Frameworks

One spine. Many lenses.

Yōjin's home frameworks are Europe's. Under them sits a single canonical control spine: implement a control once and every framework that recognises it counts it. Add a framework and your existing work carries over — coverage is a mapping, not a migration.

The European framework set

Different instruments. One implementation record.

Each framework remains distinct in the graph. Their shared control requirements converge on the same governed spine.

01

NIS2

Network and Information Security Directive (EU) 2022/2555

The EU’s baseline cybersecurity law for essential and important entities, transposed into national law across member states. Yōjin maps its obligations — governance, risk measures, incident reporting, supply-chain duties — to concrete controls and evidence, jurisdiction by jurisdiction.

02

DORA

Digital Operational Resilience Act (EU) 2022/2554

Applying to financial entities since January 2025: ICT risk management, incident reporting, resilience testing, third-party risk. Yōjin treats DORA as a first-class lens over the same control spine — its deepest obligation mapping, with 3,399 human-reviewed obligation-to-control edges.

03

GDPR

General Data Protection Regulation (EU) 2016/679

The security-of-processing obligations (Article 32 and friends) intersect almost everything else you do. Yōjin makes those intersections explicit, so privacy and security stop proving the same thing separately.

04

CER

Critical Entities Resilience Directive (EU) 2022/2557

NIS2’s twin for the physical and organisational resilience of critical infrastructure. Yōjin maps CER duties — resilience measures, incident notification, oversight — onto the same spine, beside the cyber obligations they mirror.

05

CRA

Cyber Resilience Act (EU) 2024/2847

Product-security duties for anything with digital elements: secure development, vulnerability handling, update obligations. Yōjin carries CRA requirements on the obligation model, mapped to controls your engineering teams already operate.

06

AI Act

Artificial Intelligence Act (EU) 2024/1689

Risk-based duties for AI providers and deployers, mapped to concrete controls and AI-risk themes in the graph. Yōjin also governs its own AI the way the Act expects: review-gated, logged, provenance-marked.

canonical control spine

Per-jurisdiction NIS2

One directive. Twenty-seven transpositions.

NIS2 binds through national law — and member states differ on scope, registration duties, deadlines and enforcement. A platform that only knows "NIS2" doesn't know your NIS2.

Yōjin models jurisdiction as a first-class dimension of the graph: national transpositions sit as overlays on the shared obligation plane, so the same control spine reads correctly in Brussels, Dublin or Berlin — one implementation, each country's own letter of the law. Overlays land country by country; beneath them, ENISA's technical implementation guidance carries the EU-wide baseline.

how a jurisdiction enters the graph

  1. 01 The national instrument is ingested alongside the directive it transposes
  2. 02 Deltas — scope, deadlines, extra duties — are mapped as overlay obligations
  3. 03 Reviewers approve every mapping before it publishes
  4. 04 Your tenant reads the spine through its jurisdictions' lenses
Threat context

Obligations on one side. Adversaries on the other.

Frameworks tell you what to prove; threat data tells you why it matters. Yōjin's reference graph carries both. Controls map to MITRE ATT&CK techniques — kept current with upstream releases — and the vulnerability spine carries exploitability context: CVE records, CISA KEV, EPSS scores. When a control is weak, you can see which techniques it would have mitigated. When a risk is assessed, the threat side is already attached.

canonical controls on the spine
1,196
reviewed DORA obligation mappings
3,399
ISO 27001 crosswalk edges
1,626
control-to-technique mitigations
5,255
nodes in the reference graph
2.1M

Reference-graph census, 10 July 2026 — point-in-time counts of published nodes and mappings; every mapping human-reviewed before publication.

Under the lenses

The mapping layers.

Framework lenses only work if the layer beneath them is rigorous. These are the structures the graph is built on:

  • NIST 800-53The canonical control spine — 1,196 canonical controls the catalogue is built on
  • ISO 27001Crosswalked to the spine as a lens — 1,626 reviewed edges
  • NIST CSF 2.0Maturity assessment catalogue, alongside the NIST Privacy Framework
  • CIS Controls v8.1Safeguard-level reference context for implementation guidance
  • MITRE ATT&CKThe threat side: which techniques each control mitigates — kept current with upstream releases
  • CVE · KEV · EPSSVulnerability and exploitability context attached to the threat spine

The graph is built to absorb what's coming next — the same ingest-review-publish pipeline that carries today's frameworks is designed to take on new EU regulation as it lands.

Show us your framework set.

Bring the obligations you carry — the demo maps them onto the spine, live.