Solutions · Compliance & Regulations
Every framework. Every region. Pre-mapped.
Safeguard ships pre-mapped control narratives and automated evidence pipelines for 190+ jurisdictions and 60+ frameworks — including the AI-specific regulations now landing across the EU, the US, Singapore, Korea, and India. This page is the encyclopedic map: every framework we cover, organised by region, country, and sector.
190+
Jurisdictions covered
60+
Frameworks pre-mapped
AI-Specific
Regs included
Continuous
Evidence, not annual snapshots
Regional Coverage
Seven regions. One ledger.
Each card lists the frameworks we cover in that jurisdiction, the scope of each, and a direct link to the evidence packet shape we ship for it.
Region 01
North America
Federal cloud authorisation, DoD maturity, and state-level privacy.
13 frameworks
- FedRAMP HIGH— federal cloud authorisation (US)Open framework detail
- CMMC Level 2 / Level 3— DoD contractor cyber maturity (US)Open framework detail
- NIST SP 800-53— federal information system controlsOpen framework detail
- NIST SP 800-161 (Rev 2)— supply-chain risk managementOpen framework detail
- NIST SP 800-218 (SSDF)— secure software development frameworkOpen framework detail
- EO 14028— improving the nation's cybersecurityOpen framework detail
- HIPAA / HITECH— health information privacy (US)Open framework detail
- FISMA— federal information security managementOpen framework detail
- PCI-DSS v4.0— payment card industryOpen framework detail
- SOC 2 Type II— service organisation controlsOpen framework detail
- CCPA / CPRA— California consumer privacyOpen framework detail
- PIPEDA— Canada personal information protectionOpen framework detail
- US Privacy Shield (where applicable)— cross-border data transferEvidence packet
FlagshipFedRAMP HIGH
Region 02
European Union
Privacy, operational resilience, AI obligations, and product cyber security.
9 frameworks
- GDPR— general data protection regulationOpen framework detail
- NIS2 Directive— network and information securityOpen framework detail
- DORA— digital operational resilience actOpen framework detail
- EU AI Act— AI risk categorisation and obligationsOpen framework detail
- EU CER Directive— critical entities resilienceOpen framework detail
- EU Cyber Resilience Act (CRA)— product cyber securityEvidence packet
- EU MDR / IVDR— medical device + in vitro diagnosticOpen framework detail
- EU Solvency II + IDD— insurance regulationOpen framework detail
- ENISA Threat Landscape alignment— EU agency threat baselineOpen framework detail
FlagshipEU AI Act
Region 03
United Kingdom
Post-GDPR privacy plus national cyber assessment baselines.
5 frameworks
- UK GDPR— United Kingdom general data protection regulationOpen framework detail
- NCSC Cyber Assessment Framework (CAF)— national cyber baseline for essential servicesOpen framework detail
- PRA SS1/21— operational resilience (banking)Open framework detail
- FCA fintech / SYSC cyber rules— conduct rules for regulated firmsEvidence packet
- MOD JSP-440— Ministry of Defence security policyOpen framework detail
FlagshipNCSC CAF
Region 04
India
DPDP, sector regulators, and sovereign deployment readiness.
8 frameworks
- DPDP Act, 2023— digital personal data protectionOpen framework detail
- RBI Cybersecurity Framework— bankingOpen framework detail
- SEBI CSCRF— securities cyber resilienceOpen framework detail
- IFSCA Framework— international financial servicesOpen framework detail
- CERT-In Directions— incident reporting (2022)Open framework detail
- STQC certification readiness— for sovereign deploymentsOpen framework detail
- DoT cybersecurity guidelines— telecomEvidence packet
- DGCA / DGS guidelines— aviation + maritimeEvidence packet
FlagshipDPDP Act, 2023
Region 05
Middle East
GCC national cyber controls plus emerging privacy laws.
10 frameworks
- Saudi NCA OTCC— operational technology cybersecurity controlsOpen framework detail
- Saudi NCA ECC— essential cybersecurity controlsOpen framework detail
- UAE NESA / SIA standards— national information assuranceEvidence packet
- UAE Federal Decree-Law No. 45 / 46— data protectionEvidence packet
- Bahrain Personal Data Protection Law— personal data protectionEvidence packet
- Kuwait DCC cyber rules— data classification and protectionEvidence packet
- Oman ITA cyber framework— information technology authority baselineEvidence packet
- Qatar NIA— National Information AssuranceEvidence packet
- Jordan NCSC framework— national cybersecurity baselineEvidence packet
- Egypt NTRA cyber rules— telecom regulator cyber baselineEvidence packet
FlagshipSaudi NCA ECC
Region 06
APAC
Privacy laws, banking technology risk, and AI assurance.
10 frameworks
- Japan APPI— personal information protectionOpen framework detail
- Japan METI cyber for industrial— industrial cyber guidanceEvidence packet
- Singapore PDPA— personal data protectionOpen framework detail
- Singapore MAS TRM— banking technology risk managementOpen framework detail
- Singapore AI Verify— AI governance testing frameworkOpen framework detail
- Australia Privacy Act— national privacy baselineEvidence packet
- Australia ACSC Essential Eight— national cyber mitigation strategiesOpen framework detail
- Korea PIPA— personal information protectionOpen framework detail
- Korea KISA cyber framework— national information security guidanceEvidence packet
- China GenAI / DSL / PIPL— deployment requires sovereign tierEvidence packet
FlagshipSingapore MAS TRM
Region 07
Latin America & Africa
Privacy frameworks across Brazil, Mexico, and African data laws.
6 frameworks
- Brazil LGPD— general data protection lawOpen framework detail
- Mexico LFPDPPP— federal protection of personal dataEvidence packet
- Argentina PDPA— personal data protection actEvidence packet
- South Africa POPIA— protection of personal informationOpen framework detail
- Nigeria NDPR— Nigeria data protection regulationEvidence packet
- Kenya Data Protection Act— national data protection lawEvidence packet
FlagshipBrazil LGPD
AI-Specific Regulations
AI regs overlap regions. We map them anyway.
Eight AI-specific regimes that we surface as standalone control sets in addition to their parent region — because most AI-touching products are now subject to two or three of them at once.
01
EU AI Act
high-risk AI obligations across the EU single market
02
US AI EO 14110
federal AI safety, transparency, and reporting
03
Singapore AI Verify
AI governance testing toolkit and attestations
04
UK AI Safety Institute alignment
frontier model evaluation baseline
05
Japan AI Governance Guidelines (METI)
voluntary corporate AI governance baseline
06
Korea AI Framework Act
AI system risk classification and obligations
07
China Generative AI Measures
model registration, content labelling, training data
08
India DPDP + draft AI Advisory framework
data fiduciary plus AI advisory layer
Sectoral Overlays
The regions are the map. Sectors are the overlays.
Four overlays where a single product is typically subject to two or three frameworks from different regions at the same time.
Finance
- DORA + EU CRAoperational resilience plus product cyber
- MAS TRM + PRA SS1/21banking technology risk on both sides of Asia and the UK
- RBI + SEBI CSCRF + IFSCAIndian banking, securities, and international financial services
Healthcare
- HIPAA / HITECHprotected health information across covered entities
- EU MDR / IVDRmedical device and in vitro diagnostic security obligations
- Regional privacy overlaysGDPR, DPDP, LGPD, POPIA where patient data crosses borders
Defence / Government
- FedRAMP HIGH + CMMC L2/L3US federal cloud and DoD supplier maturity
- MOD JSP-440UK Ministry of Defence security policy baseline
- STQC + Saudi NCA OTCCsovereign certification and OT-grade national controls
Critical Infrastructure
- NIS2 + EU CER Directiveessential and critical entities across the EU
- NIST SP 800-53 + 800-161federal information systems and supply-chain risk
- Saudi NCA OTCC + UAE NESAOT and national assurance for operators of national importance
What "Covered" Means
Three things. Not just a list.
Most vendors put a logo grid on a marketing page and call it "coverage." Coverage here means three concrete things. Where a control requires human judgement — policy authoring, organisational scope, attestation of governance — we surface it as an open checklist gap, not a fake green check.
Pre-mapped control narratives
Every control in the framework is read, interpreted, and given a narrative that explains what Safeguard does for it, what the customer must still attest to, and where the gaps live.
Automated evidence collection
Scans, SBOMs, signed attestations, access logs, policy gate verdicts — all bound to controls and collected continuously, not in screenshot sprints before an audit.
Signed export per framework
One-click export in the format the regulator or auditor expects. Each artifact is signed; the auditor can verify without trusting Safeguard.
Coverage Pipeline
How a new region gets added.
Any framework not on this page is a 4–8 week add given the existing evidence pipeline. Here is what those weeks look like.
01
Customer Signal
A regulated buyer, a partner, or an internal review surfaces a framework that isn't yet on the map. We log the regulator, the jurisdiction, and the deadline.
02
Legal + Regulator Alignment
Counsel and the framework authors read the source text. Where the regulator publishes a control catalogue, we map clause-by-clause. Where it doesn't, we infer from guidance and precedent and flag the inference.
03
Control Narrative + Evidence Pipeline
Each control gets a written narrative plus an automated evidence binding to the underlying telemetry — scans, SBOMs, attestations, access logs, policy gates. Where a control needs human attestation, we ship it as a checklist gap rather than a fake check.
04
Release
The framework appears in the console, the export menu, and on this page. Any framework not yet listed is a 4–8 week add given the existing evidence pipeline — most of the work is narrative authoring, not engineering.
Headline Coverage
The shortlist. One row per region.
| Region | Frameworks covered | Flagship framework | Evidence packet |
|---|---|---|---|
North America | 13 mapped | FedRAMP HIGH | Open FedRAMP HIGH |
European Union | 9 mapped | EU AI Act | Open EU AI Act |
United Kingdom | 5 mapped | NCSC CAF | Open NCSC CAF |
India | 8 mapped | DPDP Act, 2023 | Open DPDP Act, 2023 |
Middle East | 10 mapped | Saudi NCA ECC | Open Saudi NCA ECC |
APAC | 10 mapped | Singapore MAS TRM | Open Singapore MAS TRM |
Latin America & Africa | 6 mapped | Brazil LGPD | Open Brazil LGPD |
Totals on this table refer to frameworks explicitly mapped in the console. Sectoral overlays and AI regimes are counted within their parent region as well as listed in their own sections above.
Related
Where to go next.
Comply with Global Regulations
The use-case page: how compliance actually gets done, step by step, across frameworks.
Open
Supply Chain Compliance
Supplier evidence packets, SBOM exchange, third-party risk attestations.
Open
Security
How Safeguard itself is built — controls, trust posture, sub-processors, and architecture.
Open
Resources & Downloads
Public framework crosswalks, sample evidence packets, and regulator-ready exports.
Open
Country-by-country detail
190+ jurisdictions. Frameworks per country.
Every country and SAR we support, with the specific frameworks we map per jurisdiction. Click any framework name in color to open its dedicated detail page. Sectoral and cross-jurisdiction frameworks (PCI-DSS, FATF, ISO 27001, etc.) apply globally and are included in addition to the country rows below.
See the full standalone mapNorth America3 jurisdictions · 24 frameworks
United States
- FedRAMP HIGH
- CMMC L2 / L3
- NIST SP 800-53
- NIST SP 800-161
- NIST SP 800-218 (SSDF)
- EO 14028
- HIPAA / HITECH
- FISMA
- PCI-DSS v4.0
- SOC 2 Type II
- CCPA / CPRA
- NYDFS Part 500
- SOX
- GLBA
- CISA Directives
Canada
- PIPEDA
- CCCS baseline
- Bill C-26 (Cyber Security Act)
- CSE PROTECTED B/C
- Quebec Law 25
- OSFI B-13
Mexico
- LFPDPPP
- INE cybersecurity guidelines
- CNBV cyber
Central America & Caribbean14 jurisdictions · 25 frameworks
Guatemala
- Personal data protection (draft)
- Banco de Guatemala cyber
Belize
- Central Bank cyber baseline
Honduras
- Personal data protection law
- CNBS cyber
El Salvador
- Personal data protection law
- BCR cyber
Nicaragua
- Law 787 (Personal Data Protection)
- SIBOIF cyber
Costa Rica
- Law 8968 (PROTECDATOS)
- SUGEF cyber
Panama
- Law 81 (Data Protection)
- Superintendencia de Bancos cyber
Cuba
- Decree-Law 35 cyber
Dominican Republic
- Law 172-13
- Superintendencia de Bancos cyber
Haiti
- BRH cyber baseline
Jamaica
- Data Protection Act 2020
- BOJ cyber
Trinidad and Tobago
- Data Protection Act 2011
- Central Bank cyber
Bahamas
- Data Protection Act
- Central Bank cyber
Barbados · Saint Lucia · St. Vincent · St. Kitts · Grenada · Antigua · Dominica
- CARICOM data protection alignment
- ECCB cyber
South America12 jurisdictions · 26 frameworks
Brazil
- LGPD
- BACEN Resolution 4658 (cyber)
- ANPD
- CVM cyber rules
Argentina
- Law 25.326 (PDPA)
- BCRA cyber communication A6354
Chile
- Law 19.628 (revised 2024)
- CMF cyber
- MISP-CL
Colombia
- Law 1581
- SuperFinanciera cyber
- MinTIC GEL
Peru
- Law 29733 (PDPA)
- SBS cyber
Venezuela
- Personal data protection (Constitutional Article 28)
- BCV cyber
Ecuador
- LOPDP 2021
- Junta de Política Financiera cyber
Bolivia
- Constitutional data protection
- ASFI cyber
Paraguay
- Law 6534 (PDPA)
- BCP cyber
Uruguay
- Law 18.331 (PDPA)
- BCU cyber
Guyana
- Bank of Guyana cyber
Suriname
- Central Bank cyber baseline
European Union28 jurisdictions · 99 frameworks
Pan-EU
- GDPR
- NIS2 Directive
- DORA
- EU AI Act
- EU CER Directive
- EU Cyber Resilience Act
- EU MDR / IVDR
- EU Solvency II / IDD
- ENISA Threat Landscape
Austria
- NIS2 transposition (NISG)
- DSG (data protection)
- FMA cyber
Belgium
- NIS2 transposition
- APD data protection
- NBB cyber
Bulgaria
- NIS2 transposition
- CPDP
- BNB cyber
Croatia
- NIS2 transposition
- AZOP
- HNB cyber
Cyprus
- NIS2 transposition
- Commissioner for Personal Data Protection
- CBC cyber
Czech Republic
- NIS2 transposition
- NÚKIB directives
- ÚOOÚ data protection
- ČNB cyber
Denmark
- NIS2 transposition
- Datatilsynet
- Finanstilsynet cyber
Estonia
- NIS2 transposition
- RIA
- AKI data protection
- Baltic eID
Finland
- NIS2 transposition
- Traficom Kybertut
- Finanssivalvonta cyber
France
- ANSSI RGS
- ANSSI SecNumCloud
- CNIL
- OIV requirements
- ACPR cyber
Germany
- BSI IT-Grundschutz
- BSI KRITIS
- BAIT (banking)
- VAIT (insurance)
- KAIT
- BfDI
Greece
- NIS2 transposition
- HDPA
- BoG cyber
Hungary
- NIS2 transposition
- NAIH
- MNB cyber
Ireland
- NIS2 transposition
- DPC Ireland
- CBI cyber
Italy
- ACN cyber framework
- Misure Minime AgID
- Garante per la protezione dei dati
- Banca d'Italia cyber
Latvia
- NIS2 transposition
- CERT.LV
- DVI data protection
Lithuania
- NIS2 transposition
- CERT-LT
- VDAI data protection
Luxembourg
- NIS2 transposition
- CSSF Circular 22/806
- CNPD
Malta
- NIS2 transposition
- IDPC
- MFSA cyber
Netherlands
- NCSC NL Baseline
- BIO (government)
- AP data protection
- DNB cyber
Poland
- KSC cyber framework
- UODO data protection
- KNF cyber
Portugal
- NIS2 transposition
- CNPD
- Banco de Portugal cyber
Romania
- NIS2 transposition
- ANSPDCP
- BNR cyber
Slovakia
- NIS2 transposition
- NBÚ directives
- ÚOOÚ data protection
Slovenia
- NIS2 transposition
- IP data protection
- BS cyber
Spain
- ENS (Esquema Nacional de Seguridad)
- AEPD
- Banco de España cyber
Sweden
- NIS2 transposition
- IMY
- Finansinspektionen cyber
Non-EU Europe19 jurisdictions · 47 frameworks
United Kingdom
- UK GDPR
- NCSC CAF
- PRA SS1/21
- FCA SYSC
- MOD JSP-440
- MOD Cyber Essentials Plus
- NCSC Active Cyber Defence
Switzerland
- FADP (revFADP)
- FINMA Circular 2023/01
- FINMA cyber incident reporting
- NCSC.ch
Norway
- Personopplysningsloven
- NSM Grunnprinsipper
- Finanstilsynet cyber
Iceland
- Act 90/2018
- FME national cyber strategy
- FME finance cyber
Liechtenstein
- DSG (EEA aligned)
- FMA cyber
Monaco
- Law 1.165 (data protection)
- CCAF cyber baseline
San Marino
- Law 171/2018 (GDPR aligned)
Andorra
- LQPD (data protection)
- AFA cyber
Albania
- Law 9887 (data protection)
- AKCESK cyber
Bosnia and Herzegovina
- Law on Personal Data Protection
- CBBH cyber
Serbia
- Law on Personal Data Protection
- NBS cyber
Montenegro
- Law on Personal Data Protection
- CBCG cyber
North Macedonia
- Law on PDP
- NBRSM cyber
Kosovo
- Law 06/L-082 (data protection)
- CBK cyber
Ukraine
- Law on Personal Data Protection
- SSSCIP cyber baselines
- NBU cyber for banks
Moldova
- Law 133/2011 (data protection)
- NBM cyber
Belarus (sovereign tier)
- Law on Personal Data Protection (limited engagement)
Turkey
- KVKK
- BTK telecom cyber
- BDDK banking cyber
- TCMB cyber
Vatican City
- Holy See data protection norms
Middle East13 jurisdictions · 33 frameworks
United Arab Emirates
- NESA / SIA
- Federal Decree-Law 45/46
- ADGM Data Protection
- DIFC DP Law
- CBUAE cyber
Qatar
- NIA
- QFC DPA
- QCB cyber
Bahrain
- Personal Data Protection Law
- CBB cybersecurity framework
Kuwait
- DCC cyber rules
- CBK cyber
Oman
- ITA cyber framework
- CBO cyber
Jordan
- NCSC framework
- JoPDP
- CBJ cyber
Lebanon
- Law 81/2018 (electronic transactions and PDP)
- BDL cyber
Israel
- Privacy Protection Law (amendments 13/14)
- INCD methodologies
- Banking Supervision cyber
Palestine
- PMA cyber baseline
Iraq
- National ICT regulator baselines
- CBI cyber
Iran (sovereign / sanctions-aware)
- Available only via sovereign tier where lawful
Syria · Yemen
- Sovereign tier only where lawful
North Africa7 jurisdictions · 15 frameworks
Egypt
- Data Protection Law 2020
- NTRA cyber rules
- CBE cyber
Libya
- Central Bank cyber baseline
Tunisia
- INPDP data protection
- ANCS cyber
- BCT cyber
Algeria
- Law 18-07 data protection
- ARPCE cyber baselines
- Bank of Algeria cyber
Morocco
- Law 09-08 + CNDP
- DGSSI cyber
- BAM cyber
Sudan
- Central Bank cyber baseline
Mauritania
- Central Bank cyber baseline
West Africa10 jurisdictions · 20 frameworks
Nigeria
- NDPA / NDPR
- CBN cyber framework
- SEC cyber
Ghana
- Data Protection Act 2012
- Cyber Security Authority directives
- Bank of Ghana cyber
Senegal
- Law 2008-12 (data protection)
- BCEAO cyber
Côte d'Ivoire
- Law 2013-450 (data protection)
- BCEAO cyber
Mali · Burkina Faso · Niger
- BCEAO cyber for banks
- National data protection laws
Sierra Leone
- Bank of Sierra Leone cyber
Liberia
- CBL cyber baseline
Gambia · Guinea · Guinea-Bissau
- BCEAO / Central Bank cyber
- Data protection drafts
Togo · Benin
- WAEMU cyber alignment
- BCEAO cyber
Cape Verde
- Data Protection Law
- Banco de Cabo Verde cyber
Central Africa8 jurisdictions · 10 frameworks
Cameroon
- Law 2010/012 (data protection)
- BEAC cyber
Chad
- BEAC cyber baseline
Central African Republic
- BEAC cyber baseline
Republic of the Congo
- BEAC cyber baseline
DR Congo
- BCC cyber
Gabon
- BEAC cyber
Equatorial Guinea · São Tomé and Príncipe
- BEAC cyber
Angola
- Law 22/11 (PDPA)
- BNA cyber
East Africa12 jurisdictions · 21 frameworks
Kenya
- Data Protection Act 2019
- CBK cyber
Tanzania
- Personal Data Protection Act 2022
- BoT cyber
Uganda
- Data Protection and Privacy Act 2019
- BoU cyber
Rwanda
- Law 058/2021 (data protection)
- BNR cyber
Burundi
- BRB cyber baseline
Ethiopia
- Computer Crime Proclamation
- INSA baselines
- NBE cyber
Eritrea · Djibouti · Somalia
- Central Bank cyber baselines
South Sudan
- BoSS cyber baseline
Madagascar
- Law 2014-038 (data protection)
- BFM cyber
Mauritius
- Data Protection Act 2017
- Bank of Mauritius cyber
Seychelles
- Data Protection Act
- CBS cyber
Comoros
- BCC cyber baseline
Southern Africa8 jurisdictions · 17 frameworks
South Africa
- POPIA
- SARB cyber
- NCPF
- FSCA cyber
Namibia
- Personal Data Protection (in development)
- Bank of Namibia cyber
Botswana
- Data Protection Act 2018
- Bank of Botswana cyber
Zimbabwe
- Cyber and Data Protection Act
- RBZ cyber
Zambia
- Data Protection Act 2021
- BoZ cyber
Mozambique
- Personal Data Protection Law
- BM cyber
Malawi
- Data Protection Bill
- RBM cyber
Lesotho · Eswatini
- Central Bank cyber baselines
South Asia8 jurisdictions · 24 frameworks
India
- DPDP Act 2023
- RBI Cybersecurity Framework
- SEBI CSCRF
- IFSCA Framework
- CERT-In Directions (2022)
- STQC
- DoT cyber
- DGCA / DGS
- MeitY
- RBI PA-PG
- NCIIPC
Pakistan
- PECA
- SBP cyber framework
- PTA telecom cyber
Bangladesh
- Personal Data Protection Act (draft)
- Bangladesh Bank cyber guidelines
Sri Lanka
- Personal Data Protection Act 2022
- CBSL cyber
Nepal
- Privacy Act 2018
- NRB cyber
Bhutan
- RMA cyber baseline
Maldives
- MMA banking cyber
- Data protection (draft)
Afghanistan
- DAB cyber baseline (constrained engagement)
Southeast Asia11 jurisdictions · 26 frameworks
Malaysia
- PDPA 2010
- BNM RMiT
- Securities Commission cyber
Indonesia
- PDP Law (UU PDP)
- OJK cyber
- BI cyber
Thailand
- PDPA 2019
- BoT cyber
- SEC cyber
Vietnam
- Cybersecurity Law
- Decree 53/2022
- DTP
- SBV cyber
Philippines
- DPA 2012
- BSP cyber
- SEC cyber
Myanmar (limited engagement)
- CBM cyber baseline
Cambodia
- Cybersecurity Law (in process)
- NBC banking cyber
Laos
- BoL cyber baseline
Brunei
- AMBD cyber
Timor-Leste
- BCTL cyber baseline
East Asia8 jurisdictions · 25 frameworks
Japan
- APPI
- METI cybersecurity
- FSA cyber
- Cybersecurity Basic Act
South Korea
- PIPA
- KISA
- K-ISMS-P
- Korea AI Framework Act
- FSC cyber
China
- GenAI Measures
- DSL
- PIPL
- MLPS 2.0 (sovereign tier only)
- CSL
Taiwan
- Cyber Security Management Act
- NCC rules
- FSC cyber
Hong Kong SAR
- PDPO
- HKMA cyber framework
- SFC cyber
Macau SAR
- Data Protection Law 8/2005
- AMCM cyber
Mongolia
- Cyber Security Law 2021
- Mongolbank cyber
North Korea
- Not supported
Central Asia & Caucasus8 jurisdictions · 14 frameworks
Kazakhstan
- Law on Personal Data Protection
- NBK cyber
- AFSA cyber
Uzbekistan
- Law on Personal Data
- CBU cyber
Turkmenistan
- CB cyber baseline
Tajikistan
- NBT cyber baseline
Kyrgyzstan
- NBKR cyber baseline
Armenia
- Law on Protection of Personal Data
- CBA cyber
Azerbaijan
- Law on Personal Data
- CBA-AZ cyber
Georgia
- Law of Georgia on Personal Data Protection
- NBG cyber
Oceania7 jurisdictions · 14 frameworks
Australia
- Privacy Act
- ACSC Essential Eight
- SOCI Act
- APRA CPS 234
- ASIC cyber
New Zealand
- NZISM
- Privacy Act 2020
- RBNZ cyber
Fiji
- RBF cyber baseline
Papua New Guinea
- BPNG cyber baseline
Solomon Islands · Vanuatu · Samoa · Tonga
- South Pacific Central Bank cyber alignment
Kiribati · Tuvalu · Nauru
- Pacific Islands Forum cyber baseline
Marshall Islands · Micronesia · Palau
- Compact of Free Association cyber alignment
- Banking cyber baselines
Russia & Eurasian Economic Union (sovereign tier)1 jurisdiction · 3 frameworks
Russia (sovereign / sanctions-aware)
- FSTEC Order 17/21
- FSB cyber rules (sovereign deployments only where lawful)
- CBR cyber (sanctions-aware)
Cross-jurisdictional7 jurisdictions · 37 frameworks
ISO / IEC family
- ISO/IEC 27001:2022
- ISO/IEC 27002
- ISO/IEC 27017
- ISO/IEC 27018
- ISO/IEC 27019
- ISO/IEC 27701
- ISO/IEC 42001 (AI management)
NIST family
- NIST CSF 2.0
- NIST SP 800-53
- NIST SP 800-161
- NIST SP 800-218 (SSDF)
- NIST AI RMF
Global financial / payments
- PCI-DSS v4.0
- FATF Travel Rule
- FFIEC
- SWIFT CSP
- Basel III operational risk
- IOSCO cyber
AI-specific (cross-jurisdiction)
- EU AI Act
- US AI EO 14110
- Singapore AI Verify
- UK AI Safety Institute alignment
- Japan AI Governance Guidelines
- Korea AI Framework Act
- China Generative AI Measures
Healthcare cross-jurisdiction
- HITRUST CSF
- HIPAA / HITECH
- EU MDR / IVDR
- PIC/S GMP Annex 11
- FDA 21 CFR Part 11
Industrial / OT
- IEC 62443
- ISA/IEC 62443-4-1
- NERC CIP
- TSA Pipeline Cybersecurity Directives
Climate & ESG disclosure
- ISSB IFRS S1/S2
- CSRD / ESRS
- SEC Climate Disclosure Rule
Missing your jurisdiction? New countries are typically added within 4–8 weeks given the existing evidence pipeline. Talk to the compliance team
Talk to compliance.
Bring the frameworks you owe. We'll walk the map with you — region by region, control by control, evidence packet by evidence packet.