24 frameworks · live coverage

Three steps to know if ReguNav fits.

For CFOs, COOs, Heads of Risk, and General Counsel. Skip the architecture diagrams — see the deliverable, the problem solved, and the ROI you'll quote to the board.

1. Pick your driver: Audit, deadline, or regulator
2. See deliverables: What you get, what it solves, ROI
3. Book a POC: 30-min walkthrough on a real tenant
24 shipped · sectoral + national + global · custom frameworks in 30 days

Every framework you face. One dictionary engine.

Every framework here is declared as data, not code — so a single classification engine, evidence matcher, and obligation tracker work across all of them. New frameworks land monthly. Bring your own and we'll model it in 30 days.

EU AI Act

(EU) 2024/1689 · EU · official ↗

Risk-classified AI systems · Annex III high-risk · GPAI · post-market monitoring · serious-incident reporting · FRIA · transparency Art 50/53

ISO/IEC 42001:2023

First AI Management System · Global · official ↗

AIMS structure · risk treatment · impact assessment · operational planning · supplier requirements · monitoring + measurement · improvement

ISO/IEC 27001:2022

Information Security MS · Global · official ↗

Annex A controls (93) · ISMS scope · risk treatment · management review · continual improvement · Annex SL aligned

ISO/IEC 27701:2019

Privacy MS extension to 27001 · Global · official ↗

PII processor + controller · 6.x extension to ISO 27001 · privacy by design · data subject rights

GDPR

(EU) 2016/679 · EU/EEA · official ↗

Lawful basis · Art 22 automated decisions · Art 25 by-design · Art 28 processors · Art 35 DPIA · Art 32 security · breach notification

HIPAA

Security & Privacy Rules · US · official ↗

Administrative · physical · technical safeguards · BA agreements · breach notification · individual rights · accounting of disclosures

SOC 2 Type II

AICPA Trust Services Criteria · US/Global · official ↗

CC1-CC9 · A1 availability · C1 confidentiality · PI1 processing integrity · P1-P8 privacy · 12-month observation period

SOC 1 Type II

ICFR-relevant controls · US/Global · official ↗

Controls relevant to financial reporting at user entities · 6-12 month testing · ISAE 3402 alignment

PCI DSS 4.0.1

Payment Card Industry · Global · official ↗

12 requirements · cardholder-data protection · network segmentation · access control · vulnerability management · monitoring

NIST AI RMF 1.0

AI risk-management framework · US/Global · official ↗

Govern · Map · Measure · Manage · trustworthy AI characteristics · profiles for use cases

NIST CSF 2.0

Cybersecurity framework · US/Global · official ↗

Govern · Identify · Protect · Detect · Respond · Recover · 6 functions · Implementation Tiers · Profiles

DORA

(EU) 2022/2554 · EU/EEA · official ↗

ICT risk management · ICT incident reporting · digital operational resilience testing · ICT third-party risk · information sharing

CCPA / CPRA

California privacy law · US · official ↗

Consumer rights · sensitive personal info · service-provider obligations · automated decision-making opt-out · risk assessments

NIS2 Directive

(EU) 2022/2555 · EU/EEA · official ↗

Essential / important entities · Art 21 risk-mgmt measures · Art 23 24h early-warning + 72h incident notice · supply-chain · governance

EU Cyber Resilience Act

(EU) 2024/2847 · EU/EEA · official ↗

Products with digital elements · Annex I essential cybersecurity · SBOM · vulnerability handling · CE marking · actively-exploited vuln reporting

UK GDPR + DPA 2018

Post-Brexit UK regime · UK · official ↗

ICO authority · UK adequacy regulations · Schedule 2 exemptions · DSAR · accountability · DPIA · breach notification

India DPDP Act

Digital Personal Data Protection Act 2023 · India · official ↗

Data Principal rights · Data Fiduciary obligations · consent manager · cross-border transfer · Data Protection Board · penalty regime

Brazil LGPD

Lei Geral de Proteção de Dados Pessoais (Lei 13.709/2018) · Brazil · official ↗

Data subject rights · legal bases · DPO requirement · ANPD authority · cross-border transfer · breach notification · sanctions

China PIPL

Personal Information Protection Law 2021 · China · official ↗

Lawful basis · sensitive personal info · cross-border transfer (CAC review) · separate consent · PIPIA · automated decision-making

Japan APPI

Act on Protection of Personal Information · Japan · official ↗

Personal information handling · sensitive info · cross-border transfer (white-list / SCC) · PPC authority · individual rights · breach reporting

Australia Privacy Act

Privacy Act 1988 + APPs · Australia · official ↗

13 Australian Privacy Principles · OAIC authority · NDB scheme · cross-border disclosure APP 8 · CDR overlap

HuggingFace Model Card

Model Card spec (community standard) · Global · official ↗

Model details · intended use · bias / risks / limitations · training data · evaluation · environmental impact · technical specs · crosswalk to EU AI Act Art 53 + GPAI Code of Practice

HAARF — Healthcare AI Agents Regulatory Framework

UK MHRA AI Airlock anchored · UK/Global · official ↗

Agent identification + scope · clinical safety + risk · data governance + provenance · human oversight + override · post-market monitoring · transparency · SaMD/AIaMD change-mgmt · 2025 PMS regs

FedRAMP (FEDRAMP)

US Federal Risk and Authorization Management Program · NIST 800-53 Rev. 5 baseline · United States · official ↗

FIPS 199 categorisation · Low/Moderate/High baselines · SSP · 3PAO assessment · POA&M · JAB P-ATO / Agency ATO · Continuous Monitoring · US-CERT incident reporting · Marketplace listing

Your sectoral regulation. Modelled in 30 days.

On the Enterprise plan, bring us any regulation, standard, or internal control catalog: sectoral (TRAI, MAS, FCA, BaFin), national security (NIS2), or proprietary. We model it as a dictionary entry within 30 days: clauses, controls, evidence types, and crosswalks to all 13 built-in frameworks. Then it works exactly like the rest of the platform.

Request a framework →