Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
How to meet SOC 2 audit logging requirements
A step-by-step guide to meeting SOC 2 audit logging requirements: what to log, retention, access controls, alerting, and how to verify your controls before an audit.
Open Source License Management: Tools and Workflow
A practical breakdown of how mature engineering teams do license management open source style: scanning dependency trees, classifying license risk, and building a workflow that does not slow releases down.
EU Cyber Resilience Act Enforcement Timeline 2026
The EU Cyber Resilience Act is already biting in 2026. Here is the enforcement timeline manufacturers, integrators, and open source stewards need to internalize now.
SOC 2 Cloud Compliance: A Practical Primer
SOC 2 cloud compliance means proving your cloud-hosted controls actually operate the way you say they do — here's what auditors check and how a cloud compliance platform shortens the path to a report.
NIS2 in Spain: The Delayed Transposition and Commission Reasoned Opinion
Spain's draft NIS2 law was approved by the Council of Ministers on 14 January 2025, but had not been published in the BOE by January 2026, triggering Commission action.
SEC Form 8-K Item 1.05: Two Years of Enforcement Lessons
Two years into mandatory cybersecurity incident disclosure, the SEC has issued comment letter sweeps and settled enforcement actions. Here is what filers got wrong.
Implementing the ISO 27001:2022 Revision in 2026
The transition window to the 2022 revision of ISO 27001 closed in October 2025. Here is what we have learned from helping organizations implement it cleanly.
SEC Cyber Incident Disclosure Rule: Year Two
Two years into Item 1.05 of Form 8-K, the SEC has clarified materiality, enforcement posture, and how Regulation S-K Item 106 cybersecurity narratives will be judged.
The Software Transparency Act of 2026: What It Means for the Industry
Proposed legislation would require SBOMs for all critical infrastructure software. Here's a detailed analysis of the bill and its implications.
What is Third-Party Risk Management
Third-party risk management explained: what it covers, why SolarWinds and MOVEit made it board-level, and how modern TPRM differs from supply chain security.
What is Vendor Risk Management
Vendor risk management now means tracking code-level supply chain risk, not just SOC 2 reports—here's what it covers, how to tier vendors, and what regulations require it.
CISA Secure by Design Pledge: Signatories in 2026
CISA's Secure by Design Pledge has crossed 300 signatories. Here is what the 2026 cohort is committing to, what regulators expect in return, and how to prove it.