Regulatory Compliance
In-depth guides and analysis on regulatory compliance from the Safeguard engineering team.
138 articles
EU CRA Enforcement First Year: What Changed
A senior engineer's review of the first year of EU Cyber Resilience Act enforcement, what regulators actually asked for, what vendors got wrong, and where the bar moves next.
DIB Small Shop CMMC Readiness On A Budget
Small defense industrial base shops cannot spend like primes. Here is a pragmatic CMMC Level 2 readiness path that fits a real small business budget.
Defense Software Supply Chain Under the 2026 Federal Rules
CMMC 2.0, the FAR SBOM rule, and DoD Instruction 8500.01 have reshaped what software contractors must deliver. Here is the 2026 operational baseline for defense industrial base suppliers.
NIS2 Directive Supply Chain Obligations in 2026
NIS2 has been in force across the EU since October 2024, and member state enforcement is now operating in earnest. The supply chain obligations are the ones most organizations underestimated.
EU AI Act High-Risk System Obligations
A senior engineer's breakdown of the EU AI Act high-risk system obligations as they apply in 2026, with a focus on documentation, supply chain, and ongoing monitoring.
SOC 2 Control Mapping With Supply Chain Evidence
Map SOC 2 Trust Services Criteria to concrete supply chain artifacts. Learn how SBOMs, findings, and policy logs satisfy CC controls without manual gymnastics.
FedRAMP High Software Supply Chain Evidence
FedRAMP High demands provable software supply chain controls, not just policy text. Here is how to assemble the evidence package without slowing engineering.
CISA Secure-By-Design Pledge Update 2026
A senior engineer's view of where the CISA Secure-By-Design pledge stands in 2026, what signatories actually delivered, and what the second wave of expectations looks like.
EU CRA Self-Assessment Evidence Pack
Build a Cyber Resilience Act self-assessment pack from supply chain evidence. Learn which artifacts CRA expects and how to produce them without rebuilding your stack.
IL7 Air-Gap Deployment Supply Chain Controls
IL7 environments are isolated by design but inherit every supply chain risk in the artifacts that cross the gap. Here is how to lock down the inbound flow.
SLSA v1.1 Framework Update: What's New
SLSA v1.1 sharpens the build track, adds a source track draft, and clarifies attestation semantics. Here is the practical guide for security teams.
Using Reachability To Defend SOC 2 Audit Decisions
An auditor asks why you didn't fix CVE-X. The defensible answer involves reachability evidence. Without it, the conversation gets uncomfortable.