Compliance · the catalog

Every framework, declared honestly.

Pick the regimes your repository answers to. Each runs on the same honest pattern: Watchdog evidences the automatable slice, gates what it caught failing, and a named human declares the rest. Every card shows the three-way split — tool-evidenced, evidence-assisted, and human attestation — before you enable a thing. For accessibility (WCAG 2.2 / EN 301 549) we push that as far as it honestly goes: static checks tool-evidence what they can, and for repos with the framework on, a sandboxed rendered-axe pass and LLM advisories add runtime/assisted evidence — so the human slice is the minimum the standard actually requires a person to judge.

Self-assess any framework on any plan. Signing & exporting the tamper-evident artifact is part of the compliance module. We measure; you declare. We never certify.

Accessibility

2 frameworks

Web accessibility (WCAG 2.2 / EN 301 549)

Accessibility · EU · 2.2 · 55 controls

WCAG 2.2 AA accessibility for web & software — the conformance the EU Accessibility Act makes you self-declare.

Tool-evidenced 14 · Assisted 17 · Human 24
Directive (EU) 2019/882 (EAA) · EN 301 549 · WCAG 2.2 Level AA · WCAG-EM 1.0

EN 301 549 accessibility for ICT (EAA / Web Accessibility Directive)

Accessibility · EU · 3.2.1 · 59 controls

The full EU ICT accessibility standard — WCAG 2.1 AA for the web clause (per v3.2.1), plus the non-web ICT clauses you declare.

Tool-evidenced 14 · Assisted 14 · Human 31
EN 301 549 v3.2.1 (harmonised standard) · Directive (EU) 2016/2102 (Web Accessibility Directive) · Directive (EU) 2019/882 (European Accessibility Act) · WCAG 2.1 AA (clause 9)

Cybersecurity

3 frameworks

NIS2 cyber risk-management (Directive 2022/2555)

Cybersecurity · EU · 2022 · 17 controls

Cyber risk-management measures for essential & important entities — the technical slice of Article 21(2).

Tool-evidenced 8 · Assisted 5 · Human 4
Directive (EU) 2022/2555 (NIS2) · Commission Implementing Regulation (EU) 2024/2690 · ENISA technical implementation guidance

Cyber Resilience Act — product cybersecurity (Regulation 2024/2847)

Cybersecurity · EU · Preview · 2024 · 18 controls

Product cybersecurity for products with digital elements (EU CRA) — the repository-visible security properties are tool-evidenced; conformity is the manufacturer's.

Tool-evidenced 5 · Assisted 9 · Human 4
Regulation (EU) 2024/2847 (Cyber Resilience Act) · Annex I Part I — essential cybersecurity requirements · Annex I Part II — vulnerability-handling requirements

ISO/IEC 27001 Annex A — readiness evidence (preparation tool, not certification)

Cybersecurity · Global · 2022 · 93 controls

A preparation/readiness tool for ISO/IEC 27001 Annex A:2022 — all 93 controls. Gather the technical evidence a scan produces toward certification; only the Technological theme (A.8) is tool-evidenced. Not a certificate.

Tool-evidenced 4 · Assisted 8 · Human 81
ISO/IEC 27001:2022 Annex A — all 93 controls across the four themes · ISO/IEC 27002:2022 (implementation guidance — referenced, not reproduced) · A certification-readiness / preparation tool — never a substitute for accredited certification

Sector-specific

1 framework

DORA digital operational resilience (Regulation 2022/2554)

Sector-specific · EU · 2022 · 20 controls

ICT operational resilience for EU financial entities — the five pillars plus the RTS technical measures. Opt-in.

Tool-evidenced 7 · Assisted 3 · Human 10
Regulation (EU) 2022/2554 (DORA) · Commission Delegated Regulation (EU) 2024/1774 (RTS — ICT risk-management framework) · DORA RTS/ITS — incident classification, register of information, TLPT

Supply-chain integrity

1 framework

SLSA supply-chain integrity (v1.2 Build & Source tracks)

Supply-chain integrity · Global · 1.2 · 22 controls

Tamper-resistant build & source integrity (SLSA v1.2) — provenance and source-control attestations across Build L1–L3 and Source L1–L4.

Tool-evidenced 0 · Assisted 3 · Human 19
SLSA v1.2 — Supply-chain Levels for Software Artifacts (slsa.dev) · OpenSSF / Linux Foundation · Build track L1–L3 · Source track L1–L4

Application security

2 frameworks

SSDF secure software development (NIST SP 800-218)

Application security · US · 1.1 · 19 controls

Secure software development practices (NIST SP 800-218) — secure coding & vulnerability response are tool-evidenced; governance is attested.

Tool-evidenced 5 · Assisted 5 · Human 9
NIST SP 800-218 v1.1 — Secure Software Development Framework · PO / PS / PW / RV practice groups · Underpins US secure-software attestation; maps onto EU CRA secure-development

OWASP ASVS application-security verification (v5.0.0)

Application security · Global · 5.0.0 · 345 controls

Application-security verification (OWASP ASVS v5.0.0, full 345-requirement set) — injection, crypto, transport, config, dependencies & logging are tool-evidenced; the rest is verified by testing.

Tool-evidenced 47 · Assisted 91 · Human 207
OWASP Application Security Verification Standard (ASVS) v5.0.0 · 17 chapters (V1–V17) · verification levels L1–L3 · 345 requirements · Catalog built verbatim from OWASP's official machine-readable export

Privacy

1 framework

GDPR technical measures — Art. 32 & Art. 25 only (not GDPR compliance)

Privacy · EU · 2016 · 10 controls

The technical measures of GDPR Art. 32 & Art. 25 only (encryption, secrets, vulnerabilities, resilience) — not GDPR compliance.

Tool-evidenced 3 · Assisted 6 · Human 1
Regulation (EU) 2016/679 (GDPR) Art. 32 — security of processing · Regulation (EU) 2016/679 (GDPR) Art. 25 — data protection by design & by default · Technical measures ONLY — excludes lawful basis, DSARs, DPIAs, breach notification, transfers

Enable what you need.

Each framework is set to Automatic, On, or Off per repository.