Introduction to EA standards
To ensure EA practice is applied optimally in entities, it is important to define a set of standards for each EA domain so that all technical solutions and processes comply with predefined standards, ensuring consistency in design and implementation and regulatory compliance. The scope of standards covers all six EA domains: business, beneficiary experience, data, applications, technology, and security. Target audience includes EA teams, engineers, project managers, and stakeholders.
Benefits of EA standards
EA standards help reduce technical complexity, lower costs, speed up decision-making, and keep information secure. They also make sure new solutions work with what you already have.
Technical solutions and processes comply with predefined standards; consistent design and implementation.
Compliance with regulatory requirements for each EA domain.
Consistency and alignment across components within each domain.
Integration and interoperability: unified interfaces, protocols, and formats improve integration between systems and applications.
Support for initiatives and technical solutions for business goals, regulatory compliance, and meeting entity, staff, and client needs.
Security standards help mitigate risks from data breaches, non-compliance, and system vulnerabilities.
Reduce duplication, complexity, operational and maintenance cost, and improve spending efficiency.
Improve EA governance and compliance verification through checklists and audits (booklets, technical offers, technical requirements, architecture designs).
Improve quality of digital products and services, user satisfaction, and secure, easy-to-use digital solutions.
Steps to build EA standards
Inventory and assess local and global standards
Conduct a full inventory and assessment of local and global standards, frameworks, and relevant best practices for each EA domain. At the end of this step, define a library of standards linked to one or more domains and the nature of compliance (mandatory or optional).
Stakeholder engagement
Engage key stakeholders (business owners, IT and cybersecurity teams, domain experts, end users) in reviewing the list for completeness. At the end of this step, stakeholders agree on adopted standards that meet business needs and address practical challenges.
Build a custom EA standards list
Derive a defined list of EA standards from the adopted reference standards/frameworks, documenting and coding them clearly with brief descriptions, and specifying requirements, guidance, and recommended practices per domain using unified templates or frameworks.
Continuous improvement
Continuous improvement with stakeholders through periodic review of the EA standards list and commitment to ongoing updates so it stays aligned with business requirements, national regulations, and technical change.
Governance of compliance with EA standards
Verify compliance against the EA standards list: measure technical project specifications against the approved lists for all domains (business, beneficiary experience, data, applications, technology, security). Each assessed item receives one compliance status: compliant, non-compliant, partially compliant, not applicable, or unknown. The same approach applies to booklets, designs and architecture, technical requirements, and technical offers.
Expected outputs
Adopted local and global standards and their link to EA domains in the entity, with each standard marked mandatory or optional.
Approved EA standards list for all domains (business, beneficiary experience, data, applications, technology, security).
Sample compliance verification tables against the EA standards list.
Reference standards by EA domain
Business Architecture Standards
Standards for documenting business processes, capabilities, information models, organizational structures, and strategic objectives. Examples: BPMN, capability maturity models, business capability maps.
BPMN 2.0 (OMG)
Business Process Model and Notation: graphical representation of business processes; common language for business and technical teams.
Business Capability Model (The Open Group)
Framework to organise and understand capabilities required to execute strategy; align business capabilities with strategic objectives.
Business Architecture Guild
International organisation for business architecture; unified framework and standards.
Event-driven Process Chain, EPC (Uni Saarland)
Methodology for modelling, documenting, and improving business processes graphically.
Beneficiary Experience Standards
Standards for effective, accessible UI and smooth digital experience. Include WCAG, UI design patterns, responsive design, user-centred design, and DGA guides (accessibility, digital experience maturity, beneficiary-centric policy).
WCAG (W3C)
Web Content Accessibility Guidelines for people with disabilities; content must be perceivable, operable, understandable, and robust (the four WCAG principles).
DGA guide: Accessibility for government e-sites (DGA)
Accessibility guidance per WCAG/W3C, verification tools, assistive tech; digital-by-default.
User Interface Design Patterns
Reusable solutions for common design problems; consistent, intuitive interfaces.
Digital experience maturity index (DGA)
Definition, objectives, strategic alignment with DGA directions, perspectives, axes, assessment mechanisms, maturity levels.
Beneficiary-centric policy (DGA)
Support entities to ensure easy use of digital services, information provision, engagement, smooth experience, and trust.
Data Architecture Standards
Standards for data modelling, governance, quality, metadata, integration, and security. Include modelling techniques, classification and encoding (e.g. NCA DCC-1:2022), data lifecycle per DAMA, NDMO regulations.
DAMA-DMBoK (DAMA)
Full data management body of knowledge; common vocabulary, practices, and standards.
NDMO data governance and personal data protection (NDMO)
National data governance framework; data management, governance, and personal data protection controls.
NCA DCC-1:2022 (NCA)
Minimum cybersecurity requirements for data protection across the data lifecycle.
Application Architecture Standards
Standards for development, deployment, integration, and management: languages, frameworks, design patterns, API specs, deployment (microservices, SOA, serverless), APM.
CMMI (CMMI Institute)
Framework for assessing and improving process maturity; quality, efficiency, software development, project management.
SAFe (Scaled Agile)
Framework for scaling agile to the enterprise; coordination, unified processes, faster delivery.
ISO/IEC 9126 (ISO/IEC)
International standard for software quality: functionality, performance, reliability, maintainability.
DevSecOps
Approach combining development, security, and operations; continuous security in dev and deployment.
SOA (The Open Group)
Architectural approach for reusable services and system integration; flexibility and scalability.
W3C web standards
Web technology standards (HTML, CSS, XML); interoperability and growth.
Technology Architecture Standards
Standards for data centres, infrastructure, cloud, networks, emerging tech, IT services. Include ANSI/TIA-942, ISO/IEC 20000 (ITSM), hardware specs, cloud guidance, DGA cloud adoption guide.
ISO/IEC 20000 (ISO/IEC)
International standard for IT Service Management (ITSM): plan, deliver, maintain to meet business objectives.
ANSI/TIA-942 (TIA)
Data centre design and operations: physical structure, power, cooling, fire protection, physical and logistical security.
Uptime Institute Tier Standards
Global standard for data centre availability and performance; Tier I–IV levels and certification.
NIST SP 500-292 (NIST)
Cloud computing reference architecture; components, offerings, vendor-neutral architecture.
ITIL (AXELOS)
Best practices for efficient IT service delivery; align services with business needs.
DGA guide: Cloud adoption for government (DGA)
Guidance for government entities adopting cloud; secure, effective adoption aligned with national strategy.
Security Architecture Standards
Standards for protecting digital assets, defending against cyber threats, and meeting regulatory compliance. Include NIST, ISO 27001, NCA controls (ECC, CSCC, CCC, TCC, OTCC, OSMACC, DCC), network/data/application security, identity and access.
ISO/IEC 27001 (ISO/IEC)
International standard for Information Security Management Systems (ISMS); manage sensitive information.
NCA ECC-1:2018 (NCA)
Essential Cybersecurity Controls: minimum requirements based on best practices to reduce cyber risk.
NCA CSCC-1:2019 (NCA)
Cybersecurity requirements for critical systems; protect sensitive systems from unauthorised access.
NCA CCC-1:2020 (NCA)
Cloud cybersecurity controls for providers and subscribers.
NCA TCC-1:2021 (NCA)
Cybersecurity controls for remote work; secure remote operations.
NCA DCC-1:2022 (NCA)
Cybersecurity controls for data; protection across the data lifecycle.
NCA OTCC-1:2022 (NCA)
Cybersecurity controls for operational technology in critical industrial facilities.
NCA OSMACC-1:2021 (NCA)
Cybersecurity controls for entity social media accounts; protect official accounts.
OWASP Top Ten
Top ten web application security risks; guidance on common vulnerabilities and security priorities.