Frameworks
Compliance frameworks read through an identity-architecture lens.
Most compliance writing treats identity as an access-control checkbox. We treat it as the largest single control area in every modern framework, and the one most likely to be the missing link when a supervisory review, audit, or breach notification actually happens.
These pages summarise what each framework asks for, where teams typically miss the identity angle, and what we have seen work in practice. Every claim is linked to its authoritative source.
Choose a Framework
Fifteen frameworks, each read for the identity controls that decide whether the rest works.
European Union
NIS2
Identity is a NIS2 risk-management measure, an incident-reporting input, and a supply-chain control all at once.
Network and Information Security Directive 2
European Union
DORA
DORA is where identity stops being IT plumbing and becomes board-reported operational resilience.
Digital Operational Resilience Act
International
ISO 27001
ISO 27001 is the management-system spine that an identity programme can hang on — the controls live in Annex A, but the discipline lives in the system.
ISO/IEC 27001:2022 — Information Security Management Systems
United States
SOC 2
SOC 2 is a controls report for your customers, and identity is the largest single control area in it.
SOC 2 — System and Organization Controls 2 (AICPA Trust Services Criteria)
European Union
GDPR
Identity is how the data subject is recognised, how their rights are enforced, and how a personal-data breach is detected.
General Data Protection Regulation (Regulation (EU) 2016/679)
United States
SOX
SOX is where access to financial systems becomes a public-filing risk and weak identity becomes a material weakness.
Sarbanes-Oxley Act (US Public Company Accounting Reform and Investor Protection Act of 2002)
International
ISA/IEC 62443
ISA/IEC 62443 is the standard that brings identity controls into the OT world, where the assumptions of IT identity break.
ISA/IEC 62443 — Security for Industrial Automation and Control Systems
International
ISO 27003
ISO 27003 is where 27001 stops being a checklist and starts being a programme — and identity is the largest implementation lift in it.
ISO/IEC 27003:2017 — Information security management system implementation guidance
International
Basel III
Basel III is where identity becomes a measured operational-risk and operational-resilience input — and where ICT failure has explicit capital implications.
Basel III — International regulatory framework for banks (BCBS standards)
United States
HIPAA
HIPAA puts identity at the centre of every ePHI access decision — and at the centre of every breach notification when an attacker gets through.
Health Insurance Portability and Accountability Act — Security and Privacy Rules
United States federal government
FedRAMP
FedRAMP makes identity the single most evidenced control area in your authorisation package — and the area auditors test hardest at continuous monitoring.
Federal Risk and Authorization Management Program
International
PCI DSS
PCI DSS v4.0 raised the identity bar materially: MFA for all access into the cardholder data environment, MFA implementations that resist replay, and security treated as a continuous process rather than a point-in-time assessment are no longer aspirational.
PCI Data Security Standard v4.0 / v4.0.1
European Economic Area
PSD2 / SCA
PSD2 SCA codified what good customer authentication looks like; the EBA-drafted Regulatory Technical Standards turned it into design requirements (independent authentication factors, dynamic linking of the transaction, defined exemptions) that most CIAM stacks are still catching up with.
Revised Payment Services Directive — Strong Customer Authentication (PSD2 SCA)
International
NIST CSF 2.0
NIST CSF 2.0 is the framework most other frameworks reference. For identity, it is where the Govern, Identify, Protect, and Respond functions land most heavily.
NIST Cybersecurity Framework 2.0
European Union
EU AI Act
The AI Act is where biometric identification, access control and cybersecurity for high-risk AI systems, and accountability for who operates those systems become EU-supervised obligations, not just internal policy.
Regulation (EU) 2024/1689 — Artificial Intelligence Act
Start with an identity-aligned assessment
An assessment that maps your current identity controls to the frameworks you operate under, before any redesign.