Customer Guide
# Framework Coverage Model
How OneComply presents DORA-first workflows and cross-framework evidence reuse without overstating legal or regulatory compliance.
Compliance review required
## Launch Positioning
OneComply is positioned as a DORA-first operational-resilience platform for EU financial entities. DORA and CSSF are the launch workflow anchors: ICT vendors, control evidence, incidents, reporting clocks, board-ready posture, and audit trail. ISO 27001, NIS2, GDPR, and CRA are surfaced as mapped evidence and readiness layers.
This distinction matters because customers can reuse the same evidence across frameworks where a mapping is defensible, while still seeing the limitations and review steps before relying on a report externally.
## Coverage Matrix
| Framework | Coverage | Product scope | Report posture |
|---|---|---|---|
| DORA | End-to-end workflow coverage | Primary launch workflow for EU financial entities: ICT risk, vendors, incidents, evidence, audit trail, posture, and board/regulator readiness. | Internal readiness reports and DORA RoI EBA-format ZIP generation are available. Authority acceptance requires external CSSF/eDesk receipt evidence. |
| CSSF 22/806 | End-to-end workflow coverage | Luxembourg-focused overlay for ICT governance, outsourcing readiness, circular tracking, and DORA/CSSF operational alignment. | CSSF readiness and missing-field reports are supported. eDesk/authority filings remain disabled until the matching official package generator is complete. |
| ISO 27001 | Mapped evidence coverage | Mapped ISMS control library, Statement of Applicability support, policy/evidence linkage, and certification-preparation reporting. | Internal status and gap reports are supported. Certification outcome remains auditor-led. |
| NIS2 | Mapped evidence coverage | Entity classification, security-measure evidence mapping, incident-readiness tracking, and supply-chain alignment. | Internal readiness reports and evidence gaps are supported. Member-state implementation differences require compliance review. |
| GDPR | Mapped evidence coverage | Privacy-security evidence linkage across ROPA, DPIA, DSR, consent, breach evidence, processors, and audit trail. | Internal readiness and data-process exports are supported. Legal basis and privacy notices require customer/legal review. |
| CRA | Readiness coverage | Future-readiness mapping for product-security controls, SBOM, vulnerability handling, technical documentation, and reporting timelines. | Internal readiness reports are supported. Authority/market-surveillance submission templates are not represented as complete. |
## How To Use This In Customer Reviews
- Use DORA as the primary workflow when presenting OneComply to EU financial entities.
- Use CSSF 22/806 as the Luxembourg regulator overlay for ICT outsourcing and circular evidence.
- Use ISO 27001, NIS2, and GDPR as evidence-reuse views unless the customer has completed their own compliance review.
- Use CRA as future-readiness mapping for product-security and vulnerability-management obligations.
- Use report trust panels before exporting anything intended for external review.
## Official Context Links
DORA applies to digital operational resilience for financial entities. NIS2 and CRA timelines depend on implementation and phased application. Customers should check the latest regulator and supervisory-authority pages before final submission decisions.