Sphereon
From governance to runtime enforcement
Verification answers one question: is this data authentic? It does not answer what may happen next. A governed decision requires three more things: a policy that defines what access or action follows, evidence of what was checked and when, and an audit trail that can prove the decision later.
Most organisations can verify a credential. Fewer can answer what their systems decided to do with that verified data, under which version of policy, with what evidence retained, and how that decision can be reproduced in an audit two years later.
That gap is where regulatory exposure lives. NIS2 and eIDAS 2.0 do not ask whether credentials were checked. They ask whether appropriate measures were applied consistently and whether the organisation can prove it.
Verification is one step, not the answer.
A credential verifier confirms that a credential is cryptographically intact, issued by a trusted source, and not revoked.
That is necessary, but it is not sufficient!
After verification, the organisation still needs to decide: does this person or organisation meet the policy threshold? Is the legal basis for processing in place? What access or action is authorised? And if this decision is challenged later, what record exists to support it?
The policy layer.
A verified credential establishes that a claim is authentic. Policy determines whether that claim is sufficient: does the level of assurance meet the threshold? Is the credential type accepted for this purpose? Does any additional condition apply?
Runtime policy enforcement means these questions are evaluated automatically, at the moment of verification, against a defined and versioned policy. The result is a go/no-go decision with a documented basis, not a judgment call made differently by different systems at different times.
The evidence layer.
The evidence layer captures what was checked, when, which policy version applied, what the result was, and what action followed. That record is tamper-proof and retained according to the attribute’s defined retention obligation.
Without structured evidence, the organisation can describe what its systems were designed to do. It cannot prove what they actually did, in which context, under which policy, and with what result. That is precisely the distinction regulators and auditors make.
Three layers. One governed decision.
Verification, policy, and evidence are not three separate operations. They are three layers of a single governed decision. Each depends on the others. Verification without policy produces an authenticated result with no defined consequence. Policy without evidence produces a decision that cannot be proven. Evidence without policy produces a record with no governed basis.
When all three layers are in place, every verification event becomes a governed decision: traceable, reproducible, and demonstrably compliant.
That is what NIS2, eIDAS 2.0, and any serious audit require.
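To make the three layers concrete, here is an added illustrative example (not Sphereon's EDK or VDX code): a verifier's output is evaluated against a versioned policy, and each decision is written as a hash-chained evidence record that an auditor can later check for alterations or deletions. The policy shape, the field names, the credential values and the 1-3 assurance scale are constructed assumptions.

```python
import hashlib
import json
POLICY = {  # constructed, versioned policy; an illustrative shape, not Sphereon's format
    "version": "access-policy-v3",
    "accepted_types": ["EmployeeCredential", "ContractorCredential"],
    "min_loa": 2,  # minimum level of assurance, on a constructed 1-3 scale
    "action_if_allowed": "grant_building_access",  # the consequence policy defines
}
GENESIS = "0" * 64  # prev_hash of the first evidence record

def evaluate_policy(verification, policy):
    """Policy layer: is the authentic credential also sufficient? Returns the failed checks."""
    v, failed = verification, []
    if not (v["signature_ok"] and v["issuer_trusted"] and not v["revoked"]):
        failed.append("credential_not_authentic")
    if v["credential_type"] not in policy["accepted_types"]:
        failed.append("credential_type_not_accepted")
    if v["loa"] < policy["min_loa"]:
        failed.append("assurance_below_threshold")
    return failed

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def govern(checked_at, verification, policy, log):
    """One governed decision: verifier output -> policy evaluation -> evidence record.
    Records are hash-chained: each commits to the previous hash, so edits or deletions show."""
    failed = evaluate_policy(verification, policy)
    body = {
        "checked_at": checked_at,                                     # when
        "credential_id": verification["credential_id"],
        "checks": {k: verification[k] for k in ("signature_ok", "issuer_trusted", "revoked", "loa")},
        "policy_version": policy["version"],                          # which policy applied
        "result": "deny" if failed else "allow",                      # what the result was
        "failed_checks": failed,                                      # the documented basis
        "action": "deny" if failed else policy["action_if_allowed"],  # what action followed
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    log.append({**body, "hash": _digest(body)})
    return log[-1]

def chain_intact(log):
    """Audit check: recompute every hash and link; False if any record was altered or removed."""
    prev = GENESIS
    for rec in log:
        body = {k: val for k, val in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True
```

Reproducing a decision two years later then means re-running `evaluate_policy` with the recorded `checks` against the recorded `policy_version`, and `chain_intact` shows whether the record set is the one that was originally written.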
Where Sphereon fits.
Sphereon’s EDK provides runtime policy enforcement and structured audit evidence as production-grade capabilities. Every verification event triggers a policy evaluation, produces a versioned decision record, and generates tamper-proof evidence retained according to defined obligations. VDX operates this across parties, trust relationships, and workflows.
The result is not a log. It is a structured, cryptographically secured record of what was checked, what policy applied, what was decided, and what followed, producible on demand for regulators, auditors, and legal proceedings.
Turn verification into a governed decision.
Talk to Sphereon about adding policy enforcement, evidence retention, and structured audit to your verification flows.