Compliance matrix¶
AKKO 2026.04 is designed for regulated industries (banking, healthcare, public sector). This page maps each DORA, NIS2 and GDPR control relevant to a data + AI platform to the AKKO artefact that addresses it.
This is not a certification
AKKO provides the primitives; final certification is owned by your compliance team with its auditors. Use this matrix as a traceability document, not as legal advice.
Transversal primitives¶
Every regulation below re-uses the same building blocks. Get these right once, enforce everywhere:
| Primitive | AKKO component |
|---|---|
| Identity & access | Keycloak (OIDC), optional LDAP/AD federation |
| Authorisation | OPA Rego policies (Trino column mask, row filter, ABAC), Catalog Manager Pro auto-rules |
| Encryption at rest | Storage class encryption (cloud) / Linux dm-crypt (on-prem), object storage SSE-KMS |
| Encryption in transit | TLS end-to-end via cert-manager + Let's Encrypt |
| Audit trail | Keycloak events + OPA decision logs + Trino query log + object storage audit + HMAC-signed ADEN receipts + Catalog Manager JSON events → logs layer |
| Log retention | logs layer 14 d hot + S3 WORM Object Lock 365 d cold (GDPR Art. 30, DORA RTS) |
| Monitoring | Prometheus + VictoriaMetrics (Apache 2.0) + Alertmanager |
| Backup / DR | Velero + velero-plugin-for-* per storage, CronJob-driven snapshots |
| Data residency | Sovereign clouds (Outscale SecNumCloud, OVHcloud EU), on-prem k3s |
| Secrets management | K8s Secrets (server-side encryption) + SealedSecrets / External Secrets Operator, never ConfigMap |
DORA (Digital Operational Resilience Act, EU 2022/2554)¶
Applicable to EU financial entities from 2025-01-17.
| DORA chapter / article | Control | AKKO implementation |
|---|---|---|
| Ch. II Art. 6 | ICT risk management framework | docs/admin/rbac.md + OPA policies + docs/adr/ (every architectural risk tracked as ADR) |
| Ch. II Art. 9 | Protection & prevention | TLS (cert-manager), pod security restricted, NetworkPolicies, signed images (Cosign), Trivy scan gate |
| Ch. II Art. 10 | Detection | Prometheus + VictoriaMetrics alerts + Alertmanager webhooks |
| Ch. II Art. 11 | Response & recovery | dr-playbook.md (RTO/RPO targets) + dr-drill-log.md (quarterly fillable record) |
| Ch. II Art. 12 | Backup policies, restoration & recovery | Velero backups (CronJob-driven snapshots) + restore drills recorded in dr-drill-log.md |
| Ch. II Art. 13 | Learning & evolving | Git history + GitHub release notes + ADR log |
| Ch. II Art. 14 | Communication (with authorities) | Exportable audit JSON (logs layer → S3) |
| Ch. III Art. 17–23 | ICT incident management | On-call runbook (docs/admin/runbooks/*) + structured audit events |
| Ch. IV Art. 24–27 | Digital operational resilience testing | tests/post-deploy/* (E2E smoke) + chaos testing recommended on scale-out |
| Ch. V Art. 28–44 | Third-party risk | License inventory (docs/licenses/inventory.md) + Harbor Cosign-signed + Trivy-scanned images |
NIS2 (Directive (EU) 2022/2555)¶
Applicable to essential and important entities from 2024-10-18, as transposed by each Member State.
| NIS2 article | Control | AKKO implementation |
|---|---|---|
| Art. 20 — Governance | Management responsibility for risk | ADR log + sprint planning discipline |
| Art. 21(2)(a) — Risk analysis | Security policies | This page + docs/admin/rbac.md |
| Art. 21(2)(b) — Incident handling | IR process | Runbooks in docs/admin/runbooks/ |
| Art. 21(2)(c) — Business continuity | Backup, DR | Velero CronJobs, restore drills |
| Art. 21(2)(d) — Supply chain | Vendor/supplier security | check-licenses.sh + Harbor signed artefacts |
| Art. 21(2)(e) — Acquisition, dev, maintenance | Secure SDLC | Woodpecker CI (.woodpecker/*.yml — lint, no-hardcoding, Trivy, Cosign signing, license scan) |
| Art. 21(2)(f) — Effectiveness assessment | Testing | tests/post-deploy/, E2E Playwright |
| Art. 21(2)(g) — Basic cyber hygiene | Training | Docs bilingual (EN + FR) |
| Art. 21(2)(h) — Cryptography | Crypto policy | TLS everywhere, disk encryption, HMAC audit receipts |
| Art. 21(2)(i) — HR security, access control, asset management | Access control + asset inventory | Keycloak RBAC + LDAP federation + akko-admin gated mutations; helm/akko/values.yaml declares every service version |
| Art. 21(2)(j) — MFA / secured communications | Strong authentication, secured channels | Keycloak (OIDC) authentication (whether MFA is enforced is a Keycloak realm setting, verify it per deployment) + TLS everywhere via cert-manager |
GDPR (Regulation (EU) 2016/679)¶
Applicable to any personal data processing in the EU.
| GDPR article | Control | AKKO implementation |
|---|---|---|
| Art. 5 — Principles | Lawfulness, purpose limitation, data minimisation | OPA row filters + column masks (akko-opa/files/group_policies.json), akko_ai_pii() redaction view |
| Art. 6 — Lawfulness | Legal basis for processing | Document per-tenant in values-tenant-<id>.yaml |
| Art. 15 — Right of access | User data export | Export via Keycloak admin API + Trino query on iceberg.<tenant>.* (dedicated endpoint tracked in #174; status in Gaps and roadmap below) |
| Art. 16 — Rectification | Correct inaccurate data | Standard Trino UPDATE on Iceberg tables |
| Art. 17 — Right to erasure | Right to be forgotten | DELETE FROM iceberg.<tenant>.users WHERE user_id = ? + Keycloak DELETE /users/{id} (dedicated admin API tracked in #174; status in Gaps and roadmap below). Caveat: an Iceberg DELETE only writes a new snapshot, so the row stays readable through time travel until the expire_snapshots and remove_orphan_files table procedures have run; schedule both and check the old data files are gone before closing the request |
| Art. 20 — Portability | Export in structured format | Superset CSV/JSON export + Trino UNLOAD |
| Art. 25 — Privacy by design & by default | Data protection integrated | OPA policies, PII masking, tenant isolation |
| Art. 30 — Records of processing | ROPA log | logs layer audit queries + audit_receipt.py HMAC-signed |
| Art. 32 — Security of processing | Technical & organisational measures | TLS + encryption at rest + RBAC + audit |
| Art. 33 — Breach notification | Detect + report within 72 h | Alertmanager → ops webhook + audit query trail |
| Art. 35 — DPIA | Impact assessment | Compliance team owns; AKKO provides the inventory in dpia-inventory.md (5 sections × ~20 personal-data flows + DSR/erasure procedures + cross-border-transfer baseline) |
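The audit trail rows above (HMAC-signed ADEN receipts in the transversal table, audit_receipt.py in the Art. 30 row) rest on one property: a receipt's MAC must fail to verify when the event, or any receipt before it, is altered or removed. The following is an added example, not AKKO's audit_receipt.py: the receipt layout (`event`, `prev`, `mac`), the chaining rule, the key and the sample events are assumptions made for illustration.

```python
# Added example: HMAC-SHA256 signed, hash-chained audit receipts.
# Not AKKO's audit_receipt.py; receipt layout, key and sample events are assumptions.
import hashlib
import hmac
import json
from typing import Any, Optional

# Constructed key for the example. In a deployment the key comes from a K8s Secret
# (SealedSecrets / External Secrets Operator), never from a ConfigMap or the code.
EXAMPLE_KEY = b"example-audit-hmac-key-do-not-use"
GENESIS_MAC = "0" * 64  # "prev" value of the first receipt in a chain


def canonical(obj: Any) -> bytes:
    """Deterministic JSON: the MAC must not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def sign_receipt(key: bytes, event: dict[str, Any], prev_mac: str) -> dict[str, Any]:
    """Wrap an audit event in a receipt whose MAC covers the event and the previous MAC."""
    body = {"event": event, "prev": prev_mac}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def sign_chain(key: bytes, events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Sign events in order; each receipt commits to the MAC of the one before it."""
    receipts, prev = [], GENESIS_MAC
    for ev in events:
        r = sign_receipt(key, ev, prev)
        receipts.append(r)
        prev = r["mac"]
    return receipts


def verify_chain(key: bytes, receipts: list[dict[str, Any]],
                 head_mac: Optional[str] = None) -> tuple[bool, int]:
    """Return (ok, index): index is the first bad receipt, or -1 when the chain is intact.

    head_mac is the MAC of the last receipt as recorded out of band (e.g. in the
    Object-Locked cold bucket). Without it, cutting the tail of the chain is undetectable.
    """
    prev = GENESIS_MAC
    for i, r in enumerate(receipts):
        body = {"event": r.get("event"), "prev": r.get("prev")}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare on the MAC; the prev link is public, so plain == is fine there.
        if r.get("prev") != prev or not hmac.compare_digest(expected, str(r.get("mac", ""))):
            return False, i
        prev = r["mac"]
    if head_mac is not None and not hmac.compare_digest(prev, head_mac):
        return False, len(receipts)  # truncated (or empty) chain
    return True, -1


# Constructed sample events in the shape the page's sources emit (Keycloak, Trino, erasure API).
SAMPLE_EVENTS = [
    {"audit_type": "keycloak.login", "user": "alice", "ts": "2026-04-02T08:00:00Z"},
    {"audit_type": "trino.query", "user": "alice", "catalog": "iceberg", "ts": "2026-04-02T08:01:12Z",
     "query": "SELECT count(*) FROM iceberg.tenant_a.users"},
    {"audit_type": "gdpr.erasure", "subject_id": "u-1234", "actor": "akko-admin", "ts": "2026-04-02T09:30:00Z"},
]


def demo() -> dict[str, tuple[bool, int]]:
    """Sign the sample chain, then verify it intact and under three kinds of tampering."""
    chain = sign_chain(EXAMPLE_KEY, SAMPLE_EVENTS)
    head = chain[-1]["mac"]
    results = {"intact": verify_chain(EXAMPLE_KEY, chain, head)}

    tampered = json.loads(json.dumps(chain))             # deep copy
    tampered[1]["event"]["query"] = "SELECT * FROM iceberg.tenant_a.users"  # rewrite history
    results["tampered_event"] = verify_chain(EXAMPLE_KEY, tampered, head)

    dropped = chain[:1] + chain[2:]                       # remove the query receipt
    results["dropped_middle"] = verify_chain(EXAMPLE_KEY, dropped, head)

    truncated = chain[:-1]                                # erase the erasure event
    results["truncated_without_head"] = verify_chain(EXAMPLE_KEY, truncated)
    results["truncated_with_head"] = verify_chain(EXAMPLE_KEY, truncated, head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:24s} ok={ok} first_bad_index={idx}")
```

The last two cases are the caveat worth writing into the ROPA procedure: a chain that is simply cut at the tail still verifies on its own, so the head MAC (or the receipt file itself) has to land in the Object-Locked cold bucket that the retention row describes, and verification has to run against that stored head. Then tail-truncation fails like any other edit.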
Gaps and roadmap¶
The following controls were tracked as gaps against 2026.04; the Status column records where each one stands (delivered in the named sprint, delivered but off by default, or owned by the customer):
| Gap | Regulation | Status | Task |
|---|---|---|---|
| Right-to-erasure API | GDPR Art. 17 | Sprint 43 (delivered) | POST /admin/users/{id}/erasure backed by OPA + Trino DELETE + Keycloak DELETE |
| Data-portability export API | GDPR Art. 20 | Sprint 43 (delivered) | GET /admin/users/{id}/export → ZIP of CSV + JSON |
| DR drill playbook + RTO/RPO doc | DORA Art. 11 | Sprint 43 (delivered) | dr-playbook.md — measured numbers per drill |
| DR drill execution log | DORA Art. 11 | Sprint 52 P2 (delivered, PR #44) | dr-drill-log.md — quarterly fillable form, signed PDF stored in cold-locked audit bucket |
| DPIA personal-data inventory | GDPR Art. 35 | Sprint 52 P2 (delivered, PR #43) | dpia-inventory.md |
| SIEM integration (Splunk / Sentinel / ELK) | NIS2 Art. 21(2)(b) | Sprint 44 (delivered, off by default) | siem-forwarder.md — logs layer → SIEM forwarder Helm sub-chart |
| Penetration test scope | NIS2 Art. 21(2)(f) | Sprint 52 P2 (delivered, PR #45) | pentest-scope.md — auditor-facing brief; external engagement is customer-side |
| External pentest report | NIS2 Art. 21(2)(f) | Customer engages | Annual + on every major release; deliverable schema documented in pentest-scope §"Deliverables" |
| mTLS service mesh | NIS2 Art. 21(2)(h) | Sprint 52 P1 (delivered, off by default) | mtls.md — Linkerd CNCF Graduated, ADR-037 |
| Encryption at rest layers | NIS2 Art. 21(2)(h) | Sprint 52 P1 (delivered, off by default) | encryption.md — pgcrypto + SeaweedFS volume + audit cold storage |
How to verify your deployment¶
```bash
# 1. Log retention policy active (14 d hot in the logs layer)
kubectl -n akko get cm akko-vlogs-retention -o yaml

# 2. Encryption at rest: list the StorageClass behind every PVC, then check that each
#    class declares encryption in its parameters (cloud). On-prem dm-crypt leaves no trace
#    in the StorageClass; check the node instead: lsblk -o NAME,TYPE (TYPE = crypt)
kubectl -n akko get pvc -o custom-columns=NAME:.metadata.name,STORAGECLASS:.spec.storageClassName
kubectl get storageclass -o yaml   # inspect provisioner + parameters of each class listed above

# 3. Audit trail is being collected (LogsQL query against the logs layer; -G + --data-urlencode
#    keeps the ':' and '*' in the query safe in the URL)
kubectl -n akko exec svc/akko-cockpit -- \
  curl -sfG --data-urlencode 'query=audit_type:*' \
  "http://akko-vlogs:9428/select/logsql/query" | head

# 4. No AGPL / GPL / SSPL components
bash scripts/check-licenses.sh
```
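The commands above are read by a human. As an added example (not AKKO tooling), the script below turns two of those checks into assertions over `kubectl ... -o json` output so they can sit next to tests/post-deploy/: every PVC must be backed by a StorageClass that declares server-side encryption, and no ConfigMap may carry a secret-shaped key or value (the "never ConfigMap" rule of the transversal table). The provisioner-to-parameter table, the secret patterns and the sample objects are assumptions; extend the table for your CSI driver.

```python
# Added example (not AKKO tooling): offline checks over `kubectl ... -o json` output for
# encryption at rest per PVC and for secrets that leaked into ConfigMaps.
# The provisioner table, the regexes and the sample objects are assumptions.
import json
import re
from typing import Any, Callable

# Which StorageClass parameter proves server-side encryption, per CSI provisioner.
# Assumption: extend this for your platform; unknown provisioners fail closed.
ENCRYPTION_MARKERS: dict[str, Callable[[dict[str, str]], bool]] = {
    "ebs.csi.aws.com": lambda p: p.get("encrypted", "").lower() == "true",
    "pd.csi.storage.gke.io": lambda p: bool(p.get("disk-encryption-kms-key")),
}


def unencrypted_pvcs(pvcs: dict[str, Any], storageclasses: dict[str, Any]) -> list[str]:
    """Return one finding per PVC whose StorageClass does not prove encryption at rest.
    On-prem dm-crypt volumes are invisible here; check the node (lsblk TYPE=crypt) instead."""
    classes = {sc["metadata"]["name"]: sc for sc in storageclasses["items"]}
    findings = []
    for pvc in pvcs["items"]:
        name = pvc["metadata"]["name"]
        sc_name = pvc["spec"].get("storageClassName")
        sc = classes.get(sc_name)
        if sc is None:
            findings.append(f"{name}: StorageClass {sc_name!r} not found")
            continue
        check = ENCRYPTION_MARKERS.get(sc["provisioner"])
        if check is None:
            findings.append(f"{name}: no encryption rule for provisioner {sc['provisioner']}")
        elif not check(sc.get("parameters") or {}):
            findings.append(f"{name}: StorageClass {sc_name} is not encrypted")
    return findings


# Key names that belong in a Secret, and value shapes (PEM private key, JWT) that never belong in a ConfigMap.
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api[-_]?key|private[-_]?key", re.I)
SECRET_VALUE_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----|\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.")


def configmap_secret_leaks(configmaps: dict[str, Any]) -> list[str]:
    """Return namespace/name:key for every ConfigMap entry that looks like a secret."""
    hits = []
    for cm in configmaps["items"]:
        meta = cm["metadata"]
        for key, value in (cm.get("data") or {}).items():
            if SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.search(str(value)):
                hits.append(f"{meta['namespace']}/{meta['name']}:{key}")
    return hits


# Constructed sample objects in the layout kubectl emits (only the fields the checks read).
SAMPLE_PVCS = {"items": [
    {"metadata": {"name": "postgres-data"}, "spec": {"storageClassName": "gp3"}},
    {"metadata": {"name": "trino-spill"}, "spec": {"storageClassName": "gp3-encrypted"}},
    {"metadata": {"name": "seaweedfs-vol"}, "spec": {"storageClassName": "local-path"}},
]}
SAMPLE_SCS = {"items": [
    {"metadata": {"name": "gp3"}, "provisioner": "ebs.csi.aws.com", "parameters": {"type": "gp3"}},
    {"metadata": {"name": "gp3-encrypted"}, "provisioner": "ebs.csi.aws.com",
     "parameters": {"type": "gp3", "encrypted": "true", "kmsKeyId": "alias/akko-pv"}},
    {"metadata": {"name": "local-path"}, "provisioner": "rancher.io/local-path"},
]}
SAMPLE_CMS = {"items": [
    {"metadata": {"namespace": "akko", "name": "trino-config"},
     "data": {"log.level": "INFO", "query.max-memory": "8GB"}},
    {"metadata": {"namespace": "akko", "name": "keycloak-env"},
     "data": {"KC_HOSTNAME": "auth.example.internal", "KEYCLOAK_ADMIN_PASSWORD": "hunter2"}},
    {"metadata": {"namespace": "akko", "name": "cockpit-tls"},
     "data": {"tls.crt": "-----BEGIN CERTIFICATE-----\nMIIB...",
              "key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE..."}},
]}


def run_checks(pvcs: dict[str, Any] = SAMPLE_PVCS, scs: dict[str, Any] = SAMPLE_SCS,
               cms: dict[str, Any] = SAMPLE_CMS) -> dict[str, list[str]]:
    """Run both checks; an empty list per check is the passing result."""
    return {"unencrypted_pvcs": unencrypted_pvcs(pvcs, scs),
            "configmap_secret_leaks": configmap_secret_leaks(cms)}


if __name__ == "__main__":
    # Real use: run_checks(json.load(open("pvcs.json")), json.load(open("sc.json")), json.load(open("cm.json")))
    # with the output of: kubectl -n akko get pvc -o json / kubectl get sc -o json / kubectl -n akko get cm -o json
    print(json.dumps(run_checks(), indent=2))
```

Unknown provisioners fail closed on purpose: a local-path volume on on-prem k3s may well sit on dm-crypt, but nothing in the StorageClass says so, and the evidence for that row of the matrix has to come from the node, not from this check. The ConfigMap scan is a coarse net (key names and PEM/JWT shapes); treat every hit as something to move into a Secret managed by SealedSecrets or the External Secrets Operator, and add the key patterns your own charts use.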
Contact¶
For commercial support on a compliance programme, contact
compliance@akko-ai.com (once established).