Compliance Framework

How H2IO supports regulatory requirements for NIS2, DORA, and GDPR

Regulatory Coverage

H2IO is designed to help organizations meet the technical requirements of European regulatory frameworks governing digital operational resilience, network security, and data protection.

DORA - Digital Operational Resilience Act

Applicable to financial entities and their ICT service providers.

  • Article 9: ICT risk management framework - Continuous monitoring of ICT assets
  • Article 10: Detection capabilities - Real-time anomaly identification
  • Article 12: Backup and recovery - Immutable audit trail preservation
  • Article 15: ICT third-party risk - Supply chain visibility

NIS2 - Network and Information Security Directive

Applicable to essential and important entities across critical sectors.

  • Article 21(a): Risk analysis and security policies - Asset inventory management
  • Article 21(b): Incident handling - Event correlation and reporting
  • Article 21(d): Supply chain security - Third-party asset tracking
  • Article 21(i): Access control - Role-based administration

GDPR - General Data Protection Regulation

Applicable to processing of personal data within the EU.

  • Article 32: Security of processing - Encryption of telemetry data
  • Article 33: Breach notification - Incident detection capabilities
  • Article 35: Impact assessment - Infrastructure visibility for DPIAs

Gaia-X - European Data Infrastructure

Compatible with European sovereign cloud initiatives.

  • Data Sovereignty: EU-only personnel and infrastructure options
  • Transparency: Verifiable compliance controls and audit trails
  • Interoperability: Deployable across Gaia-X ecosystem providers
  • Trust Framework: Aligned with Label Level 2/3 requirements

Framework Compatibility

H2IO is built with controls aligned to common compliance frameworks:

Sector Suitability

H2IO provides end-to-end encryption, comprehensive audit logging, role-based access controls, and EU-only data handling. These capabilities support deployment in regulated sectors including:

Data Residency

H2IO supports EU data sovereignty requirements through self-hosted deployment options and is compatible with sovereign cloud providers, including Gaia-X ecosystem members. All personnel are exclusively EU member state citizens, ensuring immunity from extra-territorial data access laws.

Documentation

Compliance officers and auditors may request detailed control mappings and audit evidence by contacting our compliance team through the standard procurement process.