Automate the application of compliance frameworks as 'default' based on certain project meta-data (e.g. labels)
# Background

Please read [this epic](https://gitlab.com/groups/gitlab-org/-/epics/17111) to understand the background to this initiative.

# Problem

Because of the number of different compliance frameworks and standards an organization may have to follow, there can be a case where the requirements and controls do not overlap with each other but still need to be applied to all projects within a group. This is usually solved by applying [a default compliance framework](https://docs.gitlab.com/user/compliance/compliance_frameworks/#default-compliance-frameworks), which applies a chosen compliance framework automatically to all projects within a group. However, a key issue is that the default compliance framework only supports one framework rather than multiple.

# Solution

One way to solve this problem is to allow a default compliance framework to apply multiple compliance framework labels to projects within a group. Frameworks and their associated policies could be applied to multiple projects within a group or instance if we map compliance framework labels, with policies scoped through those labels, onto projects based on certain metadata. We are assuming that `Labels` may be an appropriate type of metadata for mapping compliance framework labels and policies in an automatic way.
For example:

* Organization A operates in both the financial industry and in Europe, and might have to follow the following frameworks in different jurisdictions:
  * USA:
    * California Consumer Privacy Act (CCPA)
    * Payment Card Industry Data Security Standard (PCI DSS)
    * Financial Industry Regulatory Authority (FINRA) rules
  * European Union:
    * European Banking Authority (EBA) regulations
    * General Data Protection Regulation (GDPR)
    * Payment Services Directive 2 (PSD2)
* A GitLab instance could be structured so that all projects are given a geographical tag:
  * For example, projects in the USA are tagged with `~geo::america` and projects in Europe are tagged with `~geo::eu`.
* A rule can then be created where:
  * for projects with the `~geo::america` tag,
  * the following compliance frameworks are applied by default:
    * CCPA
    * PCI DSS
    * FINRA; and
  * these are applied to all existing projects, and to any new projects that are created, which have the `~geo::america` tag.

The example used here is based on geographical region but, because labels are flexible, this should map to a wide variety of use cases and expands the default compliance framework system we have in place for a single framework to cover situations where multiple compliance frameworks need to be set by default.

We are still exploring the results, implications, risks and rewards of allowing this, so please feel free to provide feedback on this issue with your use case to help inform our decision making here.

# Personas

* [Cameron (Compliance Manager)](https://handbook.gitlab.com/handbook/product/personas/#cameron-compliance-manager)

# Next steps

* [ ] Require review of epic by compliance product trio
* [ ] Problem validation for workflow to improve ease of use in creation workflow
* [ ] Research competitor products in this space
* [ ] Could you clarify the technical possibilities?
* [ ] Design explorations for compliance

<!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->

> [!important]
>
> This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

<!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->
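The label-to-framework rule from the Solution section, worked through as an added Python example; this is not GitLab code and not part of the issue. It assumes a constructed rule table keyed by scoped label (the `geo::` rows mirror the issue's example; the `industry::payments` row, the `Baseline` fallback framework and the sample projects are hypothetical) and goes slightly beyond the text: a project carrying labels from more than one scope gets the union of every matching rule, `apply_defaults` is the hook that runs for a new project or on a label change, and `audit_group` reports existing projects whose applied frameworks fall short of what their labels require, which is the drift check a compliance manager would want before trusting the defaults.

```python
"""Added example: resolve compliance frameworks from scoped labels and audit drift."""
from dataclasses import dataclass, field

# Constructed rule table (not GitLab's own): scoped label -> frameworks that
# label requires. The geo:: rows follow the issue's worked example; the
# industry:: row is hypothetical, added so one project can match two rules.
DEFAULT_FRAMEWORK_RULES: dict[str, frozenset[str]] = {
    "geo::america": frozenset({"CCPA", "PCI DSS", "FINRA"}),
    "geo::eu": frozenset({"EBA", "GDPR", "PSD2"}),
    "industry::payments": frozenset({"PCI DSS"}),
}

# Today's single default compliance framework, used when no rule matches
# (hypothetical name).
GROUP_DEFAULT_FRAMEWORK = "Baseline"


@dataclass
class Project:
    name: str
    labels: set[str] = field(default_factory=set)
    frameworks: set[str] = field(default_factory=set)  # currently applied


def required_frameworks(labels, rules=DEFAULT_FRAMEWORK_RULES,
                        fallback=GROUP_DEFAULT_FRAMEWORK):
    """Union of the frameworks demanded by every rule whose label the project
    carries; falls back to the single group default when nothing matches."""
    required: set[str] = set()
    for label in labels:
        required |= rules.get(label, frozenset())
    return required or {fallback}


def audit_group(projects, rules=DEFAULT_FRAMEWORK_RULES,
                fallback=GROUP_DEFAULT_FRAMEWORK):
    """Existing-project check: map each drifting project name to the
    frameworks its labels require but it does not yet carry."""
    drift = {}
    for project in projects:
        missing = required_frameworks(project.labels, rules, fallback) - project.frameworks
        if missing:
            drift[project.name] = missing
    return drift


def apply_defaults(project, rules=DEFAULT_FRAMEWORK_RULES,
                   fallback=GROUP_DEFAULT_FRAMEWORK):
    """New-project / label-change hook: add whatever is missing and never
    remove frameworks that were assigned by hand. Returns the frameworks added."""
    added = required_frameworks(project.labels, rules, fallback) - project.frameworks
    project.frameworks |= added
    return added


def sample_projects():
    """Constructed sample data for this example, not real projects."""
    return [
        Project("payments-api", {"geo::america"}, {"CCPA", "PCI DSS", "FINRA"}),
        Project("ledger-eu", {"geo::eu", "industry::payments"}, {"GDPR"}),
        Project("docs-site", set(), set()),
    ]


if __name__ == "__main__":
    projects = sample_projects()
    print("drift before:", audit_group(projects))
    for p in projects:
        apply_defaults(p)
    print("drift after:", audit_group(projects))
```

Running the audit first and the apply step second mirrors how a rollout would go: the audit shows which existing projects the new multi-framework defaults would change, and the apply step only ever adds frameworks, so a manually assigned framework is never silently dropped.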