Regulatory Compliance — DORA, ISO 22301, NIST, FFIEC, HIPAA | eBRP Solutions
Regulatory compliance mapping

Every mandate mapped to the operation it governs.

eBRP Suite maps regulatory compliance requirements directly to the Process and Application entity records they apply to — creating a traceable, auditable compliance-to-operations linkage at the source of truth. eRMA then connects compliance gaps to the services they put at risk.

Supported frameworks

The mandates your program is governed by — all mapped in eBRP Suite.

Compliance mandates are mapped to PPTDFS entity records — not maintained as a separate compliance module. This means compliance is always live, always in context, and always connected to the risk and recovery data that auditors and regulators need to see.

DORA
Digital Operational Resilience Act
EU financial entities · Applies since 17 Jan 2025
ICT risk management, incident classification and reporting, resilience testing, and third-party ICT concentration risk — all mapped to eBRP Process and Application entities.
ICT risk management requirements mapped to technology entity risk assessments
Third-party ICT concentration — PPTDFS supplier dependency analysis
eRMA cascade: DORA Article compliance gap → impacted financial services
TLPT (Threat-Led Penetration Testing) exercise evidence via CommandCentre
ISO 22301
Business Continuity Management
International · All sectors
Full BCM lifecycle alignment — Context, BIA, Strategy, Planning, Testing, and Review phases all supported natively in eBRP Suite’s program architecture.
Clause 8.2 — Business impact analysis and risk assessment via eBIA, feeding the continuity objectives of Clause 6.2
Clause 8.4 — Business continuity plans and procedures as executable task playbooks
Clause 8.5 — Exercise programme run through CommandCentre with audit logs
Clause 9 — Performance evaluation reports and eRMA gap analysis
NIST SP 800-34
Contingency Planning Guide
US Federal agencies · FISMA
Federal IT and business continuity planning requirements — BIA, contingency strategies, plan development, testing, and maintenance — fully supported with on-premises deployment for data sovereignty.
BIA — system characterization and criticality determination via eBIA
ISCP, BCP, COOP, and CONPLAN types — all supported in Toolkit
Testing and exercises — test, training, and exercise (TT&E) tracking via CommandCentre
On-premises perpetual license for Federal data sovereignty requirements
FFIEC BCP
Business Continuity Planning
US Financial institutions
FFIEC examination requirements from the IT Examination Handbook's Business Continuity Management booklet (the BCP booklet, retitled in 2019) — BIA, risk assessment, third-party management, testing, and board oversight — with eBRP generating FFIEC-formatted compliance evidence packages.
BIA — financial impact and criticality rating via eBIA weighted-average computation
Risk assessment per process and technology entity with mitigation tracking
Third-party dependency mapping via PPTDFS supplier model
eRMA-generated FFIEC audit evidence package for examination preparation
HIPAA
Health Insurance Portability & Accountability Act
US Healthcare
HIPAA Security Rule contingency plan requirements — data backup, disaster recovery, emergency mode operations, testing and revision, and application and data criticality analysis.
§164.308(a)(7) — Contingency plan mapped to EMR and clinical system entities
Data backup and disaster recovery plans built in Toolkit with executable tasks
Role-based access controls (Security Rule §164.312(a)(1)) supporting the minimum necessary standard
Testing and revision records via CommandCentre exercise audit trail
NERC CIP
Critical Infrastructure Protection
North American utilities & energy
NERC CIP reliability standards for Bulk Electric System (BES) — critical asset protection, cyber system security, recovery plans, and configuration management mapped to eBRP entities.
CIP-002 — BES Cyber System categorization mapped to Technology entities
CIP-009 — Recovery plans built in Toolkit with eRMA gap analysis
CIP-014 — Physical security GIS mapping of transmission substations
eRMA cascade: NERC CIP compliance gap → BES service impact analysis
How it works

From mandate to entity to audit evidence — in one system.

eBRP Suite’s compliance approach is structural, not documentary. Mandates map to entities. Entities carry risk. eRMA traces gaps. Auditors get evidence.

01
Map mandates to entities
Regulatory requirements — DORA Articles, HIPAA clauses, NIST controls — are mapped to the specific Process and Application entity records they govern in Toolkit. The mapping is set up once and then follows the entity record as it changes.
02
Risk assessed per entity
Each mapped entity carries a current risk assessment — Threat, Vulnerability, Impact, Likelihood, and Mitigation status. Open mitigations create immediate compliance exposure signals.
03
eRMA cascades impact
eRMA traces any compliance gap or risk exposure through the PPTDFS dependency chain — identifying every Service affected if the gap materializes. “What breaks if we fail DORA Article 11?” answered in seconds.
04
Evidence packaged for audit
eRMA generates compliance evidence packages — BIA outputs, risk mitigation records, exercise logs, plan completeness reports — formatted for the specific regulatory framework’s audit requirements.
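The four steps above can be sketched as a small dependency model. This is an added illustration written for this page, not eBRP's or eRMA's code: the entity kinds, the mandate identifiers attached to each record, the open-mitigation strings and the dependency edges are all constructed sample data. It shows the part a practitioner usually wants to see made concrete: a cycle-safe walk from a failing entity up the dependency chain to the Services that consume it, and a gap listing that only reports entities whose mapped mandate still has unresolved mitigations.

```python
"""Mandate -> entity -> risk -> impacted service, as a toy dependency model.

Added example for illustration only; not eBRP Suite or eRMA code.
Entity kinds, mandate IDs, mitigation text and dependencies are constructed.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """One record in the model. `kind` values below are assumptions."""
    id: str
    kind: str                                   # "Process", "Application", "Supplier", "Service"
    mandates: frozenset[str] = frozenset()      # requirement IDs mapped to this record
    open_mitigations: tuple[str, ...] = ()      # unresolved treatments = live compliance exposure


class Program:
    def __init__(self) -> None:
        self.entities: dict[str, Entity] = {}
        # provider id -> consumers that stop working if the provider fails
        self._dependents: dict[str, set[str]] = {}

    def add(self, *entities: Entity) -> None:
        for e in entities:
            self.entities[e.id] = e
            self._dependents.setdefault(e.id, set())

    def depends_on(self, consumer: str, provider: str) -> None:
        """Record that `consumer` cannot operate while `provider` is down."""
        if consumer not in self.entities or provider not in self.entities:
            raise KeyError("both ends of a dependency must be registered entities")
        self._dependents[provider].add(consumer)

    def entities_for(self, mandate: str) -> list[Entity]:
        """Step 01: the records a given requirement is mapped to."""
        return sorted((e for e in self.entities.values() if mandate in e.mandates),
                      key=lambda e: e.id)

    def impacted_services(self, entity_id: str) -> set[str]:
        """Step 03: breadth-first walk from a failing entity to every Service above it.

        A visited set makes the walk terminate on cycles (a process that feeds an
        application which in turn feeds the process), which real dependency data has.
        """
        seen = {entity_id}
        queue = deque([entity_id])
        services: set[str] = set()
        while queue:
            current = queue.popleft()
            for consumer in self._dependents[current]:
                if consumer in seen:
                    continue
                seen.add(consumer)
                queue.append(consumer)
                if self.entities[consumer].kind == "Service":
                    services.add(consumer)
        return services

    def gap_report(self, mandate: str) -> list[dict]:
        """Steps 02 and 04: only entities with open mitigations are exposures worth reporting."""
        rows = []
        for e in self.entities_for(mandate):
            if not e.open_mitigations:
                continue
            rows.append({
                "mandate": mandate,
                "entity": e.id,
                "kind": e.kind,
                "open_mitigations": list(e.open_mitigations),
                "impacted_services": sorted(self.impacted_services(e.id)),
            })
        return rows


def build_sample_program() -> Program:
    """Constructed sample data; the DORA article mapping here is illustrative."""
    p = Program()
    p.add(
        Entity("svc-retail-payments", "Service"),
        Entity("svc-treasury", "Service"),
        Entity("proc-settlement", "Process", frozenset({"DORA Art. 11"})),
        Entity("app-payments-core", "Application", frozenset({"DORA Art. 11"}),
               ("ICT recovery test overdue",)),
        Entity("sup-cloud-host", "Supplier", frozenset({"DORA Art. 28"}),
               ("Exit strategy not documented",)),
    )
    p.depends_on("svc-retail-payments", "proc-settlement")
    p.depends_on("svc-treasury", "app-payments-core")
    p.depends_on("proc-settlement", "app-payments-core")
    p.depends_on("app-payments-core", "sup-cloud-host")
    p.depends_on("app-payments-core", "proc-settlement")   # deliberate cycle
    return p


if __name__ == "__main__":
    for row in build_sample_program().gap_report("DORA Art. 11"):
        print(row)
```

Running it lists a single exposure for "DORA Art. 11": the application with the overdue recovery test, with both services reached through the process chain, while the process that is mapped to the same article but has no open mitigation produces no row. The supplier gap under the third-party article reaches the same two services through the application, which is the concentration-risk view the DORA card above refers to.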
Compliance evidence packaging

From weeks of manual preparation to on-demand audit evidence.

eRMA’s compliance evidence packaging capability converts your live program data into structured, audit-ready documentation — formatted for the regulatory framework your auditor is examining.

What’s included in an evidence package
eRMA assembles the complete evidence set from your live program data — no manual compilation, no stale documents.
  • BIA outputs — RTO/RPO, criticality tiers, and impact ratings per process
  • Risk assessment records — all entity assessments with mitigation status and history
  • Plan completeness report — all plans mapped to regulatory requirements
  • Exercise and test history — CommandCentre audit trail with dates and outcomes
  • Review and approval records — BIA approvals, plan sign-offs, governance audit trail
  • Compliance gap analysis — open items, owner, and remediation timeline
How to request an evidence package via eRMA
Ask eRMA in plain language. Get a structured evidence package in the format your auditor expects.
  • “Generate DORA compliance evidence package for our ICT risk management audit”
  • “Create ISO 22301 performance evaluation report for management review”
  • “Produce FFIEC BCP examination evidence for our annual regulatory review”
  • “Show all open HIPAA contingency plan gaps with remediation owners and dates”
  • “Generate NERC CIP CIP-009 recovery plan evidence for reliability standards audit”
  • “Summarize exercise test coverage across all Tier-1 processes for the past 12 months”

See your regulatory mandates mapped in eBRP Suite.

Request a demo and watch eRMA generate a compliance evidence package for your framework — DORA, ISO 22301, FFIEC, HIPAA, or NIST — using a representative program structure.