IL HB5204
Bill
Status
2/14/2020
Primary Sponsor
Keith Wheeler
AI Summary
- Creates the Cybersecurity Compliance Act establishing an affirmative defense for covered entities that maintain written cybersecurity programs with administrative, technical, and physical safeguards conforming to industry-recognized frameworks.
- Defines "covered entity" as any business accessing, maintaining, communicating, or processing personal or restricted information through systems in or outside Illinois.
- Requires cybersecurity programs designed to protect information security and confidentiality, defend against anticipated threats, and prevent unauthorized access likely to cause identity theft or fraud.
- Accepts compliance with six specified industry frameworks including NIST standards, FedRAMP, Center for Internet Security Controls, ISO/IEC 27000, and PCI data security standards, with one-year grace periods when frameworks are revised.
- Provides no private right of action under the Act; covered entities must scale their programs based on entity size, complexity, activity scope, information sensitivity, available tools, and resources.
Legislative Description
CYBERSECURITY LEGAL DEFENSE
Last Action
Rule 19(b) / Re-referred to Rules Committee
6/23/2020