Compliance stats

Table of Contents

    Updated:

    July 9, 2026

    400 Compliance Statistics – June 2026

    Compliance programs underpin data protection, privacy and risk management across every industry, and the numbers show how rapidly the landscape is evolving.

    This article compiles 400 unique, handpicked statistics from authoritative reports and regulatory summaries to help security leaders benchmark their programs and assess regulatory exposure.

    This report is built on verified data from leading research and regulatory bodies, including PwC, IBM, KPMG, the U.S. Department of Health and Human Services, FATF, Verizon, and DLA Piper, which demonstrates the report’s credibility, data quality, and reliability.

    Key Compliance Stats At a Glance

    Regulators continue to issue settlements across healthcare, finance, and edtech sectors. For a current view of recent compliance enforcement actions, see our running coverage of HIPAA, CMMC, SEC, and FTC cases from 2026.

    AI in Compliance Statistics
    AI in Compliance Statistics

    Data Privacy, Payment, And Security Framework Statistics

    Compliance and Web Form Security Yearly Budget Stats
    Compliance and Web Form Security Yearly Budget Stats

    Compliance Audit, Framework, and Certification Statistics

    Regulatory Change Management And AI Governance Statistics

    • The regulatory environment was viewed as a barrier to value creation by 64% of CEOs. (PwC Global CEO Survey)
    • Potential regulatory changes were escalated directly to executive teams or boards by 16% of financial services compliance professionals. (CUBE Cost Of Compliance Report 2025)
    • Significant strategic change due to geopolitical risks was expected by 25% of financial services leaders, and 8% believed those tensions could fundamentally alter their business models. (CUBE Cost Of Compliance Report 2025)

    SOC 2 Statistics 

    ISO 27001 Compliance Figures

    Latest CMMC Stats

    NIST Statistics

    • NIST CSF adoption reached 83% among organizations in the 2025 RH-ISAC CISO Benchmark. (RH-ISAC 2025 CISO Benchmark Report)
    • NIST CSF scores rose 25% since 2024, reaching an average score of 3.1 across functions in 2025. (RH-ISAC 2025 CISO Benchmark Report)
    • Frontrunners scored 3.2 across NIST functions in 2025, with a projected average of 3.5 in 2026. (RH-ISAC 2025 CISO Benchmark Report)
    • Wavestone assessed more than 170 organizations against NIST CSF 2.0 in its 2025 Cyber Benchmark. (Wavestone 2025 Cyber Benchmark)
    • Large-company cybersecurity maturity reached 54% in 2025 based on NIST CSF 2.0 and ISO 27001, up 1 point from 2024. (Wavestone 2025 Cyber Benchmark)
    • Financial-sector cybersecurity maturity reached 62.5% in 2025, up 2.5 points from 2024. (Wavestone 2025 Cyber Benchmark)
    • Cybersecurity budgets averaged 6.4% of IT budgets in 2025, down from 6.6% in 2024. (Wavestone 2025 Cyber Benchmark)
    • Large organizations averaged 1 cybersecurity expert for every 1,016 employees in 2025, compared with 1 expert for every 1,086 employees the year before. (Wavestone 2025 Cyber Benchmark)
    • Across 29 ransomware attack vectors, large organizations had an average protection level of 56% in 2025. (Wavestone 2025 Cyber Benchmark)
    • NIST CSF 2.0 organizes cybersecurity outcomes under 6 core functions: Govern, Identify, Protect, Detect, Respond, and Recover. (NIST Cybersecurity Framework 2.0)
    • NIST CSF 2.0 uses 4 tiers: Partial, Risk Informed, Repeatable, and Adaptive. (NIST Cybersecurity Framework 2.0)
    • NIST CSF 2.0 applies to information technology, the Internet of Things, operational technology, cloud, mobile, and artificial intelligence systems. (NIST Cybersecurity Framework 2.0)
    • NIST SP 800-171 Revision 3 organizes CUI security requirements into 17 families. (NIST SP 800-171 Revision 3)
    • NIST SP 800-171 Revision 3 applies to nonfederal system components that process, store, or transmit CUI. (NIST SP 800-171 Revision 3)
    • NIST SP 800-171 Revision 3 added Planning, System and Services Acquisition, and Supply Chain Risk Management to its security requirement family structure. (NIST SP 800-171 Revision 3)
    • NIST SP 800-53 Revision 5 includes 20 security and privacy control families. (NIST SP 800-53 Revision 5)
    • NIST issued SP 800-53 Release 5.2.0 on August 27, 2025. (NIST SP 800-53 Release 5.2.0 Update)
    • NIST SP 800-53 Release 5.2.0 added updates related to software updates, patches, software integrity, and validation. (NIST SP 800-53 Release 5.2.0 Update)
    • NIST SP 800-70 Revision 5 was published in May 2026 and replaced SP 800-70 Revision 4 from 2018. (NIST SP 800-70 Revision 5)
    • NIST SP 800-70 Revision 5 added mapping concepts between checklist settings, NIST CSF 2.0 outcomes, NIST SP 800-53 controls, and Common Configuration Enumeration identifiers. (NIST SP 800-70 Revision 5)
    • NIST published the final NIST IR 8374 Revision 1 ransomware risk management profile on June 11, 2026. (NIST IR 8374 Revision 1 Ransomware Risk Management)
    • NIST IR 8374 Revision 1 maps ransomware risk management objectives to NIST CSF 2.0 outcomes. (NIST IR 8374 Revision 1 Ransomware Risk Management)
    • In higher education, 36% of respondents rated NIST SP 800-171 compliance as a high priority, while 41% rated it as a moderate priority. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
    • 54% of higher education respondents had a formal NIST SP 800-171 compliance plan, while 44% did not. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
    • 62% of higher education respondents working toward NIST SP 800-171 compliance were investing in cybersecurity tools and technologies. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
    • Limited personnel blocked NIST SP 800-171 compliance for 76% of higher education respondents, followed by competing priorities at 70% and insufficient funding at 66%. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)
    • Increased funding was the top internal resource needed for NIST SP 800-171 compliance at 78%, followed by additional dedicated personnel at 76% and leadership support at 58%. (EDUCAUSE NIST SP 800-171 QuickPoll 2025)

    PCI DSS Stats

    Compliance Requirements

    Cybersecurity Threat And Breach

    AI Threat on Compliance Statistics
    AI Threat on Compliance Statistics
    Compliance Complexity Stat
    Compliance Complexity Stat

    Regional And Country Level Compliance Breakdowns

    Biggest Challenges In ISAE And SOC Reporting In Switzerland Stats
    Biggest Challenges In ISAE And SOC Reporting In Switzerland Stats
    1. Notified personal data breaches increased 22% year over year, reaching an average of 443 notifications per day. (DLA Piper GDPR Fines And Data Breach Survey 2026)
    2. Low confidence in national ability to respond to major cyber incidents reached 31% of respondents in 2026, up from 26% the prior year. (World Economic Forum Global Cybersecurity Outlook 2026)
    3. Privacy regulations benefited business for 90% of compliance professionals in Asia-Pacific. (Cisco 2025 Data Privacy Benchmark Study)

    Breach Response And Compliance Risk Management

    Factors Organizations Actually Screen for While Evaluating Third Party Relationships
    Factors Organizations Actually Screen for While Evaluating Third Party Relationships

    Compliance Cost, Tool Sprawl, And Vendor Complexity

    Regulatory Environment and Leadership Stat
    Regulatory Environment and Leadership Stats

    Noncompliance Cost And Penalties

    Compliance Budget Statistics
    Compliance Budget Statistics

    Third-Party Risk Statistics

    Industry-Specific Statistics

    Compliance in the Financial Services

    Regulatory Change Management Statistics
    Regulatory Change Management Statistics

    Compliance in the SaaS Industry

    Noncompliance Cost Stat
    Noncompliance Cost Stat

    Compliance in Technology

    Manufacturing Compliance Statistics

    Healthcare Compliance Statistics

    Government Compliance Statistics

    Broad Industry Compliance Statistics

    Compliance Team Workload And Skills Statistics

    Compliance Tracking Statistics
    Compliance Tracking Statistics

    Crypto, AML, And Financial Crime Compliance Statistics

    Compliance Training And Employee Behavior Statistics

    Tax Compliance And IRS Audit Statistics

    • The IRS closed 497,621 tax return audits in FY 2025, resulting in $26.8 billion in recommended additional tax. (IRS Data Book 2025)
    • 12,192 taxpayers, or 2.5% of closed examinations, disagreed with the IRS examiner’s determination in FY 2025. (IRS Data Book 2025)
    • Unagreed IRS audit findings represented $12.6 billion in recommended additional tax in FY 2025. (IRS Data Book 2025)
    • The IRS examined 0.36% of individual returns and 0.57% of corporation returns filed for tax years 2015 through 2023, as of the end of FY 2025. (IRS Data Book 2025)
    • The IRS examined 7.9% of individual returns reporting total positive income of $10 million or more for tax years 2015 through 2023, as of the end of FY 2025. (IRS Data Book 2025)
    • For tax year 2021, the IRS exam coverage rate was 6.6% for individual taxpayers reporting total positive income of $10 million or more. (IRS Data Book 2025)
    • For tax year 2021, the IRS exam coverage rate was 3.9% for taxpayers with total positive income of $5 million to $10 million. (IRS Data Book 2025)
    • For tax year 2021, the IRS exam coverage rate was 0.9% for taxpayers with total positive income of $1 million to $5 million. (IRS Data Book 2025)
    • The IRS closed 987,460 Automated Underreporter Program cases in FY 2025, resulting in $5.9 billion in additional assessments. (IRS Data Book 2025)
    • The IRS closed 592,773 Automated Substitute for Return Program cases in FY 2025, resulting in nearly $2.9 billion in additional assessments. (IRS Data Book 2025)
    • The IRS received 4.5 billion third-party information returns in FY 2025, and 93.9% were filed electronically. (IRS Data Book 2025)
    • The IRS completed 2,850 criminal investigations in FY 2025, including 1,085 legal-source tax crime cases, 1,195 illegal-source financial crime cases, and 570 narcotics-related financial crime cases. (IRS Data Book 2025)
    • The IRS collected $117.5 billion in unpaid assessments on returns filed with additional tax due in FY 2025, netting $73.1 billion after credit transfers. (IRS Data Book 2025)
    • The IRS assessed $29.6 billion in additional taxes for returns not filed on time in FY 2025 and collected $3.5 billion with delinquent returns. (IRS Data Book 2025)
    • Taxpayers proposed 38,797 offers in compromise in FY 2025, and the IRS accepted 5,464 offers totaling $98.1 million. (IRS Data Book 2025)
    • Taxpayers created 3.2 million new installment agreements in FY 2025 and paid $17.9 billion toward installment agreements. (IRS Data Book 2025)
    • The IRS Appeals Office closed 52,997 cases in FY 2025, including cases received in prior fiscal years. (IRS Data Book 2025)
    • Examination cases accounted for 41.3% of IRS Appeals cases closed in FY 2025, while Collection Due Process cases accounted for 32.6%. (IRS Data Book 2025)
    • The projected annual gross U.S. tax gap for tax year 2022 was $696 billion, with a projected voluntary compliance rate of 85.0%. (IRS Tax Gap)
    • The projected net U.S. tax gap for tax year 2022 was $606 billion after $90 billion in expected enforced and other late payments. (IRS Tax Gap)
    • Underreporting accounted for $539 billion of the projected tax year 2022 gross tax gap, compared with $63 billion from nonfiling and $94 billion from underpayment. (IRS Tax Gap)
    • Individual income tax accounted for $514 billion of the projected tax year 2022 gross tax gap, followed by employment tax at $127 billion, corporate tax at $50 billion, and estate tax at $5 billion. (IRS Tax Gap)

    Wanna read similar stat based articles? Check out:

    FAQ

    Are compliance requirements increasing worldwide?

    Yes. Regulatory requirements continue to expand across industries, with organizations facing overlapping obligations under data protection, cybersecurity, financial reporting, and sector-specific laws.

    Do companies spend significant budgets on compliance?

    Yes. Many mid-sized and large organizations allocate millions of dollars annually to compliance programs, audits, training, and monitoring activities.

    Are compliance violations financially costly?

    Yes. Regulatory fines, legal settlements, and remediation costs can reach millions or even billions of dollars, depending on the severity and scope of the violation.

    Do small businesses face compliance risks too?

    Yes. Small and medium-sized businesses are frequently subject to the same regulatory frameworks as larger enterprises and can face substantial penalties for noncompliance.

    Has regulatory enforcement activity increased in recent years?

    Yes. Many regulators have expanded enforcement actions, particularly in areas such as data privacy, anti-money laundering, healthcare compliance, and cybersecurity.

    Do compliance programs reduce the risk of penalties?

    Yes. Organizations with documented policies, internal controls, and ongoing monitoring are generally better positioned to detect issues early and mitigate enforcement exposure.

    Can noncompliance affect a company’s reputation?

    Yes. Public enforcement actions and breach disclosures often lead to reputational damage, customer churn, and loss of investor confidence.

    Does compliance only matter for large corporations?

    No. Compliance obligations apply to organizations of all sizes when they operate in regulated industries or process regulated data, making structured compliance management relevant for startups and enterprises alike.

    What is compliance in statistics?

    In compliance statistics, compliance usually means how well an organization follows applicable laws, regulations, standards, and internal policies, and the statistics measure outcomes such as audit findings, violations, training completion, policy adherence, and incident rates. ISO 37301 describes compliance management as a system for handling compliance obligations and adherence to laws, regulations, and ethical standards.

    What are the 7 pillars of compliance?

    The “7 pillars of compliance” usually means the OIG’s seven fundamental elements of an effective compliance program: written policies and standards of conduct, a compliance officer and committee, training and education, communication channels, internal monitoring and auditing, disciplinary standards, and corrective action for detected issues. HHS OIG also labels this area as “Compliance Program Infrastructure: The Seven Elements.”

    What are the 4 stages of compliance?

    There is no single universal four stage model, but one common compliance maturity model uses four phases: Laggard, Compliant, Proactive, and Leader. Other frameworks use five levels, so the exact names can change across sources.

    Tamzid brings 5+ years of writing experience across SaaS, cybersecurity, compliance, and blockchain. He holds a foundational Cisco cybersecurity certification and turns complex topics into clear, practical insights.

    Get In Touch

      Group 1298 (1)-min