Compliance frameworks, mapped for Canadian companies selling globally
Sell into three markets and you’ll collect five frameworks. The mistake is treating each as its own project. Built properly, one security program maps to all of them — so the useful way to organize this guide is by the market each framework unlocks.
Selling to enterprises & US health systems
SOC 2
The default ask from enterprise and institutional customers, especially in North America — if one deal requires a certification, it’s almost certainly this one.
HIPAA
Applies the moment a US health system, payer, or their data touches your product — including as a Canadian company.
Selling globally / to security-mature enterprises
ISO 27001
The international anchor certification — often the better long-term choice when your customers span multiple continents.
Selling into the EU & UK
GDPR
Applies as soon as your users are in Europe — regardless of where your company or servers are.
NIS2 & DORA
The EU’s security and resilience rules for essential sectors and financial institutions — reaching you through your customers’ contracts.
National certification schemes
Cyber Essentials (UK), BSI IT-Grundschutz and C5 (Germany), SecNumCloud (France), and friends — each country’s local trust currency.
Selling to the US federal government & defence
FedRAMP
Required to sell cloud services to US federal agencies — a serious commitment that deserves a clear-eyed cost/benefit call.
CMMC / NIST 800-171
The US defence supply chain’s contract gate — flows down from primes to subcontractors, including Canadian ones.
Selling to the Government of Canada & DND
CPCSC
Canada’s new cyber certification for defence suppliers — Level 1 self-assessments are appearing in DND contracts now.
Cross-cutting
Data residency & cross-border transfers
“Where is our data, and who can reach it?” — the question every regulated customer eventually asks, from CLOUD Act exposure to provincial residency rules.
Every framework above has a plain-language guide — and if your question doesn’t fit neatly into one, just ask.
Not sure which of these applies to you?
That’s a normal place to be — and a 30-minute conversation usually sorts it out. No pitch, no obligation.