Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
NIS2 in the Netherlands: Cyberbeveiligingswet Adoption in April 2026
The Dutch Parliament approved the Cyberbeveiligingswet on 15 April 2026, with target entry into force on 1 July 2026 — 21 months after the EU transposition deadline.
NYDFS Part 500: The November 2025 Deadlines, One Year On
The Second Amendment to NYDFS Part 500 added universal MFA and an asset inventory mandate on November 1, 2025. The April 2026 certification reveals where covered entities stand.
Does AI pentesting satisfy SOC 2, ISO 27001, HIPAA or PCI...
AI-powered pentesting promises fast compliance checkmarks, but SOC 2, ISO 27001, HIPAA, and PCI DSS 4.0 auditors require more than an automated scan report.
Aikido Trust Center walkthrough: certifications, pentesti...
A walkthrough of the Aikido Security trust center: what its SOC 2, ISO 27001, and annual pentest claims actually mean, and what's missing for a real vendor risk review.
CMMC 2.0 Phase Two: What November 10, 2026 Means for Contractors
CMMC Phase 1 began in November 2025. Phase 2 lands on November 10, 2026, requiring mandatory C3PAO Level 2 assessments. We unpack the contractor implications.
FedRAMP 20x Phase Two: What Moderate Pilots Are Teaching Us
FedRAMP 20x Phase Two is running Moderate-baseline pilots through Q2 2026. We walk through KSIs, machine-readable OSCAL, and the path to wide-scale adoption.
Cloud Security Standards & Frameworks (ISO/IEC, NIST, CIS)
ISO 27001:2022, NIST CSF 2.0, and CIS Benchmarks now expect software supply chain proof that cloud posture tools like Wiz can't provide alone. Here's what changed and why it matters.
TSA Surface Transportation Cyber NPRM: From Directives to Rule
TSA's November 2024 Enhancing Surface Cyber Risk Management NPRM would formalize what pipeline and rail SDs already require. Operators should prepare now.
DORA Compliance for Fintech Engineering Teams
DORA has applied since January 2025. For engineers that means ICT asset inventories, 4-hour incident classification, TLPT, and a register of every software supplier.
The EU Cyber Resilience Act Explained for Software Vendors
What the EU CRA actually requires from software vendors — SBOMs, vulnerability handling, CE marking, timelines through 2027, and penalties up to EUR 15M.
EU AI Act Enforcement Begins: 2026 Reality Check
A 2026 reality check on EU AI Act enforcement: which obligations are active, what regulators expect, and the technical evidence enterprises must produce.
Secure by Design Pledge: Reading the 2026 Progress Reports
More than 250 manufacturers have signed CISA's Secure by Design pledge. We read the public progress reports to see who is actually moving on the seven goals.