gbrain: sync converted org-mode brain files
@@ -2,7 +2,7 @@
|
||||
:ID: auto-appi
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: APPI (Act on the Protection of Personal Information — Japan)
|
||||
#+filetags: :passepartout:compliance:framework:appi:
|
||||
|
||||
|
||||
|
||||
@@ -21,7 +21,7 @@ license cancellation for non-compliance. Personal liability for board and
|
||||
senior management.
|
||||
|
||||
Why it matters: CPS 234's control testing requirement creates demand for
|
||||
continuous verification — exactly what the gate stack and evaluation harness
|
||||
continuous verification — exactly what the gate stack and [[file:../evaluation-harness.org][evaluation harness]]
|
||||
provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
|
||||
escalating. No vendor provides a deterministic control-testing pipeline.
|
||||
|
||||
|
||||
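Review bot: the new link on the `continuous verification` line points at `file:../evaluation-harness.org`, one directory above this compliance file, while the see-also blocks elsewhere in this commit reach idea pages via `file:../../ideas/...`; confirm the harness page actually exists at that relative location, since org renders an unresolved `file:` link without any warning. If it lives under ideas/, the target should be `file:../../ideas/evaluation-harness.org`.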
@@ -2,11 +2,11 @@
|
||||
:ID: auto-ccpa-cpra
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: CCPA/CPRA (California Consumer Privacy Act)
|
||||
#+filetags: :passepartout:compliance:framework:ccpa:
|
||||
|
||||
|
||||
California's comprehensive privacy law — the closest US analogue to GDPR.
|
||||
California's comprehensive privacy law — the closest US analogue to [[file:gdpr.org][GDPR]].
|
||||
CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to
|
||||
know, delete, opt out of sale/sharing, correct inaccurate data, limit use
|
||||
of sensitive PI. Private right of action for data breaches.
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
#+title: Compliance Framework Index — Global Regulated Industries
|
||||
#+filetags: :passepartout:triad:compliance:global:index:hub:
|
||||
|
||||
The verification monopoly and domain gate package revenue streams depend on
|
||||
The [[file:../verification-monopoly.org][verification monopoly]] and domain gate package revenue streams depend on
|
||||
selling into regulated industries. These industries buy compliance, not software.
|
||||
Each framework below maps to a gate package the triad can sell — ACL2-verified
|
||||
gate rules that produce deterministic audit trails.
|
||||
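Review bot: the index now links the verification monopoly as `file:../verification-monopoly.org`, but the unchanged see-also lines of the same file use `file:../../ideas/verification-monopoly.org`; two paths for one target in one file means at least one of them is dead. Pick the path that resolves and use it for both occurrences.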
@@ -75,5 +75,5 @@ See [[file:first-mover-window.org][First-mover window analysis]] and [[file:reve
|
||||
| International | 9 | ~$4.5B | ISO 27001 (universal baseline), World Bank/IFC (no market exists) |
|
||||
|
||||
Next: [[file:first-mover-window.org][First-mover window analysis]] | [[file:revenue-table.org][Full revenue table]]
|
||||
See also: [[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/domain-gate-packages.org][Domain gate packages]],
|
||||
[[file:../../ideas/compute-marketplace.org][Compute marketplace]], [[file:../../ideas/infrastructure-lock-in.org][Infrastructure lock-in]]
|
||||
See also: [[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/domain-gate-packages.org][[[file:../domain-gate-packages.org][Domain gate packages]]]],
|
||||
[[file:../../ideas/compute-marketplace.org][[[file:../compute-marketplace.org][Compute marketplace]]]], [[file:../../ideas/infrastructure-lock-in.org][Infrastructure lock-in]]
|
||||
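Review bot: the rewritten see-also line nests a link inside a link description (`[[file:../../ideas/domain-gate-packages.org][[[file:../domain-gate-packages.org][Domain gate packages]]]]`, and the same for Compute marketplace), which is not valid org link syntax and will render as literal brackets; the converter is linkifying text that is already a link description. Skip anything inside an existing `[[...][...]]` span when auto-linking, and settle on one target path per page.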
@@ -2,7 +2,7 @@
|
||||
:ID: auto-cra
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: transaction." First-mover advantage: wallets are being built now; the provider
|
||||
#+title: CRA (EU Cyber Resilience Act)
|
||||
#+filetags: :passepartout:compliance:framework:cra:
|
||||
|
||||
transaction." First-mover advantage: wallets are being built now; the provider
|
||||
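Review bot: the title fix on cra.org masks a file-boundary problem: the old `#+title:` and the first body line (context line `transaction." First-mover advantage: wallets are being built now; the provider`) are the tail of the eIDAS wallet text, not CRA content, so the converter cut the source brain one heading late. Fix the split so each file starts at its own heading; otherwise the new title labels the wrong body.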
@@ -23,8 +23,8 @@ Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
|
||||
reporting obligations.
|
||||
|
||||
Why it matters: CRA's CE marking requirement creates a certification pipeline
|
||||
that the verification appliance can supply. If Passepartout's gate stack is
|
||||
itself CRA-compliant (verified by the evaluation harness), it becomes the
|
||||
that the [[file:../verification-appliance.org][verification appliance]] can supply. If Passepartout's gate stack is
|
||||
itself CRA-compliant (verified by the [[file:../evaluation-harness.org][evaluation harness]]), it becomes the
|
||||
compliance infrastructure for any product built on it. First-mover advantage:
|
||||
Class II products require notified body assessment — the bottleneck is notified
|
||||
body capacity. The gate stack's automated evidence pipeline bypasses the
|
||||
|
||||
@@ -22,7 +22,7 @@ Penalties: Up to 2% of average daily turnover × number of days breached, or
|
||||
|
||||
Why it matters: DORA's third-party risk management requirement is a natural gate
|
||||
stack use case — every ICT provider access must be gated, logged, and auditable.
|
||||
TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover
|
||||
TLPT (threat-led penetration testing) maps to the [[file:../evaluation-harness.org][evaluation harness]]. First-mover
|
||||
advantage is extremely time-sensitive: DORA is already in effect (January 2025).
|
||||
Financial institutions are scrambling for compliance tooling. A DORA gate package
|
||||
at $50K/yr with zero incremental cost per additional user is an immediate sale.
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-dpdp-act
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: DPDP Act (Digital Personal Data Protection Act — India)
|
||||
#+filetags: :passepartout:compliance:framework:dpdp:
|
||||
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-eidas2
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: eIDAS 2.0 (European Digital Identity Framework)
|
||||
#+filetags: :passepartout:compliance:framework:eidas2:
|
||||
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@ Who must comply: Providers and deployers of AI systems in the EU. Extraterritori
|
||||
if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
|
||||
with additional obligations for systemic-risk GPAI.
|
||||
|
||||
Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).
|
||||
Penalties: Up to 35M EUR or 7% of global turnover (higher than [[file:gdpr.org][GDPR]]).
|
||||
|
||||
Why it matters: The EU AI Act's conformity assessment requirement creates an
|
||||
instant certification market. Passepartout's gate stack can serve as the
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-fatf
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
|
||||
#+title: FATF (Financial Action Task Force)
|
||||
#+filetags: :passepartout:compliance:framework:fatf:
|
||||
|
||||
risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
|
||||
|
||||
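Review bot: same boundary problem on fatf.org: the old title and first body line are a Basel III sentence (`risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB`), so this file opens with the end of basel-iii.org. The new title matches the ID but not the text beneath it; re-split before retitling.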
@@ -12,12 +12,12 @@ dominance before incumbents respond or the market settles on a standard approach
|
||||
|
||||
| Window | Frameworks | Rationale |
|
||||
|--------|-----------|-----------|
|
||||
| **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
|
||||
| **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
|
||||
| **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
|
||||
| **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
|
||||
| **Critical (<12 months)** | [[file:eu-ai-act.org][EU AI Act]] (Aug 2026 effective), [[file:nis2.org][NIS2]] (Oct 2025 deadline), [[file:dora.org][DORA]] (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
|
||||
| **Wide (12-36 months)** | [[file:dpdp-act.org][DPDP Act]] 2023 (rules drafting), India privacy; Privacy Act Review (Australia); [[file:quebec-law-25.org][Quebec Law 25]]; [[file:cra.org][CRA]] phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
|
||||
| **Mature (commodity)** | [[file:gdpr.org][GDPR]] (2018), [[file:sox.org][SOX]] (2002), [[file:hipaa.org][HIPAA]] (1996), [[file:glba.org][GLBA]] (1999), [[file:basel-iii.org][Basel III]] (2010), [[file:fatf.org][FATF]] 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
|
||||
| **Latent (undiscovered)** | [[file:oecd.org][OECD]] AI Principles, UN/CEFACT, [[file:world-bank-esf.org][World Bank ESF]], [[file:ifc-ps.org][IFC PS]] | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
|
||||
|
||||
|
||||
|
||||
See also: [[file:_index.org][Compliance index]], [[file:revenue-table.org][Revenue table]],
|
||||
[[file:../../ideas/verification-appliance.org][Verification appliance]], [[file:../../ideas/verification-monopoly.org][Verification monopoly]]
|
||||
See also: [[file:compliance-index.org][Compliance index]], [[file:revenue-table.org][Revenue table]],
|
||||
[[file:../../ideas/verification-appliance.org][[[file:../verification-appliance.org][Verification appliance]]]], [[file:../../ideas/verification-monopoly.org][[[file:../verification-monopoly.org][Verification monopoly]]]]
|
||||
|
||||
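Review bot: two problems in the trailing see-also lines: the nested links (`[[file:../../ideas/verification-appliance.org][[[file:../verification-appliance.org][Verification appliance]]]]` and the Verification monopoly one) are malformed org syntax, and the index link target changes from `_index.org` to `compliance-index.org` although no rename is visible in this diff, so confirm that file exists. The table rows themselves link cleanly; the see-also linkifier needs the same guard against already-linked text.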
@@ -2,7 +2,7 @@
|
||||
:ID: auto-glba
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: GLBA (Gramm-Leach-Bliley Act)
|
||||
#+filetags: :passepartout:compliance:framework:glba:
|
||||
|
||||
|
||||
@@ -19,5 +19,5 @@ and directors personally liable.
|
||||
Why it matters: The Safeguards Rule maps directly to gate stack access controls.
|
||||
Every NPI access is gated; the proof log is the security program's evidence.
|
||||
First-mover advantage is narrow (GLBA is well-understood) but the market is
|
||||
large because every financial institution that dodges HIPAA still faces GLBA.
|
||||
large because every financial institution that dodges [[file:hipaa.org][HIPAA]] still faces GLBA.
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-ifc-ps
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: projects in 100+ countries. Also adopted by many multilateral development banks
|
||||
#+title: IFC Performance Standards
|
||||
#+filetags: :passepartout:compliance:framework:ifc:
|
||||
|
||||
projects in 100+ countries. Also adopted by many multilateral development banks
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-ifrs
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: IFC Performance Standards (Environmental and Social Sustainability)
|
||||
#+filetags: :passepartout:compliance:framework:ifrs:
|
||||
|
||||
|
||||
|
||||
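Review bot: the title added to the `auto-ifrs` file reads `IFC Performance Standards (Environmental and Social Sustainability)`, which is the IFC PS page's subject (the `auto-ifc-ps` file in this same commit is titled `IFC Performance Standards`), while the ID and the `:ifrs:` tag say this file is IFRS. Either the title or the content of this file is off by one; check which before merging.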
@@ -2,21 +2,21 @@
|
||||
:ID: auto-irap
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: IRAP (Infosec Registered Assessors Program — Australia)
|
||||
#+filetags: :passepartout:compliance:framework:irap:
|
||||
|
||||
|
||||
** IRAP (Infosec Registered Assessors Program)
|
||||
|
||||
Australian government's cloud security assessment program — analogous to
|
||||
FedRAMP. Cloud services used by Australian government agencies must have an
|
||||
[[file:fedramp.org][FedRAMP]]. Cloud services used by Australian government agencies must have an
|
||||
IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
|
||||
Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.
|
||||
|
||||
Who must comply: Cloud providers selling to Australian federal, state, and
|
||||
local government agencies. Also critical infrastructure providers.
|
||||
|
||||
Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP
|
||||
Why it matters: Like FedRAMP and [[file:ismap.org][ISMAP]], IRAP is a procurement gate. An IRAP
|
||||
Protected-level assessment is expensive and takes 6-12 months. First-mover
|
||||
advantage: the gate stack's deterministic audit trail can be the primary
|
||||
evidence artifact, reducing assessment scope/cost.
|
||||
|
||||
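Review bot: in the `Why it matters` line the converter linked ISMAP but left FedRAMP plain, although FedRAMP is linked to `file:fedramp.org` two paragraphs earlier in the same hunk; link every occurrence or only the first, but do it consistently.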
@@ -2,15 +2,15 @@
|
||||
:ID: auto-ismap
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: is moderate — few non-Japanese vendors target APPI specifically, and the 2022
|
||||
#+title: ISMAP (Government Security Framework — Japan)
|
||||
#+filetags: :passepartout:compliance:framework:ismap:
|
||||
|
||||
is moderate — few non-Japanese vendors target APPI specifically, and the 2022
|
||||
is moderate — few non-Japanese vendors target [[file:appi.org][APPI]] specifically, and the 2022
|
||||
amendments added requirements that created compliance gaps.
|
||||
|
||||
** ISMAP (Government Information System Security Management and Assessment Program)
|
||||
|
||||
Japan's government cloud security program — analogous to FedRAMP. Cloud services
|
||||
Japan's government cloud security program — analogous to [[file:fedramp.org][FedRAMP]]. Cloud services
|
||||
used by Japanese government agencies must be ISMAP-authorized. Managed by the
|
||||
Digital Agency and the Information-technology Promotion Agency (IPA).
|
||||
|
||||
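Review bot: ismap.org opens with APPI text (`few non-Japanese vendors target APPI specifically`, then `amendments added requirements that created compliance gaps.`) before the `** ISMAP` heading, and the old `#+title:` was that stray sentence; the converter is splitting files one heading late. Linkifying APPI on that line points the reader at the very file this paragraph belongs in, which is the hint that the content should move there.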
@@ -18,7 +18,7 @@ Who must comply: Cloud service providers selling to Japanese national and local
|
||||
government agencies.
|
||||
|
||||
Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is
|
||||
time-consuming and expensive. A compute marketplace provider with ISMAP
|
||||
time-consuming and expensive. A [[file:../compute-marketplace.org][compute marketplace]] provider with ISMAP
|
||||
authorization has exclusive access to the Japanese government market. First-mover
|
||||
advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-iso-27001
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: ISO/IEC 27001 (Information Security Management)
|
||||
#+filetags: :passepartout:compliance:framework:iso:
|
||||
|
||||
|
||||
|
||||
@@ -2,12 +2,12 @@
|
||||
:ID: auto-iso-27701
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: ISO/IEC 27701 (Privacy Information Management)
|
||||
#+filetags: :passepartout:compliance:framework:iso:
|
||||
|
||||
|
||||
International standard extending ISO 27001 for privacy information management.
|
||||
Aligns with GDPR requirements. Provides a framework for PII (personally
|
||||
International standard extending [[file:iso-27001.org][ISO 27001]] for privacy information management.
|
||||
Aligns with [[file:gdpr.org][GDPR]] requirements. Provides a framework for PII (personally
|
||||
identifiable information) controllers and processors.
|
||||
|
||||
Why it matters: ISO 27701 bridges information security and privacy compliance.
|
||||
|
||||
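Review bot: both iso-27001.org and iso-27701.org get `#+filetags: :passepartout:compliance:framework:iso:`, so the last tag cannot distinguish them; across the commit that tag is just the first hyphen-delimited token of the filename (`:lfp:`, `:ny:`, `:uk:`, `:un:`, `:world:`, `:privacy:`, `:ifc:`), which yields collisions and meaningless tags. Derive it from the full ID (`iso-27001`, `ny-dfs-500`) or from an explicit tag field instead.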
@@ -2,7 +2,7 @@
|
||||
:ID: auto-lfp-dppp
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: LFPDPPP (Ley Federal de Protección de Datos Personales — Mexico)
|
||||
#+filetags: :passepartout:compliance:framework:lfp:
|
||||
|
||||
|
||||
@@ -20,5 +20,5 @@ Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are
|
||||
pushing toward privacy regime interoperability. A bilingual (Spanish/English)
|
||||
gate package covering both LFPDPPP and US frameworks serves the massive
|
||||
US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is
|
||||
less automated than GDPR; the market has fewer vendors and lower expectations.
|
||||
less automated than [[file:gdpr.org][GDPR]]; the market has fewer vendors and lower expectations.
|
||||
|
||||
|
||||
@@ -2,12 +2,12 @@
|
||||
:ID: auto-lgpd
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: LGPD (Lei Geral de Proteção de Dados — Brazil)
|
||||
#+filetags: :passepartout:compliance:framework:lgpd:
|
||||
|
||||
|
||||
Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
|
||||
Modeled on GDPR but with differences: LGPD defines "data processing agents"
|
||||
Modeled on [[file:gdpr.org][GDPR]] but with differences: LGPD defines "data processing agents"
|
||||
(controller and operator), requires appointment of DPO (data protection officer),
|
||||
mandates breach notification to ANPD (National Data Protection Authority) and
|
||||
affected data subjects. 10 legal bases for processing (vs 6 in GDPR).
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-nis2
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: NIS 2 Directive (EU Network and Information Security)
|
||||
#+filetags: :passepartout:compliance:framework:nis2:
|
||||
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-ny-dfs-500
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: NY DFS 500 (New York Cybersecurity Regulation)
|
||||
#+filetags: :passepartout:compliance:framework:ny:
|
||||
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-oecd
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: verification path, and produce an auditable trail for every suspicion
|
||||
#+title: OECD Guidelines
|
||||
#+filetags: :passepartout:compliance:framework:oecd:
|
||||
|
||||
verification path, and produce an auditable trail for every suspicion
|
||||
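Review bot: oecd.org opens with a FATF sentence (`verification path, and produce an auditable trail for every suspicion`), the same boundary slip seen in the other retitled files; the title is right for `auto-oecd` but the leading paragraph belongs in fatf.org.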
@@ -17,7 +17,7 @@ approach.
|
||||
OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation,
|
||||
data quality, purpose specification, use limitation, security safeguards,
|
||||
openness, individual participation, accountability. Non-binding but foundational
|
||||
— the basis for GDPR, APPI, LGPD, and most other privacy laws.
|
||||
— the basis for [[file:gdpr.org][GDPR]], [[file:appi.org][APPI]], [[file:lgpd.org][LGPD]], and most other privacy laws.
|
||||
|
||||
OECD AI Principles (adopted 2019, updated 2024): Five values-based principles
|
||||
— inclusive growth and well-being, human-centered values and fairness,
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-pipa
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: PIPA (Personal Information Protection Act — South Korea)
|
||||
#+filetags: :passepartout:compliance:framework:pipa:
|
||||
|
||||
|
||||
@@ -21,7 +21,7 @@ against major tech companies. Class action lawsuits permitted.
|
||||
Who must comply: Any organization handling personal information of South Korean
|
||||
residents. Extraterritorial scope is broad and actively enforced.
|
||||
|
||||
Why it matters: PIPA is structurally similar to GDPR but with stricter
|
||||
Why it matters: PIPA is structurally similar to [[file:gdpr.org][GDPR]] but with stricter
|
||||
enforcement and higher penalties relative to market size. The gate stack's
|
||||
purpose-boundary gates map directly to PIPA's purpose limitation requirement.
|
||||
First-mover advantage is large — PIPA has fewer compliance automation vendors
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-privacy-act-aus
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: Privacy Act 1988 (Australia)
|
||||
#+filetags: :passepartout:compliance:framework:privacy:
|
||||
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
:ID: auto-quebec-law-25
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
|
||||
#+title: Quebec Law 25
|
||||
#+filetags: :passepartout:compliance:framework:quebec:
|
||||
|
||||
gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
|
||||
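Review bot: quebec-law-25.org's first body line is CCPA material (`gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"`), and the old title was that sentence; the proper `** Canadian provincial privacy` heading only appears further down in the next hunk. Re-split so the file begins at that heading.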
@@ -13,7 +13,7 @@ verifiable audit trail — they are all document-based.
|
||||
** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA)
|
||||
|
||||
Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy
|
||||
regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment,
|
||||
regulation — closer to [[file:gdpr.org][GDPR]] than PIPEDA. Requires: privacy officer appointment,
|
||||
privacy impact assessments, consent modernization, data portability, right to
|
||||
de-index, algorithm transparency (automated decision-making disclosures).
|
||||
Penalties up to $25M CAD or 4% of global revenue.
|
||||
|
||||
@@ -9,39 +9,39 @@
|
||||
|
||||
| Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
|
||||
|-----------|--------|--------------|------------------|-------------------|---------------------|----------------|
|
||||
| HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
|
||||
| [[file:hipaa.org][HIPAA]] | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
|
||||
| SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
|
||||
| GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
|
||||
| FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
|
||||
| SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
|
||||
| GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy |
|
||||
| NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
|
||||
| [[file:gdpr.org][GDPR]] | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
|
||||
| [[file:fedramp.org][FedRAMP]] | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
|
||||
| [[file:sox.org][SOX]] | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
|
||||
| [[file:glba.org][GLBA]] | US | $40K | 20K | $800M | Moderate | Financial privacy |
|
||||
| [[file:ny-dfs-500.org][NY DFS 500]] | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
|
||||
| CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
|
||||
| NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
|
||||
| EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
|
||||
| DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
|
||||
| [[file:nis2.org][NIS2]] | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
|
||||
| [[file:eu-ai-act.org][EU AI Act]] | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
|
||||
| [[file:dora.org][DORA]] | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
|
||||
| eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
|
||||
| CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
|
||||
| UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
|
||||
| APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
|
||||
| ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
|
||||
| PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
|
||||
| [[file:cra.org][CRA]] | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
|
||||
| [[file:uk-gdpr.org][UK GDPR]] | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
|
||||
| [[file:appi.org][APPI]] | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
|
||||
| [[file:ismap.org][ISMAP]] | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
|
||||
| [[file:pipa.org][PIPA]] | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
|
||||
| Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
|
||||
| APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls |
|
||||
| IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
|
||||
| DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
|
||||
| LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
|
||||
| [[file:apra-cps-234.org][APRA CPS 234]] | Australia | $40K | 500 | $20M | Moderate | Info security controls |
|
||||
| [[file:irap.org][IRAP]] | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
|
||||
| [[file:dpdp-act.org][DPDP Act]] | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
|
||||
| [[file:lgpd.org][LGPD]] | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
|
||||
| LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
|
||||
| ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
|
||||
| ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
|
||||
| Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
|
||||
| FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
|
||||
| IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
|
||||
| [[file:iso-27001.org][ISO 27001]] | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
|
||||
| [[file:iso-27701.org][ISO 27701]] | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
|
||||
| [[file:basel-iii.org][Basel III]] | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
|
||||
| [[file:fatf.org][FATF]] AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
|
||||
| [[file:ifrs.org][IFRS]] 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
|
||||
| UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
|
||||
| World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
|
||||
| IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
|
||||
| [[file:world-bank-esf.org][World Bank ESF]] | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
|
||||
| [[file:ifc-ps.org][IFC PS]] | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
|
||||
|
||||
A compute marketplace provider with authorization in 5+ frameworks (FedRAMP +
|
||||
A [[file:../compute-marketplace.org][compute marketplace]] provider with authorization in 5+ frameworks (FedRAMP +
|
||||
ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
|
||||
for regulated cloud globally. The gate package portfolio alone — a mid-size
|
||||
enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
|
||||
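Review bot: the linkifier is inconsistent across the table: the CCPA/CPRA, eIDAS 2.0, Privacy Act, LFPDPPP and UN/CEFACT rows stay plain even though ccpa-cpra, eidas2, privacy-act-aus, lfp-dppp and un-cefact files are created with IDs in this same commit, while `IFRS 17` gets a link on the word IFRS only. Link every framework that has a file, and link the full cell text (`[[file:ifrs.org][IFRS 17]]`) rather than a prefix.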
@@ -56,5 +56,5 @@ for regulated cloud globally. The gate package portfolio alone — a mid-size
|
||||
enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
|
||||
At 10,000 such enterprises: $5B/yr.
|
||||
|
||||
See also: [[file:_index.org][Compliance index]], [[file:first-mover-window.org][First-mover window analysis]],
|
||||
[[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/compute-marketplace.org][Compute marketplace]]
|
||||
See also: [[file:compliance-index.org][Compliance index]], [[file:first-mover-window.org][First-mover window analysis]],
|
||||
[[file:../../ideas/verification-monopoly.org][[[file:../verification-monopoly.org][Verification monopoly]]]], [[file:../../ideas/compute-marketplace.org][Compute marketplace]]
|
||||
|
||||
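Review bot: the last see-also line again nests `[[file:../verification-monopoly.org][Verification monopoly]]` inside the description of the `../../ideas/` link, and Compute marketplace keeps the old `file:../../ideas/compute-marketplace.org` target while the body paragraph above was rewritten to `file:../compute-marketplace.org`; one file, two different paths for the same page. Resolve to one path and stop the linkifier from matching inside existing link descriptions.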
@@ -2,7 +2,7 @@
|
||||
:ID: auto-sox
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: SOX (Sarbanes-Oxley Act)
|
||||
#+filetags: :passepartout:compliance:framework:sox:
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
:PROPERTIES:
|
||||
:ID: auto-uk-gdpr
|
||||
:ID: auto-uk-[[file:gdpr.org][gdpr]]
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title:
|
||||
#+title: UK GDPR (Post-Brexit Data Protection)
|
||||
#+filetags: :passepartout:compliance:framework:uk:
|
||||
|
||||
|
||||
|
||||
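Review bot: `:ID: auto-uk-[[file:gdpr.org][gdpr]]` corrupts the org-id of uk-gdpr.org: the linkifier matched `gdpr` inside the property drawer, so any `id:auto-uk-gdpr` link from other files will stop resolving. Exclude `:PROPERTIES:` drawers and `#+` keyword lines from auto-linking and restore `:ID: auto-uk-gdpr`.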
@@ -2,13 +2,13 @@
|
||||
:ID: auto-un-cefact
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
|
||||
#+title: UN/CEFACT (United Nations Centre for Trade Facilitation and Electronic Business)
|
||||
#+filetags: :passepartout:compliance:framework:un:
|
||||
|
||||
EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
|
||||
of Asia and Africa. The US (GAAP) is the major holdout.
|
||||
|
||||
Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets.
|
||||
Why it matters: [[file:ifrs.org][IFRS]] 17 and IFRS 9 are algorithmically complex rule sets.
|
||||
Getting an actuarial model or credit loss calculation wrong is a financial
|
||||
reporting error. The gate stack's ACL2 prover can verify that the calculation
|
||||
implementations match the standard's mathematical requirements. First-mover
|
||||
|
||||
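Review bot: un-cefact.org's body is the IFRS page (adoption list ending `The US (GAAP) is the major holdout.`, then `Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets.`), so the new `#+title: UN/CEFACT (...)` labels IFRS content; together with the ifrs file carrying an IFC title, the per-file content is shifted by one relative to the IDs. Fix the split at the source rather than patching titles.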
@@ -2,7 +2,7 @@
|
||||
:ID: auto-world-bank-esf
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: — inclusive growth and well-being, human-centered values and fairness,
|
||||
#+title: World Bank Environmental and Social Framework
|
||||
#+filetags: :passepartout:compliance:framework:world:
|
||||
|
||||
— inclusive growth and well-being, human-centered values and fairness,
|
||||
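Review bot: world-bank-esf.org opens mid-list of the OECD AI Principles (the fragment `inclusive growth and well-being, human-centered values and fairness,`), and the old title was that fragment; same off-by-one file split as the other retitled files. The title is correct for the ID only once the OECD paragraph is moved back to oecd.org.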
@@ -10,7 +10,7 @@ transparency and explainability, robustness and safety, accountability.
|
||||
Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI
|
||||
guidelines all cite them.
|
||||
|
||||
Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory
|
||||
Why it matters: The [[file:oecd.org][OECD]] frameworks are indirect revenue drivers. Regulatory
|
||||
alignment with OECD principles is often a procurement requirement for
|
||||
international organizations and development finance institutions. First-mover
|
||||
advantage is about standard-setting: the gate package that maps to OECD
|
||||
|
||||