Compliance Coverage

IAM Maturity by Compliance Framework

Every AXIS assessment question carries regulatory citations. Those citations are resolved to the frameworks below, each with a research-derived maturity threshold, so one assessment shows where your identity program stands against the regulations and standards that apply to you.

EU Regulations & Directives

Binding EU rules that place identity and access controls inside broader risk, resilience, and data protection duties.

DORA
Threshold 2.5 of 4.0

Digital Operational Resilience Act (DORA)

DORA (Regulation (EU) 2022/2554) sets ICT risk management requirements for banks, insurers, investment firms, and other financial entities operating in the EU, and has applied since January 2025. Identity and access controls sit inside its ICT risk management framework, with management-body accountability for how access to ICT assets is protected and monitored.

10 mapped questions · 3 IAM domains

NIS2
Threshold 2.0 of 4.0

NIS2 Directive

NIS2 (Directive (EU) 2022/2555) sets cybersecurity risk management duties for essential and important entities across EU member states. Article 21(2) explicitly lists access control policies and multi-factor authentication among the measures entities are expected to adopt, alongside governance and accountability obligations.

10 mapped questions · 3 IAM domains

GDPR
Threshold 2.5 of 4.0

General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation governs the processing of personal data. Articles 25 and 32 expect appropriate technical and organizational measures, and provisions on consent, data minimization, and data subject rights shape how customer identity programs are designed and operated.

5 mapped questions · 3 IAM domains

PSD2
Threshold 2.5 of 4.0

Payment Services Directive 2 (PSD2)

The EU Payment Services Directive 2 (Directive (EU) 2015/2366) introduced Strong Customer Authentication (SCA) for electronic payments, detailed in regulatory technical standards. For identity programs it primarily shapes customer authentication, onboarding, and identity proofing flows for payment services.

2 mapped questions · 1 IAM domain

US Regulations & Programs

US federal and state requirements where access management is a core control family for auditors and regulators.

SOX
Threshold 2.0 of 4.0

Sarbanes-Oxley Act Section 404 (SOX)

Section 404 of the US Sarbanes-Oxley Act requires management to assess internal control over financial reporting. Auditors evaluate IT general controls, where access management is a core control family: who can reach financial systems, how access is granted, reviewed, separated, and evidenced.

10 mapped questions · 4 IAM domains

HIPAA
Threshold 2.0 of 4.0

HIPAA Security Rule

The HIPAA Security Rule (45 CFR 164.312) requires covered entities and business associates in US healthcare to implement technical safeguards for electronic protected health information, including access control, audit controls, and person or entity authentication.

8 mapped questions · 6 IAM domains

CCPA/CPRA
Threshold 2.0 of 4.0

California Consumer Privacy Act (CCPA/CPRA)

The California Consumer Privacy Act, as amended by the CPRA, grants California consumers rights over their personal information and expects businesses to maintain reasonable security procedures. For identity programs it mainly shapes customer registration, consent and preference handling, and identity verification for consumer requests.

3 mapped questions · 1 IAM domain

FedRAMP
Threshold 3.0 of 4.0

FedRAMP (Moderate Baseline)

FedRAMP authorizes cloud services for use by US federal agencies, building on the NIST SP 800-53 control catalog. The Moderate baseline expects documented and continuously monitored controls with automation across account management, access enforcement, and auditing. A High baseline variant carries stricter continuous-monitoring expectations.

1 mapped question · 1 IAM domain

Standards & Certifications

International standards, attestation criteria, and control catalogs that define identity and access expectations.

ISO/IEC 27001
Threshold 2.5 of 4.0

ISO/IEC 27001:2022

ISO/IEC 27001:2022 is the international standard for information security management systems. Annex A contains a substantial block of identity and access controls, including A.5.15 to A.5.18 on access control and identity management and A.8.2 to A.8.5 on privileged access rights, information access restriction, and secure authentication. Certification requires controls that are implemented and demonstrably effective.

32 mapped questions · 9 IAM domains

SOC 2
Threshold 2.5 of 4.0

SOC 2 Type II

SOC 2 reports on a service organization’s controls against the AICPA Trust Services Criteria. The CC6 logical access series covers access provisioning, authentication, and removal, and a Type II report tests operating effectiveness over a period of time rather than at a point in time.

25 mapped questions · 9 IAM domains

NIST CSF 2.0
Threshold 2.0 of 4.0

NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework 2.0 is a voluntary framework for managing cybersecurity risk. Identity, authentication, and access control live primarily in the PR.AA category, governance expectations in the GV function, and identity threat detection in the DE function. Implementation Tier 2 corresponds to risk-informed, repeatable processes.

34 mapped questions · 9 IAM domains

NIST SP 800-53
Threshold 2.5 of 4.0

NIST SP 800-53 (Moderate Baseline)

NIST SP 800-53 is the control catalog used across US federal systems and many regulated programs. The Access Control (AC) and Identification and Authentication (IA) families define account management, least privilege, separation of duties, and authenticator management. AXIS scores against the Moderate baseline; the High baseline carries a stricter threshold for enhanced and automated controls.

19 mapped questions · 6 IAM domains

NIST SP 800-63B
Threshold 2.5 of 4.0

NIST SP 800-63B Digital Identity Guidelines

NIST SP 800-63B, part of the Digital Identity Guidelines, defines Authentication Assurance Levels (AAL1 to AAL3) for digital authentication. It covers authenticator types, phishing resistance, session management, and account recovery, and is widely referenced for both workforce and customer authentication design.

8 mapped questions · 3 IAM domains

Framework mappings are derived from the AXIS question bank and scored with the same engine that powers assessment results. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. See each framework page for the exact question mapping and threshold.

See Your Alignment in One Assessment

Answer the assessment once; AXIS scores your identity program against every applicable framework, filtered by your scope and industry.