InstrumentLegal sourceHow the lens reads the spine
01
NIS2
Network and Information Security Directive (EU) 2022/2555
The EU’s baseline cybersecurity law for essential and important entities, transposed into national law across member states. Yōjin maps its obligations — governance, risk measures, incident reporting, supply-chain duties — to concrete controls and evidence, jurisdiction by jurisdiction.
02
DORA
Digital Operational Resilience Act (EU) 2022/2554
Applying to financial entities since January 2025: ICT risk management, incident reporting, resilience testing, third-party risk. Yōjin treats DORA as a first-class lens over the same control spine — its deepest obligation mapping, with 3,399 human-reviewed obligation-to-control edges.
03
GDPR
General Data Protection Regulation (EU) 2016/679
The security-of-processing obligations (Article 32 and friends) intersect almost everything else you do. Yōjin makes those intersections explicit, so privacy and security stop proving the same thing separately.
04
CER
Critical Entities Resilience Directive (EU) 2022/2557
NIS2’s twin for the physical and organisational resilience of critical infrastructure. Yōjin maps CER duties — resilience measures, incident notification, oversight — onto the same spine, beside the cyber obligations they mirror.
05
CRA
Cyber Resilience Act (EU) 2024/2847
Product-security duties for anything with digital elements: secure development, vulnerability handling, update obligations. Yōjin carries CRA requirements on the obligation model, mapped to controls your engineering teams already operate.
06
AI Act
Artificial Intelligence Act (EU) 2024/1689
Risk-based duties for AI providers and deployers, mapped to concrete controls and AI-risk themes in the graph. Yōjin also governs its own AI the way the Act expects: review-gated, logged, provenance-marked.
↓ canonical control spine