Compliance · the catalog

Every framework, declared honestly.

Pick the regimes your repository answers to. Watchdog evidences the automatable slice, gates what it caught failing, and a named human declares the rest. Every framework shows the three-way split — tool-evidenced, evidence-assisted, and human attestation — before you enable a thing.

Each framework is Automatic / On / Off per repository.

The catalog

Ten frameworks, one honest pattern.

Each framework is a catalog of controls plus what Watchdog can evidence. The failure-gate, the self-assessment lifecycle, the signed artifact and the optional contract clause are identical for all — only the catalog and the regulation change.

Accessibility

WCAG 2.2

The web accessibility standard (AA). Static checks tool-evidence what they can; a sandboxed rendered-axe pass adds runtime evidence; a human judges meaning — alt-text equivalence, clear errors.

Accessibility

EN 301 549

The EU procurement accessibility standard the EAA points at — web plus non-web clauses. Web maps to WCAG; the non-web slices are disclosed as human attestation.

Cybersecurity

NIS2

The EU network-and-information-security directive. Watchdog tool-evidences the technical slice — CVEs, secrets, supply-chain trail; governance and incident handling are organizational and stay human-declared.

Financial sector

DORA

Digital operational resilience for the EU financial sector — ICT risk and supplier oversight. Scheduled scans and the SBOM feed the evidence; the resilience programme is a human declaration.

Cybersecurity

CRA

The EU Cyber Resilience Act for products with digital elements. The SBOM, CVE and secrets trail is the automatable slice CRA asks about; conformity claims stay with the manufacturer.

Privacy

GDPR (technical)

The technical slice of GDPR — PII in code and config, data-flow signals, crypto posture. Lawfulness and process are organizational and stay human-declared.

Application security

OWASP ASVS

The application-security verification standard. SAST posture, secrets and injection guards tool-evidence part of it; architecture and design controls are evidence-assisted or human.

Supply-chain

SLSA

Supply-chain levels for software artifacts. Build-provenance and dependency signals tool-evidence a slice; the rest of the chain is declared.

Supply-chain

SSDF

NIST's secure software development framework. Process-heavy: Watchdog evidences the code-visible practices; the organizational practices are attested by a named person.

Security management

ISO 27001 (evidence)

Evidence toward an ISMS — the code-and-pipeline slice only. Watchdog never claims certification; it assembles what a machine can stand behind.

Self-assess any framework on any plan. Signing & exporting the tamper-evident artifact is part of the compliance module — sold on Assay.

We measure; you declare. We never certify. A clean automated result is necessary, not sufficient — a green Watchdog score is never, by itself, a compliance claim. The honesty model in depth: /compliance.
