# Regulatory Mapping
This page gives compliance officers and auditors a direct overview: which WAF++ controls cover which regulatory requirements – cross-pillar, in a single view.
> The mappings reflect the normative intent of the controls, but do not replace legal advice. A complete compliance statement always requires an organization-specific gap analysis.
## GDPR – General Data Protection Regulation
GDPR-relevant controls are distributed across two pillars: Sovereign (technical and organizational measures, data transfers, deletion) and Cost (storage limitation, deletion obligations).
| GDPR Article | Requirement | WAF++ Controls |
|---|---|---|
| Art. 5(1)(e) | Storage limitation – data must not be retained longer than necessary | |
| Art. 17 | Right to erasure | |
| Art. 20 | Right to data portability | |
| Art. 28 | Processor – contractual requirements | |
| Art. 30 | Records of processing activities | |
| Art. 32 | Technical and organizational measures | SOV-020 · SOV-030 · SOV-040 · SOV-050 · SOV-060 · SOV-070 · SOV-090 |
| Art. 33 | Notification of data breaches | |
| Art. 44 | General principles for data transfers | |
| Art. 46 | Transfers subject to appropriate safeguards | |
## BSI C5:2020

The BSI Cloud Computing Compliance Criteria Catalogue is fully covered by the Sovereign pillar.

| BSI C5 Control | Requirement area | WAF++ Controls |
|---|---|---|
| OPS-04 | Data management and data locality | |
| OPS-06 | Service handover / exit management | |
| INF-01 | Geographic location of infrastructure | |
| NET-01 | Network security | |
| LOG-01 | Logging of security events | |
| LOG-02 | Protection of log data | |
| IAM-01 | Identity and access management | |
| IAM-03 | Privileged access | |
| IAM-05 | Review of access rights | |
| CRY-01 | Cryptographic methods | |
| CRY-02 | Key management | |
| BCM-01 | Business continuity management | |
| BCM-02 | Emergency planning and testing | |
| SCA-01 | Supply chain / subcontractors | |
| SIM-01 | Security incident management | |
| SIM-02 | Detection of security incidents | |
| PRO-01 | Portability and interoperability | |
## EUCS – EU Cybersecurity Certification Scheme for Cloud Services (ENISA)

| EUCS Control | Requirement area | WAF++ Controls |
|---|---|---|
| SOV-01 / SOV-02 | Data sovereignty – geographic restrictions | |
| SOV-03 | Cryptographic data sovereignty | |
| DSP-01 | Data classification | |
| DSP-04 | Data backup and recovery | |
| IAM-01 | Access control policy | |
| IAM-03 | Privileged access | |
| IAM-04 | Third-party access policy | |
| LOG-01 | Logging | |
| IVS-09 | Network security | |
| IVS-10 | Egress control | |
| BCR-01 | Business continuity | |
| CRY-01 / CRY-03 | Encryption and key management | |
| SCA-01 | Subcontractors and supply chain | |
| PRO-01 / PRO-02 | Portability and reversibility | |
## ISO 27001:2022

| ISO Control | Requirement area | WAF++ Controls |
|---|---|---|
| A.5.3 | Separation of duties | |
| A.5.12 | Classification of information | |
| A.5.19 | Information security in supplier relationships | |
| A.5.20 | Information security in supplier agreements | |
| A.5.21 | Managing ICT supply chain | |
| A.5.26 | Response to information security incidents | |
| A.5.29 | Information security during disruption | |
| A.5.33 | Protection of records | |
| A.8.2 | Privileged access rights | |
| A.8.3 | Restriction of access to information | |
| A.8.10 | Deletion of information | |
| A.8.13 | Information backup | |
| A.8.15 | Logging | |
| A.8.16 | Monitoring activities | |
| A.8.20 | Network security | |
| A.8.21 | Security of network services | |
| A.8.22 | Segregation of networks | |
| A.8.24 | Use of cryptography | |
| A.8.25 | Secure development lifecycle | |
## GAIA-X

| GAIA-X Requirement | Area | WAF++ Controls |
|---|---|---|
| Sovereign Cloud – Data location requirements | Geographic data locality | |
| Data Sovereignty – Location transparency | Transparency about data locations | |
| Sovereign Cloud – Cryptographic self-determination | Key ownership with the user | |
| Sovereign Cloud – Reversibility requirements | Provider switching and portability | |
## FinOps Foundation

| FinOps area | Requirement | WAF++ Controls |
|---|---|---|
| Inform Phase – Cost Allocation | Cost transparency and allocation to teams / workloads | |
| Inform Phase – Budget Visibility | Budgets visible and with alerting | |
| Optimize Phase – Rightsizing | Adjust resources to usage, detect idle capacity | |
| Optimize Phase – Storage Lifecycle | Lifecycle rules for storage and retention | |
| Optimize Phase – Observability Costs | Limit logging retention, use tiering | |
| Optimize Phase – Rate Optimization | Reserved instances / savings plans for baseline workloads | |
| Optimize Phase – Network Costs | Control egress and data transfer costs | |
| Operate Phase – Tagging & Attribution | Tag enforcement as the basis for all cost allocation | |
| Operate Phase – Budget Management | Budget management and variance reporting | |
| Operate Phase – Architecture Governance | Document cost impacts in architectural decisions | |
| Operate Phase – Review Cadence | Regular FinOps reviews with defined participants | |
| Operate Phase – Cost Debt Governance | Register architectural cost debt and review quarterly | |
## Summary Matrix – Controls by Framework

The following matrix shows at a glance which controls touch which frameworks:

| Control | GDPR | BSI C5 | EUCS | ISO 27001 | GAIA-X | SOC 2 | FinOps |
|---|---|---|---|---|---|---|---|

[Matrix body not recoverable: the control identifiers and the column positions of the ✅ marks were lost in extraction. Twenty control rows remain, ten of them marked in four or five frameworks each and ten marked in one or two; the per-framework tables above carry the mappings that survive.]
## Further Reading

- Controls Catalog – complete control details with assertions and remediation
- Pillar 7 – Sovereign – pillar documentation with all SOV controls
- Pillar 2 – Cost Optimization – pillar documentation with all COST controls
- Assessment Methodology – regulatory classification in the assessment process