Horiuno — Compliance Infrastructure

Espacio Jose

Matriz de Requisitos

Mapeo regulatorio a nivel de requisito en DORA, NIS2, GDPR, EU AI Act, ENS e ISO 27001. Úsalo para rastrear solapamiento, cobertura y presión de implementación sin aplanar la jerarquía legal entre legislación de la UE y marcos de aseguramiento.

28 AFOs·7 regulations·96.1% average coverage

AFO ID	Requirement	DORA	NIS2	BSI	ENS	ISO 27001	GDPR	EU AI Act	Files	Coverage
A_25339	TLS 1.3 configuration	Art. 9(2)	Art. 21(2)(e)	CON.1.A13	CCN-804.A12	A.8.24	—	—	infrastructure/zeta-guard.yaml	100%
A_25406	ZETA header validation	Art. 9(2)	Art. 21(2)(e)	APP.3.1.A4	CCN-804.A15	—	—	—	api/src/middleware/zetaHeaders.ts	100%
A_25667	DPoP validation sidecar	Art. 9(4)(c)	Art. 21(2)(d)	ORP.4	CCN-804.A8	—	—	—	infrastructure/zeta-guard.yaml	100%
A_25668	Token audience validation	Art. 9(4)(c)	Art. 21(2)(d)	CON.1	CCN-804.A14	—	—	—	infrastructure/pep-auth/tokenVerifier.ts	100%
A_25669	Step-up auth (401 not 403)	Art. 9(2)	Art. 21(2)(d)	ORP.4.A8	CCN-804.A9	—	—	—	api/src/middleware/zetaHeaders.ts	100%
A_25701	mTLS between services	Art. 9(2)	Art. 21(2)(e)	CON.1.A12	CCN-804.A11	—	—	—	infrastructure/service-mesh/mtls-config.yaml	100%
A_25702	Network segmentation policy	—	Art. 21(2)(e)	NET.1.1.A9	CCN-804.A16	A.8.22	—	—	infrastructure/network/segmentation.tf	95%
A_25715	Secrets rotation < 90 days	Art. 9(4)(b)	Art. 21(2)(d)	CON.1.A15	CCN-804.A13	—	—	—	infrastructure/vault/rotation-policy.hcl	100%
A_25720	Incident detection < 5 min	Art. 17(1)	Art. 23(1)	DER.1.A7	CCN-804.A20	—	—	—	monitoring/siem/detection-rules.yaml	92%
A_25721	Incident notification < 24h	Art. 19(1)	Art. 23(1)	DER.2.1.A1	CCN-804.A21	—	—	—	monitoring/incident-response/notify.ts	80%
A_25730	SBOM generation per release	—	Art. 21(2)(a)	APP.6.A1	CCN-804.A17	—	—	—	ci/sbom-generator.yaml,scripts/generate-sbom.sh	100%
A_25735	Access review quarterly	Art. 9(4)(a)	Art. 21(2)(i)	ORP.4.A5	CCN-804.A6	A.5.15	—	—	iam/access-review/quarterly-audit.ts	100%
A_25740	Data encryption at rest (AES-256)	Art. 9(2)	Art. 21(2)(e)	CON.1.A6	CCN-804.A10	A.8.24	—	—	infrastructure/encryption/at-rest.tf	100%
A_25745	Backup integrity verification	Art. 12(1)	Art. 21(2)(c)	CON.3.A5	CCN-804.A18	—	—	—	infrastructure/backup/verify-integrity.sh	98%
A_25750	Vulnerability scan weekly	Art. 25(1)	Art. 21(2)(e)	OPS.1.1.A15	CCN-804.A19	A.8.8	—	—	ci/vulnerability-scan.yaml	100%
A_25755	Log retention >= 12 months	Art. 12(3)	Art. 21(2)(g)	OPS.1.1.A18	CCN-804.A22	A.8.15	—	—	infrastructure/logging/retention-policy.tf	100%
A_25760	MFA enforcement all users	Art. 9(4)(c)	Art. 21(2)(j)	ORP.4.A9	CCN-804.A7	A.8.5	—	—	iam/mfa/enforcement-policy.ts	100%
A_25765	AI model risk assessment	—	—	—	CCN-804.A25	—	—	Art. 9(1)	ai/risk-assessment/model-audit.py	88%
A_25770	AI transparency documentation	—	—	—	CCN-804.A26	—	—	Art. 13(1)	ai/transparency/model-card-generator.ts	91%
A_25775	AI human oversight controls	—	—	—	CCN-804.A27	—	—	Art. 14(1)	ai/oversight/human-in-loop.ts	85%
A_25780	Penetration test annual	Art. 26(1)	Art. 21(2)(e)	DER.3.A3	CCN-804.A23	—	—	—	security/pentest/annual-scope.yaml	100%
A_25785	Third-party risk assessment	Art. 28(1)	Art. 21(2)(e)	OPS.2.1.A4	CCN-804.A24	—	—	—	vendor/risk-assessment/framework.ts	94%
A_25790	Disaster recovery test biannual	Art. 26(2)	Art. 21(2)(c)	DER.4.A7	CCN-804.A28	—	—	—	infrastructure/dr/test-runbook.yaml	97%
A_25795	Information security policy review	—	—	—	CCN-804.A29	A.5.1	Art. 24	—	governance/isms/policy-review.ts	100%
A_25800	Data processing records (ROPA)	—	—	—	—	A.5.12	Art. 30	—	governance/gdpr/ropa-generator.ts	94%
A_25805	Data subject access request automation	—	—	—	—	—	Art. 15-20	—	governance/gdpr/dsar-workflow.ts	88%
A_25810	Asset inventory management	Art. 8(1)	Art. 21(2)(a)	ORP.1.A1	CCN-804.A30	A.5.9	—	—	governance/isms/asset-inventory.ts	97%
A_25815	Business continuity planning	Art. 11(1)	Art. 21(2)(c)	DER.4.A1	CCN-804.A31	A.5.30	—	—	governance/isms/bcp-framework.ts	92%