Four frameworks. One solution.
Cyber Essentials Plus v3.3
The April 2026 update to Cyber Essentials Plus v3.3 introduces mandatory automated metadata sanitization requirements. Manual processes are explicitly excluded.
Digital Operational Resilience Act
DORA requires documented evidence of data sanitization processes, immutable audit trails, and automated ICT risk controls for all regulated financial entities.
UK GDPR — Article 25
Data Protection by Design requires that personal data embedded in documents is removed before external transmission. Metadata is explicitly classified as personal data under UK GDPR.
NCSC Guidance — Document Metadata
NCSC's official guidance on document metadata risks explicitly recommends automated sanitization tools and warns against manual processes for organisations handling sensitive data.
Manual cleaning is no longer compliant.
The April 2026 update explicitly requires automated tooling. Here is how OPSEC Scrub maps to each new requirement.
| Reference | Requirement | Manual Process | OPSEC Scrub |
|---|---|---|---|
| CE+ 3.3 §4.1 | Automated removal of metadata from outbound files. Manual processes are explicitly excluded from v3.3 compliance. Automated tooling is required. | | |
| CE+ 3.3 §4.2 | Immutable audit log of all sanitization events. Logs must be cryptographically signed and stored in an append-only system. | | |
| CE+ 3.3 §5.1 | PII detection prior to external transmission. Requires automated NLP/NER-based detection, not keyword matching. | | |
| CE+ 3.3 §5.3 | Network-level interception (not endpoint-dependent). Endpoint agents are insufficient; network proxy required for full coverage. | | |
| CE+ 3.3 §6.1 | Evidence trail exportable for IASME auditors. Reports must be generated on-demand in auditor-readable format. | | |
DORA Readiness: Articles 9–19
For financial entities subject to DORA, OPSEC Scrub provides the documented ICT risk controls and operational resilience evidence the regulation demands.
ICT Risk Management
OPSEC Scrub's immutable logs satisfy DORA's requirement for documented ICT risk controls with evidence of continuous operation.
Data Integrity Controls
Cryptographic file hashing (before/after sanitization) provides the data integrity verification DORA mandates for outbound data flows.
Operational Resilience Testing
OPSEC Scrub's API enables automated testing of sanitization coverage as part of your DORA resilience testing programme.
ICT Incident Reporting
Sanitization failure events are automatically escalated to your SIEM, supporting DORA's 4-hour incident notification requirement.
Audit-ready in 30 minutes.
Deploy OPSEC Scrub and your compliance team will have the evidence trail they need for the next audit cycle — automatically generated, cryptographically signed.
