Frameworks catalogue

ReguNav ships dictionaries for 13 regulatory and standards frameworks. Each framework is parsed clause-by-clause into a deterministic schema you can query, crosswalk and attach evidence to. The coverage percentage is the share of a framework's clauses currently dictionarised; the remaining clauses are still tracked for awareness and appear as "out-of-scope" in compliance reports rather than being silently dropped.

The Apache-2.0 source for every dictionary is available on request from dictionaries@regunav.com.

EU AI Act (Regulation (EU) 2024/1689)

European Commission · DG CNECT · effective: prohibitions in force since 2 February 2025; GPAI obligations from 2 August 2025; high-risk obligations from 2 August 2026 · 113 clauses · ReguNav coverage: 100%

Scope. Any provider, deployer, importer, or distributor of an AI system or general-purpose AI model placed on the EU market or whose output is used in the EU.

Core clauses

  • Art. 5 — Prohibited AI practices
  • Art. 6 / Annex I and III — High-risk classification
  • Art. 9 — Risk management system
  • Art. 10 — Data and data governance
  • Art. 11 — Technical documentation (Annex IV)
  • Art. 12 — Record-keeping (automatic logs)
  • Art. 13 — Transparency to deployers
  • Art. 14 — Human oversight
  • Art. 15 — Accuracy, robustness, cybersecurity
  • Art. 17 — Quality management system
  • Art. 26 — Deployer obligations
  • Art. 27 — Fundamental Rights Impact Assessment (FRIA)
  • Art. 43 — Conformity assessment procedure
  • Art. 47-49 — EU declaration of conformity, CE marking, registration
  • Art. 51-56 — General-Purpose AI (GPAI) obligations
  • Art. 72 — Post-market monitoring
  • Art. 73 — Reporting of serious incidents

Crosswalks to

ISO/IEC 42001 · ISO/IEC 23894 · NIST AI RMF 1.0 · ISO 27001 · GDPR

Sample evidence types

  • FRIA report (Art. 27)
  • Annex IV technical documentation
  • Risk management plan + minutes
  • Training data sheet (Art. 10)
  • Human oversight SOP
  • Post-market monitoring plan
  • Incident notification log
  • Conformity declaration + CE mark file

Activate via API: POST /v1/frameworks/eu-ai-act/activate · Browse clauses: GET /v1/frameworks/eu-ai-act/clauses

ISO/IEC 42001:2023 — AI Management System

ISO/IEC JTC 1/SC 42 · effective: Published December 2023; certifiable from Q3 2024 · 39 clauses · ReguNav coverage: 100%

Scope. Organizations of any size that develop, provide or use AI systems.

Core clauses

  • 4 — Context of the organization
  • 5 — Leadership and AI policy
  • 6.1 — AIMS planning + risk treatment
  • 6.1.4 — AI system impact assessment
  • 7.4 — Communication
  • 8.4 — AI system impact assessment (operational)
  • 9.1 — Monitoring, measurement, analysis
  • 9.2 — Internal audit
  • 10.2 — Nonconformity & corrective action
  • Annex A — 38 controls across 9 control objectives (A.2-A.10)
  • Annex B implementation guidance

Crosswalks to

EU AI Act · ISO/IEC 27001 · ISO/IEC 23894 · NIST AI RMF

Sample evidence types

  • AIMS scope statement
  • AI policy + objectives
  • Risk register + treatment plan
  • AI impact assessment per system
  • Stage 1 + Stage 2 audit reports
  • Internal audit programme
  • Management review minutes

Activate via API: POST /v1/frameworks/iso-42001/activate · Browse clauses: GET /v1/frameworks/iso-42001/clauses

ISO/IEC 27001:2022 — Information Security Management

ISO/IEC JTC 1/SC 27 · effective: Published October 2022; transition from the 2013 edition closed 31 October 2025 · 93 clauses · ReguNav coverage: 100%

Scope. Any organization that processes, stores or transmits information.

Core clauses

  • Clauses 4-10 — Management system
  • Annex A.5 — Organizational controls (37)
  • Annex A.6 — People controls (8)
  • Annex A.7 — Physical controls (14)
  • Annex A.8 — Technological controls (34)

Crosswalks to

SOC 2 · GDPR · DORA · NIST CSF 2.0 · ISO 42001

Sample evidence types

  • Statement of Applicability
  • Risk treatment plan
  • Internal audit reports
  • Penetration test letter
  • Certificate of registration (issued after the Stage 2 audit)

Activate via API: POST /v1/frameworks/iso-27001/activate · Browse clauses: GET /v1/frameworks/iso-27001/clauses

ISO/IEC 27701:2019 — Privacy Information Management

ISO/IEC JTC 1/SC 27 · effective: Published August 2019; revision pending Q4 2026 · 49 clauses · ReguNav coverage: 95%

Scope. Extension of ISO 27001 for organizations acting as PII controllers or processors.

Core clauses

  • 5 — PIMS-specific requirements related to ISO 27001
  • 6 — PIMS-specific guidance for ISO 27002
  • 7 — Additional ISO 27002 guidance for controllers
  • 8 — Additional ISO 27002 guidance for processors

Crosswalks to

GDPR · CCPA · ISO 27001

Sample evidence types

  • PIMS scope
  • Privacy policy
  • DPIA register
  • Records of processing
  • Sub-processor list

Activate via API: POST /v1/frameworks/iso-27701/activate · Browse clauses: GET /v1/frameworks/iso-27701/clauses

GDPR — Regulation (EU) 2016/679

European Parliament and Council; supervised by national data protection authorities coordinated through the EDPB · effective: In force since 25 May 2018 · 99 clauses · ReguNav coverage: 100%

Scope. Any controller or processor of personal data of EU/EEA data subjects.

Core clauses

  • Art. 5 — Principles
  • Art. 6 — Lawful basis
  • Art. 9 — Special categories
  • Art. 13/14 — Information to data subjects
  • Art. 15-22 — Data subject rights (DSAR, erasure, portability, automated decisions)
  • Art. 25 — Privacy by design and by default
  • Art. 28 — Processor obligations
  • Art. 30 — Records of processing
  • Art. 32 — Security of processing
  • Art. 33-34 — Personal data breach notification
  • Art. 35 — DPIA
  • Art. 37-39 — DPO
  • Chapter V — International transfers (SCCs, BCRs, adequacy)

Crosswalks to

ISO 27701 · CCPA · EU AI Act · HIPAA

Sample evidence types

  • Records of processing (RoPA)
  • DPIA per high-risk processing
  • Consent log
  • Sub-processor list
  • SCC + TIA per international transfer
  • Breach notification log
  • DPO appointment

Activate via API: POST /v1/frameworks/gdpr/activate · Browse clauses: GET /v1/frameworks/gdpr/clauses

HIPAA — Health Insurance Portability and Accountability Act

U.S. Department of Health and Human Services (HHS) / OCR · effective: Privacy Rule 2003; Security Rule 2005; Omnibus 2013; HIPAA NPRM 2024 pending · 78 clauses · ReguNav coverage: 90%

Scope. Covered entities and business associates that handle Protected Health Information (PHI) in the United States.

Core clauses

  • §164.308 — Administrative safeguards
  • §164.310 — Physical safeguards
  • §164.312 — Technical safeguards
  • §164.502 — Uses and disclosures
  • §164.508 — Authorizations
  • §164.514 — De-identification
  • §164.530 — Privacy admin requirements
  • §164.404-410 — Breach notification

Crosswalks to

ISO 27001 · SOC 2 · GDPR

Sample evidence types

  • Business Associate Agreements
  • Security risk analysis
  • Workforce training records
  • Incident log

Activate via API: POST /v1/frameworks/hipaa/activate · Browse clauses: GET /v1/frameworks/hipaa/clauses

SOC 2 Type II

AICPA · TSP section 100 (2017 Trust Services Criteria, points of focus revised 2022) · effective: criteria are revised periodically; the current set is the 2017 TSC with 2022 revisions · 64 clauses · ReguNav coverage: 100%

Scope. Service organizations of any size that handle customer data; in practice the report is most often produced by cloud service providers, SaaS vendors and MSPs.

Core clauses

  • CC1 — Control environment
  • CC2 — Communication and information
  • CC3 — Risk assessment
  • CC4 — Monitoring activities
  • CC5 — Control activities
  • CC6 — Logical and physical access
  • CC7 — System operations
  • CC8 — Change management
  • CC9 — Risk mitigation
  • Optional TSCs: A · C · PI · P

Crosswalks to

ISO 27001 · NIST CSF · PCI DSS

Sample evidence types

  • Type II report (observation period, typically 6-12 months)
  • Trust services criteria mapping
  • Auditor walkthrough memos

Activate via API: POST /v1/frameworks/soc2/activate · Browse clauses: GET /v1/frameworks/soc2/clauses

PCI DSS 4.0.1

PCI Security Standards Council · effective: v4.0 published March 2022; v4.0.1 published June 2024; v3.2.1 retired 31 March 2024; future-dated requirements mandatory from 31 March 2025 · 271 clauses · ReguNav coverage: 95%

Scope. Any merchant, service provider, or processor that stores, processes or transmits cardholder data.

Core clauses

  • Req. 1 — Network security controls
  • Req. 3 — Protect stored account data
  • Req. 6 — Develop and maintain secure systems
  • Req. 8 — Identify users and authenticate access
  • Req. 11 — Test security regularly
  • Req. 12 — Information security policy

Crosswalks to

ISO 27001 · SOC 2 · NIST CSF

Sample evidence types

  • Attestation of Compliance
  • Report on Compliance
  • Quarterly ASV scan
  • Internal pentest report

Activate via API: POST /v1/frameworks/pci-dss/activate · Browse clauses: GET /v1/frameworks/pci-dss/clauses

NIST AI RMF 1.0 + GAI Profile (NIST-AI-600-1)

U.S. National Institute of Standards and Technology · effective: Released January 2023; GAI Profile July 2024 · 72 clauses · ReguNav coverage: 100%

Scope. Voluntary framework for any organization designing, developing, deploying or using AI.

Core clauses

  • GOVERN — 19 sub-categories
  • MAP — 18 sub-categories
  • MEASURE — 16 sub-categories
  • MANAGE — 19 sub-categories
  • GAI Profile — 12 GenAI-specific risks

Crosswalks to

EU AI Act · ISO 42001 · ISO 23894

Sample evidence types

  • AI inventory
  • AI RMF profile
  • Trustworthy AI assessment
  • TEVV plan

Activate via API: POST /v1/frameworks/nist-ai-rmf/activate · Browse clauses: GET /v1/frameworks/nist-ai-rmf/clauses

NIST CSF 2.0

U.S. National Institute of Standards and Technology · effective: Released February 2024 · 106 clauses · ReguNav coverage: 100%

Scope. Voluntary cybersecurity framework for any organization.

Core clauses

  • GV — Govern (new in 2.0)
  • ID — Identify
  • PR — Protect
  • DE — Detect
  • RS — Respond
  • RC — Recover

Crosswalks to

ISO 27001 · SOC 2 · DORA

Sample evidence types

  • CSF profile
  • Tier rating
  • Asset inventory
  • Tabletop exercise reports

Activate via API: POST /v1/frameworks/nist-csf/activate · Browse clauses: GET /v1/frameworks/nist-csf/clauses

DORA — Regulation (EU) 2022/2554

European Parliament and Council; technical standards (RTS/ITS) and critical-TPP oversight by the ESAs (EBA, EIOPA, ESMA) · effective: Applies from 17 January 2025 · 64 clauses · ReguNav coverage: 100%

Scope. EU financial entities (credit institutions, insurers, investment firms, crypto-asset service providers and others) and the ICT third-party providers that serve them, including those designated as critical.

Core clauses

  • Art. 5-16 — ICT risk management framework
  • Art. 17-23 — ICT-related incident reporting
  • Art. 24-27 — Digital operational resilience testing
  • Art. 28-44 — ICT third-party risk + Critical TPP designation
  • Art. 45 — Information-sharing arrangements on cyber threat intelligence

Crosswalks to

ISO 27001 · NIS2 · NIST CSF

Sample evidence types

  • ICT risk framework
  • Major incident registry
  • Threat-led penetration test (TLPT) report
  • TPP register

Activate via API: POST /v1/frameworks/dora/activate · Browse clauses: GET /v1/frameworks/dora/clauses

CCPA / CPRA

California Privacy Protection Agency (CPPA) · effective: CCPA in force since 1 January 2020; CPRA effective 1 January 2023 · 45 clauses · ReguNav coverage: 95%

Scope. Businesses meeting CCPA thresholds processing personal information of California consumers.

Core clauses

  • §1798.100 — General duties of businesses (notice at collection, reasonable security)
  • §1798.105 — Right to delete
  • §1798.106 — Right to correct
  • §1798.110 — Right to know / access
  • §1798.120 — Right to opt-out of sale/sharing
  • §1798.121 — Right to limit sensitive PI
  • §1798.135 — Sales/sharing notices
  • §1798.185 — CPPA regulations (incl. ADMT, risk assessments)

Crosswalks to

GDPR · ISO 27701

Sample evidence types

  • Privacy policy
  • Opt-out mechanism
  • Consumer request log
  • Service-provider contracts

Activate via API: POST /v1/frameworks/ccpa/activate · Browse clauses: GET /v1/frameworks/ccpa/clauses

FERPA

U.S. Department of Education · effective: 1974; 2008/2011 amendments; 2024 NPRM pending · 18 clauses · ReguNav coverage: 85%

Scope. Educational agencies and institutions receiving U.S. Department of Education funds.

Core clauses

  • §99.30 — Disclosure consent
  • §99.31 — Permitted disclosures
  • §99.32 — Recordation of disclosures
  • §99.36 — Health & safety emergency

Crosswalks to

GDPR · HIPAA

Sample evidence types

  • Annual notification
  • Consent forms
  • Disclosure log

Activate via API: POST /v1/frameworks/ferpa/activate · Browse clauses: GET /v1/frameworks/ferpa/clauses

Frameworks on the roadmap

  • EU NIS2 (Directive 2022/2555) — H2 2026
  • UK AI Regulation White Paper / pro-innovation framework — TBC
  • Singapore AI Verify + MAS FEAT — H1 2026
  • Brazil LGPD + ANPD AI ruleset — H2 2026
  • Saudi SDAIA AI Ethics — H2 2026
  • UAE AI Charter (PDPL) — H2 2026

Need a framework that is not listed? Email dictionaries@regunav.com.