Compliance support
Merula gives teams continuous technical evidence for the domain controls they depend on: DNS, TLS certificates, email authentication, mail transport security, web headers, availability, web hygiene, domain lifecycle and routing. This page explains how those findings relate to recognised standards, security frameworks and guidance — and where the boundary is.
Merula does not certify legal compliance. It continuously monitors externally visible technical controls that commonly support cyber hygiene, audit readiness, customer assurance and NIS2-related risk management. Throughout, a mapping means Merula provides technical evidence that can support a control — never a certification or a claim of full compliance.
OWASP Secure Headers
The HTTP-headers check aligns with the OWASP Secure Headers Project's recommended baseline. Each finding maps to one specific recommendation: missing HSTS, missing X-Content-Type-Options, missing frame-protection (X-Frame-Options or CSP frame-ancestors), version-disclosing headers (Server, X-Powered-By, X-AspNet-Version), and Set-Cookie security flags.
OWASP Top 10:2025
OWASP Top 10 is a risk-awareness catalogue, not a compliance regime — so these are risk-relevance mappings, not conformance claims. We reference the 2025 release. Only a small set of categories has externally observable signals that a domain monitor can genuinely evidence from outside the application; the rest require code-level, authenticated or application-internal access we do not have.
Note: in the 2025 release, Security Misconfiguration moved up from A05 (in 2021) to A02 — the second-most critical category in the consensus. That is the category Merula's headers, email-auth and transport findings most often relate to.
The mapping is at the level of specific findings: a check contributes to a category only when it surfaces the relevant weakness, not by default. The lists below name the checks whose findings can map to each category.
- A02:2025 Security Misconfiguration — HTTP security headers, SPF, DKIM, DMARC, STARTTLS, MTA-STS, TLS-RPT, DANE, CORS policy.
- A04:2025 Cryptographic Failures — TLS certificate (chain, expiry, hostname), protocol and cipher hardening, DNSSEC, CAA records, HSTS enforcement.
- A01:2025 Broken Access Control (partial) — CORS misconfiguration findings and SameSite cookie validation (CWE-1275).
- A07:2025 Authentication Failures (limited external signal) — TLS certificate hostname and chain validation where it affects server identity. Merula does not assess user authentication, sessions, identity providers or account controls.
- A03, A05, A06, A08, A09, A10 — application-internal, out of scope for an external monitor.
CWEs these external checks can surface, by category:
- A02:2025 — CWE-5, CWE-614, CWE-942, CWE-1004 (plus CWE-16 general)
- A04:2025 — CWE-296, CWE-319, CWE-324, CWE-326, CWE-327, CWE-523, CWE-757 (7 of 32)
- A01:2025 — CWE-1275 SameSite, plus CORS overlap with A02
- A07:2025 — CWE-295, CWE-297, CWE-298, CWE-299 (cert validation)
These CWE references describe the externally observable weaknesses Merula can surface today. They are finding-level references, not a claim of full category or CWE coverage.
EU NIS2 Directive — Article 21(2)
NIS2 requires essential and important entities to apply appropriate and proportionate cybersecurity risk-management measures. Merula does not determine scope or compliance, but several Article 21(2) themes can be supported by external technical evidence from the public domain layer:
- (b) Incident handling — change-event detection, the per-domain change log, alert delivery.
- (c) Business continuity (limited) — domain-registration-expiry monitoring evidences the domain-availability slice only; backups, disaster recovery and crisis management are out of scope.
- (g) Cyber-hygiene practices — DNS, certificates, email authentication, transport security and web headers. Much of Merula's monitoring supports this theme.
- (h) Cryptography and encryption policies — TLS protocol + cipher evaluation, STARTTLS, MTA-STS, TLS-RPT, DANE; email authentication (SPF, DKIM, DMARC) sits under (g) above as a cyber-hygiene control.
- (e) Vulnerability handling and disclosure (limited) — the security.txt check evidences a published vulnerability-disclosure channel; secure acquisition, development and maintenance are out of scope.
What Merula does not cover under NIS2:
- (a) Risk analysis and information-system security policies
- (d) Supply-chain security
- (e) Secure acquisition, development and maintenance — except the published vulnerability-disclosure channel evidenced by security.txt
- (f) Policies for assessing the effectiveness of measures
- (i) HR security, access control, asset management
- (j) Multi-factor authentication and secured internal voice/video/text and emergency communications — an internal-controls clause Merula does not observe from outside
Merula provides continuous external evidence for selected technical controls related to the cyber-hygiene and cryptography parts of NIS2 Article 21(2) — specifically (g), (h), the detection side of (b), (c) through domain-registration-expiry monitoring, and the disclosure channel of (e) through security.txt.
Recognised security guidance
Merula's email-authentication and transport checks are built on widely used internet standards, and the case for watching them continuously is made by recognised security authorities. The UK's National Cyber Security Centre, in its email-security and anti-spoofing guidance, recommends that organisations deploy SPF, DKIM and DMARC to reduce domain spoofing, move a DMARC policy towards enforcement in stages — monitoring the reports before tightening — and protect email in transit with TLS. Those are the same controls Merula monitors and the same staged journey it helps you follow.
Reference: NCSC (UK) — Email security and anti-spoofing. UK National Cyber Security Centre, Email security and anti-spoofing guidance.
European threat context
ENISA's Threat Landscape 2025 is a threat-centric analysis of incidents across the EU — the externally documented reason continuous domain hygiene is worth the attention. It reinforces the case for continuous visibility: the pattern of overlapping, persistent campaigns it describes is exactly what makes point-in-time checks insufficient.
A Merula finding is technical evidence about the public layer of your domains — what is observable from outside, and how it has changed over time.
Reference: ENISA Threat Landscape 2025 — threat-context reference. ENISA, Threat Landscape 2025 (October 2025) — a threat-centric analysis of around 4,875 incidents across the EU, July 2024 – June 2025.
Standards & RFCs
Every check is grounded in named standards, specifications or recognised security guidance. We avoid vague "best practice" language where a more precise reference exists. The chip strip on each check in your dashboard surfaces which standards that check evidences.
IETF (RFC)
- DNS resolution and integrity — RFC 1034, 1035, 2181, 2182, 3596, 4033–4035 (DNSSEC), 8659 (CAA)
- TLS for HTTPS — RFC 5246 (1.2), 8446 (1.3), 8996 (1.0/1.1 deprecation), 9525 (modern hostname validation), plus 7465 / 7457 / 8447 for cipher hygiene
- Email authentication — RFC 7208 (SPF), 6376 (DKIM), 7489 (DMARC)
- SMTP transport security — RFC 3207 (STARTTLS), 5321 (SMTP), 8461 (MTA-STS), 8460 (TLS-RPT), 6698 / 7671 / 7672 (DANE / TLSA)
- HTTP and headers — RFC 9110, 9112 (HTTP semantics + messaging), 6797 (HSTS), 6265bis (cookie security flags)
- Web hygiene — RFC 9309 (robots.txt), RFC 9116 (security.txt)
Web platform (W3C / WHATWG)
Modern browser-platform headers aren't IETF-tracked. The HTTP security-headers check covers the W3C / WHATWG specs: CSP Level 3, Cross-Origin-Opener-Policy, COEP, CORP, Referrer Policy, Permissions Policy, and Fetch (CORS). The recommended baseline we follow is the OWASP Secure Headers Project.
Industry baselines
- Mozilla SSL Configuration Generator (Intermediate baseline) — anchors the cipher-pattern list in our TLS hardening evaluation. Updated quarterly.
- NIST SP 800-52 Rev. 2 — US-government TLS configuration guideline. Relevant for US-centric customers and EU subsidiaries doing US business.
- CIS Benchmarks (NGINX, Apache, generic web-server) — server hardening lists. Our HTTP-headers and TLS checks cover the externally observable subset.
- sitemaps.org — XML sitemap structure (not an RFC, but the de facto standard).
Continuous evidence over time
Each check runs on a cadence matched to how fast its signal changes: most every hour on every enabled domain, the SMTP transport probes (STARTTLS, DANE) every six hours, the domain-registry and registrar-lock checks daily, and route-origin (RPKI) weekly — within the connection, registry and external-source limits each one faces. Each result is recorded; every status transition writes a change event. The audit trail is per-standard, not just per-check — you can answer "when did our RFC 8461 enforcement break?" with a specific change event, not a forensic exercise.
External references & further reading
The sources below inform how Merula is built and explain why continuous domain and email-security hygiene is worth the attention — recognised, independent references from standards bodies, national security authorities and ecosystem requirements.
- Internet standards (IETF / RFC) — the protocol specifications behind every check, catalogued above: DNS and DNSSEC, TLS, SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE/TLSA, CAA, HSTS, robots.txt and security.txt. Merula's checks are based on these widely adopted standards rather than on bespoke rules.
- NCSC (UK) — Email security and anti-spoofing — practical guidance from a national cyber-security authority on deploying SPF, DKIM and DMARC, moving to an enforced DMARC policy in stages, and protecting email in transit. NCSC: Email security and anti-spoofing ↗
- European national cybersecurity authorities — several national authorities publish guidance that points in the same direction as the standards above, especially around email authentication, DNSSEC and secure transport. Germany's BSI sets out email authentication (SPF, DKIM, DMARC) and secure transport (STARTTLS, DANE, MTA-STS) in its technical guidelines TR-03182 and TR-03108; the Netherlands' NCSC, France's ANSSI, Denmark's CFCS, Finland's NCSC-FI (Traficom) and Spain's INCIBE publish equivalent guidance on email authentication, DNSSEC and transport security. In some jurisdictions, email-authentication expectations have also moved from guidance into legal or sector-specific requirements for certain providers or public-sector bodies. The controls Merula monitors are the ones these recognised authorities recommend. BSI TR-03182 ↗ · NCSC (NL) ↗
- ENISA — European cyber-security context: the Threat Landscape 2025 (why continuous, convergent campaigns make ongoing hygiene matter) and the SME report's framing of cybersecurity as a continuous, consistent effort. ENISA Threat Landscape 2025 ↗
- OWASP — the Top 10:2025 and the Secure Headers Project, mapped per check in our framework mappings and summarised above. OWASP Top 10 ↗
- NIST — Cybersecurity Framework 2.0, SP 800-53 Rev. 5 and SP 800-177 (Trustworthy Email), referenced for their email-security and configuration vocabulary and mapped per check in our framework mappings.
- Mailbox-provider sender requirements — the bulk-sender authentication rules introduced by large mailbox providers (Gmail and Yahoo from February 2024; Microsoft Outlook from May 2025) make correct SPF, DKIM and DMARC increasingly important for deliverability and trust, not only for security. These are ecosystem requirements set by mail receivers; the dated facts are explained on the small-business track.
NIS2 does not mandate a specific DMARC setup for every organisation, but it raises expectations on cybersecurity risk management, governance and effective controls — Merula supports a concrete, externally observable slice of that. The detailed NIS2 mapping is earlier on this page; the full machine-rendered tables are in the framework mappings.
Where Merula's data lives — residency vs sovereignty
We're built and operated under Swedish law, by a Stockholm-based team, under Adspace Nordic AB. Our infrastructure runs in AWS in the Stockholm region, with backups in the same region.
That gives you EU data residency: customer records, check history, alert metadata, and DMARC reports physically reside in EU AWS regions. We do not replicate to non-EU regions, and we do not transfer data to processors outside the EEA except where contractually necessary (Stripe for billing).
It does not give you full data sovereignty. AWS is a US-headquartered provider. Under US law, including the CLOUD Act, US authorities may seek access to data held by US providers even when the data is stored outside the United States. Separate US intelligence authorities, such as Executive Order 12333, are part of the broader legal context considered in EU transfer-risk assessments. The Schrems II ruling (CJEU C-311/18, 2020) and the EU–US Data Privacy Framework sit in that legal landscape. The Framework changes the transfer-risk assessment but does not remove the need for customers with strict sovereignty requirements to make their own assessment.
What this means in practice:
- For the commercial SMB monitoring use case Merula targets, EU-region hosting on AWS is a common and pragmatic architecture. Most EU SMBs and agencies run on AWS, GCP, or Azure already; the data Merula stores is no more sensitive than what they already host with the same providers.
- For defence, government, regulated critical-infrastructure operators, or organisations subject to specific sovereignty mandates — AWS-based EU residency may not be sufficient. Merula does not currently target this segment; we will announce a sovereign-cloud variant if and when it makes commercial sense to operate one.
We state this plainly so prospective customers can make the assessment with the actual facts in hand.
The structured matrix
For the structured check-by-check matrix, see Standards & framework mappings.