Governance (REGULATIVA)
Compliance that accumulates evidence continuously — not quarterly.
Compliance in most organisations is a quarterly manual exercise. Export findings from the vulnerability scanner. Export logs from the SIEM. Map them to controls in a spreadsheet. Write narratives for each auditor question. Repeat next quarter.
This process is expensive in analyst hours and produces a compliance posture that is only accurate at the moment of the export. Findings discovered between reports are not reflected. Controls that failed between audits may not surface until the next quarterly review.
SPNT's governance module (REGULATIVA) addresses both the analyst cost and the staleness. It maps substrate entities to compliance obligations continuously, not on a quarterly cycle, not in a separate tool, not by manual export. Compliance posture is a live state. Evidence packets are generated from the substrate on demand.
Framework coverage
35 frameworks. 3,144 obligations.
The currently covered frameworks include:
- General security: SOC 2 (Trust Services Criteria), ISO/IEC 27001:2022
- Payment and financial: PCI DSS v4.0
- Privacy and data protection: GDPR
- EU operational: NIS2 Directive, DORA (Digital Operational Resilience Act)
- US federal and defence: CMMC 2.0, NIST CSF 2.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 3
- Healthcare: HIPAA Security Rule
…plus 24 additional frameworks covering regional regulations, sector-specific requirements, and baseline standards.
Obligations are versioned to specific framework releases. When a framework is updated, the obligation dataset updates and re-evaluates against your current substrate findings — existing compliance records are preserved and migrated.
How obligation mapping works
When a finding enters the substrate, the applicability engine evaluates it against every framework in scope for your organisation:
- Classify — the finding is classified by type (vulnerability, misconfiguration, exposure, policy violation) and control category.
- Check applicability — for each framework in scope, the engine evaluates which obligations apply to this finding type and control category.
- Map — for each applicable obligation, a record is created or updated linking the finding to the obligation.
- Update status — the compliance status of each affected obligation is updated immediately. A new critical finding on an in-scope asset may move an obligation from "met" to "at risk".
This runs automatically, without analyst intervention, every time a finding is written or updated.
Evidence packets
When an auditor requests evidence — for a SOC 2 report, an ISO 27001 audit, a NIS2 review — REGULATIVA generates an evidence packet from the substrate on demand.
A packet for a given obligation contains:
- The obligation reference — identifier and full text from the framework.
- Linked findings — every substrate finding mapped to this obligation, with current status.
- Evidence chains — the underlying evidence for each finding, showing exactly how each issue was discovered.
- Control health records — current and historical health of controls linked to the obligation.
- Telemetry evidence — telemetry events that validate or invalidate the relevant controls.
- Offense verification records — exploit-verification results for findings linked to the obligation, where available.
- Remediation history — finding status changes and remediation events over the audit period.
The packet is structured for auditor review — organised by obligation, with citations to source records — not a flat log dump.
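The following is an added, illustrative implementation of the two mechanisms described above: the four-step applicability engine (classify, check applicability, map, update status) and the on-demand evidence packet that reads from the same records. It is not SPNT or REGULATIVA code. The obligation catalogue, obligation texts, finding titles, evidence-chain strings, status names ("met", "partially met", "at risk") and the keyword classifier are all constructed for the example; real framework text and real classification would come from the obligation dataset and the scanner metadata.

```python
"""Illustrative applicability engine and evidence-packet generator.

Added example, not product code. All obligations, findings and rules are
constructed for illustration; obligation texts are paraphrases, not real text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Obligation:
    framework: str
    ref: str
    text: str
    finding_types: frozenset        # finding types this obligation covers
    control_categories: frozenset   # control categories this obligation covers


@dataclass
class Finding:
    id: str
    asset: str
    in_scope: bool
    severity: str
    title: str
    evidence_chain: List[str]       # how the finding was discovered
    status: str = "open"


@dataclass
class ObligationState:
    status: str = "met"
    linked: List[str] = field(default_factory=list)   # finding ids mapped here


# Constructed catalogue: three obligations from three frameworks.
CATALOGUE = [
    Obligation("SOC 2", "CC7.1", "Identify and remediate vulnerabilities (constructed)",
               frozenset({"vulnerability", "misconfiguration"}),
               frozenset({"vulnerability_management"})),
    Obligation("PCI DSS v4.0", "6.3.3", "Apply security patches (constructed)",
               frozenset({"vulnerability"}), frozenset({"vulnerability_management"})),
    Obligation("ISO/IEC 27001:2022", "A.5.15", "Access control rules (constructed)",
               frozenset({"policy_violation"}), frozenset({"access_control"})),
]


def classify(finding: Finding) -> Tuple[str, str]:
    """Step 1: finding type and control category (constructed keyword rule)."""
    t = finding.title.lower()
    if "cve-" in t or "outdated" in t:
        return "vulnerability", "vulnerability_management"
    if "mfa" in t or "password" in t:
        return "policy_violation", "access_control"
    return "misconfiguration", "configuration"


def derive_status(state: ObligationState, findings: Dict[str, Finding]) -> str:
    """Step 4: an open critical/high finding on an in-scope asset puts the
    obligation at risk; any other open finding leaves it partially met."""
    open_ = [findings[i] for i in state.linked if findings[i].status == "open"]
    if any(f.in_scope and f.severity in ("critical", "high") for f in open_):
        return "at risk"
    return "partially met" if open_ else "met"


def evaluate(finding, catalogue, frameworks_in_scope, state, findings) -> List[str]:
    """Steps 2-3: applicability check and mapping; returns the obligation refs touched."""
    findings[finding.id] = finding
    ftype, category = classify(finding)
    touched = []
    for ob in catalogue:
        if ob.framework not in frameworks_in_scope:          # scope gate
            continue
        if ftype not in ob.finding_types or category not in ob.control_categories:
            continue
        st = state.setdefault(ob.ref, ObligationState())
        if finding.id not in st.linked:                      # create or update record
            st.linked.append(finding.id)
        st.status = derive_status(st, findings)              # status updates immediately
        touched.append(ob.ref)
    return touched


def record_status_change(finding, new_status, at, catalogue, scope, state, findings, log):
    """A remediation event is logged, then the finding is re-evaluated."""
    log.append({"finding_id": finding.id, "from": finding.status, "to": new_status, "at": at})
    finding.status = new_status
    return evaluate(finding, catalogue, scope, state, findings)


def evidence_packet(ref, catalogue, state, findings, log) -> dict:
    """Auditor-facing packet for one obligation, built from the live records."""
    ob = next(o for o in catalogue if o.ref == ref)
    st = state.get(ref, ObligationState())
    linked = [findings[i] for i in st.linked]
    return {
        "obligation": {"framework": ob.framework, "ref": ob.ref, "text": ob.text},
        "status": st.status,
        "linked_findings": [{"id": f.id, "asset": f.asset, "severity": f.severity,
                             "status": f.status} for f in linked],
        "evidence_chains": {f.id: f.evidence_chain for f in linked},
        "remediation_history": [e for e in log if e["finding_id"] in st.linked],
    }


def run_demo() -> dict:
    """One finding: mapped, packet generated, remediated, packet regenerated."""
    scope = {"SOC 2", "PCI DSS v4.0"}   # ISO 27001 deliberately out of scope
    state, findings, log = {}, {}, []
    vuln = Finding("F-1", "pay-web-01", True, "critical",
                   "Outdated TLS library on payment web tier",          # constructed
                   ["constructed: authenticated scan of pay-web-01",
                    "constructed: package version compared with vendor advisory"])
    mfa = Finding("F-2", "admin-portal", True, "high",
                  "MFA not enforced on admin portal", ["constructed: config review"])
    first = evaluate(vuln, CATALOGUE, scope, state, findings)
    mfa_touched = evaluate(mfa, CATALOGUE, scope, state, findings)   # no in-scope match
    before = evidence_packet("CC7.1", CATALOGUE, state, findings, log)
    record_status_change(vuln, "remediated", "2024-06-02T10:00:00Z",
                         CATALOGUE, scope, state, findings, log)
    after = evidence_packet("CC7.1", CATALOGUE, state, findings, log)
    return {"first_touched": first, "mfa_touched": mfa_touched,
            "before": before, "after": after}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Two points worth noticing in the output. The MFA finding maps to nothing because the only obligation that would accept it belongs to a framework outside scope, so scope selection is itself a control over what the posture reports. And the second packet for CC7.1 shows the status back at "met" together with the remediation event that caused it, which is the audit-period history an auditor asks for rather than a point-in-time export.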
NIS2 and DORA in practice
NIS2. SPNT maps substrate findings to NIS2 Article 21 measures: network and information system security, incident handling, business continuity, supply chain security, access control, and more. NIS2 compliance posture is a live view, not a quarterly snapshot.
DORA. SPNT maps substrate findings, telemetry events, and control health records to DORA obligations across ICT risk management, incident management, digital operational resilience testing, and ICT third-party risk.
EU compliance focus
See continuous compliance in action
A demonstration showing how a single finding flows through classification, obligation mapping, and evidence packet generation — with no manual export step.