Compliance
Nonprofits face the same attacks as any business on a fraction of the budget. There's no nonprofit-specific cyber law — but PCI, grant requirements, and state breach laws still bite. The high-leverage, low-cost controls that matter.
Nonprofits get hit by the same attacks as any business — phishing, ransomware, donor-data theft — usually on the leanest IT budgets on the map. The reassuring part: there's no nonprofit-specific cybersecurity law to decode. The part that surprises people: several real obligations still apply, and grantmakers increasingly expect a security posture before they write the check. This guide covers what actually applies and the controls that matter most per dollar.
There's no statute written specifically for nonprofit cybersecurity, but four real pressures apply depending on what your organization does:
The honest framing: the driver for most nonprofits isn't a single regulator — it's donor trust, grant eligibility, and the same ransomware risk everyone faces.
Two reasons. First, the data: donor and member records — names, contact details, giving history, sometimes payment and bank information — are valuable and often concentrated in a CRM. Second, the gap: most nonprofits run on a stretched, part-time, or volunteer IT setup, which attackers read as a soft target. Ransomware is the blunt end of it — Verizon's 2026 DBIR found it in 48% of breaches (Verizon DBIR) — and a small team without backups can be crippled by a single incident.
Carriers and grantmakers don't grade nonprofits on a curve, so the smart move is to lead with the controls that cost the least and prevent the most:
These four are the high-leverage set, and none of them require enterprise money.
Cost is the real constraint, so it's worth being concrete: Foundation EDR has no minimum — you can start with a single device. The fuller tiers (Protected adds identity and training; Complete adds SIEM) are built for organizations with at least five staff and are billed per seat. A small nonprofit can run enterprise-grade detection without an enterprise budget — see pricing.
The fastest path is to start with the high-leverage controls and produce the documentation grantmakers and cyber carriers increasingly ask for — as a byproduct of the service, not a separate project. The Cyber Insurance Readiness Sprint maps your current state and produces that evidence package in a fixed-scope, seven-business-day engagement. See the Nonprofits & Associations security page for how the program runs on a nonprofit budget.
No single law governs nonprofit cybersecurity, but PCI (on card donations), grant terms, and state breach laws all apply — and donor trust is the asset you can't afford to lose. Lead with MFA, tested backups, and phishing training; get managed detection without hiring; and document it once for grantmakers and carriers. The controls that cost the least move the most.
Protecting donors and grants on a tight budget? Book a nonprofit security assessment.
Last updated
June 17, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
There's no single cybersecurity law written just for nonprofits, but several real obligations apply depending on what you do. If you accept card donations, PCI DSS applies. If you take federal grants, your funding agreement can flow down security requirements. State data-breach-notification laws apply to donor and member personal information. And if your mission involves health data or financial counseling, HIPAA or GLBA may apply on top.
Yes. PCI DSS applies to every organization that stores, processes, or transmits cardholder data — there's no nonprofit exemption. If you accept donations by card, you're in scope. The good news: using a compliant payment processor that handles the card data can dramatically shrink what you're responsible for.
It varies by funder, and it's rising. Federal grant recipients can inherit safeguarding requirements through their award terms, and private and institutional funders increasingly ask about data protection during due diligence. A documented security program — even a lean one — is becoming part of being grant-ready, not just an IT nicety.
The controls that move the most risk per dollar: multi-factor authentication on every account, immutable or MFA-protected backups with a tested restore, and recurring phishing simulation. None require a big budget, and together they block the most common ways a nonprofit gets breached. Managed EDR starts per-device with no minimum, so a five-device org pays for five devices.
Related reading
No — HIPAA doesn't cover pets, and there's no federal law requiring vets to safeguard animal health records. But veterinary practices still run on payment data and cloud software that ransomware loves. The real risk, and what to do about it.
Read articleProperty managers hold tenant SSNs and bank details, pull credit reports under FCRA, and move owner money — making them a prime target for wire fraud and data theft. The real exposures and the controls that close them.
Read articleIf you take card payments — in a shop or online — PCI DSS applies to you, and 51 new v4.x requirements became mandatory in 2025. What that means for a small merchant, plain-English, without the jargon.
Read article