Regulatory requirements for information governance and records management

Use the resources on this page to help you meet specific regulatory requirements for information governance and records management in Microsoft 365. Each section of this document focuses on one or more related regulations and includes any existing guidance or third-party assessment of how to configure Microsoft 365 to help with the requirements outlined.

These resources are available to download from the Data Protection Resources, FAQ and White Papers page of the Service Trust Portal.

New Zealand Public Records Act

Supporting New Zealand's Public Records Act compliance obligations with Microsoft 365 - Download assessment

Applicable workloads: SharePoint, OneDrive, Teams, and Exchange

Released January 2021, this report has been produced in partnership with Microsoft New Zealand to assess the capabilities of Microsoft 365 services for recording, storing, and managing requirements for electronic records, as specified by:

  • New Zealand Public Records Act 2005, which sets guidelines for preservation of public archives and local authority archives in New Zealand.

This report helps you understand how the system aspects of the New Zealand Public Records Act 2005 (PRA) are achievable when using Microsoft 365.

SEC 17a-4(f), FINRA 4511(c), and CFTC 1.31(c)-(d)

Cohasset Assessment - Microsoft 365 - SEC Rule 17a-4(f) - Immutable Storage for SharePoint, OneDrive, Teams, Exchange, and Skype - Download assessment

Applicable workloads: SharePoint, OneDrive, Teams, Exchange, and Skype for Business

Released November 2020, this report has been produced in partnership with Cohasset Associates, Inc. (Cohasset) to assess the capabilities of Microsoft 365 services for recording, storing, and managing requirements for electronic records, as specified by:

  • Securities and Exchange Commission (SEC) in 17 CFR § 240.17a-4(f), which regulates exchange members, brokers or dealers.

  • Financial Industry Regulatory Authority (FINRA) Rule 4511(c), which defers to the format and media requirements of SEC Rule 17a-4(f).

  • The principles-based electronic records requirements of the Commodity Futures Trading Commission (CFTC) in 17 CFR § 1.31(c)-(d).

The opinion from Cohasset is that when compliance features are properly configured and carefully applied and managed as described in their report, the assessed Microsoft 365 services meet the five requirements related to the recording and non-rewriteable, non-erasable storage of electronic records.