> Would the certification require someone to take an official certification test for the framework used?
> And therefore we’re only allowed to use frameworks which have certification tests available?

When it's safety-critical, yes, absolutely. A service that handles sensitive PII, such as the one whose "engineers" should be prosecuted for this incident, is definitionally safety-critical.
If you're afraid in that world you'd be unable to work, maybe you deserve to be.