Primary sources

Resources

The texts and standards used in Clewline's advisory work. Official regulation texts, technical standards, and open source frameworks — not summaries. For definitions of the terms that show up in audits and architecture reviews, see the Glossary. For the latest developments and what they mean in practice, see the Regulatory updates feed. For curated CVE-style alerts with operational context, see Vulnerability alerts.

For the public Sovereign Scan tools: try.html (default framing), try-tribal.html (tribal briefing). Kubernetes upstream: calibration case study explains the frozen calibration benchmark. For long-form research, see Research papers.

Tracker refresh: · Briefing feed:

EU regulations — official texts
EU AI Act — Official Journal text
Regulation (EU) 2024/1689 · EUR-Lex
DORA — Digital Operational Resilience Act
Regulation (EU) 2022/2554 · EUR-Lex
NIS2 Directive
Directive (EU) 2022/2555 · EUR-Lex
Cyber Resilience Act (CRA)
Regulation (EU) 2024/2847 · EUR-Lex
Technical standards and frameworks
SLSA — Supply chain Levels for Software Artefacts
OpenSSF · Framework for supply chain integrity
OpenSSF Scorecard
OpenSSF · Automated security health checks for open source
BSI TR-03183-2 — SBOM requirements
German Federal Office for Information Security · CRA technical guidance · v2.1.0 August 2025
NIST AI RMF 1.0
NIST · AI Risk Management Framework
CCC White Papers and Technical Reports
Confidential Computing Consortium · Linux Foundation
Implementation guidance
Clewline CRA implementation hub
Scope classification and Article 14 workflow guides
EU AI Act — Official Implementation Timeline
European Commission AI Act Service Desk
DORA Technical Standards (RTS/ITS)
European Banking Authority · Level 2 implementing measures
CRA — Commission Implementation Page
European Commission Digital Strategy
Writing
Code, Chips and Control
Sal Kimmich · Leanpub · The security posture of digital isolation
Memory Safe Strategy: Mastering the Language Architecture Matrix
Sal Kimmich · HackerNoon · 2024