25 FRAMEWORKS · ONE SUBSTRATE · EVIDENCE, NOT ATTESTATION

Compliance you can verify, not just attest.

The same operator-independent audit chain, mapped to 25 regulatory frameworks. One substrate. Evidence a regulator verifies without trusting you.

Most compliance is paperwork: a questionnaire you fill in, an auditor who attests on your behalf, a certificate that audits you and not your chain. EdSSA produces the other thing — a tamper-evident, archive-grade record of what actually happened, that the data owner, the regulator, or a national audit institution can verify directly, with software they hold.

EU · UK · US-federal · global standards · sector regimes · Finnish sovereign

The shift

From paperwork to proof.

Today, demonstrating compliance means producing documents: annual questionnaires, a certificate that audits the prime vendor and not the chain beneath it, an auditor who attests on your behalf. None of it is operational evidence of what was actually done with the data — and the post-2024 regulatory stack (NIS2, DORA, the AI Act) has started asking operators to prove things paper cannot.

EdSSA produces the other thing. Every authentication or data-handling event can anchor into a Tier-4 Merkle audit chain with a seven-year retention floor. The chain is operator-independent: it replicates to the data owner, a public transparency log, or the regulator directly, and is verified with software they hold — no cooperation from the party being verified.

This is the same primitive the satellites and data-supply-chain pages describe, pointed at the compliance question: not “did you sign a form?” but “can anyone check what happened, years later, without taking your word for it?”

We map that one substrate to 25 regulatory frameworks — and each mapping is a document plus a configuration, never new cryptography. That is why the breadth is real, and why it keeps growing.

The breadth

25 frameworks. One substrate.

Most regulated operators sit in several at once — an EU fintech in DORA + GDPR + ISO 27001 + SOC 2; a US hospital in HIPAA + HITRUST + NIST CSF. The same audit chain answers all of them.

European Union

6 frameworks

NIS2 · DORA · GDPR Art. 28 + 30 · AI Act Art. 14 · Cyber Resilience Act · MiCA. The post-2024 EU stack — the regulatory tailwind behind the data-supply-chain, public-sector, and agentic-AI use cases.

United Kingdom

1 framework

UK GDPR + Data Protection Act 2018. The post-Brexit data-protection sibling for processors handling UK personal data.

US federal

5 frameworks

FedRAMP · CMMC 2.0 · NIST CSF 2.0 · NIST AI RMF · HIPAA. NIST CSF 2.0’s new Govern function and supply-chain emphasis map directly onto the operator-independent chain.

Global standards + sector

10 frameworks

ISO 27001 · ISO 42001 · SOC 2 · HITRUST CSF · PCI DSS v4 · IEC 62443 (industrial) · ISO/SAE 21434 (automotive) · DO-326A (aviation) · IMO MSC.428 (maritime) · NERC CIP (energy).

Finland — sovereign

3 frameworks

Julkri (public administration) · Katakri 2020 (national security, incl. classified) · Pitukri (cloud security assessment). A Finnish-origin protocol mapping to Finnish sovereign criteria — the clearest expression of the sovereignty posture.

By theme

Cross-cutting

AI governance (AI Act, NIST AI RMF, ISO 42001) · data protection (GDPR, UK GDPR, HIPAA) · supply-chain (NIS2, DORA, CMMC, CRA) · general security (ISO 27001, SOC 2, NIST CSF).

One substrate, every regime

The mapping is a document. The evidence is math.

Each framework ships as a pack: a control-by-control mapping of EdSSA features to the regime’s articles, a sample deployment configuration, and one command — edssa-admin compliance-export — that emits a GPG-signed evidence bundle. Only a tag changes between regimes; the audit chain underneath is identical.

The recipient — an auditor, a competent authority, a national audit institution — verifies the bundle independently with edssa-admin verify-anchor. Because the chain is open and the verifier is software they can hold and re-implement under our royalty-free standards-track licence, they are not trusting you, or your auditor, or any single party in the chain. The integrity is a property of the chain itself.

Map

Article ↔ feature

Every line of a pack is marked: provided by EdSSA, shared with the operator, or operator-owned. The honest gaps are named, not hidden — a pack is technical-control evidence, not a certificate.

Export

Signed bundle

One regime-agnostic command produces a GPG-signed archive: per-fleet audit-chain summaries, config snapshots, and a transparency-log pointer. The submission cadence + content stay the operator’s; this is the verifiable evidence leg.

Verify

Without cooperation

The regulator runs the open verifier (verify-anchor --against-witness) against the bundle or the live public transparency log. Tamper anywhere in the chain breaks the verification visibly — years later, after the underlying crypto has migrated.
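As an added illustration (not EdSSA's own code or its real record format), here is the shape of the check an operator-independent verifier performs: the witness holds only the anchored Merkle root, and the verifier recomputes from the exported bundle, or checks one event's inclusion proof, without anything from the operator. The event records, hashing layout and function names are assumptions made for this example.

```python
import hashlib
import json

# Constructed sample audit events (an assumption; not EdSSA's real record format).
EVENTS = [
    {"seq": 1, "type": "auth", "subject": "svc-ingest", "outcome": "ok"},
    {"seq": 2, "type": "data-access", "subject": "analyst-7", "dataset": "claims-2024"},
    {"seq": 3, "type": "data-export", "subject": "analyst-7", "dest": "processor-B"},
]

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(event: dict) -> bytes:
    # Canonical JSON so operator and verifier hash identical bytes; 0x00 prefix separates leaves from nodes.
    return _h(b"\x00" + json.dumps(event, sort_keys=True, separators=(",", ":")).encode())

def _next_level(level: list[bytes]) -> list[bytes]:
    if len(level) % 2:
        level = level + [level[-1]]  # duplicate the last node on odd-sized levels
    return [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves: list[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    # Sibling hashes from leaf to root; the flag records whether the sibling sits on the right.
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        level, index = _next_level(level), index // 2
    return proof

def verify_inclusion(leaf: bytes, proof: list[tuple[bytes, bool]], witnessed_root: bytes) -> bool:
    # Needs only the leaf, its proof and the root the witness holds: no cooperation from the operator.
    node = leaf
    for sibling, sibling_is_right in proof:
        node = _h(b"\x01" + node + sibling) if sibling_is_right else _h(b"\x01" + sibling + node)
    return node == witnessed_root

def verify_bundle(events: list[dict], witnessed_root: bytes) -> bool:
    # Full recomputation over the exported bundle; an edited, dropped or reordered event changes the root.
    return merkle_root([leaf_hash(e) for e in events]) == witnessed_root

def tamper_demo() -> tuple[bool, bool]:
    root = merkle_root([leaf_hash(e) for e in EVENTS])  # root replicated to the witness when anchored
    tampered = [dict(e) for e in EVENTS]
    tampered[2]["dest"] = "processor-C"  # the export destination is rewritten after the fact
    return verify_bundle(EVENTS, root), verify_bundle(tampered, root)  # (True, False)
```

The second value of `tamper_demo()` is the visible break the text refers to: the recomputed root no longer matches what the witness holds, and no party in the chain can make it match again.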

Claim discipline

What a pack proves — and what it does not.

It is verifiable technical-control evidence.

Proof, anchored and independently checkable, of what your systems and your chain actually did — the evidence sub-problem that sits at the centre of GDPR, NIS2, DORA, the AI Act and the rest.

It is not a certificate, or a substitute for the rest.

It does not certify you, replace your policies, contracts or governance, or cover the non-technical requirements (staff training, substantive risk assessment). Those stay yours; the pack names exactly where its line ends.

Which frameworks apply to you?

Tell us the regimes you operate under — we’ll walk through the packs that map to them and the evidence each produces. Bring your hardest “prove it” question.

Talk to us →