CityZeen® is supervised by the Luxembourg CSSF and operates under MiFID II, AIFMD and SFDR. The pages that follow set out our operational regulatory framework and our roadmap toward the enterprise security standards institutional buyers request — SOC 2, ISO 27001, ISO 42001.
These are the operational regulations that govern CityZeen® today, under the supervision of the Luxembourg CSSF. They are publicly stated on /compliance and binding on every entity in the group.
| Framework | What it is | Status |
|---|---|---|
| CSSF · Luxembourg | Primary supervisor. Commission de Surveillance du Secteur Financier. | In force |
| MiFID II | Markets in Financial Instruments Directive II — professional client framework, best execution, transaction reporting. | In force |
| AIFMD | Alternative Investment Fund Managers Directive — Luxembourg AIF structure, depositary, risk-management framework. | In force |
| SFDR | Sustainable Finance Disclosure Regulation — Article 8 & 9 classification, PAI reporting, taxonomy alignment. | In force |
| GDPR | Regulation (EU) 2016/679 — Art. 6 lawful basis, Art. 30 record of processing activities (ROPA), Art. 35 DPIA, Art. 33 notification of a personal-data breach to the supervisory authority within 72 hours. | In force |
| eIDAS | Electronic identification & trust services — qualified signatures on regulated documents. | In force |
| AML5 / AML6 | EU Anti-Money Laundering Directives — KYC/KYB, beneficial-ownership transparency, suspicious-transaction reporting. | In force |
| CSSF Circular 22/806 | Outsourcing arrangements, including ICT outsourcing — governs the due diligence on and ongoing oversight of outsourced providers such as identity-verification vendors, including their data-protection posture. | In force |
These are the attestations and certifications institutional procurement teams ask for in vendor security questionnaires. They evidence enterprise security controls and are distinct from regulatory licensing. CityZeen® does not currently hold any of them; the roadmap below is what we publish.
| Standard | What it covers | Target |
|---|---|---|
| SOC 2 Type II | AICPA attestation against the Trust Services Criteria — Security (always), Availability, Confidentiality, Processing Integrity, Privacy. Type II covers a 6–12 month observation window. The most-asked attestation in US / UK institutional procurement. | Roadmap Type I [20XX-Qx] · Type II [20XX-Qx] |
| ISO/IEC 27001:2022 | Information Security Management System (ISMS) certified against the 93 Annex A controls across four themes (organisational · people · physical · technological). Stage 1 + Stage 2 audit; 3-year recertification with annual surveillance. | Roadmap Stage 1 [20XX-Qx] · Stage 2 [20XX-Qx] |
| ISO/IEC 42001 | AI Management System (AIMS) — AI risk assessment, AI impact assessment, AI-specific Annex A controls. Structural way to demonstrate EU AI Act alignment. Scope: AME asset-matching engine, ASK AI concierge, Dynamic Pricing, Taxonomy. | Roadmap Alongside ISO 27001 |
| NIST CSF 2.0 | Voluntary US framework — Govern · Identify · Protect · Detect · Respond · Recover. Not certifiable. Used as a control-mapping and board-reporting lens, paired with SOC 2 / ISO 27001 for executive reporting. | Adopted internally |
| Annual independent pen test | Black-box + grey-box network and application testing by an accredited firm. Summary report shared with institutional counterparties under NDA. Prerequisite for credible SOC 2 / ISO 27001 readiness. | Roadmap First test [20XX-Qx] |
| HIPAA · PCI DSS · FedRAMP · SOX ITGC · TSA | US healthcare · payment-card data · US federal cloud · listed-company IT · US transport. Not applicable to CityZeen's institutional capital-markets perimeter. | Not applicable |