From 44299599f9732a6eda1c1da1fc75df853b9320e5 Mon Sep 17 00:00:00 2001 
From: Hermes Date: Sat, 23 May 2026 06:35:21 +0000 Subject: [PATCH] gbrain: sync converted org-mode brain files --- ideas/compliance-framework-mapping.org | 886 ++---------------------- ideas/compliance/_index.org | 79 +++ ideas/compliance/appi.org | 26 + ideas/compliance/apra-cps-234.org | 27 + ideas/compliance/basel-iii.org | 27 + ideas/compliance/ccpa-cpra.org | 23 + ideas/compliance/cra.org | 32 + ideas/compliance/dora.org | 29 + ideas/compliance/dpdp-act.org | 30 + ideas/compliance/eidas2.org | 26 + ideas/compliance/eu-ai-act.org | 32 + ideas/compliance/fatf.org | 32 + ideas/compliance/fedramp.org | 60 ++ ideas/compliance/first-mover-window.org | 23 + ideas/compliance/gdpr.org | 54 ++ ideas/compliance/glba.org | 23 + ideas/compliance/hipaa.org | 44 ++ ideas/compliance/ifc-ps.org | 26 + ideas/compliance/ifrs.org | 26 + ideas/compliance/irap.org | 23 + ideas/compliance/ismap.org | 24 + ideas/compliance/iso-27001.org | 31 + ideas/compliance/iso-27701.org | 20 + ideas/compliance/lfp-dppp.org | 24 + ideas/compliance/lgpd.org | 28 + ideas/compliance/nis2.org | 34 + ideas/compliance/ny-dfs-500.org | 25 + ideas/compliance/oecd.org | 23 + ideas/compliance/pipa.org | 30 + ideas/compliance/privacy-act-aus.org | 30 + ideas/compliance/quebec-law-25.org | 25 + ideas/compliance/revenue-table.org | 60 ++ ideas/compliance/soc2.org | 53 ++ ideas/compliance/sox.org | 27 + ideas/compliance/uk-gdpr.org | 21 + ideas/compliance/un-cefact.org | 35 + ideas/compliance/world-bank-esf.org | 28 + scripts/org-to-gbrain.py | 58 +- 38 files changed, 1248 insertions(+), 856 deletions(-) create mode 100644 ideas/compliance/_index.org create mode 100644 ideas/compliance/appi.org create mode 100644 ideas/compliance/apra-cps-234.org create mode 100644 ideas/compliance/basel-iii.org create mode 100644 ideas/compliance/ccpa-cpra.org create mode 100644 ideas/compliance/cra.org create mode 100644 ideas/compliance/dora.org create mode 100644 ideas/compliance/dpdp-act.org create mode 100644 
ideas/compliance/eidas2.org create mode 100644 ideas/compliance/eu-ai-act.org create mode 100644 ideas/compliance/fatf.org create mode 100644 ideas/compliance/fedramp.org create mode 100644 ideas/compliance/first-mover-window.org create mode 100644 ideas/compliance/gdpr.org create mode 100644 ideas/compliance/glba.org create mode 100644 ideas/compliance/hipaa.org create mode 100644 ideas/compliance/ifc-ps.org create mode 100644 ideas/compliance/ifrs.org create mode 100644 ideas/compliance/irap.org create mode 100644 ideas/compliance/ismap.org create mode 100644 ideas/compliance/iso-27001.org create mode 100644 ideas/compliance/iso-27701.org create mode 100644 ideas/compliance/lfp-dppp.org create mode 100644 ideas/compliance/lgpd.org create mode 100644 ideas/compliance/nis2.org create mode 100644 ideas/compliance/ny-dfs-500.org create mode 100644 ideas/compliance/oecd.org create mode 100644 ideas/compliance/pipa.org create mode 100644 ideas/compliance/privacy-act-aus.org create mode 100644 ideas/compliance/quebec-law-25.org create mode 100644 ideas/compliance/revenue-table.org create mode 100644 ideas/compliance/soc2.org create mode 100644 ideas/compliance/sox.org create mode 100644 ideas/compliance/uk-gdpr.org create mode 100644 ideas/compliance/un-cefact.org create mode 100644 ideas/compliance/world-bank-esf.org
diff --git a/ideas/compliance-framework-mapping.org b/ideas/compliance-framework-mapping.org
index 44881a3..e8d3ca4 100644
--- a/ideas/compliance-framework-mapping.org
+++ b/ideas/compliance-framework-mapping.org
@@ -1,846 +1,48 @@ :PROPERTIES: :ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c :CREATED: [2026-05-23 Sat] +:UPDATED: [2026-05-23 Sat] :END: -#+title: Compliance Framework Mapping — Global Regulated Industries (Triad-Wide) -#+filetags: :passepartout:triad:compliance:global:oecd:regulation:mapping: - -The verification monopoly and domain gate package revenue streams depend on -selling into regulated industries. These industries buy compliance, not software. -The four frameworks below are the most commonly referenced across the triad -knowledge base. This file defines each one, the economic pressure it creates, -and where it maps to the revenue model. - -* HIPAA (Health Insurance Portability and Accountability Act) - -** What it is - -US federal law enacted 1996. Governs how protected health information (PHI) -is stored, transmitted, and accessed. Two relevant rules: - -- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights - to access, amend, and request accounting of disclosures. Minimum necessary - standard — only the minimum PHI needed for the task may be used. -- **Security Rule:** administrative, physical, and technical safeguards for - electronic PHI (ePHI). Requires access controls, audit controls, integrity - controls, person/entity authentication, and transmission security. - -** Who must comply - -Covered entities (health plans, healthcare clearinghouses, healthcare providers -who transmit any ePHI) and business associates (any vendor handling PHI on behalf -of a covered entity). Business Associate Agreements (BAAs) are mandatory. - -** Penalties - -Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per -violation category. Criminal penalties for knowing misuse (up to 10 years -imprisonment). State AGs can also bring civil actions. - -** Why it matters for the triad - -HIPAA is the largest single compliance market in US healthcare — every hospital, -clinic, insurer, and health-tech vendor must comply. 
The [[file:domain-gate-packages.org][HIPAA gate package]] -($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate -constraints. Every PHI access attempt passes through the gate stack, producing -a machine-checkable audit trail that satisfies the Security Rule's audit control -requirement automatically. No separate logging infrastructure needed. Over a -five-year deployment, the accumulated fact store and proof history create -[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it. - -* SOC 2 (System and Organization Controls 2) - -** What it is - -An auditing standard developed by AICPA (American Institute of CPAs). Not a law. -Certifies that a service organization's controls over security, availability, -processing integrity, confidentiality, and privacy meet defined criteria. - -Five Trust Service Criteria (TSC): -- **Security** (mandatory): protection against unauthorized access (firewall, - access control, intrusion detection) -- **Availability** (optional): system available for operation and use as - committed (uptime, redundancy, disaster recovery) -- **Processing Integrity** (optional): system processing is complete, valid, - accurate, timely, and authorized -- **Confidentiality** (optional): information designated as confidential is - protected as committed -- **Privacy** (optional): personal information is collected, used, retained, - disclosed, and disposed of in conformity with commitments - -Two types: -- **Type I:** controls are suitably designed at a specific point in time -- **Type II:** controls operated effectively over a period (6-12 months) - -** Who must comply - -Any SaaS or cloud service provider whose enterprise customers require audited -vendors. Table stakes for B2B — most enterprise procurement contracts require -SOC 2 Type II. - -** Penalties - -No direct fines (not a law). But losing SOC 2 certification means losing -enterprise customers. 
Misrepresentation of certification status is fraud. - -** Why it matters for the triad - -SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider -needs SOC 2 Type II to sell compute to enterprises whose procurement policy -requires audited vendors. The gate stack itself maps directly to the Security -criterion (access controls, audit trails) — the Passepartout instance's -deterministic gate log serves as the evidence artifact for the audit. No -separate logging SIEM needed. This is the prerequisite to the larger -[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they -buy domain-specific gate packages for the same infrastructure. - -* GDPR (General Data Protection Regulation) - -** What it is - -EU regulation (effective May 2018) governing the processing of personal data of -natural persons in the EU. Extraterritorial — applies to any organization -processing EU personal data regardless of where the organization is based. - -Key requirements: -- Lawful basis for processing (consent, contract, legal obligation, vital - interests, public task, legitimate interests) -- Data minimization — collect only what is necessary -- Purpose limitation — do not reuse data for incompatible purposes -- Storage limitation — delete when no longer needed -- Right of access, rectification, erasure (right to be forgotten), - data portability, restriction, objection -- Data Protection Impact Assessment (DPIA) for high-risk processing -- Breach notification within 72 hours to supervisory authority -- Data Protection Officer (DPO) appointment for certain controllers/processors -- Data Processing Agreements (DPAs) between controllers and processors - -** Who must comply - -Any organization that processes personal data of EU residents. Includes -controllers (determine purposes and means) and processors (process on behalf -of controller). 
Non-EU organizations with EU data subjects are in scope. - -** Penalties - -Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered -system. Supervisory authorities in each member state enforce. Private right -of action for damages. - -** Why it matters for the triad - -GDPR is the most extraterritorial and aggressively enforced privacy framework. -The gate stack's principle of least privilege maps naturally to GDPR's data -minimization requirement. Every data access is gated by a verified rule that -states the purpose — the proof log is a built-in DPIA artifact. For the -[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must -maintain DPAs with all clients. Proof logs themselves may constitute personal -data if they reference natural persons (names in access rules, etc.), creating -a demand for privacy-preserving proof techniques. This is why the -[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and -purpose-boundary gate rules that are independently verified by the provider's -[[file:evaluation-harness.org][evaluation harness]]. - -* FedRAMP (Federal Risk and Authorization Management Program) - -** What it is - -US federal government's standardized approach to security assessment, -authorization, and continuous monitoring for cloud services. OMB policy -mandate — federal agencies must use FedRAMP-authorized services when available. 
- -Three impact levels based on data sensitivity: - -| Level | Data type | Examples | Cost to achieve | Timeline | -|---------|-----------|---------------------------------|-----------------|----------| -| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months | -| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months | -| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months | - -Two authorization paths: -- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA, - DOD. Hardest path, most reusable across agencies. -- **Agency:** authorization by a single federal agency for its own use. Faster - but less portable. - -Requires continuous monitoring (monthly scans, annual assessments, POA&M -for findings). - -** Who must comply - -Any cloud service provider that sells to US federal agencies. Including -IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies -are strongly discouraged from using non-authorized services. - -** Penalties - -No direct fines. Non-authorized providers are simply ineligible for federal -contracts. FedRAMP is a procurement gate, not a regulatory one. - -** Why it matters for the triad - -FedRAMP is the highest bar and the most expensive certification to obtain. -Few cloud providers achieve it (fewer than 300 authorized products as of 2025). -But those that do capture the US government market with minimal competition. -For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High -authorization can sell to every federal agency. The gate stack's deterministic -audit trail maps directly to FedRAMP's continuous monitoring requirement — -producing verifiable evidence of control effectiveness on every access, not -just during the annual assessment. 
This is what justifies the -[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software -package, it is the evidence pipeline for a certification that costs $1M-$5M -and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument -applies hardest here: an agency that has relied on a FedRAMP-authorized compute -provider for five years cannot switch without re-running the entire authorization -process with a new provider. - -* US — Financial and Corporate Frameworks - -** SOX (Sarbanes-Oxley Act) - -US federal law (2002). Mandates internal controls over financial reporting -(ICFR) for publicly traded companies. Section 404 requires management to assess -and auditors to attest to the effectiveness of internal controls. - -Who must comply: All US public companies; foreign issuers trading on US exchanges. -~6,000 public companies + foreign filers. - -Penalties: Up to $5M fines and 20 years imprisonment for certifying false -financial statements. CEO and CFO personally liable. - -Why it matters: Every financial control is a gate rule — who can approve a -journal entry, who can release a payment, who can modify a vendor record. The -gate stack encodes these as ACL2-verified rules and produces the audit trail -that the external auditor needs for Section 404 attestation. First-mover -advantage: SOX is mature (24 years old) but the audit market is $4B+ and -entirely manual — no competitor has automated the evidence pipeline. - -** GLBA (Gramm-Leach-Bliley Act) - -US federal law governing financial institutions' handling of nonpublic personal -information (NPI). Requires privacy notices, opt-out rights, and a Safeguards -Rule requiring an information security program. - -Who must comply: Banks, credit unions, insurance companies, securities firms, -financial advisers. ~20,000 institutions. - -Penalties: FTC-enforced. 
Civil penalties up to $100K per violation; officers -and directors personally liable. - -Why it matters: The Safeguards Rule maps directly to gate stack access controls. -Every NPI access is gated; the proof log is the security program's evidence. -First-mover advantage is narrow (GLBA is well-understood) but the market is -large because every financial institution that dodges HIPAA still faces GLBA. - -** NY DFS 500 (23 NYCRR 500) - -New York State Department of Financial Services cybersecurity regulation for -financial services. The most aggressive US state-level financial cybersecurity -rule. Requires: risk assessment, penetration testing, multi-factor authentication, -incident response plan, annual certification of compliance by the board. - -Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage -brokers, virtual currency companies operating in New York. ~3,000 institutions. - -Penalties: $200K-$1M per violation; business license revocation possible. - -Why it matters: The annual board certification requirement creates demand for -verifiable evidence of control effectiveness — exactly what the gate stack -produces. First-mover advantage is significant (few vendors target NY DFS 500 -specifically) and the regulation is a template that other states are adopting. - -* US — State Privacy Frameworks - -** CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) - -California's comprehensive privacy law — the closest US analogue to GDPR. -CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to -know, delete, opt out of sale/sharing, correct inaccurate data, limit use -of sensitive PI. Private right of action for data breaches. - -Who must comply: For-profit businesses with >$25M revenue, or handling >100K -consumer records, or deriving >50% revenue from selling PI. Extraterritorial — -applies to any business collecting CA resident data. - -Penalties: $2,500 per violation (intentional: $7,500). 
Private right of action -for breaches: $100-$750 per incident per consumer. CPRA created the California -Privacy Protection Agency (CPPA) for enforcement. - -Why it matters: The opt-out/sale/sharing requirements create complex data flow -gate rules. The gate stack can encode "this data flow crosses a CCPA boundary" -and automatically enforce the opt-out at every data access. First-mover -advantage is moderate (many CCPA tools exist) but none provide a deterministic, -verifiable audit trail — they are all document-based. - -** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA) - -Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy -regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment, -privacy impact assessments, consent modernization, data portability, right to -de-index, algorithm transparency (automated decision-making disclosures). -Penalties up to $25M CAD or 4% of global revenue. - -Why it matters: The algorithm transparency requirement is unique — organizations -must disclose how automated decision systems work. The gate stack's ACL2 proof -log is a natural algorithm transparency artifact. First-mover advantage: this -is a new requirement with no established vendor tooling. - -* UK and EU — Additional Frameworks - -** UK GDPR / Data Protection Act 2018 - -Post-Brexit, the UK maintains its own version of GDPR via the Data Protection -Act 2018. Substantively identical to EU GDPR but diverging over time. The UK -has announced separate reforms targeting AI and digital identity. ICO (Information -Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover. - -Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed -for EU GDPR ports directly with verified translation of terminology (supervisory -authority → ICO, DPA → equivalent UK contract clauses). 
The gate stack's ACL2 -prover can verify that the UK version's rules are consistent with the EU version -(and alert when they diverge). This is a concrete ACL2 application. - -** NIS2 (Network and Information Security Directive) - -EU directive (effective October 2024, member states transpose by October 2025). -Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy, -transport, banking, financial market infrastructure, health, drinking water, -wastewater, digital infrastructure, ICT service management, public administration, -space, postal services, food, chemicals, manufacturing (critical products). - -Key requirements: risk management measures (supply chain security, incident -handling, business continuity), incident notification (24-hour early warning, -72-hour full report), C-level accountability (management can be held personally -liable for non-compliance), supply chain security for critical vendors. - -Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS). -Two tiers: essential (strict) and important (moderate). Extraterritorial — any -organization providing services to EU entities in covered sectors. - -Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal -liability for management. - -Why it matters: NIS2 is the largest European cybersecurity mandate ever. -Every requirement maps to a gate rule: supply chain access verification, -incident notification triggers, business continuity approval chains. First-mover -advantage is urgent — the transposition deadline is October 2025 (17 months). -Organizations need gate packages now. No competitor has a declarative gate -model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell. - -** EU AI Act - -First comprehensive AI regulation globally (effective August 2026). Risk-based -tiers: unacceptable (banned), high-risk (conformity assessment), limited -(transparency), minimal (code of conduct). 
High-risk systems require: risk -management, data governance, technical documentation, transparency, human -oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment -for some high-risk systems (notified bodies). - -Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial -if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI) -with additional obligations for systemic-risk GPAI. - -Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR). - -Why it matters: The EU AI Act's conformity assessment requirement creates an -instant certification market. Passepartout's gate stack can serve as the -human oversight and accuracy/robustness infrastructure for any AI system -deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum -force: an ACL2-verified gate stack is the most defensible approach to AI Act -compliance. First-mover advantage: the regulation takes effect August 2026. -No certification body or tool vendor has an ACL2-based compliance pipeline. -First to market captures the standard-setting role. - -** DORA (Digital Operational Resilience Act) - -EU regulation (effective January 2025) for the financial sector. Requires: -ICT risk management, incident reporting, digital operational resilience testing, -ICT third-party risk management (including contractual access and audit rights -for critical ICT providers), information sharing, threat-led penetration testing -(TLPT) for systemic institutions. - -Who must comply: 22,000+ financial entities in the EU (banks, investment firms, -payment processors, crypto-asset providers, insurance companies). Also ICT -third-party providers deemed critical. - -Penalties: Up to 2% of average daily turnover × number of days breached, or -10M EUR for legal entities. Personal liability for management. 
- -Why it matters: DORA's third-party risk management requirement is a natural gate -stack use case — every ICT provider access must be gated, logged, and auditable. -TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover -advantage is extremely time-sensitive: DORA is already in effect (January 2025). -Financial institutions are scrambling for compliance tooling. A DORA gate package -at $50K/yr with zero incremental cost per additional user is an immediate sale. - -** eIDAS 2.0 (Electronic Identification, Authentication and Trust Services) - -EU regulation (amended 2024). Creates the EU Digital Identity Wallet — mandatory -for member states to offer, optional for citizens. Requires: qualified electronic -signatures/seals/timestamps, qualified trust service providers (QTSPs), and the -EU Digital Identity Wallet for identity verification across borders. - -Who must comply: Trust service providers, government digital identity systems, -any organization accepting eIDAS-qualified identities. 27 member states must -provide wallets by 2026. - -Penalties: Member state enforcement; penalties vary but non-compliance blocks -access to the EU digital identity market. - -Why it matters: eIDAS 2.0 creates a verified digital identity layer across the -EU. The gate stack can integrate with eIDAS wallets as the identity provider -for gate rules — "only X, authenticated via eIDAS wallet, may approve this -transaction." First-mover advantage: wallets are being built now; the provider -that integrates with the wallet standard first locks in the identity gate -integration. - -** CRA (Cyber Resilience Act) - -EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements -for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM -(software bill of materials) disclosure, CE marking for cybersecurity. 
- -Who must comply: Manufacturers, importers, and distributors of connected products -sold in the EU. Categories: default (self-declaration), Class I (third-party -audit), Class II (notified body assessment). - -Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with -reporting obligations. - -Why it matters: CRA's CE marking requirement creates a certification pipeline -that the verification appliance can supply. If Passepartout's gate stack is -itself CRA-compliant (verified by the evaluation harness), it becomes the -compliance infrastructure for any product built on it. First-mover advantage: -Class II products require notified body assessment — the bottleneck is notified -body capacity. The gate stack's automated evidence pipeline bypasses the -bottleneck. - -* Japan - -** APPI (Act on Protection of Personal Information) - -Japan's comprehensive privacy law (amended 2022, fully effective 2023). -Applies to any business handling personal information of Japanese residents. -Key requirements: consent, purpose specification, data retention limits, -cross-border transfer restrictions (opt-in required), mandatory breach reporting, -data subject access/deletion rights, pseudonymized/anonymized data provisions. -Personal Information Protection Commission (PPC) enforces. - -Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to -1 year imprisonment. Orders to suspend data processing or delete data. - -Who must comply: All businesses handling personal information of Japanese -residents. Extraterritorial — applies to non-Japanese businesses targeting -Japanese residents. - -Why it matters: APPI's cross-border transfer restrictions require fine-grained -control over which data leaves Japan. The gate stack can encode "this data has -APPI cross-border consent flag = false → block egress." 
First-mover advantage -is moderate — few non-Japanese vendors target APPI specifically, and the 2022 -amendments added requirements that created compliance gaps. - -** ISMAP (Government Information System Security Management and Assessment Program) - -Japan's government cloud security program — analogous to FedRAMP. Cloud services -used by Japanese government agencies must be ISMAP-authorized. Managed by the -Digital Agency and the Information-technology Promotion Agency (IPA). - -Who must comply: Cloud service providers selling to Japanese national and local -government agencies. - -Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is -time-consuming and expensive. A compute marketplace provider with ISMAP -authorization has exclusive access to the Japanese government market. First-mover -advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered. - -* South Korea - -** PIPA (Personal Information Protection Act) - -South Korea's comprehensive privacy law (enacted 2011, major amendments 2023 -and 2024). One of the strictest privacy regimes globally. Key requirements: -consent, data minimization, purpose limitation, mandatory privacy impact -assessment, data protection officer, breach notification within 72 hours, -cross-border transfer restrictions, right to request data transmission -(portability). The Personal Information Protection Commission (PIPC) enforces -aggressively. - -Penalties: Up to 3% of revenue (raised from 0.5% in 2024 amendments). Criminal -penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M) -against major tech companies. Class action lawsuits permitted. - -Who must comply: Any organization handling personal information of South Korean -residents. Extraterritorial scope is broad and actively enforced. - -Why it matters: PIPA is structurally similar to GDPR but with stricter -enforcement and higher penalties relative to market size. 
The gate stack's -purpose-boundary gates map directly to PIPA's purpose limitation requirement. -First-mover advantage is large — PIPA has fewer compliance automation vendors -than GDPR, and the 2024 amendments (stricter consent, higher fines) are still -settling. - -* Australia - -** Privacy Act 1988 / Notifiable Data Breaches (NDB) scheme - -Australia's federal privacy law (amended 2023-2025). Comprehensive reform in -progress — the Privacy Act Review (2023) proposes significant expansion: -tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained), -direct right of action for individuals, new tort of serious invasion of privacy, -children's privacy code, automated decision-making transparency. - -Who must comply: Most Australian businesses with >$3M AUD turnover; all -health service providers; all businesses handling tax file numbers. Extraterritorial -— applies to any organization with an Australian link. - -Penalties: Current maximum $50M AUD (from amendments effective late 2024). -OAIC (Office of the Australian Information Commissioner) enforces. New direct -right of action will increase private litigation. - -Why it matters: The Privacy Act Review's proposed automated decision-making -transparency requirements are unique — organizations must disclose the logic -and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the -most defensible transparency artifact available. First-mover advantage: the -reforms are being legislated now; early adoption positions the gate stack as -the reference implementation. - -** APRA CPS 234 (Prudential Standard — Information Security) - -Australian Prudential Regulation Authority standard for regulated financial -institutions. Requires: clearly defined information security roles and -responsibilities, periodic cybersecurity capability assessments, robust control -testing, timely remediation of control weaknesses, mandatory notification of -material incidents to APRA within 72 hours. 
- -Who must comply: Banks, insurers, superannuation funds regulated by APRA. -~500 entities. - -Penalties: APRA can impose capital requirements, license conditions, or -license cancellation for non-compliance. Personal liability for board and -senior management. - -Why it matters: CPS 234's control testing requirement creates demand for -continuous verification — exactly what the gate stack and evaluation harness -provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is -escalating. No vendor provides a deterministic control-testing pipeline. - -** IRAP (Infosec Registered Assessors Program) - -Australian government's cloud security assessment program — analogous to -FedRAMP. Cloud services used by Australian government agencies must have an -IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC). -Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM. - -Who must comply: Cloud providers selling to Australian federal, state, and -local government agencies. Also critical infrastructure providers. - -Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP -Protected-level assessment is expensive and takes 6-12 months. First-mover -advantage: the gate stack's deterministic audit trail can be the primary -evidence artifact, reducing assessment scope/cost. - -* India - -** DPDP Act 2023 (Digital Personal Data Protection Act) - -India's first comprehensive federal privacy law (enacted August 2023, rules -drafting in progress, enforcement expected 2026-2027). Key features: consent -for personal data processing, data processor obligations, data principal rights -(right to access, correction, erasure, grievance redressal), Data Protection -Board of India (DPBI) enforcement, significant penalties, exempted government -processing for sovereignty/national security. - -Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary -responsibility regardless of processor fault. 
- -Who must comply: Any organization processing personal data of Indian residents, -where the data is collected in India or used to profile Indian residents. -Offshore data processors are in scope. - -Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive -privacy law before 2023. The rules (implementation details) are being drafted -now. This is the widest first-mover window in the global privacy landscape: -organizations need compliance tooling that doesn't exist yet. The gate stack's -consent-managed data access model maps directly to DPDP's consent framework. -A DPDP gate package at $30K/yr (discounted for India market) captures a market -of hundreds of thousands of businesses with no incumbent vendor. - -* Brazil - -** LGPD (Lei Geral de Proteção de Dados — Law 13,709/2018) - -Brazil's comprehensive privacy law (effective 2020, fines effective 2023). -Modeled on GDPR but with differences: LGPD defines "data processing agents" -(controller and operator), requires appointment of DPO (data protection officer), -mandates breach notification to ANPD (National Data Protection Authority) and -affected data subjects. 10 legal bases for processing (vs 6 in GDPR). - -Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL -(~$10M) per violation. ANPD can also order suspension of processing, partial -or total prohibition of database operation. - -Who must comply: Any organization (public or private) processing personal data -of Brazilian residents, regardless of where the organization is based. No -revenue threshold. - -Why it matters: LGPD affects every business operating in Latin America's largest -economy. The 2% revenue penalty structure creates strong economic incentive. -First-mover advantage: fewer compliance automation vendors in the Portuguese -market. A Portuguese-language gate package with LGPD-specific consent and data -subject rights gates captures a market of 210M people. 
- -* Mexico - -** LFPDPPP (Federal Law on Protection of Personal Data Held by Private Parties) - -Mexico's federal privacy law (effective 2010, reformed 2024). Key requirements: -consent, notice (privacy notice must specify the "responsible party"), purpose -limitation, data subject rights (ARCO — access, rectification, cancellation, -opposition + deletion, portability), cross-border data transfer limitations, -security breach notification. INAI (National Institute for Transparency, -Access to Information and Personal Data Protection) enforces. - -Penalties: Up to 1.9M days of minimum wage (~$5M USD); INAI can also -suspend data processing. - -Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are -pushing toward privacy regime interoperability. A bilingual (Spanish/English) -gate package covering both LFPDPPP and US frameworks serves the massive -US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is -less automated than GDPR; the market has fewer vendors and lower expectations. - -* International Frameworks - -** ISO 27001 (Information Security Management) - -International standard for information security management systems (ISMS). -The most widely adopted security certification globally — ~60,000 certified -organizations. Requires: risk assessment, security controls (Annex A, 93 -controls across 4 domains), continuous improvement (Plan-Do-Check-Act), -management review, internal audit. - -Who must comply: Self-selected — enterprises pursue ISO 27001 certification -because supply chain partners and regulators require it. Increasingly mandatory -for: cloud providers, government contractors, critical infrastructure, and -regulated financial institutions in multiple jurisdictions. - -Penalties: No direct fines. Losing certification means losing business. - -Why it matters: ISO 27001 is the universal baseline. It is the entry-level -certification that opens every other regulated market. 
The gate stack maps -to Annex A controls directly (A.9 access control, A.12 operations security, -A.16 incident management, A.18 compliance). First-mover advantage: the ISO -27001 audit market is mature ($68B) and entirely manual (auditors flip through -binders). A gate stack that produces audit evidence automatically is not -competing with other software — it is competing with binders. - -** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001) - -International standard extending ISO 27001 for privacy information management. -Aligns with GDPR requirements. Provides a framework for PII (personally -identifiable information) controllers and processors. - -Why it matters: ISO 27701 bridges information security and privacy compliance. -An organization with ISO 27001 + ISO 27701 certification has a unified -audit framework. The gate stack's access control gates + privacy gates satisfy -both standards from the same infrastructure. First-mover advantage: adoption is -growing but still low (~1,000 certifications). Early gate package captures the -growth market. - -** Basel III (Bank for International Settlements — Basel Committee) - -International banking regulatory framework (BIS Basel Committee). Sets minimum -capital requirements, liquidity coverage ratio (LCR), net stable funding ratio -(NSFR), leverage ratio, and counterparty credit risk requirements. National -implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.). - -Who must comply: All internationally active banks. Systemically important -financial institutions (G-SIBs) face additional surcharges. - -Penalties: Capital adequacy violations trigger regulatory intervention at -increasing severity — restrictions on dividends, mandatory capital raising, -management replacement, resolution. - -Why it matters: Basel's risk-weight calculation is rule-heavy and -verification-friendly. 
The gate stack can encode credit risk weight mappings -and produce auditable proof that capital calculations follow the correct -methodology. First-mover advantage: Basel compliance is done via spreadsheets -and specialized risk platforms. No platform uses formal verification for -risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB -is a trivial expense relative to the capital requirement penalty of getting the -mapping wrong. - -** FATF (Financial Action Task Force) — AML/CFT Standards - -International standard-setter for anti-money laundering and counter-terrorism -financing. 40 Recommendations covering: risk assessment, customer due diligence -(CDD), beneficial ownership transparency, suspicious transaction reporting, -targeted financial sanctions, proliferation financing. National implementation -varies by jurisdiction. - -Who must comply: Financial institutions, DNFBPs (designated non-financial -businesses and professions), virtual asset service providers (VASPs). In -practice: every bank, money service business, crypto exchange, and high-value -dealer globally. - -Penalties: National enforcement varies. Systemic failures lead to FATF grey-list -(monitoring) or black-list (counter-measures). Grey-listing increases transaction -costs — Iran and North Korea are black-listed. - -Why it matters: FATF's CDD requirements are the most widespread and -rule-complex compliance obligation globally. The gate stack can encode -tiered CDD rules, prove that every customer onboarding followed the correct -verification path, and produce an auditable trail for every suspicion -determination. First-mover advantage: AML compliance is a $50B+ market -dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use -formal verification. The gate stack's proof log is a "deterministic audit -trail" that regulators would recognize as superior to the current paper-trail -approach. 
- -** OECD Privacy Guidelines and AI Principles - -OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation, -data quality, purpose specification, use limitation, security safeguards, -openness, individual participation, accountability. Non-binding but foundational -— the basis for GDPR, APPI, LGPD, and most other privacy laws. - -OECD AI Principles (adopted 2019, updated 2024): Five values-based principles -— inclusive growth and well-being, human-centered values and fairness, -transparency and explainability, robustness and safety, accountability. -Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI -guidelines all cite them. - -Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory -alignment with OECD principles is often a procurement requirement for -international organizations and development finance institutions. First-mover -advantage is about standard-setting: the gate package that maps to OECD -principles first becomes the reference implementation. - -** World Bank Environmental and Social Framework (ESF) - -The World Bank's framework for managing environmental and social risk in -investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3 -(resource efficiency), ESS4 (community health), ESS5 (land/resettlement), -ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage), -ESS9 (financial intermediaries), ESS10 (stakeholder engagement). - -Who must comply: Borrowers and project implementers across World Bank-financed -projects in 100+ countries. Also adopted by many multilateral development banks -(MDBs) as their standard. - -Why it matters: ESF compliance is condition precedent to World Bank disbursement. -Delays in compliance verification delay project funding. The gate stack's -deterministic rule system can encode ESF standards as execution gates — "no -disbursement unless ESS5 resettlement plan is verified complete." 
First-mover -advantage: World Bank compliance is entirely document-based (reports, audits, -site visits). A verified gate system is unprecedented. - -** IFC Performance Standards (PS) - -International Finance Corporation's standards for environmental and social -sustainability in private sector investment. Eight standards: PS1 (risk -management), PS2 (labor), PS3 (resource efficiency), PS4 (community health), -PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8 -(cultural heritage). Adopted by over 80 Equator Principles financial -institutions (project finance lenders). - -Who must comply: IFC investees and clients; any project finance deal under -the Equator Principles. - -Why it matters: The Equator Principles affect $100B+/yr in project finance. -Compliance verification is done by external consultants. The gate stack can -automate the evidence collection and provide verifiable proof that each PS -requirement has been met before financial close. First-mover advantage: no -vendor serves this market with automation — it is entirely consultant-delivered. - -** IFRS (International Financial Reporting Standards) - -International accounting standards (IFRS Foundation, 166 jurisdictions). IFRS 17 -(insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the -most rule-complex — requiring actuarial models, expected credit loss calculations, -and contract classification algorithms. - -Who must comply: Publicly listed companies in 166 jurisdictions including the -EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most -of Asia and Africa. The US (GAAP) is the major holdout. - -Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets. -Getting an actuarial model or credit loss calculation wrong is a financial -reporting error. The gate stack's ACL2 prover can verify that the calculation -implementations match the standard's mathematical requirements. 
First-mover -advantage: IFRS 17 was the largest accounting change in a decade. Implementation -was a crisis for insurers. The next wave (IFRS 18, sustainability disclosures -via ISSB) is coming. A verified IFRS gate package is a unique value proposition. - -** UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business) - -UN standards for electronic data interchange (EDI), trade facilitation, and -cross-border data exchange. Key standards: UN/EDIFACT (trade data), Core -Component Library (CCL), Multi-Modal Transport Reference Data Model. Basis -for WTO Trade Facilitation Agreement compliance. - -Who must comply: Customs authorities, logistics providers, trade finance banks, -exporters/importers in 170+ WTO member countries. - -Why it matters: Cross-border trade data exchange is rule-intensive (tariff -classification, rules of origin, customs valuation, sanitary/phytosanitary -requirements). The gate stack can encode trade compliance rules and prove that -every cross-border data exchange satisfies the applicable regulation. First-mover -advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle -modules and customs brokerages. None use verification. - -* First-Mover Window Analysis - -The first-mover window is the time in which a new compliance tool can establish -dominance before incumbents respond or the market settles on a standard approach. - -| Window | Frameworks | Rationale | -|--------|-----------|-----------| -| **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. | -| **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. 
| -| **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. | -| **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. | - -* Expanded Revenue Table - -| Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type | -|-----------|--------|--------------|------------------|-------------------|---------------------|----------------| -| HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control | -| SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit | -| GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent | -| FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring | -| SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls | -| GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy | -| NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls | -| CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows | -| NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain | -| EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management | -| DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience | -| eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates | -| CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security | -| UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy | -| APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy | -| ISMAP | 
Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment | -| PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent | -| Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency | -| APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls | -| IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment | -| DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent | -| LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy | -| LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy | -| ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls | -| ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management | -| Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy | -| FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening | -| IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification | -| UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules | -| World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates | -| IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates | - -A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + -ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider -for regulated cloud globally. The gate package portfolio alone — a mid-size -enterprise running 10+ packages — generates $500K/yr+ in recurring revenue. -At 10,000 such enterprises: $5B/yr. 
The first-mover advantage is not about any -single framework — it is about being the first to offer a unified gate stack -that maps to all of them. +#+title: Compliance Framework Mapping — Global Regulated Industries +#+filetags: :passepartout:triad:compliance:global:index: + +This file has been split into atomic framework notes under [[file:compliance/][compliance/]]. + +See [[file:compliance/_index.org][Compliance framework index]] for the hub with per-framework links. +See [[file:compliance/first-mover-window.org][First-mover window analysis]] for timing. +See [[file:compliance/revenue-table.org][Revenue table]] for pricing and TAM. + +Each framework is its own file in [[file:compliance/][compliance/]]: +- [[file:compliance/hipaa.org][HIPAA]] +- [[file:compliance/soc2.org][SOC 2]] +- [[file:compliance/gdpr.org][GDPR]] +- [[file:compliance/fedramp.org][FedRAMP]] +- [[file:compliance/sox.org][SOX]] +- [[file:compliance/glba.org][GLBA]] +- [[file:compliance/ny-dfs-500.org][NY DFS 500]] +- [[file:compliance/ccpa-cpra.org][CCPA/CPRA]] +- [[file:compliance/quebec-law-25.org][Quebec Law 25]] +- [[file:compliance/uk-gdpr.org][UK GDPR]] +- [[file:compliance/nis2.org][NIS2]] +- [[file:compliance/eu-ai-act.org][EU AI Act]] +- [[file:compliance/dora.org][DORA]] +- [[file:compliance/eidas2.org][eIDAS 2.0]] +- [[file:compliance/cra.org][CRA]] +- [[file:compliance/appi.org][APPI]] +- [[file:compliance/ismap.org][ISMAP]] +- [[file:compliance/pipa.org][PIPA]] +- [[file:compliance/privacy-act-aus.org][Privacy Act Australia]] +- [[file:compliance/apra-cps-234.org][APRA CPS 234]] +- [[file:compliance/irap.org][IRAP]] +- [[file:compliance/dpdp-act.org][DPDP Act India]] +- [[file:compliance/lgpd.org][LGPD Brazil]] +- [[file:compliance/lfp-dppp.org][LFPDPPP Mexico]] +- [[file:compliance/iso-27001.org][ISO 27001]] +- [[file:compliance/iso-27701.org][ISO 27701]] +- [[file:compliance/basel-iii.org][Basel III]] +- [[file:compliance/fatf.org][FATF AML/CFT]] +- 
[[file:compliance/ifrs.org][IFRS]] +- [[file:compliance/oecd.org][OECD Privacy/AI]] +- [[file:compliance/world-bank-esf.org][World Bank ESF]] +- [[file:compliance/ifc-ps.org][IFC PS]] +- [[file:compliance/un-cefact.org][UN/CEFACT]] diff --git a/ideas/compliance/_index.org b/ideas/compliance/_index.org new file mode 100644 index 0000000..697e77e --- /dev/null +++ b/ideas/compliance/_index.org 
@@ -0,0 +1,79 @@ +:PROPERTIES: +:ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c +:CREATED: [2026-05-23 Sat] +:UPDATED: [2026-05-23 Sat] +:END: +#+title: Compliance Framework Index — Global Regulated Industries +#+filetags: :passepartout:triad:compliance:global:index:hub: + +The verification monopoly and domain gate package revenue streams depend on +selling into regulated industries. These industries buy compliance, not software. +Each framework below maps to a gate package the triad can sell — ACL2-verified +gate rules that produce deterministic audit trails. + +See [[file:first-mover-window.org][First-mover window analysis]] and [[file:revenue-table.org][Revenue table]] for the consolidated view. + +* US Frameworks + +- [[file:hipaa.org][HIPAA]] — Health privacy ($50K/yr, 500K+ orgs) +- [[file:soc2.org][SOC 2]] — Service organization controls ($50K/yr, 100K+ orgs) +- [[file:fedramp.org][FedRAMP]] — Federal cloud authorization ($100K/yr, 1K providers) +- [[file:sox.org][SOX]] — Financial controls ($50K/yr, 10K orgs) +- [[file:glba.org][GLBA]] — Financial privacy ($40K/yr, 20K orgs) +- [[file:ny-dfs-500.org][NY DFS 500]] — NY financial cybersecurity ($30K/yr, 3K orgs) +- [[file:ccpa-cpra.org][CCPA/CPRA]] — California privacy ($40K/yr, 50K+ orgs) + +* Canada + +- [[file:quebec-law-25.org][Quebec Law 25]] — Provincial privacy ($25K/yr, 10K+ orgs) + +* UK and EU + +- [[file:gdpr.org][GDPR]] — EU privacy ($50K/yr, 500K+ orgs) +- [[file:uk-gdpr.org][UK GDPR]] — UK privacy ($40K/yr, 100K+ orgs) +- [[file:nis2.org][NIS2]] — Network security ($50K/yr, 160K orgs) +- [[file:eu-ai-act.org][EU AI Act]] — AI regulation ($75K/yr, 100K+ orgs) +- [[file:dora.org][DORA]] — Financial resilience ($50K/yr, 22K+ orgs) +- [[file:eidas2.org][eIDAS 2.0]] — Digital identity ($30K/yr, 10K+ orgs) +- [[file:cra.org][CRA]] — Product cybersecurity ($40K/yr, 50K+ orgs) + +* Asia-Pacific + +- [[file:appi.org][APPI]] — Japan privacy ($40K/yr, 100K+ orgs) +- [[file:ismap.org][ISMAP]] — Japan cloud 
authorization ($75K/yr, 500 providers) +- [[file:pipa.org][PIPA]] — South Korea privacy ($35K/yr, 50K+ orgs) +- [[file:privacy-act-aus.org][Privacy Act]] — Australia privacy ($35K/yr, 50K+ orgs) +- [[file:apra-cps-234.org][APRA CPS 234]] — Australian financial security ($40K/yr, 500 orgs) +- [[file:irap.org][IRAP]] — Australian cloud authorization ($75K/yr, 300 providers) +- [[file:dpdp-act.org][DPDP Act]] — India privacy ($30K/yr, 500K+ orgs) + +* Latin America + +- [[file:lgpd.org][LGPD]] — Brazil privacy ($30K/yr, 200K+ orgs) +- [[file:lfp-dppp.org][LFPDPPP]] — Mexico privacy ($25K/yr, 50K+ orgs) + +* International + +- [[file:iso-27001.org][ISO 27001]] — ISMS ($40K/yr, 60K+ orgs) +- [[file:iso-27701.org][ISO 27701]] — Privacy management ($35K/yr, 1K+ orgs) +- [[file:basel-iii.org][Basel III]] — Banking capital ($100K/yr, 500 G-SIBs) +- [[file:fatf.org][FATF]] — AML/CFT ($50K/yr, 50K+ orgs) +- [[file:ifrs.org][IFRS 17]] — Insurance accounting ($75K/yr, 5K+ orgs) +- [[file:oecd.org][OECD Guidelines]] — Privacy/AI principles (indirect) +- [[file:world-bank-esf.org][World Bank ESF]] — Development finance ($50K/yr) +- [[file:ifc-ps.org][IFC PS]] — Project finance ($50K/yr) +- [[file:un-cefact.org][UN/CEFACT]] — Trade facilitation ($30K/yr, 50K+ orgs) + +* Strategic View + +| Region | Frameworks | Total TAM | First-mover priority | +|--------|-----------|-----------|---------------------| +| US | 7 | ~$33B | FedRAMP (procurement gate), NY DFS 500 (growing) | +| UK/EU | 7 | ~$24B | NIS2 (2025 deadline), AI Act (Aug 2026), DORA (in effect) | +| Asia-Pacific | 7 | ~$9B | DPDP (rules drafting), ISMAP/IRAP (gov cloud gates) | +| Latin America | 2 | ~$7B | LGPD (largest LATAM market) | +| International | 9 | ~$4.5B | ISO 27001 (universal baseline), World Bank/IFC (no market exists) | + +Next: [[file:first-mover-window.org][First-mover window analysis]] | [[file:revenue-table.org][Full revenue table]] +See also: [[file:../../ideas/verification-monopoly.org][Verification 
monopoly]], [[file:../../ideas/domain-gate-packages.org][Domain gate packages]], +[[file:../../ideas/compute-marketplace.org][Compute marketplace]], [[file:../../ideas/infrastructure-lock-in.org][Infrastructure lock-in]] diff --git a/ideas/compliance/appi.org b/ideas/compliance/appi.org new file mode 100644 index 0000000..73f2ccf --- /dev/null +++ b/ideas/compliance/appi.org @@ -0,0 +1,26 @@ +:PROPERTIES: +:ID: auto-appi +:CREATED: [2026-05-23 Sat] +:END: +#+title: +#+filetags: :passepartout:compliance:framework:appi: + + +Japan's comprehensive privacy law (amended 2022, fully effective 2023). +Applies to any business handling personal information of Japanese residents. +Key requirements: consent, purpose specification, data retention limits, +cross-border transfer restrictions (opt-in required), mandatory breach reporting, +data subject access/deletion rights, pseudonymized/anonymized data provisions. +Personal Information Protection Commission (PPC) enforces. + +Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to +1 year imprisonment. Orders to suspend data processing or delete data. + +Who must comply: All businesses handling personal information of Japanese +residents. Extraterritorial — applies to non-Japanese businesses targeting +Japanese residents. + +Why it matters: APPI's cross-border transfer restrictions require fine-grained +control over which data leaves Japan. The gate stack can encode "this data has +APPI cross-border consent flag = false → block egress." First-mover advantage +is moderate — few non-Japanese vendors target APPI specifically, and the 2022 diff --git a/ideas/compliance/apra-cps-234.org b/ideas/compliance/apra-cps-234.org new file mode 100644 index 0000000..731baa4 --- /dev/null +++ b/ideas/compliance/apra-cps-234.org 
@@ -0,0 +1,27 @@ +:PROPERTIES: +:ID: auto-apra-cps-234 +:CREATED: [2026-05-23 Sat] +:END: +#+title: APRA CPS 234 (Prudential Standard — Information Security) +#+filetags: :passepartout:compliance:framework:apra: + +** APRA CPS 234 (Prudential Standard — Information Security) + +Australian Prudential Regulation Authority standard for regulated financial +institutions. Requires: clearly defined information security roles and +responsibilities, periodic cybersecurity capability assessments, robust control +testing, timely remediation of control weaknesses, mandatory notification of +material incidents to APRA within 72 hours. + +Who must comply: Banks, insurers, superannuation funds regulated by APRA. +~500 entities. + +Penalties: APRA can impose capital requirements, license conditions, or +license cancellation for non-compliance. Personal liability for board and +senior management. + +Why it matters: CPS 234's control testing requirement creates demand for +continuous verification — exactly what the gate stack and evaluation harness +provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is +escalating. No vendor provides a deterministic control-testing pipeline. + diff --git a/ideas/compliance/basel-iii.org b/ideas/compliance/basel-iii.org new file mode 100644 index 0000000..cd1f865 --- /dev/null +++ b/ideas/compliance/basel-iii.org 
@@ -0,0 +1,27 @@ +:PROPERTIES: +:ID: auto-basel-iii +:CREATED: [2026-05-23 Sat] +:END: +#+title: Basel III (Bank for International Settlements — Basel Committee) +#+filetags: :passepartout:compliance:framework:basel: + +** Basel III (Bank for International Settlements — Basel Committee) + +International banking regulatory framework (BIS Basel Committee). Sets minimum +capital requirements, liquidity coverage ratio (LCR), net stable funding ratio +(NSFR), leverage ratio, and counterparty credit risk requirements. National +implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.). + +Who must comply: All internationally active banks. Systemically important +financial institutions (G-SIBs) face additional surcharges. + +Penalties: Capital adequacy violations trigger regulatory intervention at +increasing severity — restrictions on dividends, mandatory capital raising, +management replacement, resolution. + +Why it matters: Basel's risk-weight calculation is rule-heavy and +verification-friendly. The gate stack can encode credit risk weight mappings +and produce auditable proof that capital calculations follow the correct +methodology. First-mover advantage: Basel compliance is done via spreadsheets +and specialized risk platforms. No platform uses formal verification for +risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB diff --git a/ideas/compliance/ccpa-cpra.org b/ideas/compliance/ccpa-cpra.org new file mode 100644 index 0000000..e9c70a6 --- /dev/null +++ b/ideas/compliance/ccpa-cpra.org 
@@ -0,0 +1,23 @@ +:PROPERTIES: +:ID: auto-ccpa-cpra +:CREATED: [2026-05-23 Sat] +:END: +#+title: +#+filetags: :passepartout:compliance:framework:ccpa: + + +California's comprehensive privacy law — the closest US analogue to GDPR. +CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to +know, delete, opt out of sale/sharing, correct inaccurate data, limit use +of sensitive PI. Private right of action for data breaches. + +Who must comply: For-profit businesses with >$25M revenue, or handling >100K +consumer records, or deriving >50% revenue from selling PI. Extraterritorial — +applies to any business collecting CA resident data. + +Penalties: $2,500 per violation (intentional: $7,500). Private right of action +for breaches: $100-$750 per incident per consumer. CPRA created the California +Privacy Protection Agency (CPPA) for enforcement. + +Why it matters: The opt-out/sale/sharing requirements create complex data flow +gate rules. The gate stack can encode "this data flow crosses a CCPA boundary" diff --git a/ideas/compliance/cra.org b/ideas/compliance/cra.org new file mode 100644 index 0000000..67320cc --- /dev/null +++ b/ideas/compliance/cra.org 
@@ -0,0 +1,32 @@
+:PROPERTIES:
+:ID: auto-cra
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: transaction." First-mover advantage: wallets are being built now; the provider
+#+filetags: :passepartout:compliance:framework:cra:
+
+transaction." First-mover advantage: wallets are being built now; the provider
+that integrates with the wallet standard first locks in the identity gate
+integration.
+
+** CRA (Cyber Resilience Act)
+
+EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements
+for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM
+(software bill of materials) disclosure, CE marking for cybersecurity.
+
+Who must comply: Manufacturers, importers, and distributors of connected products
+sold in the EU. Categories: default (self-declaration), Class I (third-party
+audit), Class II (notified body assessment).
+
+Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
+reporting obligations.
+
+Why it matters: CRA's CE marking requirement creates a certification pipeline
+that the verification appliance can supply. If Passepartout's gate stack is
+itself CRA-compliant (verified by the evaluation harness), it becomes the
+compliance infrastructure for any product built on it. First-mover advantage:
+Class II products require notified body assessment — the bottleneck is notified
+body capacity. The gate stack's automated evidence pipeline bypasses the
+bottleneck.
+
diff --git a/ideas/compliance/dora.org b/ideas/compliance/dora.org
new file mode 100644
index 0000000..c85aa7c
--- /dev/null
+++ b/ideas/compliance/dora.org
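Review bot: The `#+title:` of cra.org is the fragment `transaction." First-mover advantage: wallets are being built now; the provider`, and the first three body lines (`transaction." …`, `that integrates with the wallet standard …`, `integration.`) are the tail of the eIDAS 2.0 "Why it matters" paragraph, not CRA content; the same `transaction."` line is also the last line of eidas2.org in this patch, so the two split windows overlap rather than partition the source. The real `** CRA (Cyber Resilience Act)` heading only appears on line 12, so a gbrain/org-roam consumer will display this node under an eIDAS sentence. The fix belongs in the converter, not in these files: split at `^\*\* ` headings, set `#+title:` from the heading text, and reject any output whose first non-property, non-blank line is not a heading, then regenerate. Separately, `secure-bydesign` on the Requires line reads as a dropped hyphen (`secure-by-design`), though that may be inherited from the source document.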
@@ -0,0 +1,29 @@ +:PROPERTIES: +:ID: auto-dora +:CREATED: [2026-05-23 Sat] +:END: +#+title: DORA (Digital Operational Resilience Act) +#+filetags: :passepartout:compliance:framework:dora: + +** DORA (Digital Operational Resilience Act) + +EU regulation (effective January 2025) for the financial sector. Requires: +ICT risk management, incident reporting, digital operational resilience testing, +ICT third-party risk management (including contractual access and audit rights +for critical ICT providers), information sharing, threat-led penetration testing +(TLPT) for systemic institutions. + +Who must comply: 22,000+ financial entities in the EU (banks, investment firms, +payment processors, crypto-asset providers, insurance companies). Also ICT +third-party providers deemed critical. + +Penalties: Up to 2% of average daily turnover × number of days breached, or +10M EUR for legal entities. Personal liability for management. + +Why it matters: DORA's third-party risk management requirement is a natural gate +stack use case — every ICT provider access must be gated, logged, and auditable. +TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover +advantage is extremely time-sensitive: DORA is already in effect (January 2025). +Financial institutions are scrambling for compliance tooling. A DORA gate package +at $50K/yr with zero incremental cost per additional user is an immediate sale. + diff --git a/ideas/compliance/dpdp-act.org b/ideas/compliance/dpdp-act.org new file mode 100644 index 0000000..b899f8f --- /dev/null +++ b/ideas/compliance/dpdp-act.org 
@@ -0,0 +1,30 @@
+:PROPERTIES:
+:ID: auto-dpdp-act
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:dpdp:
+
+
+India's first comprehensive federal privacy law (enacted August 2023, rules
+drafting in progress, enforcement expected 2026-2027). Key features: consent
+for personal data processing, data processor obligations, data principal rights
+(right to access, correction, erasure, grievance redressal), Data Protection
+Board of India (DPBI) enforcement, significant penalties, exempted government
+processing for sovereignty/national security.
+
+Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary
+responsibility regardless of processor fault.
+
+Who must comply: Any organization processing personal data of Indian residents,
+where the data is collected in India or used to profile Indian residents.
+Offshore data processors are in scope.
+
+Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive
+privacy law before 2023. The rules (implementation details) are being drafted
+now. This is the widest first-mover window in the global privacy landscape:
+organizations need compliance tooling that doesn't exist yet. The gate stack's
+consent-managed data access model maps directly to DPDP's consent framework.
+A DPDP gate package at $30K/yr (discounted for India market) captures a market
+of hundreds of thousands of businesses with no incumbent vendor.
+
diff --git a/ideas/compliance/eidas2.org b/ideas/compliance/eidas2.org
new file mode 100644
index 0000000..59895fd
--- /dev/null
+++ b/ideas/compliance/eidas2.org
@@ -0,0 +1,26 @@
+:PROPERTIES:
+:ID: auto-eidas2
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:eidas2:
+
+
+** eIDAS 2.0 (Electronic Identification, Authentication and Trust Services)
+
+EU regulation (amended 2024). Creates the EU Digital Identity Wallet — mandatory
+for member states to offer, optional for citizens. Requires: qualified electronic
+signatures/seals/timestamps, qualified trust service providers (QTSPs), and the
+EU Digital Identity Wallet for identity verification across borders.
+
+Who must comply: Trust service providers, government digital identity systems,
+any organization accepting eIDAS-qualified identities. 27 member states must
+provide wallets by 2026.
+
+Penalties: Member state enforcement; penalties vary but non-compliance blocks
+access to the EU digital identity market.
+
+Why it matters: eIDAS 2.0 creates a verified digital identity layer across the
+EU. The gate stack can integrate with eIDAS wallets as the identity provider
+for gate rules — "only X, authenticated via eIDAS wallet, may approve this
+transaction." First-mover advantage: wallets are being built now; the provider
diff --git a/ideas/compliance/eu-ai-act.org b/ideas/compliance/eu-ai-act.org
new file mode 100644
index 0000000..b874caa
--- /dev/null
+++ b/ideas/compliance/eu-ai-act.org
@@ -0,0 +1,32 @@
+:PROPERTIES:
+:ID: auto-eu-ai-act
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: EU AI Act
+#+filetags: :passepartout:compliance:framework:eu:
+
+** EU AI Act
+
+First comprehensive AI regulation globally (effective August 2026). Risk-based
+tiers: unacceptable (banned), high-risk (conformity assessment), limited
+(transparency), minimal (code of conduct). High-risk systems require: risk
+management, data governance, technical documentation, transparency, human
+oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment
+for some high-risk systems (notified bodies).
+
+Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial
+if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
+with additional obligations for systemic-risk GPAI.
+
+Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).
+
+Why it matters: The EU AI Act's conformity assessment requirement creates an
+instant certification market. Passepartout's gate stack can serve as the
+human oversight and accuracy/robustness infrastructure for any AI system
+deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
+force: an ACL2-verified gate stack is the most defensible approach to AI Act
+compliance. First-mover advantage: the regulation takes effect August 2026.
+No certification body or tool vendor has an ACL2-based compliance pipeline.
+First to market captures the standard-setting role.
+
+** DORA (Digital Operational Resilience Act)
diff --git a/ideas/compliance/fatf.org b/ideas/compliance/fatf.org
new file mode 100644
index 0000000..dca37a5
--- /dev/null
+++ b/ideas/compliance/fatf.org
@@ -0,0 +1,32 @@
+:PROPERTIES:
+:ID: auto-fatf
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
+#+filetags: :passepartout:compliance:framework:fatf:
+
+risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
+is a trivial expense relative to the capital requirement penalty of getting the
+mapping wrong.
+
+** FATF (Financial Action Task Force) — AML/CFT Standards
+
+International standard-setter for anti-money laundering and counter-terrorism
+financing. 40 Recommendations covering: risk assessment, customer due diligence
+(CDD), beneficial ownership transparency, suspicious transaction reporting,
+targeted financial sanctions, proliferation financing. National implementation
+varies by jurisdiction.
+
+Who must comply: Financial institutions, DNFBPs (designated non-financial
+businesses and professions), virtual asset service providers (VASPs). In
+practice: every bank, money service business, crypto exchange, and high-value
+dealer globally.
+
+Penalties: National enforcement varies. Systemic failures lead to FATF grey-list
+(monitoring) or black-list (counter-measures). Grey-listing increases transaction
+costs — Iran and North Korea are black-listed.
+
+Why it matters: FATF's CDD requirements are the most widespread and
+rule-complex compliance obligation globally. The gate stack can encode
+tiered CDD rules, prove that every customer onboarding followed the correct
+verification path, and produce an auditable trail for every suspicion
diff --git a/ideas/compliance/fedramp.org b/ideas/compliance/fedramp.org
new file mode 100644
index 0000000..096c22c
--- /dev/null
+++ b/ideas/compliance/fedramp.org
@@ -0,0 +1,60 @@
+:PROPERTIES:
+:ID: auto-fedramp
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: FedRAMP (Federal Risk and Authorization Management Program)
+#+filetags: :passepartout:compliance:framework:fedramp:
+
+* FedRAMP (Federal Risk and Authorization Management Program)
+
+** What it is
+
+US federal government's standardized approach to security assessment,
+authorization, and continuous monitoring for cloud services. OMB policy
+mandate — federal agencies must use FedRAMP-authorized services when available.
+
+Three impact levels based on data sensitivity:
+
+| Level | Data type | Examples | Cost to achieve | Timeline |
+|---------|-----------|---------------------------------|-----------------|----------|
+| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
+| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
+| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |
+
+Two authorization paths:
+- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
+ DOD. Hardest path, most reusable across agencies.
+- **Agency:** authorization by a single federal agency for its own use. Faster
+ but less portable.
+
+Requires continuous monitoring (monthly scans, annual assessments, POA&M
+for findings).
+
+** Who must comply
+
+Any cloud service provider that sells to US federal agencies. Including
+IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
+are strongly discouraged from using non-authorized services.
+
+** Penalties
+
+No direct fines. Non-authorized providers are simply ineligible for federal
+contracts. FedRAMP is a procurement gate, not a regulatory one.
+
+** Why it matters for the triad
+
+FedRAMP is the highest bar and the most expensive certification to obtain.
+Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
+But those that do capture the US government market with minimal competition.
+For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
+authorization can sell to every federal agency. The gate stack's deterministic
+audit trail maps directly to FedRAMP's continuous monitoring requirement —
+producing verifiable evidence of control effectiveness on every access, not
+just during the annual assessment. This is what justifies the
+[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
+package, it is the evidence pipeline for a certification that costs $1M-$5M
+and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
+applies hardest here: an agency that has relied on a FedRAMP-authorized compute
+provider for five years cannot switch without re-running the entire authorization
+process with a new provider.
+
diff --git a/ideas/compliance/first-mover-window.org b/ideas/compliance/first-mover-window.org
new file mode 100644
index 0000000..9c008d6
--- /dev/null
+++ b/ideas/compliance/first-mover-window.org
@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID: auto-first-mover-window
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: First-Mover Window Analysis
+#+filetags: :passepartout:compliance:strategy:first-mover:
+
+* First-Mover Window Analysis
+
+The first-mover window is the time in which a new compliance tool can establish
+dominance before incumbents respond or the market settles on a standard approach.
+
+| Window | Frameworks | Rationale |
+|--------|-----------|-----------|
+| **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
+| **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
+| **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
+| **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
+
+
+
+See also: [[file:_index.org][Compliance index]], [[file:revenue-table.org][Revenue table]],
+[[file:../../ideas/verification-appliance.org][Verification appliance]], [[file:../../ideas/verification-monopoly.org][Verification monopoly]]
diff --git a/ideas/compliance/gdpr.org b/ideas/compliance/gdpr.org
new file mode 100644
index 0000000..4662ba4
--- /dev/null
+++ b/ideas/compliance/gdpr.org
@@ -0,0 +1,54 @@
+:PROPERTIES:
+:ID: auto-gdpr
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: GDPR (General Data Protection Regulation)
+#+filetags: :passepartout:compliance:framework:gdpr:
+
+* GDPR (General Data Protection Regulation)
+
+** What it is
+
+EU regulation (effective May 2018) governing the processing of personal data of
+natural persons in the EU. Extraterritorial — applies to any organization
+processing EU personal data regardless of where the organization is based.
+
+Key requirements:
+- Lawful basis for processing (consent, contract, legal obligation, vital
+ interests, public task, legitimate interests)
+- Data minimization — collect only what is necessary
+- Purpose limitation — do not reuse data for incompatible purposes
+- Storage limitation — delete when no longer needed
+- Right of access, rectification, erasure (right to be forgotten),
+ data portability, restriction, objection
+- Data Protection Impact Assessment (DPIA) for high-risk processing
+- Breach notification within 72 hours to supervisory authority
+- Data Protection Officer (DPO) appointment for certain controllers/processors
+- Data Processing Agreements (DPAs) between controllers and processors
+
+** Who must comply
+
+Any organization that processes personal data of EU residents. Includes
+controllers (determine purposes and means) and processors (process on behalf
+of controller). Non-EU organizations with EU data subjects are in scope.
+
+** Penalties
+
+Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
+system. Supervisory authorities in each member state enforce. Private right
+of action for damages.
+
+** Why it matters for the triad
+
+GDPR is the most extraterritorial and aggressively enforced privacy framework.
+The gate stack's principle of least privilege maps naturally to GDPR's data
+minimization requirement. Every data access is gated by a verified rule that
+states the purpose — the proof log is a built-in DPIA artifact. For the
+[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
+maintain DPAs with all clients. Proof logs themselves may constitute personal
+data if they reference natural persons (names in access rules, etc.), creating
+a demand for privacy-preserving proof techniques. This is why the
+[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
+purpose-boundary gate rules that are independently verified by the provider's
+[[file:evaluation-harness.org][evaluation harness]].
+
diff --git a/ideas/compliance/glba.org b/ideas/compliance/glba.org
new file mode 100644
index 0000000..5dacf2a
--- /dev/null
+++ b/ideas/compliance/glba.org
@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID: auto-glba
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:glba:
+
+
+US federal law governing financial institutions' handling of nonpublic personal
+information (NPI). Requires privacy notices, opt-out rights, and a Safeguards
+Rule requiring an information security program.
+
+Who must comply: Banks, credit unions, insurance companies, securities firms,
+financial advisers. ~20,000 institutions.
+
+Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers
+and directors personally liable.
+
+Why it matters: The Safeguards Rule maps directly to gate stack access controls.
+Every NPI access is gated; the proof log is the security program's evidence.
+First-mover advantage is narrow (GLBA is well-understood) but the market is
+large because every financial institution that dodges HIPAA still faces GLBA.
+
diff --git a/ideas/compliance/hipaa.org b/ideas/compliance/hipaa.org
new file mode 100644
index 0000000..e5e56d4
--- /dev/null
+++ b/ideas/compliance/hipaa.org
@@ -0,0 +1,44 @@
+:PROPERTIES:
+:ID: auto-hipaa
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: HIPAA (Health Insurance Portability and Accountability Act)
+#+filetags: :passepartout:compliance:framework:hipaa:
+
+* HIPAA (Health Insurance Portability and Accountability Act)
+
+** What it is
+
+US federal law enacted 1996. Governs how protected health information (PHI)
+is stored, transmitted, and accessed. Two relevant rules:
+
+- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights
+ to access, amend, and request accounting of disclosures. Minimum necessary
+ standard — only the minimum PHI needed for the task may be used.
+- **Security Rule:** administrative, physical, and technical safeguards for
+ electronic PHI (ePHI). Requires access controls, audit controls, integrity
+ controls, person/entity authentication, and transmission security.
+
+** Who must comply
+
+Covered entities (health plans, healthcare clearinghouses, healthcare providers
+who transmit any ePHI) and business associates (any vendor handling PHI on behalf
+of a covered entity). Business Associate Agreements (BAAs) are mandatory.
+
+** Penalties
+
+Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per
+violation category. Criminal penalties for knowing misuse (up to 10 years
+imprisonment). State AGs can also bring civil actions.
+
+** Why it matters for the triad
+
+HIPAA is the largest single compliance market in US healthcare — every hospital,
+clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
+($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
+constraints. Every PHI access attempt passes through the gate stack, producing
+a machine-checkable audit trail that satisfies the Security Rule's audit control
+requirement automatically. No separate logging infrastructure needed. Over a
+five-year deployment, the accumulated fact store and proof history create
+[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
+
diff --git a/ideas/compliance/ifc-ps.org b/ideas/compliance/ifc-ps.org
new file mode 100644
index 0000000..f6c3cc9
--- /dev/null
+++ b/ideas/compliance/ifc-ps.org
@@ -0,0 +1,26 @@
+:PROPERTIES:
+:ID: auto-ifc-ps
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: projects in 100+ countries. Also adopted by many multilateral development banks
+#+filetags: :passepartout:compliance:framework:ifc:
+
+projects in 100+ countries. Also adopted by many multilateral development banks
+(MDBs) as their standard.
+
+Why it matters: ESF compliance is condition precedent to World Bank disbursement.
+Delays in compliance verification delay project funding. The gate stack's
+deterministic rule system can encode ESF standards as execution gates — "no
+disbursement unless ESS5 resettlement plan is verified complete." First-mover
+advantage: World Bank compliance is entirely document-based (reports, audits,
+site visits). A verified gate system is unprecedented.
+
+** IFC Performance Standards (PS)
+
+International Finance Corporation's standards for environmental and social
+sustainability in private sector investment. Eight standards: PS1 (risk
+management), PS2 (labor), PS3 (resource efficiency), PS4 (community health),
+PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8
+(cultural heritage). Adopted by over 80 Equator Principles financial
+institutions (project finance lenders).
+
diff --git a/ideas/compliance/ifrs.org b/ideas/compliance/ifrs.org
new file mode 100644
index 0000000..1bedd92
--- /dev/null
+++ b/ideas/compliance/ifrs.org
@@ -0,0 +1,26 @@
+:PROPERTIES:
+:ID: auto-ifrs
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:ifrs:
+
+
+Who must comply: IFC investees and clients; any project finance deal under
+the Equator Principles.
+
+Why it matters: The Equator Principles affect $100B+/yr in project finance.
+Compliance verification is done by external consultants. The gate stack can
+automate the evidence collection and provide verifiable proof that each PS
+requirement has been met before financial close. First-mover advantage: no
+vendor serves this market with automation — it is entirely consultant-delivered.
+
+** IFRS (International Financial Reporting Standards)
+
+International accounting standards (IFRS Foundation, 166 jurisdictions). IFRS 17
+(insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the
+most rule-complex — requiring actuarial models, expected credit loss calculations,
+and contract classification algorithms.
+
+Who must comply: Publicly listed companies in 166 jurisdictions including the
+EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
diff --git a/ideas/compliance/irap.org b/ideas/compliance/irap.org
new file mode 100644
index 0000000..c0d0908
--- /dev/null
+++ b/ideas/compliance/irap.org
@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID: auto-irap
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:irap:
+
+
+** IRAP (Infosec Registered Assessors Program)
+
+Australian government's cloud security assessment program — analogous to
+FedRAMP. Cloud services used by Australian government agencies must have an
+IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
+Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.
+
+Who must comply: Cloud providers selling to Australian federal, state, and
+local government agencies. Also critical infrastructure providers.
+
+Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP
+Protected-level assessment is expensive and takes 6-12 months. First-mover
+advantage: the gate stack's deterministic audit trail can be the primary
+evidence artifact, reducing assessment scope/cost.
+
diff --git a/ideas/compliance/ismap.org b/ideas/compliance/ismap.org
new file mode 100644
index 0000000..284bbe3
--- /dev/null
+++ b/ideas/compliance/ismap.org
@@ -0,0 +1,24 @@
+:PROPERTIES:
+:ID: auto-ismap
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: is moderate — few non-Japanese vendors target APPI specifically, and the 2022
+#+filetags: :passepartout:compliance:framework:ismap:
+
+is moderate — few non-Japanese vendors target APPI specifically, and the 2022
+amendments added requirements that created compliance gaps.
+
+** ISMAP (Government Information System Security Management and Assessment Program)
+
+Japan's government cloud security program — analogous to FedRAMP. Cloud services
+used by Japanese government agencies must be ISMAP-authorized. Managed by the
+Digital Agency and the Information-technology Promotion Agency (IPA).
+
+Who must comply: Cloud service providers selling to Japanese national and local
+government agencies.
+
+Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is
+time-consuming and expensive. A compute marketplace provider with ISMAP
+authorization has exclusive access to the Japanese government market. First-mover
+advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.
+
diff --git a/ideas/compliance/iso-27001.org b/ideas/compliance/iso-27001.org
new file mode 100644
index 0000000..6332cdf
--- /dev/null
+++ b/ideas/compliance/iso-27001.org
@@ -0,0 +1,31 @@
+:PROPERTIES:
+:ID: auto-iso-27001
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:iso:
+
+
+International standard for information security management systems (ISMS).
+The most widely adopted security certification globally — ~60,000 certified
+organizations. Requires: risk assessment, security controls (Annex A, 93
+controls across 4 domains), continuous improvement (Plan-Do-Check-Act),
+management review, internal audit.
+
+Who must comply: Self-selected — enterprises pursue ISO 27001 certification
+because supply chain partners and regulators require it. Increasingly mandatory
+for: cloud providers, government contractors, critical infrastructure, and
+regulated financial institutions in multiple jurisdictions.
+
+Penalties: No direct fines. Losing certification means losing business.
+
+Why it matters: ISO 27001 is the universal baseline. It is the entry-level
+certification that opens every other regulated market. The gate stack maps
+to Annex A controls directly (A.9 access control, A.12 operations security,
+A.16 incident management, A.18 compliance). First-mover advantage: the ISO
+27001 audit market is mature ($68B) and entirely manual (auditors flip through
+binders). A gate stack that produces audit evidence automatically is not
+competing with other software — it is competing with binders.
+
+** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001)
+
diff --git a/ideas/compliance/iso-27701.org b/ideas/compliance/iso-27701.org
new file mode 100644
index 0000000..e57a886
--- /dev/null
+++ b/ideas/compliance/iso-27701.org
@@ -0,0 +1,20 @@
+:PROPERTIES:
+:ID: auto-iso-27701
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:iso:
+
+
+International standard extending ISO 27001 for privacy information management.
+Aligns with GDPR requirements. Provides a framework for PII (personally
+identifiable information) controllers and processors.
+
+Why it matters: ISO 27701 bridges information security and privacy compliance.
+An organization with ISO 27001 + ISO 27701 certification has a unified
+audit framework. The gate stack's access control gates + privacy gates satisfy
+both standards from the same infrastructure. First-mover advantage: adoption is
+growing but still low (~1,000 certifications). Early gate package captures the
+growth market.
+
+** Basel III (Bank for International Settlements — Basel Committee)
diff --git a/ideas/compliance/lfp-dppp.org b/ideas/compliance/lfp-dppp.org
new file mode 100644
index 0000000..96ffe3c
--- /dev/null
+++ b/ideas/compliance/lfp-dppp.org
@@ -0,0 +1,24 @@
+:PROPERTIES:
+:ID: auto-lfp-dppp
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:lfp:
+
+
+Mexico's federal privacy law (effective 2010, reformed 2024). Key requirements:
+consent, notice (privacy notice must specify the "responsible party"), purpose
+limitation, data subject rights (ARCO — access, rectification, cancellation,
+opposition + deletion, portability), cross-border data transfer limitations,
+security breach notification. INAI (National Institute for Transparency,
+Access to Information and Personal Data Protection) enforces.
+
+Penalties: Up to 1.9M days of minimum wage (~$5M USD); INAI can also
+suspend data processing.
+
+Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are
+pushing toward privacy regime interoperability. A bilingual (Spanish/English)
+gate package covering both LFPDPPP and US frameworks serves the massive
+US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is
+less automated than GDPR; the market has fewer vendors and lower expectations.
+
diff --git a/ideas/compliance/lgpd.org b/ideas/compliance/lgpd.org
new file mode 100644
index 0000000..6c18848
--- /dev/null
+++ b/ideas/compliance/lgpd.org
@@ -0,0 +1,28 @@
+:PROPERTIES:
+:ID: auto-lgpd
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:lgpd:
+
+
+Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
+Modeled on GDPR but with differences: LGPD defines "data processing agents"
+(controller and operator), requires appointment of DPO (data protection officer),
+mandates breach notification to ANPD (National Data Protection Authority) and
+affected data subjects. 10 legal bases for processing (vs 6 in GDPR).
+
+Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL
+(~$10M) per violation. ANPD can also order suspension of processing, partial
+or total prohibition of database operation.
+
+Who must comply: Any organization (public or private) processing personal data
+of Brazilian residents, regardless of where the organization is based. No
+revenue threshold.
+
+Why it matters: LGPD affects every business operating in Latin America's largest
+economy. The 2% revenue penalty structure creates strong economic incentive.
+First-mover advantage: fewer compliance automation vendors in the Portuguese
+market. A Portuguese-language gate package with LGPD-specific consent and data
+subject rights gates captures a market of 210M people.
+
diff --git a/ideas/compliance/nis2.org b/ideas/compliance/nis2.org
new file mode 100644
index 0000000..b1c8b95
--- /dev/null
+++ b/ideas/compliance/nis2.org
@@ -0,0 +1,34 @@
+:PROPERTIES:
+:ID: auto-nis2
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:nis2:
+
+
+EU directive (effective October 2024, member states transpose by October 2025).
+Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy,
+transport, banking, financial market infrastructure, health, drinking water,
+wastewater, digital infrastructure, ICT service management, public administration,
+space, postal services, food, chemicals, manufacturing (critical products).
+
+Key requirements: risk management measures (supply chain security, incident
+handling, business continuity), incident notification (24-hour early warning,
+72-hour full report), C-level accountability (management can be held personally
+liable for non-compliance), supply chain security for critical vendors.
+
+Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS).
+Two tiers: essential (strict) and important (moderate). Extraterritorial — any
+organization providing services to EU entities in covered sectors.
+
+Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal
+liability for management.
+
+Why it matters: NIS2 is the largest European cybersecurity mandate ever.
+Every requirement maps to a gate rule: supply chain access verification,
+incident notification triggers, business continuity approval chains. First-mover
+advantage is urgent — the transposition deadline is October 2025 (17 months).
+Organizations need gate packages now. No competitor has a declarative gate
+model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.
+
+** EU AI Act
diff --git a/ideas/compliance/ny-dfs-500.org b/ideas/compliance/ny-dfs-500.org
new file mode 100644
index 0000000..1046d34
--- /dev/null
+++ b/ideas/compliance/ny-dfs-500.org
@@ -0,0 +1,25 @@
+:PROPERTIES:
+:ID: auto-ny-dfs-500
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title:
+#+filetags: :passepartout:compliance:framework:ny:
+
+
+** NY DFS 500 (23 NYCRR 500)
+
+New York State Department of Financial Services cybersecurity regulation for
+financial services. The most aggressive US state-level financial cybersecurity
+rule. Requires: risk assessment, penetration testing, multi-factor authentication,
+incident response plan, annual certification of compliance by the board.
+
+Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage
+brokers, virtual currency companies operating in New York. ~3,000 institutions.
+
+Penalties: $200K-$1M per violation; business license revocation possible.
+
+Why it matters: The annual board certification requirement creates demand for
+verifiable evidence of control effectiveness — exactly what the gate stack
+produces. First-mover advantage is significant (few vendors target NY DFS 500
+specifically) and the regulation is a template that other states are adopting.
+
diff --git a/ideas/compliance/oecd.org b/ideas/compliance/oecd.org
new file mode 100644
index 0000000..67e6181
--- /dev/null
+++ b/ideas/compliance/oecd.org
@@ -0,0 +1,23 @@
+:PROPERTIES:
+:ID: auto-oecd
+:CREATED: [2026-05-23 Sat]
+:END:
+#+title: verification path, and produce an auditable trail for every suspicion
+#+filetags: :passepartout:compliance:framework:oecd:
+
+verification path, and produce an auditable trail for every suspicion
+determination. First-mover advantage: AML compliance is a $50B+ market
+dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use
+formal verification. The gate stack's proof log is a "deterministic audit
+trail" that regulators would recognize as superior to the current paper-trail
+approach.
+
+** OECD Privacy Guidelines and AI Principles
+
+OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation,
+data quality, purpose specification, use limitation, security safeguards,
+openness, individual participation, accountability. Non-binding but foundational
+— the basis for GDPR, APPI, LGPD, and most other privacy laws.
+
+OECD AI Principles (adopted 2019, updated 2024): Five values-based principles
+— inclusive growth and well-being, human-centered values and fairness,
diff --git a/ideas/compliance/pipa.org b/ideas/compliance/pipa.org
new file mode 100644
index 0000000..6e469b0
--- /dev/null
+++ b/ideas/compliance/pipa.org
@@ -0,0 +1,30 @@ +:PROPERTIES: +:ID: auto-pipa +:CREATED: [2026-05-23 Sat] +:END: +#+title: +#+filetags: :passepartout:compliance:framework:pipa: + + +South Korea's comprehensive privacy law (enacted 2011, major amendments 2023 +and 2024). One of the strictest privacy regimes globally. Key requirements: +consent, data minimization, purpose limitation, mandatory privacy impact +assessment, data protection officer, breach notification within 72 hours, +cross-border transfer restrictions, right to request data transmission +(portability). The Personal Information Protection Commission (PIPC) enforces +aggressively. + +Penalties: Up to 3% of revenue (raised from 0.5% in 2024 amendments). Criminal +penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M) +against major tech companies. Class action lawsuits permitted. + +Who must comply: Any organization handling personal information of South Korean +residents. Extraterritorial scope is broad and actively enforced. + +Why it matters: PIPA is structurally similar to GDPR but with stricter +enforcement and higher penalties relative to market size. The gate stack's +purpose-boundary gates map directly to PIPA's purpose limitation requirement. +First-mover advantage is large — PIPA has fewer compliance automation vendors +than GDPR, and the 2024 amendments (stricter consent, higher fines) are still +settling. + diff --git a/ideas/compliance/privacy-act-aus.org b/ideas/compliance/privacy-act-aus.org new file mode 100644 index 0000000..ee82966 --- /dev/null +++ b/ideas/compliance/privacy-act-aus.org 
@@ -0,0 +1,30 @@ +:PROPERTIES: +:ID: auto-privacy-act-aus +:CREATED: [2026-05-23 Sat] +:END: +#+title: +#+filetags: :passepartout:compliance:framework:privacy: + + +Australia's federal privacy law (amended 2023-2025). Comprehensive reform in +progress — the Privacy Act Review (2023) proposes significant expansion: +tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained), +direct right of action for individuals, new tort of serious invasion of privacy, +children's privacy code, automated decision-making transparency. + +Who must comply: Most Australian businesses with >$3M AUD turnover; all +health service providers; all businesses handling tax file numbers. Extraterritorial +— applies to any organization with an Australian link. + +Penalties: Current maximum $50M AUD (from amendments effective late 2024). +OAIC (Office of the Australian Information Commissioner) enforces. New direct +right of action will increase private litigation. + +Why it matters: The Privacy Act Review's proposed automated decision-making +transparency requirements are unique — organizations must disclose the logic +and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the +most defensible transparency artifact available. First-mover advantage: the +reforms are being legislated now; early adoption positions the gate stack as +the reference implementation. + +** APRA CPS 234 (Prudential Standard — Information Security) diff --git a/ideas/compliance/quebec-law-25.org b/ideas/compliance/quebec-law-25.org new file mode 100644 index 0000000..2de6ea5 --- /dev/null +++ b/ideas/compliance/quebec-law-25.org 
@@ -0,0 +1,25 @@ +:PROPERTIES: +:ID: auto-quebec-law-25 +:CREATED: [2026-05-23 Sat] +:END: +#+title: gate rules. The gate stack can encode "this data flow crosses a CCPA boundary" +#+filetags: :passepartout:compliance:framework:quebec: + +gate rules. The gate stack can encode "this data flow crosses a CCPA boundary" +and automatically enforce the opt-out at every data access. First-mover +advantage is moderate (many CCPA tools exist) but none provide a deterministic, +verifiable audit trail — they are all document-based. + +** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA) + +Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy +regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment, +privacy impact assessments, consent modernization, data portability, right to +de-index, algorithm transparency (automated decision-making disclosures). +Penalties up to $25M CAD or 4% of global revenue. + +Why it matters: The algorithm transparency requirement is unique — organizations +must disclose how automated decision systems work. The gate stack's ACL2 proof +log is a natural algorithm transparency artifact. First-mover advantage: this +is a new requirement with no established vendor tooling. + diff --git a/ideas/compliance/revenue-table.org b/ideas/compliance/revenue-table.org new file mode 100644 index 0000000..9d81df0 --- /dev/null +++ b/ideas/compliance/revenue-table.org 
@@ -0,0 +1,60 @@ +:PROPERTIES: +:ID: auto-revenue-table +:CREATED: [2026-05-23 Sat] +:END: +#+title: Compliance Framework Revenue Table +#+filetags: :passepartout:compliance:revenue:pricing: + +* Expanded Revenue Table + +| Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type | +|-----------|--------|--------------|------------------|-------------------|---------------------|----------------| +| HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control | +| SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit | +| GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent | +| FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring | +| SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls | +| GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy | +| NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls | +| CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows | +| NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain | +| EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management | +| DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience | +| eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates | +| CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security | +| UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy | +| APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy | +| ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment | +| PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent | +| Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms 
legislating) | Privacy + AI transparency | +| APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls | +| IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment | +| DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent | +| LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy | +| LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy | +| ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls | +| ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management | +| Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy | +| FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening | +| IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification | +| UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules | +| World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates | +| IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates | + +A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + +ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider +for regulated cloud globally. The gate package portfolio alone — a mid-size +enterprise running 10+ packages — generates $500K/yr+ in recurring revenue. +At 10,000 such enterprises: $5B/yr. The first-mover advantage is not about any +single framework — it is about being the first to offer a unified gate stack +that maps to all of them. + + +A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + +ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider +for regulated cloud globally. 
The gate package portfolio alone — a mid-size +enterprise running 10+ packages — generates $500K/yr+ in recurring revenue. +At 10,000 such enterprises: $5B/yr. + +See also: [[file:_index.org][Compliance index]], [[file:first-mover-window.org][First-mover window analysis]], +[[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/compute-marketplace.org][Compute marketplace]] diff --git a/ideas/compliance/soc2.org b/ideas/compliance/soc2.org new file mode 100644 index 0000000..b7a63cb --- /dev/null +++ b/ideas/compliance/soc2.org 
@@ -0,0 +1,53 @@ +:PROPERTIES: +:ID: auto-soc2 +:CREATED: [2026-05-23 Sat] +:END: +#+title: SOC 2 (System and Organization Controls 2) +#+filetags: :passepartout:compliance:framework:soc2: + +* SOC 2 (System and Organization Controls 2) + +** What it is + +An auditing standard developed by AICPA (American Institute of CPAs). Not a law. +Certifies that a service organization's controls over security, availability, +processing integrity, confidentiality, and privacy meet defined criteria. + +Five Trust Service Criteria (TSC): +- **Security** (mandatory): protection against unauthorized access (firewall, + access control, intrusion detection) +- **Availability** (optional): system available for operation and use as + committed (uptime, redundancy, disaster recovery) +- **Processing Integrity** (optional): system processing is complete, valid, + accurate, timely, and authorized +- **Confidentiality** (optional): information designated as confidential is + protected as committed +- **Privacy** (optional): personal information is collected, used, retained, + disclosed, and disposed of in conformity with commitments + +Two types: +- **Type I:** controls are suitably designed at a specific point in time +- **Type II:** controls operated effectively over a period (6-12 months) + +** Who must comply + +Any SaaS or cloud service provider whose enterprise customers require audited +vendors. Table stakes for B2B — most enterprise procurement contracts require +SOC 2 Type II. + +** Penalties + +No direct fines (not a law). But losing SOC 2 certification means losing +enterprise customers. Misrepresentation of certification status is fraud. + +** Why it matters for the triad + +SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider +needs SOC 2 Type II to sell compute to enterprises whose procurement policy +requires audited vendors. 
The gate stack itself maps directly to the Security +criterion (access controls, audit trails) — the Passepartout instance's +deterministic gate log serves as the evidence artifact for the audit. No +separate logging SIEM needed. This is the prerequisite to the larger +[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they +buy domain-specific gate packages for the same infrastructure. + diff --git a/ideas/compliance/sox.org b/ideas/compliance/sox.org new file mode 100644 index 0000000..08beaea --- /dev/null +++ b/ideas/compliance/sox.org @@ -0,0 +1,27 @@ +:PROPERTIES: +:ID: auto-sox +:CREATED: [2026-05-23 Sat] +:END: +#+title: +#+filetags: :passepartout:compliance:framework:sox: + + +US federal law (2002). Mandates internal controls over financial reporting +(ICFR) for publicly traded companies. Section 404 requires management to assess +and auditors to attest to the effectiveness of internal controls. + +Who must comply: All US public companies; foreign issuers trading on US exchanges. +~6,000 public companies + foreign filers. + +Penalties: Up to $5M fines and 20 years imprisonment for certifying false +financial statements. CEO and CFO personally liable. + +Why it matters: Every financial control is a gate rule — who can approve a +journal entry, who can release a payment, who can modify a vendor record. The +gate stack encodes these as ACL2-verified rules and produces the audit trail +that the external auditor needs for Section 404 attestation. First-mover +advantage: SOX is mature (24 years old) but the audit market is $4B+ and +entirely manual — no competitor has automated the evidence pipeline. + +** GLBA (Gramm-Leach-Bliley Act) + diff --git a/ideas/compliance/uk-gdpr.org b/ideas/compliance/uk-gdpr.org new file mode 100644 index 0000000..9611be2 --- /dev/null +++ b/ideas/compliance/uk-gdpr.org 
@@ -0,0 +1,21 @@ +:PROPERTIES: +:ID: auto-uk-gdpr +:CREATED: [2026-05-23 Sat] +:END: +#+title: +#+filetags: :passepartout:compliance:framework:uk: + + +Post-Brexit, the UK maintains its own version of GDPR via the Data Protection +Act 2018. Substantively identical to EU GDPR but diverging over time. The UK +has announced separate reforms targeting AI and digital identity. ICO (Information +Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover. + +Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed +for EU GDPR ports directly with verified translation of terminology (supervisory +authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL2 +prover can verify that the UK version's rules are consistent with the EU version +(and alert when they diverge). This is a concrete ACL2 application. + +** NIS2 (Network and Information Security Directive) + diff --git a/ideas/compliance/un-cefact.org b/ideas/compliance/un-cefact.org new file mode 100644 index 0000000..eb304b9 --- /dev/null +++ b/ideas/compliance/un-cefact.org 
@@ -0,0 +1,35 @@ +:PROPERTIES: +:ID: auto-un-cefact +:CREATED: [2026-05-23 Sat] +:END: +#+title: EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most +#+filetags: :passepartout:compliance:framework:un: + +EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most +of Asia and Africa. The US (GAAP) is the major holdout. + +Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets. +Getting an actuarial model or credit loss calculation wrong is a financial +reporting error. The gate stack's ACL2 prover can verify that the calculation +implementations match the standard's mathematical requirements. First-mover +advantage: IFRS 17 was the largest accounting change in a decade. Implementation +was a crisis for insurers. The next wave (IFRS 18, sustainability disclosures +via ISSB) is coming. A verified IFRS gate package is a unique value proposition. + +** UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business) + +UN standards for electronic data interchange (EDI), trade facilitation, and +cross-border data exchange. Key standards: UN/EDIFACT (trade data), Core +Component Library (CCL), Multi-Modal Transport Reference Data Model. Basis +for WTO Trade Facilitation Agreement compliance. + +Who must comply: Customs authorities, logistics providers, trade finance banks, +exporters/importers in 170+ WTO member countries. + +Why it matters: Cross-border trade data exchange is rule-intensive (tariff +classification, rules of origin, customs valuation, sanitary/phytosanitary +requirements). The gate stack can encode trade compliance rules and prove that +every cross-border data exchange satisfies the applicable regulation. First-mover +advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle +modules and customs brokerages. None use verification. + diff --git a/ideas/compliance/world-bank-esf.org b/ideas/compliance/world-bank-esf.org new file mode 100644 index 0000000..3073b5a 
--- /dev/null +++ b/ideas/compliance/world-bank-esf.org @@ -0,0 +1,28 @@ +:PROPERTIES: +:ID: auto-world-bank-esf +:CREATED: [2026-05-23 Sat] +:END: +#+title: — inclusive growth and well-being, human-centered values and fairness, +#+filetags: :passepartout:compliance:framework:world: + +— inclusive growth and well-being, human-centered values and fairness, +transparency and explainability, robustness and safety, accountability. +Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI +guidelines all cite them. + +Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory +alignment with OECD principles is often a procurement requirement for +international organizations and development finance institutions. First-mover +advantage is about standard-setting: the gate package that maps to OECD +principles first becomes the reference implementation. + +** World Bank Environmental and Social Framework (ESF) + +The World Bank's framework for managing environmental and social risk in +investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3 +(resource efficiency), ESS4 (community health), ESS5 (land/resettlement), +ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage), +ESS9 (financial intermediaries), ESS10 (stakeholder engagement). + +Who must comply: Borrowers and project implementers across World Bank-financed +projects in 100+ countries. Also adopted by many multilateral development banks diff --git a/scripts/org-to-gbrain.py b/scripts/org-to-gbrain.py index 21446e0..f417c5d 100644 --- a/scripts/org-to-gbrain.py +++ b/scripts/org-to-gbrain.py 
@@ -1,12 +1,47 @@
 #!/usr/bin/env python3
 """Convert brain Org-mode files to markdown + YAML frontmatter and sync into gbrain."""
-import subprocess, re, os, sys
+import subprocess, re, os, sys, glob
 BRAIN = "/root/brain"
 GBRAIN_SRC = "/mnt/hermes/brain"
 PANDOC = "/usr/bin/pandoc"
 BUN = os.path.expanduser("~/.bun/bin/gbrain")
+def find_org_files():
+ """Scan ideas/ recursively for all .org files, return (slug, rel_path, abs_path)."""
+ files = []
+ base = f"{BRAIN}/ideas"
+ for root, dirs, filenames in os.walk(base):
+ for fn in filenames:
+ if not fn.endswith('.org'):
+ continue
+ abs_path = os.path.join(root, fn)
+ rel = os.path.relpath(abs_path, base)
+ # rel is like "compliance/hipaa.org" or "triad-overview.org"
+ name = fn[:-4] # remove .org
+ files.append((name, rel, abs_path))
+ return files
+
+def gbrain_target(rel_path):
+ """Derive gbrain target path from org relative path.
+
+ ideas/compliance/hipaa.org → concepts/compliance/hipaa.md
+ ideas/triad-overview.org → concepts/triad-overview.md (via routing dict)
+ ideas/competitive-analysis...→ ideas/competitive-analysis.md
+ """
+ parts = rel_path.split('/')
+
+ if len(parts) == 1:
+ # Flat file in ideas/ root — use ROUTING dict
+ slug = parts[0][:-4] if parts[0].endswith('.org') else parts[0][:-4]
+ category = ROUTING.get(slug, "concepts")
+ return f"{GBRAIN_SRC}/{category}/{slug}.md"
+ else:
+ # In a subdirectory: ideas/compliance/foo.org → concepts/compliance/foo.md
+ subdir = parts[0]
+ slug = parts[1][:-4] if parts[1].endswith('.org') else parts[1][:-4]
+ return f"{GBRAIN_SRC}/concepts/{subdir}/{slug}.md"
+
 def extract_org_properties(src_path):
 """Extract :PROPERTIES: drawer and #+title/#+filetags from an org file."""
 props = {}
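Review bot: In gbrain_target both arms of `slug = parts[0][:-4] if parts[0].endswith('.org') else parts[0][:-4]` (and the matching line for `parts[1]`) are identical, so the `.endswith` test is dead and a name without the suffix silently loses its last four characters; `os.path.splitext` expresses the intent and also handles a file nested deeper than one directory, which the `parts[1]` branch currently collapses to two path components. The `glob` import added on the first changed line is unused — find_org_files walks with `os.walk` — and `dirs` in that loop is unused as well. Since find_org_files already computes the slug, gbrain_target could accept it rather than re-deriving it, but the rewrite below keeps the one-argument signature the new main() calls.
```python
def gbrain_target(rel_path):
    # … unchanged: docstring …
    subdir, fn = os.path.split(rel_path)
    slug = os.path.splitext(fn)[0]
    if not subdir:
        # Flat file in ideas/ root — use ROUTING dict
        category = ROUTING.get(slug, "concepts")
        return f"{GBRAIN_SRC}/{category}/{slug}.md"
    # In a subdirectory: ideas/compliance/foo.org → concepts/compliance/foo.md
    return f"{GBRAIN_SRC}/concepts/{subdir}/{slug}.md"
```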
@@ -135,20 +170,13 @@ ROUTING = { } def main(): - # Ensure MECE directories exist - for d in ["concepts", "ideas"]: - os.makedirs(f"{GBRAIN_SRC}/{d}", exist_ok=True) - imported = [] - for slug, category in ROUTING.items(): - src_path = f"{BRAIN}/ideas/{slug}.org" - if not os.path.exists(src_path): - print(f" SKIP {slug}: not found") - continue + for slug, rel_path, src_path in find_org_files(): + dst_path = gbrain_target(rel_path) - dst_dir = f"{GBRAIN_SRC}/{category}" - dst_path = f"{dst_dir}/{slug}.md" + # Create parent directories + os.makedirs(os.path.dirname(dst_path), exist_ok=True) # Extract frontmatter from org properties props = extract_org_properties(src_path) @@ -168,8 +196,10 @@ def main(): with open(dst_path, 'w') as f: f.write(full) - imported.append(f"{category}/{slug}.md") - print(f" OK {category}/{slug}") + # Show relative path for clarity + rel_dst = os.path.relpath(dst_path, GBRAIN_SRC) + imported.append(rel_dst) + print(f" OK {rel_dst}") print(f"\nConverted {len(imported)} files.")
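Review bot: The `SKIP … not found` report disappears together with the ROUTING-driven loop, so a ROUTING entry whose .org file has been moved or deleted is now silently stale, and a flat file absent from ROUTING silently lands in `concepts` via gbrain_target; a check after the loop, `stale = set(ROUTING) - {slug for slug, rel, _ in find_org_files() if '/' not in rel}`, printed when non-empty, keeps that visibility. The new walk also converts every .org file under ideas/, and the org files in this same patch show several empty or mid-sentence `#+title:` values (e.g. oecd.org, quebec-law-25.org), which the unchanged `extract_org_properties(src_path)` call will presumably carry into the frontmatter verbatim — a `print(f" WARN {slug}: no #+title")` when `props` lacks a title would surface that before the file is written. The rest of main's body, including the write of dst_path, lies outside this hunk.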