Framework Coverage
78+ Compliance Frameworks & Standards
From global security standards to regional financial regulators — Phana Velocity maps your controls, gathers evidence, and validates compliance across every framework your business requires.
Global Standards & Frameworks (17)
NIST 800-53 Rev 5
US federal information security controls (1000+ controls)
→ US federal agencies, FedRAMP, government contractors
ISO 27001:2022
International information security management standard
→ Enterprise software, multinationals, any org seeking certification
ISO 27002:2022
Information security controls reference
→ Organizations implementing ISO 27001 controls
ISO 27799
Health informatics security management
→ Healthcare IT vendors, health data processors
ISO 42001:2023
AI management system standard
→ Companies building or deploying AI systems
SOC 2
Trust Services Criteria for service organizations
→ B2B SaaS, cloud services, any company handling customer data
NIST CSF 2.0
Cybersecurity Framework for critical infrastructure
→ Any industry — voluntary baseline for risk management
CIS Controls v8
Prioritized security actions for cyber defense
→ Any org seeking practical security hygiene benchmarks
COBIT 2019
IT governance and management framework
→ IT departments, public companies, audit functions
CMMC 2.0
US DoD cybersecurity maturity model
→ US defense contractors and subcontractors (DIB)
HITRUST CSF
Certifiable security and privacy framework
→ Healthcare, insurance, any org handling sensitive data
Common Criteria (ISO 15408)
IT product security evaluation standard
→ IT product vendors selling to government
FIPS 140-3
Cryptographic module security requirements
→ Vendors providing crypto modules to US/Canadian government
ISAE 3402
Service organization controls (international SOC)
→ Service orgs reporting to non-US clients (like SOC 1)
IEC 62443
Industrial automation cybersecurity
→ OT/ICS vendors, industrial automation, manufacturing
IEEE 1686
Substation IED security capabilities
→ Electric utilities, substation equipment vendors
FINOS Common Cloud Controls
Open cloud security controls for financial services
→ Financial services firms adopting cloud
Privacy & Data Protection (5)
GDPR
EU General Data Protection Regulation
→ Any org handling EU/UK resident personal data
HIPAA
US healthcare data security rule
→ Healthcare providers, payers, and their tech vendors (BAs)
NYDFS 23 NYCRR 500
New York financial services cybersecurity regulation
→ Banks, insurers, and fintechs licensed in New York
POPIA
South Africa data protection act
→ Any org processing personal info of SA residents
LGPD + BCB
Brazil data protection and central bank regulation
→ Fintechs and data processors operating in Brazil
Financial Services — Global (10)
PCI-DSS v4.0
Payment card industry data security standard
→ Any entity storing, processing, or transmitting card data
DORA
EU Digital Operational Resilience Act
→ EU financial entities and their ICT service providers
SWIFT CSCF
SWIFT Customer Security Controls Framework
→ Banks and institutions connected to SWIFT network
BCBS 239
Risk data aggregation and reporting principles
→ Global systemically important banks (G-SIBs)
CPMI-IOSCO PFMI
Principles for financial market infrastructures
→ Payment systems, CCPs, securities depositories
IOSCO Cyber Resilience
Securities market cyber resilience guidance
→ Stock exchanges, trading platforms, market operators
Solvency II
EU insurance regulatory framework
→ EU insurance and reinsurance companies
PCI HSM
Hardware security module standards for payment
→ HSM vendors and payment processors using HSMs
PCI PTS
PIN transaction security for payment devices
→ POS terminal manufacturers and payment device vendors
TIBER-EU
EU framework for threat-led penetration testing
→ Systemically important EU financial institutions
Financial Services — Regional Regulators (27)
EBA ICT Risk Management
European Banking Authority ICT guidelines
→ EU banks and investment firms
ECB CROE
European Central Bank cyber resilience oversight
→ Eurozone financial market infrastructures
FFIEC Information Security
US Federal Financial Institutions Examination Council guidance
→ US banks, credit unions, savings institutions
NAIC Data Security
US insurance data security model law
→ US licensed insurers (adopted in 20+ states)
APRA CPS 234
Australia prudential information security
→ Australian banks, insurers, super funds
HKMA TM-E-1
Hong Kong monetary authority cyber resilience
→ Hong Kong authorized institutions (banks)
MAS TRM
Singapore technology risk management
→ Singapore licensed financial institutions
OSFI B-13
Canada technology and cyber risk management
→ Canadian federally regulated financial institutions
SAMA CSF
Saudi Arabia monetary authority cybersecurity
→ Saudi financial institutions and fintechs
SEBI CSCRF
India securities cyber security framework
→ Indian stock exchanges, brokers, depositories
RBI CSF
India Reserve Bank cyber security framework
→ Indian banks, NBFCs, payment operators
FINMA Circular
Switzerland financial market supervisory authority
→ Swiss banks, insurers, asset managers
FCA SYSC 13
UK Financial Conduct Authority operational risk
→ UK FCA-regulated firms
CBEST
UK threat-led penetration testing framework
→ UK systemically important financial institutions
PRA SS1/23
UK Prudential Regulation Authority resilience
→ UK PRA-regulated banks and insurers
UK PRA/FCA Operational Resilience
UK operational resilience requirements
→ UK dual-regulated financial services firms
Lloyd's Market Security
Lloyd's of London market security requirements
→ Lloyd's managing agents and syndicates
DNB Good Practice
Netherlands central bank IT practices
→ Dutch banks, insurers, pension funds
Bank of Ghana CISD
Ghana cyber and information security directive
→ Ghanaian licensed financial institutions
Bank of Mauritius CTRM
Mauritius cyber technology risk management
→ Mauritian banks and financial services
Bank of Thailand Cyber
Thailand central bank cyber resilience
→ Thai commercial banks and e-payment providers
CBB TM
Bahrain central bank technology management
→ Bahraini licensed banks and financial firms
CBE CSF
Egypt central bank cybersecurity framework
→ Egyptian banks and payment service providers
CBN CSF
Nigeria central bank cybersecurity framework
→ Nigerian deposit-taking institutions
CBUAE
UAE central bank cybersecurity regulation
→ UAE licensed financial institutions
FISC
Japan financial industry security guidelines
→ Japanese banks, securities firms, insurers
SARB Joint Standard 2
South Africa Reserve Bank cybersecurity
→ South African banks and financial market infrastructures
Healthcare & Life Sciences (3)
FDA 21 CFR Part 11
Electronic records and signatures
→ Pharma, biotech, medical device — any FDA-regulated electronic system
FDA Cybersecurity Guidance
Medical device cybersecurity requirements
→ Medical device manufacturers (pre- and post-market)
NHS DSPT
UK National Health Service data security toolkit
→ Any org with access to NHS patient data or systems
Energy, Nuclear & Critical Infrastructure (7)
NERC CIP
North American electric reliability standards
→ Bulk electric system operators in North America
FERC CIP
Federal Energy Regulatory Commission standards
→ US electric utilities and grid operators
DOE C2M2
Cybersecurity capability maturity model for energy
→ Energy sector organizations (voluntary maturity assessment)
IAEA Nuclear Security
Nuclear facility computer security guidance
→ Nuclear power plants and fuel cycle facilities
NRC 10 CFR 73.54
US Nuclear Regulatory Commission cybersecurity
→ US nuclear power plant licensees
TSA Pipeline Security
Pipeline and surface transportation security
→ US pipeline owners/operators designated by TSA
API 1164
Pipeline SCADA security standard
→ Oil and gas pipeline operators with SCADA systems
EU & National Cyber Regulations (10)
NIS2 Directive
EU network and information security directive
→ Essential and important entities across 18 EU sectors
EU Cyber Resilience Act
EU product cybersecurity requirements
→ Manufacturers of products with digital elements sold in EU
ANSSI
France national cybersecurity framework
→ French critical infrastructure operators (OIV/OSE)
BSI IT-Grundschutz
Germany federal IT baseline protection
→ German federal agencies and KRITIS operators
BIO 2.0
Netherlands government information security baseline
→ Dutch government organizations and suppliers
ASD Essential Eight
Australia essential cybersecurity strategies
→ Australian government agencies (mandatory), private sector (recommended)
AWIA
America's Water Infrastructure Act cybersecurity
→ US community water systems serving 3,300+ people
MLPS 2.0
China multi-level protection scheme
→ Any organization operating information systems in China
Qatar NIA
Qatar national information assurance framework
→ Qatar government entities and critical sectors
UAE IA
UAE information assurance standards
→ UAE federal government entities
Compliance by Country
Which frameworks apply to your region?
Every country has its own regulatory landscape. Here's what applies where — and how Phana Velocity covers it.
Global — Required Across Most Regions
These frameworks are adopted internationally or required by customers/partners regardless of where you operate.
United States
European Union
United Kingdom
India
Australia
Germany
Brazil
Each country card links to a detailed guide covering local regulatory requirements, enforcement timelines, and how Phana Velocity automates compliance for that region.
Don't see your framework?
We add new frameworks regularly. Reach out and we'll prioritize yours.