Compliance & Trust
ARCHER is designed for deployment in regulated enterprise environments. This section documents how the system satisfies the requirements that matter in those environments: investigative provenance, immutable audit trails, regulatory reporting, and the hard limits that protect operators from liability.
Why NIS2 and DORA
ARCHER targets EU regulatory frameworks rather than US equivalents. This is a deliberate choice, not a geographic one.
They set the highest evidentiary bar. US frameworks in this space are either domain-specific (CMMC applies to defense contractors, FedRAMP to cloud service providers) or too general to prescribe what security tool output must actually contain. NIS2's 24-hour incident reporting requirement with specific evidence traceability - not a summary, the specific log entry - is a harder standard than anything in NIST SP 800-53 or SOC 2. DORA's threat-led penetration testing requirements define exactly what a penetration test must produce for a regulator to accept it. Building to the harder standard means the output satisfies the easier ones by implication.
They have extraterritorial reach. NIS2 applies to any organization serving EU critical infrastructure, regardless of where that organization is headquartered. DORA applies to any financial entity operating in the EU. A US-based organization with EU customers, EU operations, or EU data residency obligations is subject to both. Targeting EU frameworks makes ARCHER deployable in any regulated market globally. Targeting US-only frameworks limits the audience to specific US government or defense contexts.
They are specific to the problem. The NIS2 evidence standard and DORA TLPT requirements map directly onto what a security operations tool produces: commands run, outputs received, findings recorded, timeline of actions, MITRE technique mappings. The compliance requirements are not general - they describe the exact artifact ARCHER generates. That specificity makes compliance measurable rather than interpretive.
The Core Principle
Security tooling in regulated industries operates under a simple test: can a finding survive a legal or regulatory challenge? That test has specific requirements:
- The finding must trace to specific source evidence
- The investigation must be reproducible by an independent analyst
- Every action must be time-stamped and attributable
- Nothing in the record can be modified after the fact
"The AI flagged this" fails that test. ARCHER is built to pass it.
In This Section
- NIS2 & DORA Alignment - how ARCHER's output satisfies EU regulatory requirements for incident reporting and operational resilience testing
- Investigative Provenance - how ARCHER ensures every finding is traceable, reproducible, and auditable
Related
- Trust Requirements - the full list of nineteen requirements every investigation must satisfy
- Hard Limits - actions that cannot be authorized in any mode of operation