: health plans, health care clearinghouses, and covered health care providers. (HHS Summary Of The HIPAA Security Rule)
- HITECH Act Section 13401 made HIPAA Security Rule safeguards, policies, procedures, and documentation requirements apply directly to business associates. (HHS Summary Of The HIPAA Security Rule)
- FBI CJIS Security Policy v6.0 lists 20 policy areas for protecting criminal justice information. (FBI CJIS Security Policy v6.0)
- The FBI CJIS Division user agreement references 6 major systems and programs: LEEP, NCIC, NICS, N-DEx, NGI, and UCR. (FBI CJIS Security Policy v6.0)
- CIS Controls v8 and v8.1 include 153 safeguards across 3 Implementation Groups. (CIS Controls Implementation Groups)
- CIS Controls IG1 includes 56 safeguards, IG2 adds 74 safeguards, and IG3 adds 23 safeguards for the full 153-safeguard set. (CIS Controls Implementation Group 3)
- FIPS 140-3 provides 4 increasing security levels for cryptographic modules. (NIST FIPS 140-3)
- NIS2 Article 23 uses a 3-stage significant incident reporting structure: 24 hours for early warning, 72 hours for incident notification, and 1 month for the final report. (NIS2 Article 23 Reporting Obligations)
- GDPR Article 33 requires personal data breach notification within 72 hours of awareness when notification to the supervisory authority is required. (EDPB Guidelines 9/2022 On Personal Data Breach Notification)
- SOC 2 uses 5 Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. (Schellman SOC 2 Attestation Services)
- SOC 2 Security is the mandatory Trust Services Category, while the other 4 categories are scoped based on service commitments and customer requirements. (Cloud Security Alliance SOC 2 Trust Services Criteria)
Cybersecurity Threat And Breach

- Proper access controls were missing in 97% of AI-enabled breaches. (IBM Cost Of A Data Breach Report 2025)
- More than 22 billion records were exposed in 2021 breaches. (Flashpoint and Risk Based Security 2021 Year End Data Breach Report)
- Security AI or automation was used extensively by 32% of organizations, used to a limited extent by 40%, and not used by 28%. (IBM Cost Of A Data Breach Report 2025)
- Model theft or unauthorized access affected 43% of companies that experienced AI-related incidents in 2025. (Cisco 2025 Cybersecurity Readiness Index)
- AI-assisted social engineering affected 42% of companies with AI-related incidents in 2025, while data poisoning attempts affected 38%. (Cisco 2025 Cybersecurity Readiness Index)
- Nearly half of organizations, 49%, experienced at least 1 cyberattack within the past year in 2025. (Cisco 2025 Cybersecurity Readiness Index)
- A cybersecurity incident was considered likely to disrupt operations within the next 12 to 24 months by 71% of respondents in 2025. (Cisco 2025 Cybersecurity Readiness Index)
- Exploits accounted for 32% of investigations with an identifiable initial infection vector in 2025. (Mandiant M-Trends 2026 Report)
- Voice-based social engineering accounted for 11% of investigations with a known initial vector in 2025. (Mandiant M-Trends 2026 Report)
- Email phishing accounted for 6% of intrusions in 2025, down from 14% in 2024. (Mandiant M-Trends 2026 Report)
- In 2025, 28% of breaches began with phishing or social engineering, 18% began with unpatched web assets, and 12% used exposed remote services. (Microsoft Digital Defense Report 2025)
- More than 40% of ransomware attacks involved hybrid components in 2025, compared with less than 5% 2 years earlier. (Microsoft Digital Defense Report 2025)
- At least 1 remote monitoring and management tool appeared in about 79% of ransomware cases in 2025. (Microsoft Digital Defense Report 2025)
- Antivirus exclusions were used to avoid defenses in 30% of observed human-operated ransomware incidents in 2025. (Microsoft Digital Defense Report 2025)
- AI-related vulnerabilities increased over the past year for 87% of respondents in 2026. (World Economic Forum Global Cybersecurity Outlook 2026)
- Cyber-enabled fraud and phishing increased for 77% of respondents in 2026, while supply chain disruption increased for 65%. (World Economic Forum Global Cybersecurity Outlook 2026)
- Cyber-enabled fraud personally affected 73% of respondents or someone in their network during 2025. (World Economic Forum Global Cybersecurity Outlook 2026)

Regional And Country Level Compliance Breakdowns

- Notified personal data breaches increased 22% year over year, reaching an average of 443 notifications per day. (DLA Piper GDPR Fines And Data Breach Survey 2026)
- Low confidence in national ability to respond to major cyber incidents reached 31% of respondents in 2026, up from 26% the prior year. (World Economic Forum Global Cybersecurity Outlook 2026)
- Privacy regulations benefited business for 90% of compliance professionals in Asia-Pacific. (Cisco 2025 Data Privacy Benchmark Study)
Breach Response And Compliance Risk Management

- Data breaches affected 60% of organizations with ad hoc risk management in 2024, compared with 41% of those using integrated or automated GRC tools. (Hyperproof 2025 IT Risk And Compliance Benchmark Report)
- Companies that identify a data breach in less than 100 days can save more than $1 million compared with companies that take longer. (ISACA Journal)
- Mature compliance programs track more than baseline compliance rates, including issue detection, response time, corrective actions, and policy access. (Compyl)
- Global median dwell time rose to 14 days in 2025, up from 11 days in 2024. (Mandiant M-Trends 2026 Report)
- Malicious activity was detected internally by 52% of organizations in 2025, while 34% learned from an external entity and 14% learned from an adversary notification. (Mandiant M-Trends 2026 Report)
- Evidence of data theft appeared in 40% of investigations in 2025. (Mandiant M-Trends 2026 Report)
- Ransomware-related incidents had a median dwell time of 9 days in 2025. (Mandiant M-Trends 2026 Report)
- In 2025, 28.96% of Known Exploited Vulnerabilities were exploited on or before the day their CVE was published. (VulnCheck State Of Exploitation 2026)
- First public exploitation activity for Known Exploited Vulnerabilities came from 118 unique sources in 2025. (VulnCheck State Of Exploitation 2026)
- Multifactor authentication blocked over 99% of unauthorized access attempts in 2025. (Microsoft Digital Defense Report 2025
Compliance Cost, Tool Sprawl, And Vendor Complexity

- Annual security budgets exceeded $1 million at 74% of organizations, while 22% had budgets below that threshold. (Hyperproof 2025 IT Risk And Compliance Benchmark Report)
- Budget constraints were the primary reason for not moving to the cloud for 27% of Fortra respondents. (Fortra 2025 State Of Cybersecurity Survey)
- Security concerns were cited by 59% of organizations not moving to the cloud, down from 77% the previous year. (Fortra 2025 State Of Cybersecurity Survey)
- Fewer than 10 security vendors were used by 70% of organizations. (Fortra 2025 State Of Cybersecurity Survey)
- Between 11 and 20 security vendors were used by 21% of organizations. (Fortra 2025 State Of Cybersecurity Survey)
- Between 21 and 30 security vendors were used by 5% of organizations. (Fortra 2025 State Of Cybersecurity Survey)
- Between 31 and 40 security vendors were used by 3% of organizations, and more than 50 vendors were used by 1%. (Fortra 2025 State Of Cybersecurity Survey)
- Security tool knowledge confidence reached 58%, while 20% were somewhat confident, 19% were very confident, and 3% were not confident. (Fortra 2025 State Of Cybersecurity Survey)
- Companies used an average of more than 4 tools to manage multi-state compliance. (Mosey 2025 Multi-State Compliance Benchmark Report)
- Spreadsheets were used for compliance tracking by 55% of organizations, calendar reminders by 65%, and email alerts by 67%. (Mosey 2025 Multi-State Compliance Benchmark Report)
- Dedicated compliance software platforms were used by only 37% of organizations, while 63% relied on a patchwork of general business tools. (Mosey 2025 Multi-State Compliance Benchmark Report)
- Compliance management was highly proactive at only 15% of organizations and somewhat proactive at 52%. (Mosey 2025 Multi-State Compliance Benchmark Report)
- Compliance issues were found through state agency notices or penalties at 59% of organizations. (Mosey 2025 Multi-State Compliance Benchmark Report)
- Late filings that resulted in penalties affected 33% of organizations, unexpected tax liabilities affected 29%, and audit findings affected 23%. (Mosey 2025 Multi-State Compliance Benchmark Report)
- Major compliance challenges were avoided by 44% of organizations. (Mosey 2025 Multi-State Compliance Benchmark Report)
- Too many cybersecurity tools slowed incident detection, response, and recovery for 77% of respondents in 2025. (Cisco 2025 Cybersecurity Readiness Index)
- More than 10 point solutions appeared in the security stacks of 70% of companies in 2025, and more than 30 appeared in the stacks of 26%. (Cisco 2025 Cybersecurity Readiness Index)
- Cybersecurity budgets were expected to increase over the next 12 months by 41% of respondents in 2025, while 18% expected decreases. (ISACA State Of Cybersecurity 2025)
- Risk management staffing was expected to increase over the next 2 years among 70% of risk leaders in 2025. (AuditBoard Risk Intelligence Report)
Noncompliance Cost And Penalties
- The U.S. average data breach cost exceeded $10 million in 2025. (IBM Cost Of A Data Breach Report 2025)
- Organizations without security AI and automation faced average breach costs of $5.52 million, compared with $3.85 million among extensive users. (IBM Cost Of A Data Breach Report 2025)
- High levels of shadow AI increased average breach costs by $670,000, from $4.07 million to $4.74 million. (IBM Cost Of A Data Breach Report 2025)
- A high security skills shortage raised breach costs by $1.57 million, from $3.65 million to $5.22 million. (IBM Cost Of A Data Breach Report 2025)
- Extensive AI-driven security automation reduced average breach costs by $1.67 million, from $5.52 million without automation to $3.85 million with extensive automation. (IBM Cost Of A Data Breach Report 2025)
- Internal compliance costs increased over the last 3 years for 58% of respondents. (Coalfire Securealities Compliance Report 2023)
- Companies invest in compliance because reputational damage and hidden costs can outweigh direct regulatory fines. (Thomson Reuters)
- European supervisory authorities issued approximately €1.2 billion in GDPR fines in 2025. (DLA Piper GDPR Fines And Data Breach Survey 2026)
- GDPR fines reached €97.29 million in H1 2022, nearly €100 million. (Atlas VPN via Global Security Mag)
- GDPR fines across surveyed jurisdictions totaled €7.1 billion since the regulation took effect in 2018. (DLA Piper GDPR Fines And Data Breach Survey 2026)
- Ireland’s Data Protection Commission issued €4.04 billion in fines since 2018 and imposed the largest GDPR fine of 2025 at €530 million for international data transfer violations. (DLA Piper GDPR Fines And Data Breach Survey 2026)
- Binance paid $4.3 billion in combined penalties in 2023 for Bank Secrecy Act and sanctions violations. (U.S. Department Of The Treasury Binance Settlement)
- FinCEN’s $3.4 billion civil penalty and OFAC’s $968 million penalty against Binance were the largest penalties ever imposed by each agency. (U.S. Department Of The Treasury Binance Settlement)
- SEC monetary sanctions against crypto firms climbed 3,018% in 2024 to $4.68 billion. (Social Capital Markets SEC Crypto Fines Analysis)
- Since 2013, the SEC has levied over $7.42 billion in fines against crypto firms and individuals, with 63% of that total coming in 2024 alone. (Social Capital Markets SEC Crypto Fines Analysis)

Third-Party Risk Statistics
- Third-party relationship and alliance work was negatively affected by rising compliance complexity for 76% of executives. (PwC Global Compliance Survey 2025)
- Vendor risk management now covers due diligence, onboarding, ongoing risk management, and offboarding across the vendor lifecycle. (Vanta Vendor Risk Management Framework)
- Third-party visibility was the top supply chain cyber resilience priority for 41% of CISOs. (Accenture State Of Cybersecurity Resilience)
- Strengthening third-party risk management was a top-five priority for 40% of legal, compliance, and privacy leaders. (PwC Global Compliance Survey 2025)
- Third-party breaches ranked among the top threats for 35% of business and technology executives. (KPMG Third Party Risk Management Outlook)
- Purpose-built technology for third-party risk was used by 56% of organizations in 2025. (Cohesity 6 Predictions For 2025)
- Regulatory compliance was screened when evaluating third-party relationships at 58% of organizations. (NAVEX 2025 State Of Risk And Compliance Report)
- Cybersecurity and data protection were screened when evaluating third-party relationships at 54% of organizations. (NAVEX 2025 State Of Risk And Compliance Report)
- Financial health was screened when evaluating third-party relationships at 49% of organizations. (NAVEX 2025 State Of Risk And Compliance Report)
- Human rights were screened when evaluating third-party relationships at 33% of organizations. (NAVEX 2025 State Of Risk And Compliance Report)
- Litigation history was screened when evaluating third-party relationships at 30% of organizations. (NAVEX 2025 State Of Risk And Compliance Report)
- Rigorous due diligence reduced third-party risk for 84% of organizations. (NAVEX 2025 State Of Risk And Compliance Report)
Industry-Specific Statistics
Compliance in the Financial Services

- Financial services organizations treated data sovereignty as critical or very important at 93%. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Financial services respondents showed high adoption of ISO 27001, SOC 2 Type II, and PCI DSS certification. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
Compliance in the SaaS Industry
- SaaS security was rated as a high priority by 86% of organizations in 2025, and 76% increased SaaS security budgets. (Cloud Security Alliance State Of SaaS Security Survey Report)
- Employees adopted SaaS without security involvement at 55% of organizations in 2025, and fragmented SaaS administration affected 57%. (Cloud Security Alliance State Of SaaS Security Survey Report)
- SaaS privilege enforcement was a challenge for 58% of organizations in 2025, and 54% lacked automated lifecycle management. (Cloud Security Alliance State Of SaaS Security Survey Report)
- Non-human identity monitoring was a challenge for 46% of organizations in 2025, and over-privileged API access concerned 56%. (Cloud Security Alliance State Of SaaS Security Survey Report)

Compliance in Technology
- Data sovereignty was critical or very important for 86% of technology companies. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- GDPR applied to 94% of technology companies. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- PCI DSS applied to 72% of technology organizations when they handled payments. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Foundational data and AI security practices were missing at 77% of organizations in 2025. (Accenture State Of Cybersecurity Resilience 2025)
- Only 34% of organizations had a mature cyber strategy in 2025, and 13% had advanced cyber capabilities for modern AI-driven threats. (Accenture State Of Cybersecurity Resilience 2025)
Manufacturing Compliance Statistics
- Data sovereignty was critical for 80% of manufacturing organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- ISO 27001 adoption was strong among manufacturers, while SOC 2 Type II adoption varied widely. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Manufacturing forms often relied on legacy systems, increasing exposure across supplier portals and warranty registration workflows. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
Healthcare Compliance Statistics
- Data sovereignty was critical for 83% of healthcare organizations. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- HIPAA applied to nearly all healthcare respondents, and 97% collected protected health information through forms. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
- Healthcare forms faced high rates of cross-site scripting and credential harvesting attacks. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
Government Compliance Statistics
- Government forms handled applications, benefits, procurement, and citizen services, creating exposure to bot attacks, credential harvesting, and injection attempts. (Kiteworks Data Security And Compliance Risk 2025 Data Forms Survey)
Broad Industry Compliance Statistics
- Employee hours dedicated to compliance increased 61% from 2016 to 2023. (Bank Policy Institute Survey On Compliance Demand)
- Basic tools such as spreadsheets were still used by 40% of compliance teams. (Drata Compliance Trends Report)
- Compliance contributed significantly or moderately to objectives for 77% of global C-suite leaders. (Thomson Reuters Institute 2025 C-Suite Survey)
- Keeping up with laws, policies, and regulations was the most important decision factor for 69% of risk and compliance professionals. (NAVEX Global Risk And Compliance Statistics)
- More than 100 trillion security signals were processed daily in 2025. (Microsoft Digital Defense Report 2025)
- More than 4.5 million net new malware files were blocked every day, and 38 million identity risk detections were analyzed daily in 2025. (Microsoft Digital Defense Report 2025)
- An average of 5 billion emails were screened daily for malware and phishing in 2025. (Microsoft Digital Defense Report 2025)
Compliance Team Workload And Skills Statistics

- A high security skills shortage affected 48% of organizations. (IBM Cost Of A Data Breach Report 2025)
- 34% of organizations foresaw a shortage in specialist compliance skills in the next year. (PwC Global Compliance Survey 2025)
- Privacy training completion reached 90% of employees at more than half of privacy teams. (IAPP Privacy Governance Report 2024)
- Fewer than 50% of employees completed privacy training at 1 in 5 privacy teams. (IAPP Privacy Governance Report 2024)
- Responsibilities beyond privacy were handled by 80% of privacy teams. (IAPP Privacy Governance Report 2024)
- AI governance responsibilities were held by 69% of chief privacy officers. (IAPP Privacy Governance Report 2024)
- Data governance and ethics responsibilities were held by 69% of chief privacy officers. (IAPP Privacy Governance Report 2024)
- Five or more privacy compliance delivery challenges affected 55% of privacy professionals, and 10 or more affected 15%. (IAPP Privacy Governance Report 2024)
- At least 1 data protection officer was in place at 70% of European organizations. (IAPP Privacy Governance Report 2024)
- Data protection officers were present at only 40% of North American organizations, and those organizations averaged fewer than 1 full-time DPO position. (IAPP Privacy Governance Report 2024)
- Cybersecurity roles were more stressful than 5 years earlier for 66% of respondents in 2025. (ISACA State Of Cybersecurity 2025)
- Training for nonsecurity staff to move into security roles was provided by 29% of enterprises in 2025, down from 41% in 2024. (ISACA State Of Cybersecurity 2025)
- Needed cybersecurity skills were hard to hire for 30% of respondents in 2025, and 29% lacked the budget to hire enough people. (ISC2 Cybersecurity Workforce Study)
- Cybersecurity staff reductions increased breach likelihood for 72% of respondents in 2025. (ISC2 Cybersecurity Workforce Study)
Crypto, AML, And Financial Crime Compliance Statistics
- Illicit cryptocurrency addresses received at least $154 billion in 2025, a 162% year-over-year increase. (Chainalysis 2026 Crypto Crime Report)
- Stablecoins accounted for 84% of all illicit crypto transaction volume, up from 63% in 2024. (Chainalysis 2026 Crypto Crime Report)
- Value received by sanctioned entities increased 694% year over year in 2025. (Chainalysis 2026 Crypto Crime Report)
- Illicit activity represented less than 1% of total on-chain crypto transaction volume despite record nominal values. (Chainalysis 2026 Crypto Crime Report)
- Illicit entity wallet balances across BTC, ETH, and stablecoins reached nearly $15 billion by July 2025, a 359% increase from 2020. (Chainalysis 2026 Crypto Crime Report)
- DPRK-linked hackers stole $2 billion from crypto platforms in 2025. (Chainalysis 2026 Crypto Crime Report)
- The February 2025 Bybit exploit netted nearly $1.5 billion, and only 3.8% of the stolen funds had been recovered. (FATF Targeted Update On Virtual Assets And VASPs 2025)
- Russia’s ruble-backed A7A5 token processed over $93.3 billion in less than 1 year before OFAC and EU sanctions designations. (Chainalysis 2026 Crypto Crime Report)
- Americans reported $9.3 billion in cryptocurrency-related fraud losses in 2024, a 66% jump from 2023. (FBI 2024 IC3 Report)
- Crypto investment scams generated 41,557 complaints and $5.8 billion in losses in 2024, a 47% year-over-year increase. (FBI 2024 IC3 Report)
- Crypto ATM and kiosk complaints rose 99% in 2024, with reported losses of $246.7 million. (FBI 2024 IC3 Report)
- Americans aged 60 and older lost over $1.6 billion to crypto investment scams in 2024. (FBI 2024 IC3 Report)
- U.S. crypto fraud losses reached $11 billion across 181,565 complaints in 2025, up 22% from 2024. (FBI IC3 Annual Reports)
- By July 2024, 75% of assessed jurisdictions were only partially compliant or non-compliant with FATF AML/CFT standards for virtual assets. (FATF Targeted Update On Virtual Assets And VASPs 2024)
- By April 2025, only 1 jurisdiction globally was rated fully compliant with FATF Recommendation 15. (FATF Targeted Update On Virtual Assets And VASPs 2025)
- Travel Rule legislation was passed or in progress in 99 jurisdictions, though supervision and enforcement remained low in most. (FATF Targeted Update On Virtual Assets And VASPs 2025)
Compliance Training And Employee Behavior Statistics
- Ethics training was customized for high-risk employees at 76% of compliance programs. (NAVEX 2025 State Of Risk And Compliance Report)
- Training was offered in employees’ native languages at 80% of compliance programs. (NAVEX 2025 State Of Risk And Compliance Report)
- Whistleblower hotlines operated at 53% of organizations, including 69% of large companies, 54% of midsize firms, and 43% of small businesses. (NAVEX 2025 State Of Risk And Compliance Report)
- Official non-retaliation policies protected whistleblowers at only 49% of organizations. (NAVEX 2025 State Of Risk And Compliance Report)
- Purpose-built technology was used for ethics and compliance training and related program elements at 78% of organizations. (NAVEX 2025 State Of Risk And Compliance Report)
- The global baseline Phish-prone Percentage was 33.1% before training. (KnowBe4 2025 Phishing By Industry Benchmarking Report)
- Ongoing security awareness training reduced the global Phish-prone Percentage from 33.1% to 4.1% after 12 months, an 86% decline. (KnowBe4 2025 Phishing By Industry Benchmarking Report)
- Phishing click rates dropped 40% within the first 90 days of security awareness training. (KnowBe4 2025 Phishing By Industry Benchmarking Report)
- The human element was involved in approximately 60% of data breaches in 2025. (Verizon 2025 Data Breach Investigations Report)
- Stolen credentials were the initial access vector in 22% of breaches analyzed in 2025. (Verizon 2025 Data Breach Investigations Report)
- Phishing accounted for 16% of breach initial access vectors in 2025. (IBM Cost Of A Data Breach Report 2025)
- Employees felt pressured to compromise workplace standards or the law at 28% globally, up from 20% in 2019. (Ethics And Compliance Initiative Global Business Ethics Survey 2023)
- Workplace misconduct was observed by 65% of global employees during the prior 12 months, compared with 60% in 2020. (Ethics And Compliance Initiative Global Business Ethics Survey 2023)
- Specific risk areas factored into training program selection for only 26% of risk and compliance professionals. (NAVEX 2024 State Of Risk And Compliance Report)
- GenAI familiarity reached 63% among respondents in fall 2024, up from 55% in 2023. (Cisco 2025 Data Privacy Benchmark Study)
- Soft skills were the largest cybersecurity skill gap in 2025 at 59%, up from 51% in 2024. (ISACA State Of Cybersecurity 2025)
- At least 1 significant cybersecurity consequence from a skills deficiency affected 88% of respondents in 2025. (ISC2 Cybersecurity Workforce Study)
Tax Compliance And IRS Audit Statistics
- The IRS closed 497,621 tax return audits in FY 2025, resulting in $26.8 billion in recommended additional tax. (IRS Data Book 2025)
- 12,192 taxpayers, or 2.5% of closed examinations, disagreed with the IRS examiner’s determination in FY 2025. (IRS Data Book 2025)
- Unagreed IRS audit findings represented $12.6 billion in recommended additional tax in FY 2025. (IRS Data Book 2025)
- The IRS examined 0.36% of individual returns and 0.57% of corporation returns filed for tax years 2015 through 2023, as of the end of FY 2025. (IRS Data Book 2025)
- The IRS examined 7.9% of individual returns reporting total positive income of $10 million or more for tax years 2015 through 2023, as of the end of FY 2025. (IRS Data Book 2025)
- For tax year 2021, the IRS exam coverage rate was 6.6% for individual taxpayers reporting total positive income of $10 million or more. (IRS Data Book 2025)
- For tax year 2021, the IRS exam coverage rate was 3.9% for taxpayers with total positive income of $5 million to $10 million. (IRS Data Book 2025)
- For tax year 2021, the IRS exam coverage rate was 0.9% for taxpayers with total positive income of $1 million to $5 million. (IRS Data Book 2025)
- The IRS closed 987,460 Automated Underreporter Program cases in FY 2025, resulting in $5.9 billion in additional assessments. (IRS Data Book 2025)
- The IRS closed 592,773 Automated Substitute for Return Program cases in FY 2025, resulting in nearly $2.9 billion in additional assessments. (IRS Data Book 2025)
- The IRS received 4.5 billion third-party information returns in FY 2025, and 93.9% were filed electronically. (IRS Data Book 2025)
- The IRS completed 2,850 criminal investigations in FY 2025, including 1,085 legal-source tax crime cases, 1,195 illegal-source financial crime cases, and 570 narcotics-related financial crime cases. (IRS Data Book 2025)
- The IRS collected $117.5 billion in unpaid assessments on returns filed with additional tax due in FY 2025, netting $73.1 billion after credit transfers. (IRS Data Book 2025)
- The IRS assessed $29.6 billion in additional taxes for returns not filed on time in FY 2025 and collected $3.5 billion with delinquent returns. (IRS Data Book 2025)
- Taxpayers proposed 38,797 offers in compromise in FY 2025, and the IRS accepted 5,464 offers totaling $98.1 million. (IRS Data Book 2025)
- Taxpayers created 3.2 million new installment agreements in FY 2025 and paid $17.9 billion toward installment agreements. (IRS Data Book 2025)
- The IRS Appeals Office closed 52,997 cases in FY 2025, including cases received in prior fiscal years. (IRS Data Book 2025)
- Examination cases accounted for 41.3% of IRS Appeals cases closed in FY 2025, while Collection Due Process cases accounted for 32.6%. (IRS Data Book 2025)
- The projected annual gross U.S. tax gap for tax year 2022 was $696 billion, with a projected voluntary compliance rate of 85.0%. (IRS Tax Gap)
- The projected net U.S. tax gap for tax year 2022 was $606 billion after $90 billion in expected enforced and other late payments. (IRS Tax Gap)
- Underreporting accounted for $539 billion of the projected tax year 2022 gross tax gap, compared with $63 billion from nonfiling and $94 billion from underpayment. (IRS Tax Gap)
- Individual income tax accounted for $514 billion of the projected tax year 2022 gross tax gap, followed by employment tax at $127 billion, corporate tax at $50 billion, and estate tax at $5 billion. (IRS Tax Gap)
Wanna read similar stat based articles? Check out:
- 280+ Cybersecurity Compliance Stats
- 100+ Penetration Testing Statistics
- 200+ Cybersecurity Statistics
FAQ
Yes. Regulatory requirements continue to expand across industries, with organizations facing overlapping obligations under data protection, cybersecurity, financial reporting, and sector-specific laws.
Yes. Many mid-sized and large organizations allocate millions of dollars annually to compliance programs, audits, training, and monitoring activities.
Yes. Regulatory fines, legal settlements, and remediation costs can reach millions or even billions of dollars, depending on the severity and scope of the violation.
Yes. Small and medium-sized businesses are frequently subject to the same regulatory frameworks as larger enterprises and can face substantial penalties for noncompliance.
Yes. Many regulators have expanded enforcement actions, particularly in areas such as data privacy, anti-money laundering, healthcare compliance, and cybersecurity.
Yes. Organizations with documented policies, internal controls, and ongoing monitoring are generally better positioned to detect issues early and mitigate enforcement exposure.
Yes. Public enforcement actions and breach disclosures often lead to reputational damage, customer churn, and loss of investor confidence.
No. Compliance obligations apply to organizations of all sizes when they operate in regulated industries or process regulated data, making structured compliance management relevant for startups and enterprises alike.
In compliance statistics, compliance usually means how well an organization follows applicable laws, regulations, standards, and internal policies, and the statistics measure outcomes such as audit findings, violations, training completion, policy adherence, and incident rates. ISO 37301 describes compliance management as a system for handling compliance obligations and adherence to laws, regulations, and ethical standards.
The “7 pillars of compliance” usually means the OIG’s seven fundamental elements of an effective compliance program: written policies and standards of conduct, a compliance officer and committee, training and education, communication channels, internal monitoring and auditing, disciplinary standards, and corrective action for detected issues. HHS OIG also labels this area as “Compliance Program Infrastructure: The Seven Elements.”
There is no single universal four stage model, but one common compliance maturity model uses four phases: Laggard, Compliant, Proactive, and Leader. Other frameworks use five levels, so the exact names can change across sources.
Get In Touch


