We keep 16 standards and frameworks plus 22 regulatory requirements as a catalogue in the platform. The distinction is not hair-splitting: a standard you choose, a regulatory requirement applies to you. The platform treats each differently.
Book a free demoYou choose a standard to be measured against it: ISO 27001, IEC 62443, SOC 2. You decide on scope and certification goal. A regulatory requirement applies to you whether you like it or not: NIS-2, DORA, GDPR, the German BSI Act. Here what counts is not the certificate but demonstrable compliance. In the platform, standards lead to catalogue, controls, statement of applicability and maturity; regulatory requirements lead to obligations, deadlines, reporting paths and evidence. ISO 27001 is the shared control base: security and governance requirements map onto it via crosswalk where technically feasible, so a control implemented once serves several frameworks at the same time. Obligations that cannot be mapped as controls, such as registrations, reporting deadlines or communication with authorities, are managed in their own right.
The numbers below are requirement records in the Cybervize catalogue as of July 2026, not the total number of articles or clauses in a framework. Per legal act, the catalogue covers the obligations relevant to security, governance, privacy and resilience processes; its size may differ from the total number of articles. For freely accessible legal acts and standards (legal texts, NIST) we keep a full-text requirement catalogue. Licensed standards (ISO, IEC, TISAX, PCI, SOC 2) we keep as a reference structure with reference codes and short titles, without the standard text, so that usage stays licence-compliant. The BSI IT-Grundschutz is under an open licence and kept as its own catalogue.
Freely selectable frameworks, depending on the assurance model: certification (ISO), attestation (SOC 2), assessment label (TISAX) or reference mapping, with maturity and applicability view (for ISO 27001 the formal statement of applicability).
Information security management system, the platform's shared language
123 requirement records in the catalogue
Management system for artificial intelligence
70 requirement records in the catalogue
Business continuity management
26 requirement records in the catalogue
Standalone privacy information management system, integrable with ISO/IEC 27001
35 requirement records in the catalogue
Security controls for cloud services
7 requirement records in the catalogue
Information security for energy utilities
12 requirement records in the catalogue
Security of industrial automation, OT and ICS
15 requirement records in the catalogue
Road vehicle cybersecurity
11 requirement records in the catalogue
Railway application cybersecurity
19 requirement records in the catalogue
Cybersecurity framework, function-based governance
106 requirement records in the catalogue
Extensive control catalogue with baselines
158 requirement records in the catalogue
Risk management for AI systems
19 requirement records in the catalogue
Information security in the automotive supply chain
43 requirement records in the catalogue
Assessment criteria for service providers, attestation
44 requirement records in the catalogue
Security in card payment processing
12 requirement records in the catalogue
Methodology and building blocks of the German BSI
74 requirement records in the catalogue
Legal acts and supervisory requirements that apply to affected organisations: with obligations, deadlines and auditable evidence.
EU framework for network and information security
11 requirement records in the catalogue
Technical implementing rules for certain digital services and ICT providers (cloud, data centres, MSP/MSSP, DNS, trust services, online platforms)
49 requirement records in the catalogue
German transposition, operator obligations
18 requirement records in the catalogue
Physical and digital protection of critical infrastructure
16 requirement records in the catalogue
Resilience of critical entities
14 requirement records in the catalogue
Security requirements for products with digital elements
44 requirement records in the catalogue
Digital operational resilience in the financial sector (framework regulation; the RTS and ITS that flesh it out can be integrated as their own catalogues)
21 requirement records in the catalogue
Protection of personal data
23 requirement records in the catalogue
Access to and use of data
22 requirement records in the catalogue
European framework for digital identity and trust services, amending Regulation (EU) No 910/2014
18 requirement records in the catalogue
Requirements for AI systems by risk class
20 requirement records in the catalogue
Grid operators, German BNetzA
15 requirement records in the catalogue
Telecommunications providers
15 requirement records in the catalogue
Supervisory requirements for banks
14 requirement records in the catalogue
Information security in aviation
17 requirement records in the catalogue
Cyber risk management in shipping
17 requirement records in the catalogue
IT security in hospitals
8 requirement records in the catalogue
Smart meter gateway
13 requirement records in the catalogue
Cybersecurity management system for vehicles
14 requirement records in the catalogue
Software update management system for vehicles
10 requirement records in the catalogue
Sector standard for critical water infrastructure
9 requirement records in the catalogue
Radio Equipment Directive, cyber articles
8 requirement records in the catalogue
ISO 27001 is the platform's shared control base. Security and governance requirements map onto it via crosswalk where technically feasible: a control implemented once serves several frameworks at the same time, without duplicate maintenance. Legal, reporting, registration and procedural obligations that cannot be mapped are managed in their own right. Each activated standard gets its own applicability and maturity view; the formal statement of applicability belongs to ISO 27001. New frameworks are integrated as data, not as custom development. And an honest limit: crosswalks reduce duplicate work, but they do not replace an individual review of scope, exceptions and evidence obligations.
Small and mid-sized companies can additionally use DIN SPEC 27076 as an interview-based assessment questionnaire with an additive scoring system. It is not a regulatory framework but a low-threshold entry into site assessment, and it is imported like other catalogues via OSCAL.
The frameworks are not a list on a slide: they live inside the ISMS, BCM, Assessment and TPRM modules, on one data layer with permission model and audit trail. See how the platform turns them into controls, maturity levels and evidence.
See the Cybervize platform