{"id":1460,"date":"2025-12-28T11:48:04","date_gmt":"2025-12-28T10:48:04","guid":{"rendered":"https:\/\/regulated-devsecops.com\/compliance-2\/"},"modified":"2026-03-26T07:03:13","modified_gmt":"2026-03-26T06:03:13","slug":"compliance","status":"publish","type":"page","link":"https:\/\/regulated-devsecops.com\/fr\/compliance\/","title":{"rendered":"Compliance"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>Compliance as a Technical Property \u2014 Not a Documentation Exercise<\/strong><\/h2>\n\n\n\n<p>In regulated environments, compliance is not about producing documents.<br>It is about <strong>demonstrating control<\/strong>.<\/p>\n\n\n\n<p>Regulators, auditors and supervisory authorities expect organizations to prove:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>That controls are enforced<\/li>\n\n\n\n<li>That responsibilities are clearly segregated<\/li>\n\n\n\n<li>That changes are traceable<\/li>\n\n\n\n<li>That evidence is retained<\/li>\n\n\n\n<li>That risks are managed continuously<\/li>\n<\/ul>\n\n\n\n<p>Modern compliance must be embedded directly into:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CI\/CD pipelines<\/li>\n\n\n\n<li>Secure SDLC processes<\/li>\n\n\n\n<li>Cloud and runtime environments<\/li>\n<\/ul>\n\n\n\n<p>Compliance must be generated by design \u2014 not reconstructed after the fact.<\/p>\n\n\n\n<p><em>New to these concepts? 
Check our <a href=\"https:\/\/regulated-devsecops.com\/fr\/glossary\/\">Glossary<\/a> for plain-language definitions, or start with the <a href=\"https:\/\/regulated-devsecops.com\/fr\/start-here\/\">Auditor&rsquo;s Guide<\/a>.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What \u201cCompliance\u201d Really Means<\/strong><\/h2>\n\n\n\n<p>In regulated environments, compliance operates on <strong>three complementary layers<\/strong>.<\/p>\n\n\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\"\n     viewBox=\"0 0 1200 520\"\n     role=\"img\"\n     aria-labelledby=\"title_2 desc_2\"\n     data-theme=\"light\">\n\n  <title id=\"title_2\">Regulations vs Standards vs Audit Frameworks<\/title>\n  <desc id=\"desc_2\">\n    Visual comparison of regulations, standards and audit frameworks in cybersecurity\n    and compliance, showing how CI\/CD evidence supports all three layers.\n  <\/desc>\n\n  <style>\n    :root{\n      --bg:transparent;\n      --text:#0f172a;\n      --muted:#475569;\n      --stroke:#cbd5e1;\n      --card:#ffffff;\n\n      --reg:#2563eb;\n      --regSoft:#dbeafe;\n\n      --std:#7c3aed;\n      --stdSoft:#ede9fe;\n\n      --aud:#059669;\n      --audSoft:#d1fae5;\n    }\n    svg[data-theme=\"dark\"]{\n      --text:#e5e7eb;\n      --muted:#9ca3af;\n      --stroke:#374151;\n      --card:#0b1220;\n\n      --reg:#60a5fa;\n      --regSoft:#0b2a55;\n\n      --std:#a78bfa;\n      --stdSoft:#2a144d;\n\n      --aud:#34d399;\n      --audSoft:#063a2c;\n    }\n\n    .txt{font-family:ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto,Arial;}\n    .title{font-weight:900;font-size:22px;fill:var(--text);}\n    .sub{font-weight:600;font-size:14px;fill:var(--muted);}\n    .h{font-weight:900;font-size:15px;fill:var(--text);}\n    
.p{font-weight:600;font-size:13px;fill:var(--muted);}\n\n    .card{fill:var(--card);stroke:var(--stroke);stroke-width:1.5;rx:16;}\n    .tag{font-weight:800;font-size:12px;letter-spacing:.04em;}\n\n    .reg{stroke:var(--reg) !important;fill:var(--regSoft) !important;}\n    .std{stroke:var(--std) !important;fill:var(--stdSoft) !important;}\n    .aud{stroke:var(--aud) !important;fill:var(--audSoft) !important;}\n\n    .arrow{\n      fill:none;\n      stroke:var(--muted);\n      stroke-width:3;\n      stroke-linecap:round;\n      marker-end:url(#arrow);\n    }\n\n    .evidence{\n      stroke-dasharray:6 6;\n    }\n  <\/style>\n\n  <defs>\n    <marker id=\"arrow\" viewBox=\"0 0 10 10\" refX=\"9\" refY=\"5\"\n            markerWidth=\"7\" markerHeight=\"7\" orient=\"auto\">\n      <path d=\"M0 0 L10 5 L0 10 Z\" fill=\"var(--muted)\"\/>\n    <\/marker>\n  <\/defs>\n\n  <!-- Header -->\n  <text class=\"txt title\" x=\"40\" y=\"48\">Regulations vs Standards vs Audit Frameworks<\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"74\">\n    Different types of obligations, one shared requirement: auditable evidence\n  <\/text>\n\n  <!-- Regulations -->\n  <g transform=\"translate(40,120)\">\n    <rect class=\"card reg\" width=\"320\" height=\"200\"\/>\n    <text class=\"txt h\" x=\"20\" y=\"36\">Regulations<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"62\">Legally binding obligations<\/text>\n\n    <text class=\"txt tag\" x=\"20\" y=\"98\">Examples<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"120\">\u2022 DORA<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"140\">\u2022 NIS2<\/text>\n\n    <text class=\"txt p\" x=\"20\" y=\"170\">\n      Define what must be achieved\n    <\/text>\n  <\/g>\n\n  <!-- Standards -->\n  <g transform=\"translate(440,120)\">\n    <rect class=\"card std\" width=\"320\" height=\"200\"\/>\n    <text class=\"txt h\" x=\"20\" y=\"36\">Standards<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"62\">Structured control frameworks<\/text>\n\n 
   <text class=\"txt tag\" x=\"20\" y=\"98\">Examples<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"120\">\u2022 ISO\/IEC 27001<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"140\">\u2022 PCI DSS<\/text>\n\n    <text class=\"txt p\" x=\"20\" y=\"170\">\n      Describe how controls can be implemented\n    <\/text>\n  <\/g>\n\n  <!-- Audit frameworks -->\n  <g transform=\"translate(840,120)\">\n    <rect class=\"card aud\" width=\"340\" height=\"200\"\/>\n    <text class=\"txt h\" x=\"20\" y=\"36\">Audit &amp; Assurance Frameworks<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"62\">Independent validation<\/text>\n\n    <text class=\"txt tag\" x=\"20\" y=\"98\">Example<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"120\">\u2022 SOC 2<\/text>\n\n    <text class=\"txt p\" x=\"20\" y=\"170\">\n      Provide external assurance through audit reports\n    <\/text>\n  <\/g>\n\n  <!-- Evidence box -->\n  <g transform=\"translate(260,360)\">\n    <rect class=\"card\" width=\"680\" height=\"120\"\/>\n    <text class=\"txt h\" x=\"20\" y=\"36\">CI\/CD Evidence<\/text>\n    <text class=\"txt p\" x=\"20\" y=\"62\">\n      Logs, approvals, SBOMs, security test results, monitoring and incident timelines\n    <\/text>\n    <text class=\"txt p\" x=\"20\" y=\"88\">\n      Reusable, correlated, and retained across regulatory, standard, and audit contexts\n    <\/text>\n  <\/g>\n\n  <!-- Arrows -->\n  <path class=\"arrow evidence\" d=\"M 200 320 L 420 360\"\/>\n  <path class=\"arrow evidence\" d=\"M 600 320 L 600 360\"\/>\n  <path class=\"arrow evidence\" d=\"M 1000 320 L 780 360\"\/>\n\n<\/svg>\n\n  <figcaption class=\"gp-rds-caption\">\n    Visual comparison of regulations, standards and audit frameworks in cybersecurity\n    and compliance, showing how CI\/CD evidence supports all three layers.\n  <\/figcaption>\n<\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
<strong>Regulations \u2014 What Must Be Achieved<\/strong><\/h3>\n\n\n\n<p>Legally binding obligations enforced by regulators.<\/p>\n\n\n\n<p><strong>Examples<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/dora\/\" data-type=\"page\" data-id=\"919\">DORA<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/nis2\/\" data-type=\"page\" data-id=\"921\">NIS2<\/a><\/li>\n\n\n<li>GDPR<\/li>\n<\/ul>\n\n\n\n<p>They define:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Operational resilience expectations<\/li>\n\n\n\n<li>ICT risk management requirements<\/li>\n\n\n\n<li>Supply chain governance<\/li>\n\n\n\n<li>Incident reporting obligations<\/li>\n<\/ul>\n\n\n\n<p>Failure to comply may result in supervisory action or financial penalties.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong>Standards \u2014 How Controls Can Be Implemented<\/strong><\/h3>\n\n\n\n<p>Structured control frameworks providing implementation guidance.<\/p>\n\n\n\n<p><strong>Examples<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/iso-27001\/\">ISO\/IEC 27001<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/pci-dss\/\">PCI DSS<\/a><\/li>\n<\/ul>\n\n\n\n<p>They describe:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Control objectives<\/li>\n\n\n\n<li>Process governance<\/li>\n\n\n\n<li>Security management practices<\/li>\n\n\n\n<li>Evidence expectations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
<strong>Audit &amp; Assurance Frameworks<\/strong> \u2014 Independent Validation<\/h3>\n\n\n\n<p>Frameworks that provide external assurance through audits.<\/p>\n\n\n\n<p><strong>Example<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/soc-2\/\">SOC 2<\/a><\/li>\n<\/ul>\n\n\n\n<p>They deliver:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Independent audit reports<\/li>\n\n\n\n<li>Customer assurance<\/li>\n\n\n\n<li>Governance validation<\/li>\n<\/ul>\n\n\n\n<p>Audits do not create compliance.<br>They verify it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Common Denominator: Technical Evidence<\/strong><\/h2>\n\n\n\n<p>Regardless of the framework, <strong>the same technical evidence is reused<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CI\/CD pipeline logs<\/li>\n\n\n\n<li>Change approvals<\/li>\n\n\n\n<li>Pull request reviews<\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/glossary\/#sbom\">SBOMs<\/a> and <a href=\"https:\/\/regulated-devsecops.com\/fr\/glossary\/#artifact\">artifact<\/a> provenance<\/li>\n\n\n\n<li>Security test results (<a href=\"https:\/\/regulated-devsecops.com\/fr\/glossary\/#sast\">SAST<\/a>, <a href=\"https:\/\/regulated-devsecops.com\/fr\/glossary\/#dast\">DAST<\/a>, <a href=\"https:\/\/regulated-devsecops.com\/fr\/glossary\/#sca\">SCA<\/a>)<\/li>\n\n\n\n<li>Deployment history<\/li>\n\n\n\n<li>Monitoring and incident timelines<\/li>\n<\/ul>\n\n\n\n<p>This evidence must be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generated continuously<\/li>\n\n\n\n<li>Correlated across systems<\/li>\n\n\n\n<li>Tamper-resistant<\/li>\n\n\n\n<li>Retained with access governance<\/li>\n<\/ul>\n\n\n\n<p>Without reliable evidence, compliance cannot be demonstrated.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Compliance Across the Software Delivery Lifecycle<\/strong><\/h2>\n\n\n\n<p>In regulated environments, <strong>every change must be 
explainable<\/strong>.<\/p>\n\n\n\n<p>Compliance therefore spans the full lifecycle:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Design decisions<\/li>\n\n\n\n<li>Code commits<\/li>\n\n\n\n<li>Pipeline execution<\/li>\n\n\n\n<li>Release approvals<\/li>\n\n\n\n<li>Production runtime<\/li>\n\n\n\n<li>Incident response<\/li>\n<\/ul>\n\n\n\n<p>A compliant SDLC creates a verifiable chain:<br><strong>Governance \u2192 Delivery \u2192 Runtime \u2192 Retention<\/strong><\/p>\n\n\n\n<p>Where:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Governance defines responsibility and policy<\/li>\n\n\n\n<li>Delivery enforces controls<\/li>\n\n\n\n<li>Runtime generates operational evidence<\/li>\n\n\n\n<li>Retention preserves auditability<\/li>\n<\/ul>\n\n\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n  <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\"\n       viewBox=\"0 0 1200 520\"\n       role=\"img\"\n       aria-labelledby=\"gp-rds-title gp-rds-desc\"\n       class=\"gp-rds-svg\">\n\n    <title id=\"gp-rds-title\">\n      Compliance &amp; Audit Evidence Chain for Regulated SDLC\n    <\/title>\n\n    <desc id=\"gp-rds-desc\">\n      Diagram showing the audit evidence chain across a regulated software lifecycle: \nidentity, change control, pipeline controls, artifact integrity, runtime monitoring, and retention.\n    <\/desc>\n\n    <style>\n  \/* Default = light *\/\n    :root{\n      --bg: transparent;\n      --text: #0f172a;\n      --muted: #475569;\n      --stroke: #cbd5e1;\n      --card: #ffffff;\n      --accent: #2563eb;\n      --accentSoft:#dbeafe;\n      --warn:#f59e0b;\n      --warnSoft:#fffbeb;\n    }\n    \/* Optional dark theme *\/\n    svg[data-theme=\"dark\"]{\n        --text:#e5e7eb;\n        --muted:#9ca3af;\n        --stroke:#374151;\n        --card:#0b1220;\n        --accent:#60a5fa;\n        --accentSoft:#0b2a55;\n        --warn:#fbbf24;\n        --warnSoft:#2a1f0b;\n    } \n\n    .txt{font-family: 
ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Arial, \"Noto Sans\", \"Liberation Sans\", sans-serif;}\n    \/* Rules are scoped to this SVG: styles in inline SVG apply to the whole HTML document, and the first diagram on this page defines the same class names (.title, .card, .arrow) with different values. *\/\n    .gp-rds-svg .title{font-weight:700; font-size:22px; fill:var(--text);}\n    .gp-rds-svg .sub{font-weight:500; font-size:14px; fill:var(--muted);}\n    .gp-rds-svg .label{font-weight:700; font-size:14px; fill:var(--text);}\n    .gp-rds-svg .small{font-weight:500; font-size:12px; fill:var(--muted);}\n    .gp-rds-svg .card{fill:var(--card); stroke:var(--stroke); stroke-width:1.5; rx:14;}\n    .gp-rds-svg .lane{fill:transparent; stroke:var(--stroke); stroke-width:1.5; rx:16; stroke-dasharray:6 6;}\n    .gp-rds-svg .laneTitle{font-weight:800; font-size:12px; fill:var(--muted); letter-spacing:.05em;}\n    .gp-rds-svg .flow{fill:none; stroke:var(--stroke); stroke-width:2.5; stroke-linecap:round; stroke-linejoin:round;}\n    .gp-rds-svg .arrow{marker-end:url(#gp-rds-arrow);}\n    .gp-rds-svg .chip{fill:transparent; stroke:var(--stroke); stroke-width:1.5;}\n    .gp-rds-svg .chipText{font-weight:700; font-size:12px; fill:var(--text);}\n    .gp-rds-svg .chipBlue{fill:var(--accentSoft); stroke:var(--accent);}\n    .gp-rds-svg .chipWarn{fill:var(--warnSoft); stroke:var(--warn);}\n    .gp-rds-svg .chipTextMuted{font-weight:700; font-size:12px; fill:var(--muted);}\n  <\/style>\n\n  <defs>\n    <!-- Unique id: the first diagram already defines a marker with id=\"arrow\", and duplicate ids make url(#arrow) resolve to whichever comes first. -->\n    <marker id=\"gp-rds-arrow\" viewBox=\"0 0 10 10\" refX=\"9.2\" refY=\"5\" markerWidth=\"7\" markerHeight=\"7\" orient=\"auto-start-reverse\">\n      <path d=\"M 0 0 L 10 5 L 0 10 z\" fill=\"var(--stroke)\"\/>\n    <\/marker>\n  <\/defs>\n\n  <!-- Background -->\n  <rect x=\"0\" y=\"0\" width=\"1200\" height=\"460\" fill=\"var(--bg)\"\/>\n\n  <!-- Header -->\n  <text class=\"txt title\" x=\"40\" y=\"48\">Compliance &amp; Audit Evidence Chain<\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"74\">Regulated SDLC: governance controls and verifiable evidence from change to runtime<\/text>\n\n  <!-- Lanes -->\n  <!-- Lane 1: Governance -->\n  <g>\n    <rect class=\"lane\" x=\"40\" y=\"100\" width=\"1120\" height=\"110\" rx=\"16\"\/>\n    <text class=\"txt laneTitle\" x=\"60\" y=\"126\">GOVERNANCE<\/text>\n\n    <g transform=\"translate(60,142)\">\n      <rect 
class=\"chip chipBlue\" x=\"0\" y=\"0\" width=\"200\" height=\"30\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"100\" y=\"20\" text-anchor=\"middle\">Identity &amp; access (IAM)<\/text>\n    <\/g>\n\n    <g transform=\"translate(280,142)\">\n      <rect class=\"chip chipBlue\" x=\"0\" y=\"0\" width=\"220\" height=\"30\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"110\" y=\"20\" text-anchor=\"middle\">Change management<\/text>\n    <\/g>\n\n    <g transform=\"translate(520,142)\">\n      <rect class=\"chip chipBlue\" x=\"0\" y=\"0\" width=\"250\" height=\"30\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"125\" y=\"20\" text-anchor=\"middle\">Segregation of duties<\/text>\n    <\/g>\n\n    <g transform=\"translate(790,142)\">\n      <rect class=\"chip chipBlue\" x=\"0\" y=\"0\" width=\"330\" height=\"30\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"165\" y=\"20\" text-anchor=\"middle\">Policies, standards &amp; exceptions<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Lane 2: Delivery Evidence -->\n  <g>\n    <rect class=\"lane\" x=\"40\" y=\"230\" width=\"1120\" height=\"150\" rx=\"16\"\/>\n    <text class=\"txt laneTitle\" x=\"60\" y=\"256\">DELIVERY EVIDENCE<\/text>\n\n    <!-- Cards -->\n    <g transform=\"translate(60,270)\">\n      <rect class=\"card\" x=\"0\" y=\"0\" width=\"250\" height=\"90\" rx=\"14\"\/>\n      <text class=\"txt label\" x=\"16\" y=\"28\">Change record<\/text>\n      <text class=\"txt small\" x=\"16\" y=\"50\">Ticket \u2022 approval \u2022 scope<\/text>\n      <g transform=\"translate(16,60)\">\n        <rect class=\"chip\" x=\"0\" y=\"0\" width=\"218\" height=\"26\" rx=\"6\"\/>\n        <text class=\"txt chipText\" x=\"109\" y=\"18\" text-anchor=\"middle\">Traceability ID<\/text>\n      <\/g>\n    <\/g>\n\n    <g transform=\"translate(335,270)\">\n      <rect class=\"card\" x=\"0\" y=\"0\" width=\"260\" height=\"90\" rx=\"14\"\/>\n      <text class=\"txt label\" x=\"16\" y=\"28\">Pull request<\/text>\n      <text 
class=\"txt small\" x=\"16\" y=\"50\">Reviews \u2022 checks \u2022 sign-off<\/text>\n      <g transform=\"translate(16,60)\">\n        <rect class=\"chip\" x=\"0\" y=\"0\" width=\"228\" height=\"26\" rx=\"6\"\/>\n        <text class=\"txt chipText\" x=\"114\" y=\"18\" text-anchor=\"middle\">Review evidence<\/text>\n      <\/g>\n    <\/g>\n\n    <g transform=\"translate(620,270)\">\n      <rect class=\"card\" x=\"0\" y=\"0\" width=\"260\" height=\"90\" rx=\"14\"\/>\n      <text class=\"txt label\" x=\"16\" y=\"28\">CI\/CD run<\/text>\n      <text class=\"txt small\" x=\"16\" y=\"50\">SAST \u2022 SCA \u2022 DAST \u2022 SBOM<\/text>\n      <g transform=\"translate(16,60)\">\n        <rect class=\"chip\" x=\"0\" y=\"0\" width=\"228\" height=\"26\" rx=\"6\"\/>\n        <text class=\"txt chipText\" x=\"114\" y=\"18\" text-anchor=\"middle\">Pipeline logs<\/text>\n      <\/g>\n    <\/g>\n\n    <g transform=\"translate(905,270)\">\n      <rect class=\"card\" x=\"0\" y=\"0\" width=\"255\" height=\"90\" rx=\"14\"\/>\n      <text class=\"txt label\" x=\"16\" y=\"28\">Release<\/text>\n      <text class=\"txt small\" x=\"16\" y=\"50\">Version \u2022 approvals \u2022 rollback<\/text>\n      <g transform=\"translate(16,60)\">\n        <rect class=\"chip\" x=\"0\" y=\"0\" width=\"223\" height=\"26\" rx=\"6\"\/>\n        <text class=\"txt chipText\" x=\"111.5\" y=\"18\" text-anchor=\"middle\">Release artifact<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- Flow arrows inside lane -->\n    <path class=\"flow arrow\" d=\"M 310 315 L 335 315\"\/>\n    <path class=\"flow arrow\" d=\"M 595 315 L 620 315\"\/>\n    <path class=\"flow arrow\" d=\"M 880 315 L 905 315\"\/>\n  <\/g>\n\n  <!-- Lane 3: Runtime Evidence -->\n  <g>\n    <rect class=\"lane\" x=\"40\" y=\"395\" width=\"1120\" height=\"50\" rx=\"16\"\/>\n    <text class=\"txt laneTitle\" x=\"60\" y=\"422\">RUNTIME EVIDENCE &amp; RETENTION<\/text>\n\n    <g transform=\"translate(380,410)\">\n      <rect class=\"chip chipWarn\" x=\"0\" 
y=\"0\" width=\"220\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"110\" y=\"19\" text-anchor=\"middle\">Centralized logging<\/text>\n    <\/g>\n\n    <g transform=\"translate(610,410)\">\n      <rect class=\"chip chipWarn\" x=\"0\" y=\"0\" width=\"250\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"125\" y=\"19\" text-anchor=\"middle\">Security monitoring<\/text>\n    <\/g>\n\n    <g transform=\"translate(870,410)\">\n      <rect class=\"chip chipWarn\" x=\"0\" y=\"0\" width=\"250\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"125\" y=\"19\" text-anchor=\"middle\">Retention &amp; access control<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Footer note -->\n  <text class=\"txt small\" x=\"40\" y=\"460\"> Every change is traceable, every control produces evidence, and evidence is retained with access governance.<\/text>\n\n  <\/svg>\n\n  <figcaption class=\"gp-rds-caption\">\n    Regulatory frameworks require organizations to demonstrate control, traceability, and accountability across development, delivery, and runtime environments. 
Compliance evidence must therefore be generated continuously, not retroactively.\n  <\/figcaption>\n<\/figure>\n\n\n\n<p><strong>Governance Controls<\/strong><\/p>\n\n\n\n<p>Compliance begins with governance:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identity &amp; access management<\/li>\n\n\n\n<li>Segregation of duties<\/li>\n\n\n\n<li>Change management policies<\/li>\n\n\n\n<li>Exception handling procedures<\/li>\n\n\n\n<li>Supplier risk management<\/li>\n<\/ul>\n\n\n\n<p>Governance defines the rules.<br>Architecture enforces them.<\/p>\n\n\n\n<p><strong>Delivery Evidence (CI\/CD)<\/strong><\/p>\n\n\n\n<p>CI\/CD pipelines must produce:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Change request traceability<\/li>\n\n\n\n<li>Pull request approvals<\/li>\n\n\n\n<li>Automated security test results<\/li>\n\n\n\n<li>Policy gate decisions<\/li>\n\n\n\n<li>Signed release artifacts<\/li>\n<\/ul>\n\n\n\n<p>Pipelines in regulated environments function as control systems \u2014 not just automation tools.<\/p>\n\n\n\n<p><strong>Runtime Evidence &amp; Retention<\/strong><\/p>\n\n\n\n<p>Production environments must provide:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized logging<\/li>\n\n\n\n<li>Security monitoring<\/li>\n\n\n\n<li>Incident tracking<\/li>\n\n\n\n<li>Retention and access governance<\/li>\n<\/ul>\n\n\n\n<p>Evidence must remain accessible for audit \u2014 sometimes years after deployment.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Every change is traceable.<br>Every control produces evidence.<br>Evidence is retained and accessible for audit.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Compliance in Regulated Enterprise Environments<\/strong><\/h2>\n\n\n\n<p>Regulated industries \u2014 banking, insurance, healthcare, critical infrastructure \u2014 are subject to <strong>multiple overlapping obligations<\/strong>, including:<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">Regulations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/dora\/\" data-type=\"page\" data-id=\"919\">DORA<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/nis2\/\" data-type=\"page\" data-id=\"921\">NIS2<\/a><\/li>\n\n\n<li>GDPR<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Standards<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/iso-27001\/\">ISO\/IEC 27001<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/compliance\/pci-dss\/\">PCI DSS<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit frameworks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SOC 2<\/li>\n<\/ul>\n\n\n\n<p>These frameworks differ in scope, but share a requirement:<br>\ud83d\udc49 Demonstrable, continuous control.<\/p>\n\n\n\n<p>Compliance cannot rely on periodic audits alone.<br>It must be embedded in daily operations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Compliance Controls by Category<\/strong><\/h2>\n\n\n\n<p>Effective compliance relies on a balanced set of controls:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Preventive<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access control<\/li>\n\n\n\n<li>Policy enforcement<\/li>\n\n\n\n<li>Secure defaults<\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/glossary\/#segregation-of-duties\">Segregation of duties<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Detective<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Logging<\/li>\n\n\n\n<li>Monitoring<\/li>\n\n\n\n<li>Continuous security testing<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Corrective<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Incident response<\/li>\n\n\n\n<li>Rollback mechanisms<\/li>\n\n\n\n<li>Remediation tracking<\/li>\n<\/ul>\n\n\n\n<p>A mature organization balances all 
three.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Continuous Compliance<\/strong><\/h2>\n\n\n\n<p>In modern regulated environments:<br>Compliance is not an annual event.<br>It is continuous.<\/p>\n\n\n\n<p>CI\/CD pipelines enable this by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automating policy enforcement<\/li>\n\n\n\n<li>Blocking non-compliant changes<\/li>\n\n\n\n<li>Generating audit-ready logs<\/li>\n\n\n\n<li>Preserving traceability by design<\/li>\n<\/ul>\n\n\n\n<p>When architecture enforces control, compliance becomes a property of the system. See <a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/continuous-compliance-via-ci-cd\/\">Continuous Compliance via CI\/CD<\/a> and <a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/continuous-auditing-vs-point-in-time-audits\/\">Continuous Auditing vs Point-in-Time Audits<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Regulatory Deep Dives<\/strong><\/h2>\n\n\n\n<p>This site provides in-depth coverage across five regulatory and assurance frameworks. 
Each hub page offers regulation-specific guidance, controls mappings, auditor checklists, and evidence references.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Framework<\/strong><\/th><th><strong>Type<\/strong><\/th><th><strong>Scope<\/strong><\/th><th><strong>Hub Page<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>DORA<\/strong><\/td><td>Regulation<\/td><td>EU financial entities \u2014 ICT risk, third-party governance, resilience testing<\/td><td><a href=\"https:\/\/regulated-devsecops.com\/compliance\/dora\/\">DORA Hub<\/a><\/td><\/tr><tr><td><strong>NIS2<\/strong><\/td><td>Regulation<\/td><td>Essential &amp; important entities \u2014 supply chain, incident reporting, risk management<\/td><td><a href=\"https:\/\/regulated-devsecops.com\/compliance\/nis2\/\">NIS2 Hub<\/a><\/td><\/tr><tr><td><strong>ISO 27001<\/strong><\/td><td>Standard<\/td><td>Any organisation \u2014 ISMS, Annex A controls, certification<\/td><td><a href=\"https:\/\/regulated-devsecops.com\/compliance\/iso-27001\/\">ISO 27001 Hub<\/a><\/td><\/tr><tr><td><strong>SOC 2<\/strong><\/td><td>Assurance<\/td><td>Service organisations \u2014 Trust Service Criteria, Type I\/II reports<\/td><td><a href=\"https:\/\/regulated-devsecops.com\/compliance\/soc-2\/\">SOC 2 Hub<\/a><\/td><\/tr><tr><td><strong>PCI DSS<\/strong><\/td><td>Standard<\/td><td>Cardholder data environments \u2014 secure development, access, logging<\/td><td><a href=\"https:\/\/regulated-devsecops.com\/compliance\/pci-dss\/\">PCI DSS Hub<\/a><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>DORA<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-compliance-architecture-ci-cd-as-a-regulated-ict-system\/\">DORA Compliance Architecture \u2014 CI\/CD as a Regulated ICT System<\/a><\/li>\n\n\n<li><a 
href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-article-21-deep-dive-enforcing-ict-risk-controls-via-ci-cd\/\">DORA Article 21 Deep Dive \u2014 ICT Risk Controls<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-article-28-explained-managing-ict-third-party-risk-in-ci-cd-and-cloud-environments\/\">DORA Article 28 \u2014 Third-Party ICT Risk<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dora-article-28-auditor-checklist\/\">DORA Article 28 \u2014 Auditor Checklist<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>NIS2<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/nis2-security-architecture-explained\/\">NIS2 Security Architecture Explained<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/nis2-article-21-ci-cd-controls-mapping\/\">NIS2 Article 21 \u2014 CI\/CD Controls Mapping<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/nis2-supply-chain-security-auditing-third-party-components-in-ci-cd\/\">NIS2 Supply Chain Security \u2014 Auditing Third-Party Components<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/nis2-audit-checklist-evidence-pack-for-compliance-officers\/\">NIS2 Audit Checklist \u2014 Evidence Pack<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>ISO 27001<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/iso-27001-annex-a-controls-mapped-to-ci-cd-pipelines\/\">ISO 27001 Annex A Controls Mapped to CI\/CD Pipelines<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/iso-27001-a-14-deep-dive-system-development-and-maintenance-in-ci-cd\/\">ISO 27001 A.14 Deep Dive \u2014 System Development and 
Maintenance<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/iso-27001-certification-what-ci-cd-evidence-auditors-require\/\">ISO 27001 Certification \u2014 CI\/CD Evidence Requirements<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>SOC 2<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/soc-2-trust-service-criteria-mapped-to-pipeline-controls\/\">SOC 2 Trust Service Criteria Mapped to Pipeline Controls<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/soc-2-type-ii-sustained-ci-cd-evidence-requirements\/\">SOC 2 Type II \u2014 Sustained CI\/CD Evidence Requirements<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/soc-2-readiness-assessment-ci-cd-specific-checklist\/\">SOC 2 Readiness Assessment \u2014 CI\/CD-Specific Checklist<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>PCI DSS<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/pci-dss-v4-0-software-delivery-requirements-requirement-6-deep-dive\/\">PCI DSS v4.0 \u2014 Requirement 6 Deep Dive<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/pci-dss-and-ci-cd-what-qsas-need-to-verify\/\">PCI DSS and CI\/CD \u2014 What QSAs Need to Verify<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Cross-Regulation Comparisons<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/cross-regulation-comparisons\/iso-27001-vs-dora-vs-nis2-controls-overlap-matrix\/\">ISO 27001 vs DORA vs NIS2 \u2014 Controls Overlap Matrix<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/cross-regulation-comparisons\/nis2-vs-dora-overlap-analysis-for-dual-regulated-entities\/\">NIS2 vs DORA \u2014 Overlap Analysis for Dual-Regulated 
Entities<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/dual-compliance-architecture-explained\/\">Dual-Compliance Architecture Explained<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Audit &amp; Evidence<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/executive-audit-briefing-ci-cd-pipelines-in-regulated-environments\/\">Executive Audit Briefing<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/how-auditors-actually-review-ci-cd-pipelines\/\">How Auditors Actually Review CI\/CD Pipelines<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/audit-day-playbook-how-to-handle-ci-cd-audits-in-regulated-environments\/\">Audit Day Playbook<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/building-evidence-repository-continuous-compliance\/\">Building an Evidence Repository for Continuous Compliance<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/continuous-auditing-vs-point-in-time-audits\/\">Continuous Auditing vs Point-in-Time Audits<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/audit-evidence\/common-audit-findings-ci-cd-top-10-failures\/\">Common Audit Findings \u2014 Top 10 CI\/CD Failures<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Related Security Domains<\/strong><\/h2>\n\n\n\n<p>Compliance does not exist in isolation.<br>It depends on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/architecture\/\" data-type=\"page\" data-id=\"923\">Architecture<\/a><\/strong> \u2014 enforcement models and system design<\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-security\/\" data-type=\"page\" data-id=\"11\"><strong>CI\/CD Security<\/strong> <\/a>\u2014 
pipelines as regulated systems<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/devsecops\/\" data-type=\"page\" data-id=\"13\">DevSecOps<\/a><\/strong> \u2014 secure ways of working<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/application-security\/\" data-type=\"page\" data-id=\"746\">Application Security<\/a><\/strong> \u2014 secure design and runtime protection<\/li>\n<\/ul>\n\n\n\n<p>Together, these domains create continuous, auditable resilience.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Final Principle<\/strong><\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Compliance in regulated environments is not about reporting. It is about control.<\/p>\n<\/blockquote>\n\n\n\n<p>If your systems enforce policy, generate traceability, and retain evidence by design, audits become verification exercises. If controls are informal or manual, compliance becomes reconstruction.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Related for Auditors<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/glossary\/\">Glossary<\/a> \u2014 Plain-language definitions of technical terms<\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/start-here\/\">Start Here \u2014 Auditor&rsquo;s Guide to CI\/CD Security<\/a><\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/resources\/\">Full Resource Directory<\/a> \u2014 Checklists, evidence packs, controls mappings<\/li>\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/fr\/architecture\/\">Architecture<\/a> \u2014 How CI\/CD enforces controls by design<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Compliance as a technical property \u2014 not a documentation exercise. In regulated environments, compliance is not about producing documents. It is about demonstrating control. Regulators, auditors and supervisory authorities expect organisations to prove: Modern compliance must be built directly into: Compliance must be generated &#8230; <a title=\"Conformit\u00e9\" class=\"read-more\" href=\"https:\/\/regulated-devsecops.com\/fr\/compliance\/\" aria-label=\"En savoir plus sur Conformit\u00e9\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":5,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1460","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/pages\/1460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/comments?post=1460"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/pages\/1460\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/media?parent=1460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
