EU · UK · US-federal · global standards · sector regimes · Finnish sovereign
The shift
From paperwork to proof.
Today, demonstrating compliance means producing documents: annual questionnaires, a certificate that audits the prime vendor and not the chain beneath it, an auditor who attests on your behalf. None of it is operational evidence of what was actually done with the data — and the post-2024 regulatory stack (NIS2, DORA, the AI Act) has started asking operators to prove things paper cannot.
EdSSA produces the other thing. Every authentication or data-handling event can anchor into a Tier-4 Merkle audit chain with a seven-year retention floor. The chain is operator-independent: it replicates to the data owner, a public transparency log, or the regulator directly, and is verified with software they hold — no cooperation from the party being verified.
This is the same primitive the satellites and data-supply-chain pages describe, pointed at the compliance question: not “did you sign a form?” but “can anyone check what happened, years later, without taking your word for it?”
We map that one substrate to 25 regulatory frameworks — and each mapping is a document plus a configuration, never new cryptography. That is why the breadth is real, and why it keeps growing.
The breadth
25 frameworks. One substrate.
Most regulated operators sit in several at once — an EU fintech in DORA + GDPR + ISO 27001 + SOC 2; a US hospital in HIPAA + HITRUST + NIST CSF. The same audit chain answers all of them.
United Kingdom: 1 framework
US federal: 5 frameworks
Global standards + sector: 10 frameworks
Finland (sovereign): 3 frameworks
One substrate, every regime
The mapping is a document. The evidence is math.
Each framework ships as a pack: a control-by-control mapping of EdSSA features to the regime’s articles, a sample deployment configuration, and one command — edssa-admin compliance-export — that emits a GPG-signed evidence bundle. Only a tag changes between regimes; the audit chain underneath is identical.
The recipient — an auditor, a competent authority, a national audit institution — verifies the bundle independently with edssa-admin verify-anchor. Because the chain is open and the verifier is software they can hold and re-implement under our royalty-free standards-track licence, they are not trusting you, or your auditor, or any single party in the chain. The integrity is a property of the chain itself.
Map: Article ↔ feature
Export: Signed bundle
Verify: Without cooperation
verify-anchor --against-witness) against the bundle or the live public transparency log. Tampering anywhere in the chain breaks the verification visibly — years later, after the underlying crypto has migrated.
Claim discipline