ComplianceToArchitecture.com

Three steps to pick the frameworks you actually need.

Buying compliance tooling = picking the frameworks it must close. Start narrow; expand once you've shipped the first one.

1. Pick your driver: audit, deadline, customer ask.
2. Count the crosswalks: 1 framework → N audits.
3. Book a 30-min walk: on a synthetic tenant.

Framework coverage

Every regulatory framework tracked by the Compliance-to-Architecture v0.1 ontology. Populated frameworks ship machine-readable clauses, controls, and crosswalk edges. Roadmap frameworks have code reserved but await population in a future release.

  • 24 Populated: machine-readable clauses, controls, and questions ship.
  • 438 Total clauses: across all populated framework modules.
  • 322 Total controls: reusable across framework crosswalks.

  • Australia Privacy Act (POPULATED)

    Version: 1988 (Cth); amended 2022 (Enforcement & Other Measures)

    Australia's federal privacy statute. Applies to APP-entities — Commonwealth agencies and private-sector organisations with annual turnover above AUD 3 million plus the prescribed lower-threshold categories (health-service providers, traders in personal information, related-body-corporates, credit-reporting bodies, contractors to a Commonwealth contract). Establishes the thirteen Australian Privacy Principles (APPs) in Schedule 1 covering open + transparent management of personal information; anonymity and pseudonymity; collection of solicited / unsolicited / sensitive information; notification of collection; use or disclosure; direct marketing; cross-border disclosure; identifiers; quality + security; access + correction. Part IIIC contains the Notifiable Data Breaches scheme. The 2022 amendments substantially increased civil-penalty exposure for serious or repeated interference with privacy.

    Jurisdiction: AU · Clauses: 16 · Controls: 12 · Official source →
  • Brazil LGPD (POPULATED)

    Version: 13.709/2018

    Brazil's General Data Protection Law (LGPD). Applies to any processing of personal data carried out by a natural person or a legal entity, public or private, regardless of the means or country in which the data subject is located, provided that (i) processing is carried out in the national territory; (ii) the processing activity has the objective of offering or supplying goods or services to or processing data of individuals located in the national territory; or (iii) the personal data subject of the processing was collected in the national territory. Establishes 10 principles, 10 legal bases, the rights of the data subject, the obligations of controllers and processors, ANPD oversight, and administrative sanctions up to 2% of revenues (capped at BRL 50m per infraction).

    Jurisdiction: BR · Clauses: 18 · Controls: 12 · Official source →
  • CCPA / CPRA (POPULATED)

    Version: 2024

    California state privacy law applying to for-profit businesses doing business in California that (a) had annual gross revenues over $25 million in the preceding year, (b) annually buy/sell/share the personal information of 100,000+ California consumers or households, or (c) derive 50%+ of annual revenue from selling/sharing California consumers' personal information. Establishes seven consumer rights, three opt-out mechanisms (sale, sharing, sensitive PI), a notice + transparency regime, business-purpose service-provider + contractor + third-party distinctions, and a private right of action for certain data breaches. Enforced by the California Privacy Protection Agency (CPPA) + the California Attorney General.

    Jurisdiction: US-CA · Clauses: 17 · Controls: 13 · Official source →
  • China PIPL (POPULATED)

    Version: 2021

    China's comprehensive personal-information protection statute. Applies to processing of personal information of natural persons within China, and extraterritorially where processing outside China is (i) for the purpose of offering goods or services to natural persons within China, or (ii) for analysing or assessing the activities of natural persons within China. Establishes seven processing principles, six legal bases including separate-consent requirements for sensitive personal information + cross-border transfer + automated decision-making, the rights of individuals, the obligations of Personal Information Handlers (PI Handlers) including localisation + CAC security assessment for Critical Information Infrastructure Operators (CIIOs) and large-volume processors, and penalties up to 5% of preceding-year turnover or RMB 50 million.

    Jurisdiction: CN · Clauses: 18 · Controls: 12 · Official source →
  • DORA (POPULATED)

    Version: (EU) 2022/2554

    EU regulation establishing uniform requirements for the security of network and information systems supporting business processes of financial entities in the Union, and for the digital operational resilience of those entities. Covers ICT risk management (Chapter II), ICT-related incident reporting (Chapter III), digital operational resilience testing including TLPT (Chapter IV), ICT third-party risk (Chapter V), information-sharing arrangements (Chapter VI) and oversight of critical ICT third-party service providers (Chapter V Section II).

    Jurisdiction: EU, EEA · Clauses: 22 · Controls: 14 · Official source →
  • EU AI Act (POPULATED)

    Version: (EU) 2024/1689

    Risk-based regulation of AI systems and general-purpose AI models in the EU/EEA. Prohibited practices (Art. 5), high-risk requirements (Title III + Annex III), transparency obligations (Art. 50), and GPAI provisions (Title VIII Chapter V). Applies to providers, deployers, importers, distributors and authorised representatives.

    Jurisdiction: EU, EEA · Clauses: 30 · Controls: 16 · Official source →
  • EU Cyber Resilience Act (POPULATED)

    Version: 2024

    EU horizontal cybersecurity regulation for products with digital elements (hardware + software that can be connected to a device or network). Establishes essential cybersecurity requirements (Annex I), vulnerability handling obligations, conformity-assessment procedures (Annex VIII), CE marking, and 24-hour / 72-hour / 14-day vulnerability + incident reporting. Applies to manufacturers + importers + distributors placing products with digital elements on the EU market. Special categories: important products with digital elements (Annex III) and critical products with digital elements (Annex IV) require stricter conformity assessment routes.

    Jurisdiction: EU, EEA · Clauses: 18 · Controls: 13 · Official source →
  • FedRAMP (POPULATED)

    Version: Rev. 5 — 2024-05

    Federal Risk and Authorization Management Program — the US government programme that standardises security authorisation of cloud products and services for federal agencies. Built on the NIST SP 800-53 Rev. 5 control baseline; ReguNav indexes its three baselines (Low / Moderate / High), the 17 NIST 800-53 control families, and the FedRAMP-specific authorisation and continuous-monitoring (ConMon) obligations.

    Jurisdiction: US · Clauses: 28 · Controls: 18 · Official source →
  • GDPR (POPULATED)

    Version: (EU) 2016/679

    EU regulation governing the processing of personal data of natural persons in the Union and the cross-border movement of such data. Applies to controllers and processors established in the EU and, under Art. 3(2), to those outside the EU that offer goods/services to or monitor data subjects in the EU. Covers principles (Art. 5), lawful basis (Art. 6+9), data-subject rights (Ch. III), controller/processor duties (Ch. IV), security (Art. 32), breach notification (Art. 33-34), DPIA (Art. 35), DPO (Art. 37-39), international transfers (Ch. V) and supervisory authority cooperation.

    Jurisdiction: EU, EEA · Clauses: 28 · Controls: 15 · Official source →
  • HAARF — Healthcare AI Agents Regulatory Framework (POPULATED)

    Version: 1.0

    Synthesis verification standard for autonomous AI agents in healthcare. 8 verification categories (C1 Risk & Lifecycle · C2 AI Model Passport & Traceability · C3 Cybersecurity · C4 Human Oversight · C5 Agent Registration · C6 Autonomy Governance · C7 Bias & Equity · C8 Tool Use & Integration Security) covering 279 requirements across 3 implementation levels (L1 Foundation 85 reqs · L2 Advanced 144 reqs · L3 Expert 50 reqs). Harmonises FDA TPLC/PCCP, EU AI Act high-risk classification, Health Canada SGBA+, UK MHRA AI Airlock + SaMD/AIaMD Change Programme + 2025 PMS regs, NIST AI RMF, WHO GI-AI4H, ISO/IEC 42001, OWASP AISVS, IMDRF GMLP. Empirically validated via red-team evaluation: deterministic middleware reduces unauthorised-tool execution from 56-60% (baseline) to 0% under HAARF enforcement (95% Wilson CI [0.00, 0.07], model-agnostic across Gemini 2.5 Flash + Claude Sonnet 4.6).

    Jurisdiction: INTERNATIONAL, EU, US, UK · Clauses: 12 · Controls: 21 · Official source →
  • HIPAA Security & Privacy (POPULATED)

    Version: 2013 Omnibus

    US federal regulation governing the use and disclosure of Protected Health Information (PHI) by Covered Entities (health plans, health-care clearinghouses, providers transmitting health information electronically) and Business Associates. Privacy Rule (§§ 164.500-534) governs uses and disclosures of PHI; Security Rule (§§ 164.302-318) requires administrative, physical and technical safeguards for ePHI; Breach Notification Rule (§§ 164.400-414) requires notice to affected individuals, the HHS Secretary and (for breaches affecting ≥500 individuals) prominent media outlets.

    Jurisdiction: US · Clauses: 20 · Controls: 15 · Official source →
  • HuggingFace Model Card (POPULATED)

    Version: 2024.04

    HuggingFace Model Card specification — the conventional README.md + YAML frontmatter fields used to describe a model on the HF Hub. Used as the source side of crosswalk edges that map model-card fields to compliance-framework controls (AI Act Art. 13, ISO 42001 8.1, NIST AI RMF MAP-3.1, etc.).

    Jurisdiction: GLOBAL · Clauses: 9 · Controls: 0 · Official source →
  • India DPDP Act (POPULATED)

    Version: 2023

    India's general personal data protection statute. Regulates the processing of digital personal data of Data Principals (individuals) by Data Fiduciaries (determines the purpose + means) and Data Processors. Establishes the Data Protection Board of India as the regulator, sets out lawful bases (consent + 'certain legitimate uses' — DPDP's 'lawful purpose'), rights and duties of Data Principals, additional obligations for 'Significant Data Fiduciaries', a default 'cross-border-transfer-allowed unless restricted' regime, and penalties up to ₹250 crore per breach. Children + persons with disability receive heightened protection (verifiable parental consent + restrictions on tracking + targeted advertising).

    Jurisdiction: IN · Clauses: 16 · Controls: 11 · Official source →
  • ISO/IEC 27001:2022 (POPULATED)

    Version: 2022

    International standard specifying the requirements for an Information Security Management System (ISMS). HLS clauses 4-10 cover establishment, leadership, planning, support, operation, performance evaluation and improvement. Annex A enumerates 93 information-security controls grouped into Organisational (A.5), People (A.6), Physical (A.7) and Technological (A.8) themes. Certifiable by accredited certification bodies.

    Jurisdiction: INTERNATIONAL · Clauses: 17 · Controls: 15 · Official source →
  • ISO/IEC 27701:2019 (POPULATED)

    Version: 2019

    International standard extending ISO/IEC 27001 (ISMS) and ISO/IEC 27002 (controls) for privacy information management. Establishes a Privacy Information Management System (PIMS) that covers both PII controllers and PII processors. Clause 5 contains PIMS-specific requirements; Clause 6 contains PIMS-specific guidance for ISO 27002 controls; Clause 7 contains additional guidance for PII controllers (Annex A controls); Clause 8 contains additional guidance for PII processors (Annex B controls). Annex D maps the standard to the GDPR.

    Jurisdiction: INTERNATIONAL · Clauses: 15 · Controls: 12 · Official source →
  • ISO/IEC 42001:2023 (POPULATED)

    Version: 2023

    International management-system standard for organisations providing or using products or services that use AI systems. Mirrors the High-Level Structure shared by ISO 9001, ISO 27001 and ISO 14001 (Clauses 4-10) and adds an Annex A of AI-specific controls covering AI policy, organisational roles, AI impact assessment, AI system lifecycle, data for AI systems, information for interested parties, third-party relationships and operational planning. Certifiable by accredited certification bodies.

    Jurisdiction: INTERNATIONAL · Clauses: 24 · Controls: 15 · Official source →
  • Japan APPI (POPULATED)

    Version: 2003 (Act No. 57); amended 2020 (effective 2022) + 2021

    Japan's general statute on the protection of personal information. Establishes the obligations of Personal-Information-Handling Business Operators (PIHBO / 個人情報取扱事業者), the special category of 'special-care-required personal information' (要配慮個人情報), the pseudonymously-processed (仮名加工情報) and anonymously-processed (匿名加工情報) regimes, the personal-related-information (個人関連情報) third-party-provision restriction, mandatory leakage reporting + individual notification, the rights of individuals (disclosure / correction / suspension of use / suspension of provision / disclosure-method choice), cross-border-transfer restrictions, and the PPC's enforcement powers. The 2022 amendments extended extraterritorial application and added administrative-fine exposure up to JPY 100 million for legal persons (Art. 179).

    Jurisdiction: JP · Clauses: 17 · Controls: 12 · Official source →
  • NIS2 Directive (POPULATED)

    Version: 2022/2555

    EU Directive on measures for a high common level of cybersecurity. Applies to medium and large essential and important entities operating in critical sectors (Annexes I + II): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal services, waste management, manufacturing of critical products, food, digital providers, and research. Requires cybersecurity risk-management measures (Art. 21), incident reporting on a 24h early warning + 72h notification + 1-month final report cadence (Art. 23), supply-chain security and management-body accountability for non-compliance (Art. 20).

    Jurisdiction: EU, EEA · Clauses: 17 · Controls: 14 · Official source →
  • NIST AI Risk Management Framework (POPULATED)

    Version: 1.0

    Voluntary US framework for managing risks posed by AI systems. Organises trustworthy-AI work into four core functions — GOVERN (organisational culture, policies, accountability), MAP (context, AI capabilities + use, impact identification), MEASURE (analysis, testing, tracking), MANAGE (prioritised risk response across the lifecycle). Each function decomposes into categories with subcategories. Outcomes — validity + reliability, safety, security + resilience, accountability + transparency, explainability + interpretability, privacy enhancement, fairness with managed bias — characterise trustworthy AI.

    Jurisdiction: US, INTERNATIONAL · Clauses: 20 · Controls: 14 · Official source →
  • NIST CSF 2.0 (POPULATED)

    Version: 2.0

    Voluntary US framework organising cybersecurity activities into six functions — GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER. Each function decomposes into categories with outcome-statement subcategories. Implementation Tiers (Partial, Risk-Informed, Repeatable, Adaptive) and Profiles (Current + Target) provide an organisational-maturity overlay. Suitable for use across critical infrastructure, government and the private sector at any size.

    Jurisdiction: US, INTERNATIONAL · Clauses: 22 · Controls: 15 · Official source →
  • PCI DSS 4.0.1 (POPULATED)

    Version: 4.0.1

    Industry contractual standard for protecting cardholder data. Applies to any entity that stores, processes or transmits cardholder data (PAN, cardholder name, service code, expiration date) or sensitive authentication data (full track, CAV2/CVC2/CVV2/CID, PIN/PIN block). Twelve requirements cover network security, secure configurations, data protection, transmission cryptography, anti-malware, secure SDLC, role-based access, authentication, physical access, logging + monitoring, regular testing, and the information-security programme. Assessor regimes: Qualified Security Assessor (QSA) for a Report on Compliance (ROC); Self-Assessment Questionnaire (SAQ) for smaller merchants; quarterly Approved Scanning Vendor (ASV) scans of the external network.

    Jurisdiction: INTERNATIONAL · Clauses: 12 · Controls: 14 · Official source →
  • SOC 1 Type II (POPULATED)

    Version: SSAE 18 AT-C 320 (2017)

    AICPA Service Organization Controls 1 (SOC 1) Type II examination — reports on the design and operating effectiveness of a service organization's controls likely to be relevant to user entities' Internal Control over Financial Reporting (ICFR). The examination is conducted by an independent service auditor under SSAE 18 AT-C 320. Type II covers a specified period (commonly 6 or 12 months) and includes the service auditor's tests of operating effectiveness. The framework captured here is the standard set of control-objective domains across the industry — logical access; change management; computer operations; system development; data transmission; physical security; data processing integrity — plus the structural requirements for the management description of the system (DC 1-8), the management assertion, CUECs (complementary user-entity controls), CSOCs (complementary subservice-organization controls), and carve-out vs inclusive-method subservice handling.

    Jurisdiction: US, GLOBAL · Clauses: 13 · Controls: 14 · Official source →
  • SOC 2 Type II (POPULATED)

    Version: 2017 TSC

    AICPA attestation framework for service organisations. The Common Criteria (CC1-CC9) form the security baseline that every SOC 2 engagement covers; the four additional categories (Availability, Processing Integrity, Confidentiality, Privacy) are optional and elected by the service organisation. A SOC 2 Type II engagement covers a period (typically 6-12 months) and attests to the operating effectiveness of controls. An independent CPA service auditor produces the report under SSAE 18 / AT-C Section 320.

    Jurisdiction: US, INTERNATIONAL · Clauses: 13 · Controls: 15 · Official source →
  • UK GDPR + DPA 2018 (POPULATED)

    Version: 2018

    UK data-protection regime: UK GDPR (the EU GDPR retained in domestic law and amended for the UK context) plus the Data Protection Act 2018. Applies to controllers + processors established in the UK and, under Art. 3(2), to those outside the UK that offer goods/services to or monitor data subjects in the UK. Supervisory authority is the Information Commissioner's Office (ICO). This module focuses on the UK-specific deltas vs EU GDPR (which is populated separately at packages/frameworks/src/gdpr.ts).

    Jurisdiction: UK · Clauses: 16 · Controls: 10 · Official source →