FINMA-Aligned Infrastructure Verification
Deterministic policy verification against cited FINMA regulatory sources. Offline-first. Airgapped. Engineered for institutions where trust is non-negotiable.
Catch violations before production
Helvetiguard evaluates your Terraform plan against FINMA-derived controls and tells you exactly what's wrong and how to fix it.
```hcl
resource "azurerm_key_vault" "main" {
  name                          = "kv-finma-prod"
  location                      = "Switzerland North"
  sku_name                      = "standard"
  purge_protection_enabled      = true
  public_network_access_enabled = true
  # No network_acls block — violation!
}
```
Helvetiguard Output
The world isn't black and white
Public access with proper network ACLs? That's not a hard failure — it's an exception path that requires CISO approval.
```hcl
resource "azurerm_key_vault" "restricted" {
  name                          = "kv-finma-restricted"
  location                      = "Switzerland North"
  public_network_access_enabled = true
  network_acls {
    default_action = "Deny"
    bypass         = "None"
    ip_rules       = ["203.0.113.0/24"]
    virtual_network_subnet_ids = [
      azurerm_subnet.kv.id
    ]
  }
}
```
Helvetiguard Output
Exception on file
```json
{
  "resource_address": "azurerm_key_vault.restricted",
  "control_id": "FINMA_2023_1.CRITDATA.NET.002",
  "requirement_id": "network_isolated",
  "approved_by": "ciso@bank.ch",
  "approved_at": "2026-03-15T00:00:00Z",
  "expires_at": "2027-03-15T00:00:00Z",
  "justification": "Legacy migration — PNA required until cutover"
}
```
Every policy check traces back to its FINMA source paragraph. No black boxes. No ambiguity. Full auditability.
All relevant circulars
Faithfully extracted, cited to Rz §
Cloud-agnostic requirements
Azure resource-specific
Terraform · Pulumi · Native
See it in action
Follow a single FINMA requirement from the original circular text all the way to a Terraform policy check. Every layer is auditable.
FINMA Circular 2023/1, Margin no. 76-77 — Original regulatory text
“Critical data must be adequately protected from being accessed and used by unauthorised persons during operations and during the development, change and migration of ICT. This also applies to critical data in test environments.”
“The ICT assets that store or process critical data must be afforded particular protection. Access to these data must be regulated systematically and monitored continuously.”
FINMA_2023_1.CRITDATA.NET.002 — Regulatory control
TECH.NET_ISOLATION — Technical control
“Network isolation for critical data assets”
“Regulated systematically” is interpreted as: critical data assets must be isolated from unauthorized network access. Public endpoints must be disabled or restricted with deny-by-default ACLs.
AZURE.KV.NET_ISOLATION — Cloud control
Two compliance paths:
- public_network_access_enabled = false
- public_network_access_enabled = true, but network_acls.default_action = Deny + scoped access + no bypass → requires CISO approval

AZURE.KV.NET_ISOLATION__terraform — Tool binding
```rego
# Generated policy (simplified)
pna_disabled(resource) {
    resource.change.after.public_network_access_enabled == false
}

default_action_deny(resource) {
    acls := resource.change.after.network_acls
    acls.default_action == "Deny"
}
```
terraform show -json output · Deterministic · Offline
Every control traced to specific FINMA circular paragraphs. Human-reviewed, machine-enforced. 40+ regulatory controls covering network isolation, encryption, access control, monitoring, BCM, and data residency.
Deterministic policies generated from regulatory controls. Runs offline in your CI pipeline. Same input always produces same output. Supports Terraform today, Pulumi and native Azure Policy coming soon. 200+ tool bindings across 50+ Azure resource types.
Per-resource, time-bound exceptions with full audit trail. Approved by CISO, enforced by code, reviewed via CODEOWNERS. Exact matching on control + resource + requirement. RFC3339 expiry dates. No shadow compliance.
Tailored to your institution
Every institution is different. Helvetiguard adapts to your FINMA supervisory category, institution type, and risk appetite. Category 5 banks get different rules than Category 1 systemically important institutions.
```json
{
  "version": "1",
  "institution": {
    "type": "bank",
    "category": 3
  },
  "global": {
    "expired_exception_outcome": "fail"
  },
  "parameters": {
    "AZURE.KV.DATA_RESIDENCY": {
      "approved_locations": [
        "switzerlandnorth"
      ]
    }
  }
}
```
Full support with 200+ bindings across 50+ Azure resource types.
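The following is an added worked example, not Helvetiguard's own code, showing how the two compliance paths for AZURE.KV.NET_ISOLATION, the exception record and the `expired_exception_outcome` setting fit together when run over `terraform show -json` output. The plan document, the clock values and the helper names (`evaluate_resource`, `exception_applies`, `evaluate_plan`) are constructed for this example; the exception record and config values are the ones shown above.

```python
"""Evaluate azurerm_key_vault resources from `terraform show -json` plan output
against the network-isolation control, then apply a time-bound exception.
Added example; the plan below is constructed, not real tool output."""
from datetime import datetime, timezone

CONTROL_ID = "FINMA_2023_1.CRITDATA.NET.002"
REQUIREMENT_ID = "network_isolated"

# Constructed plan: the shape of `terraform show -json tfplan`, trimmed to the
# fields the checks read. Values unknown until apply (the subnet id reference)
# are absent from "after", which is how Terraform reports them.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "azurerm_key_vault.main", "type": "azurerm_key_vault",
     "change": {"actions": ["create"], "after": {
         "name": "kv-finma-prod", "public_network_access_enabled": True,
         "network_acls": []}}},
    {"address": "azurerm_key_vault.restricted", "type": "azurerm_key_vault",
     "change": {"actions": ["create"], "after": {
         "name": "kv-finma-restricted", "public_network_access_enabled": True,
         "network_acls": [{"default_action": "Deny", "bypass": "None",
                           "ip_rules": ["203.0.113.0/24"],
                           "virtual_network_subnet_ids": None}]}}},
    {"address": "azurerm_key_vault.private", "type": "azurerm_key_vault",
     "change": {"actions": ["create"], "after": {
         "name": "kv-finma-private", "public_network_access_enabled": False}}},
]}

# Exception record and config as shown on the page.
SAMPLE_EXCEPTIONS = [{
    "resource_address": "azurerm_key_vault.restricted",
    "control_id": CONTROL_ID, "requirement_id": REQUIREMENT_ID,
    "approved_by": "ciso@bank.ch",
    "approved_at": "2026-03-15T00:00:00Z", "expires_at": "2027-03-15T00:00:00Z",
    "justification": "Legacy migration - PNA required until cutover"}]
SAMPLE_CONFIG = {"version": "1", "institution": {"type": "bank", "category": 3},
                 "global": {"expired_exception_outcome": "fail"}}

# Constructed evaluation times: inside and after the exception window.
NOW_DURING = datetime(2026, 6, 1, tzinfo=timezone.utc)
NOW_AFTER_EXPIRY = datetime(2027, 6, 1, tzinfo=timezone.utc)


def pna_disabled(after):
    """Path 1: public network access switched off."""
    return after.get("public_network_access_enabled") is False


def acls_deny_by_default(after):
    """Path 2: deny-by-default ACLs, no bypass, and at least one scoped rule."""
    acls = after.get("network_acls") or []
    acls = [acls] if isinstance(acls, dict) else acls  # plan JSON lists blocks
    if not acls:
        return False
    a = acls[0]
    scoped = bool(a.get("ip_rules")) or bool(a.get("virtual_network_subnet_ids"))
    return a.get("default_action") == "Deny" and a.get("bypass") == "None" and scoped


def evaluate_resource(rc):
    """Return 'pass', 'exception_required' or 'fail' for one resource_change."""
    after = rc.get("change", {}).get("after") or {}
    if pna_disabled(after):
        return "pass"
    if acls_deny_by_default(after):
        return "exception_required"  # path 2 needs an approved exception
    return "fail"


def exception_applies(exc, address, now, expired_outcome):
    """Exact match on control + resource + requirement; RFC3339 expiry."""
    key = (exc["resource_address"], exc["control_id"], exc["requirement_id"])
    if key != (address, CONTROL_ID, REQUIREMENT_ID):
        return "fail"
    expires = datetime.fromisoformat(exc["expires_at"].replace("Z", "+00:00"))
    return expired_outcome if now >= expires else "pass"


def evaluate_plan(plan, exceptions, config, now):
    """Map each key vault address in the plan to its final outcome."""
    expired_outcome = config["global"].get("expired_exception_outcome", "fail")
    by_addr = {e["resource_address"]: e for e in exceptions}
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_key_vault":
            continue
        outcome = evaluate_resource(rc)
        if outcome == "exception_required":
            exc = by_addr.get(rc["address"])
            outcome = (exception_applies(exc, rc["address"], now, expired_outcome)
                       if exc else "fail")
        results[rc["address"]] = outcome
    return results


def run_example(now=NOW_DURING):
    return evaluate_plan(SAMPLE_PLAN, SAMPLE_EXCEPTIONS, SAMPLE_CONFIG, now)


if __name__ == "__main__":
    for addr, outcome in run_example().items():
        print(f"{addr}: {outcome}")
    print("after expiry:", run_example(NOW_AFTER_EXPIRY)["azurerm_key_vault.restricted"])
```

With the clock inside the exception window, `kv-finma-prod` fails (public access and no ACLs), `kv-finma-restricted` passes only because a matching exception is on file, and `kv-finma-private` passes outright. Once `expires_at` is behind the clock the same restricted vault falls to the `expired_exception_outcome` from the config, so an exception that has quietly lapsed cannot keep a pipeline green.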
Join the early access program for Pulumi infrastructure-as-code support.
Azure Policy and AWS Config integration. Contact us for early access.
Generic scanners check best practices. Helvetiguard enforces Swiss financial regulation.
| Capability | Helvetiguard | Checkov / tfsec | Azure Policy | Sentinel |
|---|---|---|---|---|
| FINMA-specific controls | ✓ | — | — | — |
| Traced to circular § | ✓ | — | — | — |
| Proportionality (Cat 1-5) | ✓ | — | — | — |
| Auditable exceptions | ✓ | — | Partial | — |
| Offline / airgapped | ✓ | ✓ | — | — |
| Remediation guidance | ✓ | Partial | — | — |
Built in Switzerland
Your infrastructure data never leaves your pipeline. Evaluation runs entirely offline. No cloud dependency at runtime. No telemetry. No phone-home.
Every control decision is traceable to its FINMA source. Every exception has an approval chain. Every evaluation is deterministic and reproducible.
FINMA supervisory categories 1-5. Proportionality filtering. Institution-specific risk appetite. Per-control parameter overrides. Your compliance, your rules.
See Helvetiguard evaluate your Terraform plans against FINMA regulations in real time.