FINMA-Aligned Infrastructure Verification
Deterministic policy verification against cited FINMA regulatory sources. Offline-first. Airgapped. Engineered for institutions where trust is non-negotiable.
Catch violations before production
Helvetiguard evaluates your Terraform plan against FINMA-derived controls and tells you exactly what's wrong and how to fix it.
```hcl
resource "azurerm_key_vault" "main" {
  name                          = "kv-finma-prod"
  location                      = "Switzerland North"
  sku_name                      = "standard"
  purge_protection_enabled      = true
  public_network_access_enabled = true
  # No network_acls block — violation!
}
```
Helvetiguard Output
The world isn't black and white
Public access with proper network ACLs? That's not a hard failure — it's an exception path that requires CISO approval.
```hcl
resource "azurerm_key_vault" "restricted" {
  name                          = "kv-finma-restricted"
  location                      = "Switzerland North"
  public_network_access_enabled = true
  network_acls {
    default_action             = "Deny"
    bypass                     = "None"
    ip_rules                   = ["203.0.113.0/24"]
    virtual_network_subnet_ids = [
      azurerm_subnet.kv.id
    ]
  }
}
```
Exception on file
```json
{
  "resource_address": "azurerm_key_vault.restricted",
  "control_id": "FINMA_2023_1.RZ076",
  "requirement_id": "network_isolated",
  "approved_by": "ciso@bank.ch",
  "approved_at": "2026-03-15T00:00:00Z",
  "expires_at": "2027-03-15T00:00:00Z",
  "justification": "Legacy migration — PNA required until cutover"
}
```
Helvetiguard Output
Want to see what a full bank evaluation looks like?
Runs where you deploy
Add Helvetiguard to any CI system. No SaaS dependency at evaluation time. The config is delivered once — evaluation runs entirely offline against your Terraform plan.
```yaml
# Compliance check — runs before apply
- name: Terraform Plan
  run: |
    terraform plan -out=tfplan
    terraform show -json tfplan > tfplan.json
- name: Compliance Check
  run: |
    helvetiguard evaluate \
      --contracts contracts/ \
      --plan tfplan.json \
      --config forge.control.config.json
- name: Terraform Apply
  if: success()
  run: terraform apply tfplan
```
Every policy check traces back to its FINMA source paragraph. No black boxes. No ambiguity. Full auditability.
All relevant circulars
Faithfully extracted, cited to Rz §
Cloud-agnostic requirements
Azure resource-specific
Terraform · Pulumi · Native
See it in action
Follow a single FINMA requirement from the original circular text all the way to a Terraform policy check. Every layer is auditable.
FINMA Circular 2023/1, Margin no. 76-77 — Original regulatory text
“Critical data must be adequately protected from being accessed and used by unauthorised persons during operations and during the development, change and migration of ICT. This also applies to critical data in test environments.”
“The ICT assets that store or process critical data must be afforded particular protection. Access to these data must be regulated systematically and monitored continuously.”
FINMA_2023_1.RZ076 — Regulatory control
TECH.NET_ISOLATION — Technical control
“Network isolation for critical data assets”
“Regulated systematically” is interpreted as: critical data assets must be isolated from unauthorized network access. Network exposure must be minimized and systematically controlled.
AZURE.KV.NET_ISOLATION — Cloud control
Two compliance paths:
Path A: public_network_access_enabled = false
Path B: public_network_access_enabled = true with network_acls.default_action = Deny + scoped access + no bypass → requires CISO approval
AZURE.KV.NET_ISOLATION__terraform — Tool binding
```rego
# Generated policy (simplified)
# Path A: private access only
pna_disabled(resource) {
  resource.change.after.public_network_access_enabled == false
}
# Path B: public with restrictions (exception required)
# Each rule binds acls itself; Rego rejects a reference to an unbound variable.
default_action_deny(resource) {
  acls := resource.change.after.network_acls
  acls.default_action == "Deny"
}
allowed_scope_defined(resource) {
  acls := resource.change.after.network_acls
  count(acls.virtual_network_subnet_ids) > 0
}
bypass_disabled(resource) {
  acls := resource.change.after.network_acls
  acls.bypass == "None"
}
```
terraform show -json output · Deterministic · Offline
Every control traced to specific FINMA circular paragraphs. Human-reviewed, machine-enforced. 40+ regulatory controls covering network isolation, encryption, access control, monitoring, BCM, and data residency.
Deterministic policies generated from regulatory controls. Runs offline in your CI pipeline. Same input always produces same output. Supports Terraform today, Pulumi and native Azure Policy coming soon. 200+ tool bindings across 50+ Azure resource types.
Per-resource, time-bound exceptions with full audit trail. Approved by CISO, enforced by code, reviewed via CODEOWNERS. Exact matching on control + resource + requirement. RFC3339 expiry dates. No shadow compliance.
Tailored to your institution
Every institution is different. Helvetiguard adapts to your FINMA supervisory category, institution type, and risk appetite. Category 5 banks get different rules than Category 1 systemically important institutions.
```json
{
  "version": "1",
  "institution": {
    "type": "bank",
    "category": 3
  },
  "global": {
    "expired_exception_outcome": "fail"
  },
  "parameters": {
    "AZURE.KV.DATA_RESIDENCY": {
      "approved_locations": ["switzerlandnorth"]
    },
    "AZURE.OPENAI.DATA_RESIDENCY": {
      "approved_locations": [
        "switzerlandnorth",
        "swedencentral"
      ]
    }
  }
}
```
Full support with 200+ bindings across 50+ Azure resource types.
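The exception path, the two compliance paths of AZURE.KV.NET_ISOLATION, and the `expired_exception_outcome` setting above can be exercised together in one small evaluator. The following Python is an added example written for this page, not Helvetiguard's own code or its output format: it walks the `resource_changes` array of a `terraform show -json` plan, applies Path A and Path B, looks up exception records by exact match on control, resource and requirement, and applies the configured outcome once the RFC3339 expiry has passed. The plan excerpt, the exception record and the config are constructed; the evaluation time is an explicit input so the same inputs always give the same result. Two points go beyond the page's simplified policy and are this example's assumptions: `ip_rules` counts as a valid scope alongside `virtual_network_subnet_ids`, and any `expired_exception_outcome` value other than `fail` is passed through as the outcome label.

```python
"""Added example, not Helvetiguard's own code: a minimal deterministic
evaluator for the AZURE.KV.NET_ISOLATION control described on this page.
Plan excerpt, exception record and config are constructed for the demo;
function names and outcome strings are this example's own."""
import json
from datetime import datetime

CONTROL_ID = "FINMA_2023_1.RZ076"
REQUIREMENT_ID = "network_isolated"

# Constructed excerpt of `terraform show -json tfplan`. The azurerm provider
# emits nested blocks such as network_acls as a list of objects in plan JSON.
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "azurerm_key_vault.main", "type": "azurerm_key_vault",
     "change": {"after": {"public_network_access_enabled": True,
                          "network_acls": []}}},
    {"address": "azurerm_key_vault.restricted", "type": "azurerm_key_vault",
     "change": {"after": {"public_network_access_enabled": True,
                          "network_acls": [{
                              "default_action": "Deny", "bypass": "None",
                              "ip_rules": ["203.0.113.0/24"],
                              "virtual_network_subnet_ids": ["<subnet-id-placeholder>"]}]}}},
    {"address": "azurerm_key_vault.private", "type": "azurerm_key_vault",
     "change": {"after": {"public_network_access_enabled": False}}},
]})

# Constructed exception record in the shape shown on this page.
EXCEPTIONS = [{
    "resource_address": "azurerm_key_vault.restricted",
    "control_id": CONTROL_ID, "requirement_id": REQUIREMENT_ID,
    "approved_by": "ciso@bank.ch",
    "approved_at": "2026-03-15T00:00:00Z", "expires_at": "2027-03-15T00:00:00Z",
    "justification": "Legacy migration - PNA required until cutover",
}]

CONFIG = {"global": {"expired_exception_outcome": "fail"}}


def parse_rfc3339(value):
    """Parse an RFC3339 timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def path_a_private(after):
    """Path A: public network access switched off."""
    return after.get("public_network_access_enabled") is False


def path_b_restricted(after):
    """Path B: public access, but default Deny, no bypass, and a defined scope
    (subnet IDs or IP rules; the page's simplified policy checks subnets only)."""
    acls = after.get("network_acls") or []
    if not acls:
        return False
    acl = acls[0]
    scoped = bool(acl.get("virtual_network_subnet_ids")) or bool(acl.get("ip_rules"))
    return acl.get("default_action") == "Deny" and acl.get("bypass") == "None" and scoped


def find_exception(exceptions, address):
    """Exact match on resource + control + requirement; no wildcards."""
    for ex in exceptions:
        if (ex["resource_address"], ex["control_id"], ex["requirement_id"]) == (
                address, CONTROL_ID, REQUIREMENT_ID):
            return ex
    return None


def evaluate(plan_json, exceptions, config, now_rfc3339):
    """Return {address: outcome}. The clock is an explicit input so that the
    same plan, exceptions, config and time always yield the same result."""
    now = parse_rfc3339(now_rfc3339)
    results = {}
    for rc in json.loads(plan_json)["resource_changes"]:
        if rc["type"] != "azurerm_key_vault":
            continue
        after = rc["change"].get("after") or {}
        if path_a_private(after):
            results[rc["address"]] = "pass"
        elif path_b_restricted(after):
            ex = find_exception(exceptions, rc["address"])
            if ex is None:
                results[rc["address"]] = "fail: exception required for public access"
            elif parse_rfc3339(ex["expires_at"]) > now:
                results[rc["address"]] = "pass: exception approved by " + ex["approved_by"]
            else:
                outcome = config["global"].get("expired_exception_outcome", "fail")
                results[rc["address"]] = outcome + ": exception expired " + ex["expires_at"]
        else:
            results[rc["address"]] = ("fail: set public_network_access_enabled = false "
                                      "or add network_acls with default_action = Deny")
    return results


if __name__ == "__main__":
    for address, outcome in evaluate(PLAN_JSON, EXCEPTIONS, CONFIG,
                                     "2026-06-01T00:00:00Z").items():
        print(address, "->", outcome)
```

Running the block at a time before the exception's `expires_at` passes `restricted` on the exception path and fails `main` with a remediation hint; re-running it with a later clock turns the `restricted` result into the configured expired-exception outcome without any other input changing, which is the property the page calls deterministic and reproducible.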
Join the early access program for Pulumi infrastructure-as-code support.
Azure Policy and AWS Config integration. Contact us for early access.
Generic scanners check best practices. Helvetiguard enforces Swiss financial regulation.
| Capability | Helvetiguard | Checkov / tfsec | Azure Policy | Sentinel |
|---|---|---|---|---|
| FINMA-specific controls | ✓ | — | — | — |
| Traced to circular § | ✓ | — | — | — |
| Proportionality (Cat 1-5) | ✓ | — | — | — |
| Auditable exceptions | ✓ | — | Partial | — |
| Offline / airgapped | ✓ | ✓ | — | — |
| Remediation guidance | ✓ | Partial | — | — |
Built in Switzerland
We come from years of experience in FINMA-regulated environments. As former management team members at Swiss financial institutions, we understand the pain of managing infrastructure resources that aren't compliant — and the audit pressure that comes with it.
Helvetiguard exists because we built what we needed ourselves.
Your infrastructure data never leaves your pipeline. Evaluation runs entirely offline. No cloud dependency at runtime. No telemetry. No phone-home.
Every control decision is traceable to its FINMA source. Every exception has an approval chain. Every evaluation is deterministic and reproducible.
FINMA supervisory categories 1-5. Proportionality filtering. Institution-specific risk appetite. Per-control parameter overrides. Your compliance, your rules.
See Helvetiguard evaluate your Terraform plans against FINMA regulations in real time.