Thoryn


Regional gate — EU only

ALLOW only if `country_code` is one of the 27 EU member states. Use it for services that must enforce EU residency at the protocol level.

Tested against: policyEngine: 1.0.0

policy-engine recipe — shared category architecture: how this pattern composes with Hub, Broker, and the rest of the catalog

Use case

Use this rule for a platform that must operate strictly inside the EU, whether for residency reasons, for member-state regulatory reasons, or because the service is gated to EU citizens. Express the requirement as a list-membership check on the `country_code` claim coming from a PID credential.

Rule

{
  "fact": "country_code",
  "operator": "in",
  "value": [
    "AT","BE","BG","CY","CZ","DE","DK","EE","ES","FI",
    "FR","GR","HR","HU","IE","IT","LT","LU","LV","MT",
    "NL","PL","PT","RO","SE","SI","SK"
  ]
}

Facts shape

data class GeoFacts(val country_code: String) // ISO 3166-1 alpha-2

Trace — DENY

A US visitor presents a US PID and the rule rejects:

{
  "decision": "DENY",
  "trace": [
    { "fact": "country_code", "operator": "in", "value": ["AT", "BE", "..."], "actual": "US", "result": "fail" }
  ]
}
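
The rule and trace above, exercised in a small Python sketch that is added here and is not Thoryn's policy engine or its API. `lint_rule` and `evaluate` are hypothetical helpers and the sample facts are constructed. Exact-match comparison, DENY on a missing or malformed claim, and the `"pass"` result value are assumptions.

```python
import json

# The rule exactly as given on this page.
RULE = json.loads("""
{
  "fact": "country_code",
  "operator": "in",
  "value": [
    "AT","BE","BG","CY","CZ","DE","DK","EE","ES","FI",
    "FR","GR","HR","HU","IE","IT","LT","LU","LV","MT",
    "NL","PL","PT","RO","SE","SI","SK"
  ]
}
""")

def lint_rule(rule):
    """Return a list of problems with the allow-list itself (empty list = OK)."""
    codes = rule["value"]
    problems = []
    if len(codes) != 27:
        problems.append(f"expected 27 member states, found {len(codes)}")
    if len(set(codes)) != len(codes):
        problems.append("duplicate country code")
    for c in codes:
        well_formed = isinstance(c, str) and len(c) == 2 and c.isascii()
        if not (well_formed and c.isalpha() and c.isupper()):
            problems.append(f"not an upper-case alpha-2 code: {c!r}")
    return problems

def evaluate(rule, facts):
    """Evaluate one 'in' rule; anything other than an exact match is DENY."""
    if rule["operator"] != "in":
        raise ValueError("this sketch only handles the 'in' operator")
    actual = facts.get(rule["fact"])  # None when the claim is absent
    ok = isinstance(actual, str) and actual in rule["value"]
    # "pass" is an assumed counterpart to the "fail" shown in the page's trace.
    step = dict(rule, actual=actual, result="pass" if ok else "fail")
    return {"decision": "ALLOW" if ok else "DENY", "trace": [step]}

# Constructed sample facts: a member state, the page's US case, a non-member
# European country, and malformed or missing claims that must fail closed.
SAMPLES = [{"country_code": "DE"}, {"country_code": "US"}, {"country_code": "GB"},
           {"country_code": "de"}, {"country_code": "DEU"}, {"country_code": " FR"}, {}]

if __name__ == "__main__":
    print("rule problems:", lint_rule(RULE))
    for facts in SAMPLES:
        print(facts, "->", evaluate(RULE, facts)["decision"])
```

Under these assumptions a lower-case, alpha-3 or padded value is denied rather than normalised, so any normalisation has to happen before the facts reach the rule.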

When to use

  • Strict EU-residency services (regulated finance, sector-specific platforms)
  • Compliance with member-state-only EUDIW pilots

When not to use

  • A subset of countries (use regional-allow-list)
  • Country detected from IP, not credential — IP can't be trusted as identity

See also