If a prime or a regulator asked tomorrow, could you prove it?
Cyber flow-down, sanctions, forced-labour duties — they bind several tiers below you, on deadlines already set. There’s a difference between asserting your chain is clean and being able to evidence it.
Settled as the Compliance Evidence PackMost obligations are met by assertion until the day they’re tested. An Evidence Pack draws the boundary between what your records actually prove and what you’d have to reconstruct under a probe — before the prime, the auditor or the regulator draws it for you.
What you can evidence — and what you’d have to reconstruct.
Typical reader: a contracts, compliance & assurance lead.
The clocks are already running.
The MOD’s Cyber Security Model v4 is now mandatory and cascades to the end of the chain; the UK Sanctions List became the single source in January 2026; the EU forced-labour regulation, now in force, begins to bite from its 2027 application date. The deadlines are set — the question is whether you can evidence the chain before they’re tested. See what changed →