Framework Coverage

78+ Compliance Frameworks & Standards

From global security standards to regional financial regulators — Phana Velocity maps your controls, gathers evidence, and validates compliance across every framework your business requires.

Global Standards & Frameworks

17

NIST 800-53 Rev 5

US federal information security controls (1000+ controls)

→ US federal agencies, FedRAMP, government contractors

ISO 27001:2022

International information security management standard

→ Enterprise software, multinationals, any org seeking certification

ISO 27002:2022

Information security controls reference

→ Organizations implementing ISO 27001 controls

ISO 27799

Health informatics security management

→ Healthcare IT vendors, health data processors

ISO 42001:2023

AI management system standard

→ Companies building or deploying AI systems

SOC 2

Trust Services Criteria for service organizations

→ B2B SaaS, cloud services, any company handling customer data

NIST CSF 2.0

Cybersecurity Framework; version 2.0 widens the original critical-infrastructure scope to organizations of any size or sector

→ Any industry — voluntary baseline for risk management

CIS Controls v8

Prioritized security actions for cyber defense

→ Any org seeking practical security hygiene benchmarks

COBIT 2019

IT governance and management framework

→ IT departments, public companies, audit functions

CMMC 2.0

US DoD cybersecurity maturity model

→ US defense contractors and subcontractors (DIB)

HITRUST CSF

Certifiable security and privacy framework

→ Healthcare, insurance, any org handling sensitive data

Common Criteria (ISO 15408)

IT product security evaluation standard

→ IT product vendors selling to government

FIPS 140-3

Cryptographic module security requirements

→ Vendors providing crypto modules to US/Canadian government

ISAE 3402

Service organization controls (international SOC)

→ Service organizations reporting on controls to non-US clients (international counterpart of SOC 1 / SSAE 18)

IEC 62443

Industrial automation cybersecurity

→ OT/ICS vendors, industrial automation, manufacturing

IEEE 1686

Substation IED security capabilities

→ Electric utilities, substation equipment vendors

FINOS Common Cloud Controls

Open cloud security controls for financial services

→ Financial services firms adopting cloud

Privacy & Data Protection

5

GDPR

EU General Data Protection Regulation

→ Any org processing personal data of people in the EU; the UK GDPR applies the same regime in the UK

HIPAA

US health information privacy, security, and breach notification rules

→ Covered entities (providers, health plans, clearinghouses) and their business associates (BAs)

NYDFS 23 NYCRR 500

New York financial services cybersecurity regulation

→ Banks, insurers, and fintechs licensed in New York

POPIA

South Africa data protection act

→ Any org processing personal info of SA residents

LGPD + BCB

Brazil data protection and central bank regulation

→ Fintechs and data processors operating in Brazil

Financial Services — Global

10

PCI DSS v4.0

Payment Card Industry Data Security Standard (v4.0.1 is the current revision)

→ Any entity storing, processing, or transmitting card data

DORA

EU Digital Operational Resilience Act

→ EU financial entities and their ICT service providers

SWIFT CSCF

SWIFT Customer Security Controls Framework

→ Banks and institutions connected to SWIFT network

BCBS 239

Risk data aggregation and reporting principles

→ Global systemically important banks (G-SIBs); national supervisors may extend it to domestic SIBs

CPMI-IOSCO PFMI

Principles for financial market infrastructures

→ Payment systems, CCPs, securities depositories

IOSCO Cyber Resilience

Securities market cyber resilience guidance

→ Stock exchanges, trading platforms, market operators

Solvency II

EU insurance regulatory framework

→ EU insurance and reinsurance companies

PCI HSM

Hardware security module standards for payment

→ HSM vendors and payment processors using HSMs

PCI PTS

PIN transaction security for payment devices

→ POS terminal manufacturers and payment device vendors

TIBER-EU

EU framework for threat-led penetration testing

→ Systemically important EU financial institutions

Financial Services — Regional Regulators

27

EBA ICT Risk Management

European Banking Authority ICT guidelines

→ EU banks and investment firms

ECB CROE

European Central Bank cyber resilience oversight

→ Eurozone financial market infrastructures

FFIEC Information Security

US Federal Financial Institutions Examination Council IT Examination Handbook (Information Security booklet)

→ US banks, credit unions, savings institutions

NAIC Data Security

US insurance data security model law

→ US licensed insurers (adopted in 20+ states)

APRA CPS 234

Australia prudential information security

→ Australian banks, insurers, super funds

HKMA TM-E-1

Hong Kong Monetary Authority supervisory module TM-E-1 (risk management of e-banking)

→ Hong Kong authorized institutions (banks)

MAS TRM

Singapore technology risk management

→ Singapore licensed financial institutions

OSFI B-13

Canada technology and cyber risk management

→ Canadian federally regulated financial institutions

SAMA CSF

Saudi Central Bank (SAMA) Cyber Security Framework

→ Saudi financial institutions and fintechs

SEBI CSCRF

India SEBI Cybersecurity and Cyber Resilience Framework

→ Indian stock exchanges, brokers, depositories

RBI CSF

India Reserve Bank cyber security framework

→ Indian banks, NBFCs, payment operators

FINMA Circular

Swiss Financial Market Supervisory Authority circulars on operational risks and resilience (e.g. Circular 2023/1 for banks)

→ Swiss banks, insurers, asset managers

FCA SYSC 13

UK FCA Handbook SYSC 13: operational risk systems and controls (the insurer-specific chapter)

→ UK FCA-regulated insurers; other firms' equivalent requirements sit in the common platform chapters

CBEST

UK threat-led penetration testing framework

→ UK systemically important financial institutions

PRA SS1/23

UK Prudential Regulation Authority model risk management principles for banks

→ UK PRA-regulated banks (CRR firms); operational resilience is covered separately under the PRA/FCA operational resilience policy

UK PRA/FCA Operational Resilience

UK operational resilience requirements

→ UK dual-regulated financial services firms

Lloyd's Market Security

Lloyd's of London market security requirements

→ Lloyd's managing agents and syndicates

DNB Good Practice

Netherlands central bank IT practices

→ Dutch banks, insurers, pension funds

Bank of Ghana CISD

Ghana cyber and information security directive

→ Ghanaian licensed financial institutions

Bank of Mauritius CTRM

Mauritius cyber technology risk management

→ Mauritian banks and financial services

Bank of Thailand Cyber

Thailand central bank cyber resilience

→ Thai commercial banks and e-payment providers

CBB TM

Bahrain central bank technology management

→ Bahraini licensed banks and financial firms

CBE CSF

Egypt central bank cybersecurity framework

→ Egyptian banks and payment service providers

CBN CSF

Nigeria central bank cybersecurity framework

→ Nigerian deposit money banks and payment service providers

CBUAE

UAE central bank cybersecurity regulation

→ UAE licensed financial institutions

FISC

Japan financial industry security guidelines

→ Japanese banks, securities firms, insurers

SARB JointStandard 2

South Africa Joint Standard 2 of 2024 (Prudential Authority / FSCA) cybersecurity and cyber resilience requirements

→ South African banks, insurers, financial market infrastructures and other regulated financial institutions

Healthcare & Life Sciences

3

FDA 21 CFR Part 11

Electronic records and signatures

→ Pharma, biotech, medical device — any FDA-regulated electronic system

FDA Cybersecurity Guidance

Medical device cybersecurity requirements

→ Medical device manufacturers (pre- and post-market)

NHS DSPT

UK National Health Service data security toolkit

→ Any org with access to NHS patient data or systems

Energy, Nuclear & Critical Infrastructure

7

NERC CIP

North American electric reliability standards

→ Bulk electric system operators in North America

FERC CIP

Federal Energy Regulatory Commission orders approving and directing the NERC CIP reliability standards

→ US electric utilities and grid operators under FERC jurisdiction

DOE C2M2

Cybersecurity capability maturity model for energy

→ Energy sector organizations (voluntary maturity assessment)

IAEA Nuclear Security

Nuclear facility computer security guidance

→ Nuclear power plants and fuel cycle facilities

NRC 10 CFR 73.54

US Nuclear Regulatory Commission cybersecurity

→ US nuclear power plant licensees

TSA Pipeline Security

Pipeline and surface transportation security

→ US pipeline owners/operators designated by TSA

API 1164

Pipeline SCADA security standard

→ Oil and gas pipeline operators with SCADA systems

EU & National Cyber Regulations

10

NIS2 Directive

EU network and information security directive

→ Essential and important entities across 18 EU sectors

EU Cyber Resilience Act

EU product cybersecurity requirements

→ Manufacturers of products with digital elements sold in EU

ANSSI

France national cybersecurity framework

→ French critical infrastructure operators (OIV/OSE)

BSI IT-Grundschutz

Germany federal IT baseline protection

→ German federal agencies and KRITIS operators

BIO 2.0

Netherlands government information security baseline

→ Dutch government organizations and suppliers

ASD Essential Eight

Australia essential cybersecurity strategies

→ Australian government agencies (mandatory), private sector (recommended)

AWIA

America's Water Infrastructure Act cybersecurity

→ US community water systems serving 3,300+ people

MLPS 2.0

China multi-level protection scheme

→ Any organization operating information systems in China

Qatar NIA

Qatar national information assurance framework

→ Qatar government entities and critical sectors

UAE IA

UAE information assurance standards

→ UAE federal government entities

Compliance by Country

Which frameworks apply to your region?

Every country has its own regulatory landscape. Here's what applies where — and how Phana Velocity covers it.

🌐 Global — Required Across Most Regions

These frameworks are adopted internationally or required by customers/partners regardless of where you operate.

🇸🇬 Singapore
🇸🇦 Saudi Arabia & GCC
🇩🇪 Germany
🇫🇷 France
🇧🇷 Brazil
🇯🇵 Japan
🇿🇦 South Africa

Each country card links to a detailed guide covering local regulatory requirements, enforcement timelines, and how Phana Velocity automates compliance for that region.

Don't see your framework?

We add new frameworks regularly. Reach out and we'll prioritize yours.

Request a Framework