[3.12] Regulatory & policy alignment

[ozzyathome]

Aspect

Section: 3.12 Regulatory and policy alignment
Orientation relevance: both

Objective

Decide whether and how a profile declares the regulatory or policy expectations it helps
satisfy, while keeping the methodology itself independent of any single regime.

Background & links

Scoping document §3.12. A common driver for profiles is satisfying multiple regulators with a
single artifact. Context worth referencing without binding the method to it: the NIS
Cooperation Group roadmap's call for a standardised cryptographic-inventory format; EU CRA /
TR-03183 SBOM trajectory; US cryptographic-inventory expectations.

Options under consideration

• Informative declaration — a profile lists the regulatory expectations it maps to, as
  non-normative metadata. (Trade-off: low coupling; advisory only.)
• Normative mapping annex — a per-profile regulatory cross-reference. (Trade-off: stronger
  compliance evidence; higher maintenance as regimes change.)

Open questions

• Whether a profile declares the regulatory/policy expectations it addresses, and in what form.
• How a profile stays usable across jurisdictions (one profile serving e.g. EU and US) rather than a bespoke artifact per regulator.
• How regulatory-landscape changes are reflected in profile maintenance.

Dependencies

Relates to objective/scope (3.1 #4) and governance/maintenance (3.11 #11).

Decision

Not yet decided.

Impact on the specification

Spec section "Regulatory and policy alignment."